Legal
Data Protection Policy
Last updated: 7 July 2026
1. Purpose and scope
This Data Protection Policy sets out how Fitout Audit approaches the protection of personal data across the platform at www.fitoutaudit.com. It complements our Privacy Policy and Terms of Service and applies to all Fitout Audit team members and service providers who handle personal data on our behalf.
2. Regulatory context
We operate from the United Arab Emirates and align our processing with the principles of the UAE Personal Data Protection Law (PDPL, Federal Decree Law No. 45 of 2021) and, where applicable, the general data protection principles of the free-zone regulators (DIFC, ADGM). When we serve users or process data connected to jurisdictions outside the UAE, we take reasonable steps to respect applicable data protection rules in those jurisdictions.
3. Our data protection principles
- Lawful and fair: we collect only what we can justify — either to deliver the service you asked for, to run the business (billing, security), or where you have given clear consent.
- Purpose-limited: we use your data for the specific purposes described in our Privacy Policy, and not for unrelated purposes.
- Data-minimising: we collect the smallest amount of information that makes the service work. We do not enrich profiles from third-party trackers.
- Accurate: you can correct your information at any time in your account or by emailing us.
- Retention-limited: we do not keep information longer than we need to, subject to legal obligations to retain records.
- Secure: we protect your information with encryption and role-scoped access.
- Accountable: we can show, on request, how we handle your data end to end.
4. How we protect data — our security posture
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest — including uploaded documents and database records — is encrypted using strong industry-standard ciphers.
- Access to production data is scoped to the smallest set of authorised individuals, using role-based access controls and least-privilege principles.
- Uploaded documents are stored in a private, access-controlled object store; direct download is only possible through short-lived, signed URLs issued after authentication and ownership checks.
- Password credentials are never stored in clear text — only as one-way hashes.
- Our platform runs on infrastructure providers that hold independent security attestations (SOC 2 Type II, ISO 27001) and maintain their own regional data centres in secure facilities.
- We keep audit logs of administrative access and material changes.
- Payments never touch our own servers — they are processed by our PCI-DSS-compliant payment provider directly.
5. Data processors and cross-border transfers
We use a small number of specialist service providers to run the platform. In summary:
- A managed database and file-storage provider hosts your account, audit records, and uploaded documents in a regional data centre located in South Asia.
- An AI document-processing partner performs structured extraction of line items from your uploaded documents. They do not use your documents to train shared or public models.
- A third-party embedding provider is used to search our internal pricing database using short text descriptions.
- A global PCI-DSS-compliant payment provider handles all card transactions.
- A third-party email delivery provider sends account and report emails on our behalf, with SPF, DKIM, and DMARC authentication.
- A global content delivery network hosts the website itself.
Because these providers operate internationally, personal data may be transferred outside the UAE. Where we transfer personal data across borders, we select providers that offer contractual and technical safeguards comparable to those expected under the UAE Personal Data Protection Law.
You can request the current list of processors and their roles by emailing hello@fitoutaudit.com.
6. Your rights as a data subject
You may:
- Access: request a copy of the personal data we hold about you.
- Correct: ask us to update inaccurate or incomplete data.
- Delete: ask us to delete your personal data (subject to lawful retention).
- Restrict or object: limit or object to specific processing activities.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
- Portability: receive your data in a machine-readable format.
- Complain: raise a concern with the applicable UAE data protection authority.
To exercise any of these rights, email hello@fitoutaudit.com. We aim to respond within thirty (30) days, or sooner where required by law.
7. Incident response
If we discover a personal data incident that is likely to materially affect you, we will notify affected users promptly, with a description of what happened, what data was involved, what we have done to contain it, and what we recommend you do next. We will also notify the applicable regulator when required by law.
8. Employees and contractors
Anyone acting on behalf of Fitout Audit — full-time, part-time, contractor, or engaged service provider — is bound by confidentiality obligations and must handle personal data in line with this policy.
9. Changes to this policy
We may update this policy as our platform, providers, or the regulatory landscape evolves. The “last updated” date at the top of the page will reflect the most recent change.
10. Contact
Data protection queries: hello@fitoutaudit.com / +971 55 336 2690.
Note: this policy is a starting point and does not constitute legal advice. It should be reviewed by a qualified UAE lawyer before use with real customer traffic.