7. LEGAL BASIS FOR PROCESSING (ACCORDING TO UAE PDPL)

The processing of your Personal Data is based on one or more of the following legal bases provided by the PDPL:

• Consent:For specific purposes (e.g., direct marketing, certain cookies), we will ask for your explicit consent. You have the right to withdraw your consent at any time.
• Contractual Necessity:The processing is necessary for the performance of a contract to which you are a party (e.g., to provide and manage your account and related services as a Controller) or to take pre-contractual steps at your request.
• Legal Obligation:The processing is necessary to comply with a legal obligation to which Last Cluster is subject under the laws of the United Arab Emirates (e.g., tax obligations, authority requests).
• Protection of Vital Interests:The processing is necessary to protect the vital interests of the Data Subject or another natural person (rarely applicable in our context).
• Legitimate Interest:We may process data for our legitimate interests (e.g., ensuring the security of our systems, improving our website, managing customer support efficiently), provided that such interests are not overridden by your fundamental rights and freedoms. We will perform a case-by-case balancing assessment.

8. DATA SHARING AND COMMUNICATION (AS CONTROLLERS)

We do not sell your Personal Data. We may share Personal Data processed as Controllers only in the following circumstances:

• Third-Party Service Providers (Our Processors):We share data with companies that provide services on our behalf (e.g., payment processors, CRM/support platform providers, web analytics tools, hosting providers for our website). These providers act as our Data Processors and are contractually obligated to protect the data and use it only for the purposes we define.
• Business Partners:Only with your explicit consent or where necessary to provide a requested joint service, we may share limited data with selected partners.
• Legal and Governmental Authorities:We may disclose Personal Data if required by the law of the United Arab Emirates, by a court order, or by a competent governmental authority, or if necessary to protect our legal rights or security.
• Corporate Transfers:In the event of a merger, acquisition, reorganization, or sale of assets, Personal Data may be transferred as part of the transaction, in compliance with PDPL regulations and by informing you accordingly.
• Affiliated Companies:We may share data with other companies in our group for internal administrative purposes or for the coordinated provision of services (e.g., global support), always in compliance with this policy and with adequate safeguards.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law and our agreements.

9. INTERNATIONAL DATA TRANSFER (AS CONTROLLERS)

The Personal Data we collect as Controllers may be processed, stored, or accessed from locations outside the United Arab Emirates (UAE), where we, our affiliated companies, or our third-party service providers operate.
We will carry out such international transfers only in accordance with the UAE PDPL. We will transfer data only to:

• Countries for which the UAE Data Office has issued an adequacy decision.
• Countries without an adequacy decision, only if appropriate safeguardsapproved under the PDPL are in place, such as:
  • Standard Contractual Clauses (SCC)approved by the UAE Data Office entered into with the data recipient. [Note: Verify if the UAE Data Office has published specific SCCs]
  • Binding Corporate Rules (BCR)approved, for intra-group transfers.
• In the absence of the above conditions (exceptional circumstances), we may rely on specific derogationsprovided by the PDPL, such as your explicit consent to the proposed transfer (after being informed of the risks), or if the transfer is necessary for the performance of a contract with you, for important reasons of public interest, or to establish/exercise/defend a legal claim.

We will provide you with specific information on the safeguards adopted for the international transfers that concern you, upon request. [Optional: List here the main countries/regions to which transfers occur and the prevailing mechanism, e.g., ‘Our main providers are located in [Europe/USA] and we use approved SCCs…’]

10. SECURITY MEASURES

We adopt appropriate and commercially reasonable technical, administrative, and physical security measures to protect Personal Data (processed as Controllers) from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to:

• Data encryption (at rest and in transit, where technically feasible and appropriate).
• Strict access controls based on roles and the “need-to-know” principle.
• Firewalls, intrusion detection/prevention systems, and Anti-DDoS protection for our infrastructures.
• Vulnerability management and patch management procedures.
• Staff training on data security and privacy.
• Backup and disaster recovery procedures.
• Security monitoring and logging to detect and respond to incidents.

Despite our efforts, no security measure is perfect. In the event of a personal data breach (Data Breach) that may pose a risk to the rights and freedoms of individuals, we will notify the UAE Data Office and, if necessary, the data subjects, in accordance with the requirements of the PDPL.

11. DATA RETENTION (AS CONTROLLERS)

We retain Personal Data processed as Controllers only for the time strictly necessary to fulfill the purposes for which it was collected, as described in Section 6, and to comply with our legal, regulatory, tax, accounting, or reporting obligations in the UAE.

To determine the appropriate retention period, we consider: the quantity, nature, and sensitivity of the data; the potential risk of harm; the purposes of the processing; the possibility of achieving those purposes by other means; the applicable legal requirements.

Example of criteria/periods (to be adapted):

• Client Account Data:Retained for the duration of the contractual relationship plus a subsequent period of [Number, e.g., 3] years for legal/tax/rights defense obligations.
• Marketing Data (based on consent):Retained until consent is revoked.
• Website Logs:Retained for [Number, e.g., 6] months for security/performance analysis.
  At the end of the retention period, Personal Data will be securely deleted or irreversibly anonymized.

12. DATA SUBJECT’S RIGHTS (ACCORDING TO UAE PDPL)

Under the UAE PDPL, you have specific rights regarding the Personal Data we process as Controllers:

• Right of Access:Request information about the processing and a copy of your data.
• Right to Rectification:Request the correction of inaccurate or incomplete data.
• Right to Erasure (“Right to be Forgotten”):Request the deletion of your data in certain circumstances.
• Right to Restriction of Processing:Request to limit the processing of your data in certain situations.
• Right to Data Portability:Receive your data (provided by you, processed with consent/contract by automated means) in a structured, machine-readable format, and transmit it to another controller.
• Right to Object:Object to processing based on legitimate interest or for direct marketing. Object to decisions based solely on automated processing (including profiling) with legal/significant effects.
• Right to Withdraw Consent:Withdraw consent at any time for processing based on it.
• Right to Lodge a Complaint:Lodge a complaint with the competent authority, the UAE Data Office.

13. HOW TO EXERCISE YOUR RIGHTS

To exercise any of the rights mentioned above, or to ask questions about this Policy, you can contact us via:

• Dedicated Email:[email protected]

We may need to request specific information from you to confirm your identity before processing the request (security measures). We will try to respond to all legitimate requests within one month of receipt, as provided by the PDPL (extendable by a further two months in complex cases, informing you of the extension).

14. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies on our Website to improve its functionality, analyze traffic, personalize the user experience, and, with your consent, for advertising purposes. For detailed information on the types of cookies used, the purposes, the legal basis, and how to manage your preferences (including how to provide and revoke consent), please consult our separate Cookie Policy, available at the following link: http://www.lastcluster.ae. (Note: A separate policy is strongly recommended)

15. CHILDREN’S PRIVACY

Our services and our website are not directed at persons under the age of 18 (or the minimum age provided by applicable law). We do not knowingly collect Personal Data from minors as Controllers. If we become aware that we have collected Personal Data from a minor without the necessary parental/legal guardian consent, we will take steps to delete that information.

16. CHANGES TO THE PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time. Any changes will be published on this page with an updated “Effective Date”. In case of substantial changes, we will inform you by appropriate means (e.g., via email or a notice on the Website) before the change becomes effective, and if necessary, we will request your consent again for certain processing. We encourage you to periodically consult this page.

17. CONTACTS

For any questions, doubts, or requests regarding this Privacy Policy or our data processing practices as Controllers, please contact us:

Last Cluster Cloud Services LLC
Latifa Tower – Office No. B3107-46, Dubai, UAE
Email: [email protected]
Phone: +971 042201123