Privacy Policy

The data controller responsible for your personal data is:

Quartermasters F.Z.C is licensed by the Ajman Free Zone Authority (AFZA) and operates under UAE federal law. For any privacy-related inquiries or to exercise your data subject rights, please contact us at hello@quartermasters.me.

We collect personal data only to the extent necessary for the purposes described in this policy. The categories of data we collect are as follows:

2.1 Contact Form Data

When you submit an inquiry via our contact form, we collect:

• Full name
• Email address
• Organization / company name (optional)
• Service of interest
• Message content

2.2 Cookie & Analytics Data

We use cookies and analytics tools (PostHog) to collect technical and usage data, including:

• IP address (anonymized where technically feasible)
• Browser type and version
• Operating system
• Device type
• Pages visited, time on page, and interaction events
• Referring URL
• Preference settings (e.g., language, theme)

2.3 AI Chatbot Conversation Logs (Future)

We plan to introduce an AI-powered assistant (“Q AI Assistant”) that will process natural language queries. When this feature is active, we may collect:

• Text of your conversation with the AI assistant
• Session identifiers
• Timestamps

Conversation data may be processed by Anthropic (Claude API) as our AI infrastructure provider. No conversation data will be used to train third-party AI models without your explicit consent.

2.4 Client Portal Data (Future)

When our client portal becomes available, registered users may provide:

• Account credentials (email and password)
• Project information and documents
• Internal messages and communications
• Profile information

2.5 Payment Information (Future)

Payment processing will be handled by PCI-DSS compliant third-party providers (Stripe and/or PayTabs). We do not store credit card numbers, CVV codes, or full payment card details on our servers. We may receive and retain:

• Transaction reference IDs
• Billing name and address
• Last four digits of the payment card (for reference)
• Transaction amounts and dates

2.6 Analytics Data

We use PostHog for product analytics. Data collected includes:

• Page views and navigation paths
• Click and interaction events
• Feature usage patterns
• Session recordings (if enabled, with sensitive fields masked)
• Performance metrics

We process your personal data under one or more of the following legal bases, as applicable under the UAE PDPL, GDPR, and CCPA/CPRA:

We process personal data strictly for the following purposes and do not use it beyond these stated objectives:

• Service delivery: Responding to inquiries, providing consultancy services across our five licensed verticals (Human Resources Consultancy, Management Consultancies, Consulting & R&D in Technology Education, Organization & Event Management, and Banking Services Consultancy), and managing client relationships.
• Communication: Sending service-related correspondence, responding to your messages, and (with your consent) sending updates about our services.
• Website improvement: Analyzing usage patterns, diagnosing technical issues, and optimizing our platform experience.
• Security: Protecting against unauthorized access, fraud, and abuse of our systems.
• Legal compliance: Fulfilling our obligations under UAE law, AFZA regulations, and other applicable legislation.
• Payment processing: Facilitating transactions through third-party payment processors when our billing features become active.

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized such that it can no longer be associated with you. Where anonymized data is retained for statistical purposes, it is no longer considered personal data.

We do not sell, rent, or trade your personal data. We share data with the following categories of third-party service providers, strictly for the purposes described in this policy:

We may also disclose personal data where required by law, regulation, legal process, or enforceable governmental request, including requests from UAE authorities and AFZA.

Quartermasters F.Z.C is headquartered in the United Arab Emirates. However, some of our third-party service providers operate in jurisdictions outside the UAE, including the United States and the European Economic Area (EEA).

When personal data is transferred outside the UAE or the EEA, we ensure that appropriate safeguards are in place, in compliance with the UAE PDPL and GDPR Chapter V:

• Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with service providers that process data outside the EEA.
• Adequacy decisions: Where transfers are to jurisdictions recognized by the European Commission or the UAE Data Office as providing an adequate level of data protection.
• Data Processing Agreements (DPAs): All third-party processors are bound by DPAs that require them to process data only on our instructions and to implement appropriate technical and organizational security measures.
• Supplementary measures: Including encryption in transit and at rest, access controls, and regular security assessments of our processors.

You may request a copy of the relevant transfer safeguards by contacting us at hello@quartermasters.me.

Depending on your location and applicable law, you may have the following rights regarding your personal data:

Under UAE PDPL & EU GDPR

• Right of Access: Request confirmation as to whether your personal data is being processed and, if so, obtain a copy of that data.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure (“Right to Be Forgotten”): Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.
• Right to Restriction of Processing: Request that we limit the processing of your data under certain circumstances.
• Right to Data Portability: Receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
• Right to Object: Object to processing based on legitimate interest or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

Additional Rights for California Residents (CCPA/CPRA)

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete: Request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. As such, there is no need to opt out. Should this change, we will provide a “Do Not Sell or Share My Personal Information” link.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Cookies are small text files placed on your device when you visit our website. We use them to enhance your experience, analyze traffic, and remember your preferences.

Types of Cookies We Use

Managing Cookies

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time by:

• Adjusting your browser settings to block or delete cookies
• Using the cookie preference controls on our website (when available)

Please note that disabling certain cookies may affect the functionality of our website.

We are committed to transparency regarding our use of artificial intelligence and automated processing:

Q AI Assistant (Planned)

We intend to deploy an AI-powered chatbot (“Q AI Assistant”) on our website, powered by Anthropic’s Claude API. This assistant is designed to:

• Answer general questions about our services
• Assist visitors in navigating the website and finding relevant information
• Provide preliminary guidance (not constituting professional advice)

Important Safeguards

• No consequential automated decisions: The AI assistant does not make decisions that produce legal effects or similarly significantly affect you. All material business decisions are made by qualified human professionals.
• Human oversight: AI outputs are subject to review. The assistant is a supplementary tool, not a replacement for professional human judgment.
• Data handling: Conversation data sent to Anthropic’s API is processed under their enterprise data processing terms. Anthropic does not use API inputs/outputs to train its general models.
• Right to object: Under GDPR Article 22 and UAE PDPL, you have the right not to be subject to solely automated decision-making. You may request human intervention at any time by contacting us.

Analytics & Profiling

We use PostHog analytics to understand aggregate usage patterns. This analysis does not involve individual profiling that produces legal or similarly significant effects. We do not use automated profiling to make decisions about individuals.

Our services are intended for businesses and professionals. We do not knowingly collect, solicit, or process personal data from individuals under the age of 18.

If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete that data from our systems. If you believe that we may have collected data from a minor, please contact us at hello@quartermasters.me so we can investigate and take appropriate action.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). Data at rest is encrypted using AES-256 or equivalent standards by our infrastructure providers.
• Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
• Infrastructure security: Our hosting providers (Vercel, Supabase) maintain SOC 2 Type II compliance, regular penetration testing, and 24/7 monitoring.
• Vendor assessments: We evaluate the security posture of all third-party processors before engaging their services and require contractual security obligations.
• Incident response: We maintain a data breach response plan. In the event of a personal data breach, we will notify affected individuals and the relevant supervisory authority in accordance with applicable law (within 72 hours under GDPR and as required under UAE PDPL).

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to continuous improvement of our security measures.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

• We will update the “Last Updated” date at the top of this page.
• For material changes, we will provide a prominent notice on our website or send a direct notification to affected users (where feasible and where we have contact details).
• Where required by law (e.g., under GDPR or UAE PDPL), we will obtain your renewed consent before applying changes that affect the legal basis for processing.

We encourage you to review this policy periodically. Your continued use of our website and services after any changes constitutes acceptance of the updated policy, to the extent permitted by applicable law.

If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Supervisory Authority Complaints

If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority:

• UAE: The UAE Data Office (established under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data), or the relevant authority designated by the Ajman Free Zone Authority.
• EU/EEA: The data protection authority in your country of residence. A list of EU Data Protection Authorities is available on the European Data Protection Board website.
• California: The California Attorney General’s Office or the California Privacy Protection Agency (CPPA).

CAN-SPAM Compliance

In accordance with the CAN-SPAM Act, all marketing emails sent by Quartermasters F.Z.C will:

• Clearly identify the message as an advertisement (where applicable)
• Include our valid physical postal address
• Provide a clear and conspicuous opt-out / unsubscribe mechanism
• Honor opt-out requests within 10 business days
• Not use deceptive subject lines or false header information