Privacy policy

1.1. Capital Catering and Services Sole Proprietorship L.L.C. ("Capital Catering", "CC", "we", "us", or "our") is committed to protecting the privacy and security of personal data in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and other applicable data protection regulations.

1.2. This Privacy Policy outlines how we collect, use, process, store, share, and protect personal data obtained through our business operations, digital platforms, catering services, and interactions with clients, employees, suppliers, and website visitors (collectively, "you" or "data subjects").

1.3. By accessing our services or interacting with us, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

2.1. This Privacy Policy applies to all personal data processed by Capital Catering, including but not limited to:

a. data collected via our websites, mobile applications, and digital platforms ("Platforms");
b. data obtained directly from clients, employees, contractors, suppliers, and business partners; and
c. data collected through physical interactions, events, exhibitions, and service delivery.

2.2. Where we act as a data processor on behalf of clients, this Policy complements contractual obligations governing such processing arrangements.

3.1. In most instances, Capital Catering acts as a data controller, determining the purposes and means of personal data processing.

3.2. In certain circumstances, particularly when providing services to clients under contractual arrangements, we may act as a data processor, processing personal data on behalf of our clients who remain the data controllers.

3.3. Where we act as a data processor, we process personal data strictly in accordance with our clients' instructions and applicable data processing agreements.

4.1. Our Platforms may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices or content of such third parties.

4.2. We recommend reviewing the privacy policies of any third-party platforms before providing personal data.

5.1. We may collect and process the following categories of personal data:

a. Identity Data: name, title, date of birth, gender, nationality, and government-issued identification numbers (e.g., Emirates ID, passport);
b. Contact Data: email address, phone numbers, postal address, and emergency contact details;
c. Financial Data: bank account details, payment card information, and transaction records;
d. Employment Data: employment history, job title, professional qualifications, and references;
e. Health Data: dietary restrictions, allergen information, and medical conditions (collected for service provision purposes);
f. Technical Data: IP address, browser type, device information, and usage data from our Platforms;
g. Marketing and Communication Data: preferences for receiving marketing materials and communication history; and
h. Special Categories of Data: where necessary and with appropriate consent, we may process sensitive personal data such as health information.

6.1. Our services are not directed at individuals under the age of 18 unless specifically authorized by parents or legal guardians in the context of school catering or events.

6.2. Where we knowingly collect personal data of minors, we ensure appropriate parental or guardian consent is obtained.

7.1. We process personal data for the following purposes and on the corresponding legal bases:

a. Contract Performance: to fulfill contractual obligations with clients, suppliers, and employees;
b. Legal Compliance: to comply with UAE laws, regulatory requirements, and legal proceedings;
c. Legitimate Interests: to pursue our business operations, improve services, conduct analytics, and maintain security;
d. Consent: where required by law, we rely on your explicit consent, particularly for marketing communications and processing special categories of data;
e. Service Delivery: to provide catering services, manage dietary requirements, and ensure health and safety compliance;
f. Human Resources Management: for recruitment, payroll, benefits administration, and employee relations;
g. Fraud Prevention and Security: to detect and prevent fraudulent activities and ensure the security of our operations; and
h. Business Development: to identify new opportunities, conduct market research, and enhance customer experience.

8.1. We collect personal data through:

a. Direct Interactions: when you engage our services, submit inquiries, register accounts, or attend events;
b. Automated Technologies: via cookies, web beacons, and analytics tools on our Platforms;
c. Third Parties: from business partners, service providers, public databases, and credit reference agencies; and
d. Surveillance Systems: CCTV and security monitoring at our facilities for safety and security purposes.

9.1. Where we rely on consent as the legal basis for processing, you have the right to withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.

9.2. Withdrawal of consent may impact our ability to provide certain services or fulfill contractual obligations.

10.1. We may send you marketing communications about our services, promotions, and events if you have consented or where permitted under applicable law.

10.2. You can opt out of marketing communications at any time by using the unsubscribe link in emails or contacting us directly.

10.3. Opting out of marketing communications does not affect service-related communications necessary for contractual performance.

11.1. This Privacy Policy primarily governs personal data processing activities conducted within the United Arab Emirates.

11.2. Where we process personal data across borders, we ensure compliance with applicable cross-border data transfer regulations.

12.1. We may share personal data with the following categories of recipients:

a. ADNEC Group Entities: for administrative, operational, and strategic purposes;
b. Service Providers: including IT service providers, payment processors, logistics partners, and professional advisors;
c. Regulatory and Law Enforcement Authorities: where required by law or to protect our legal rights;
d. Business Partners: for joint service offerings and collaborative projects; and
e. Successors in Interest: in the event of a merger, acquisition, or business restructuring.

12.2. All third-party processors are contractually obligated to implement appropriate security measures and process personal data solely for specified purposes.

13.1. We may use automated decision-making and profiling technologies to enhance service delivery and operational efficiency.

13.2. You have the right to request human intervention in automated decisions that significantly affect you.

14.1. We take reasonable steps to ensure that personal data is accurate, complete, and up to date.

14.2. You are responsible for informing us of any changes to your personal data to enable us to maintain its accuracy.

15.1. We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, regulatory, accounting, or reporting requirements.

15.2. Retention periods vary depending on the nature of the data and applicable legal obligations:

a. Client Data: retained for the duration of the contractual relationship and for up to seven (7) years thereafter for legal and tax compliance;
b. Employee Data: retained for the duration of employment and for a period required by UAE labor laws and tax regulations;
c. Marketing Data: retained until consent is withdrawn or the purpose is no longer applicable;
d. CCTV Footage: retained for up to ninety (90) days unless required for investigations or legal proceedings; and
e. Financial Records: retained in accordance with UAE Federal Tax Authority requirements.

15.3. Upon expiration of retention periods, personal data is securely deleted or anonymized.

16.1. We implement comprehensive administrative, technical, and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure.

16.2. Security measures include:

a. encryption of data in transit and at rest;
b. access controls and authentication mechanisms;
c. regular security audits and vulnerability assessments;
d. employee training on data protection best practices; and
e. incident response and breach notification procedures.

16.3. Despite our best efforts, no method of data transmission or storage is entirely secure. We cannot guarantee absolute security but commit to maintaining industry-standard safeguards.

17.1. We cooperate with regulatory authorities, including the UAE Data Office, and comply with lawful requests for information.

17.2. In cases of data breaches, we will notify affected individuals and regulatory authorities in accordance with UAE PDPL requirements.

18.1. Where personal data is transferred outside the UAE, we ensure compliance with applicable cross-border data transfer regulations under the UAE PDPL.

18.2. We only make these transfers where we are satisfied that adequate levels of protection are in place to protect any information held in that country or that the service provider acts at all times in compliance with applicable privacy laws. Where required under applicable laws we will take measures to ensure that personal data handled in other countries will receive at least the same level of protection as it is given in your home country.

18.3. Transfers will be protected by appropriate safeguards, namely the use of standard data protection clauses, a copy of which can be obtained from our legal team.

18.4. In the event your personal data is transferred to a foreign jurisdiction, it may be subject to the laws of that jurisdiction and we may be required to disclose it to the courts, law enforcement or governmental authorities in those jurisdictions but we will only do so where required by applicable laws.

19.1. Under the UAE PDPL, you have the right to:

a. the right to access and obtain information – to request confirmation as to whether CC holds personal data relating to you and to obtain a copy thereof;
b. the right to rectification – to correct or update inaccurate or incomplete personal data;
c. the right to erasure – to request deletion of your personal data where it is no longer required for its original purpose or where consent has been withdrawn;
d. the right to restrict processing – to request suspension of data processing in certain circumstances;
e. the right to object to processing – to object to processing based on legitimate interests or direct marketing purpose;
f. the right to data portability – to request transfer of your data to another controller in a structured, commonly used, and machine-readable format;
g. the right to complain to the UAE Data Office – to submit a complaint before the UAE Data Office if you believe your rights under the PDPL have been infringed; and
h. the right to withdraw consent – to withdraw your consent at any time where processing is based on consent.

19.2. Requests may be submitted via ithelpdesk@capitalcatering.ae and CC may verify your identity before acting. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

19.3. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

19.4. We endeavour to respond to all legitimate requests within one month of receipt. Where requests are complex or numerous, this period may be extended by a further two (2) months, with prior notification to you of the reason for delay.

20.1. While CC implements comprehensive administrative, technical, and organizational measures to ensure data protection, CC shall not be liable for:

a. the data protection practices of third-party websites, applications, or services linked through CC's Platforms;
b. unauthorized access, interception, or use of your personal data arising from factors beyond CC's reasonable control; or
c. any indirect, consequential, or incidental loss arising from your reliance on or use of third-party services.

20.2. Your use of third-party websites or platforms accessed through CC's digital channels is at your sole risk, and such third parties' respective privacy statements shall apply.

21.1. This Privacy Policy may be updated from time to time to reflect changes in our practices, technology, legal obligations, or service offerings. Any amendments will be published on our website with an updated "Last Updated" date. Where required, we will notify you of significant changes and seek renewed consent.

22.1. If you have any questions or concerns about this Privacy Policy or the handling of your personal data, you may contact us at cybersecurity@modon.com