Privacy Policy

Effective Date:01-01-2026 | Last Updated: 01-01-2026

1. INTRODUCTION

Eglinton Properties LLC (“Eglinton Properties,” “we,” “us,” or “our”) is a real estate company organized and existing under the laws of the United Arab Emirates (“UAE”), with its principal place of business in the UAE. We are committed to protecting the privacy and personal data of our clients, prospective clients, website visitors, business partners, and all other individuals with whom we interact (collectively, “you” or “data subjects”).

This Privacy Policy (the “Policy”) describes how we collect, use, disclose, transfer, store, retain, and otherwise process your personal data in connection with our real estate brokerage, sales, leasing, marketing, property management, investment advisory, and related services (the “Services”). This Policy applies globally and is designed to comply with applicable data protection and privacy laws in all jurisdictions in which we operate, market, or otherwise process personal data, including, without limitation:

• The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”) and its Executive Regulations
• The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020
• The Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021
• The EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and the UK GDPR / Data Protection Act 2018
• The Kingdom of Saudi Arabia’s Personal Data Protection Law (“KSA PDPL”)
• The Bahrain Personal Data Protection Law (Law No. 30 of 2018)
• The Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)
• The Oman Personal Data Protection Law (Royal Decree No. 6/2022)
• The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and other applicable U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and others)
• Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and provincial equivalents
• Singapore’s Personal Data Protection Act 2012 (“PDPA”)
• India’s Digital Personal Data Protection Act, 2023 (“DPDPA”)
• Australia’s Privacy Act 1988 and the Australian Privacy Principles

Brazil’s Lei Geral de Proteção de Dados (“LGPD”); and

Any other applicable data protection, privacy, electronic communications, and consumer protection laws and regulations in jurisdictions where you reside or where your personal data is otherwise processed.

By accessing our website, engaging our Services, or otherwise providing us with your personal data, you acknowledge that you have read and understood this Policy.

2. DATA CONTROLLER AND CONTACT INFORMATION

Eglinton Properties LLC is the “data controller” (or equivalent role such as “business,” “data fiduciary,” or “personal information controller”) responsible for your personal data under this Policy.

Registered Office: 1907 regal tower, Dubai, United Arab Emirates

General Inquiries: advisory@offplanx.ae

Data Protection Inquiries: advisory@offplanx.ae

Telephone: +971-+971-4-284-2484

If you are located in the European Economic Area (EEA) or United Kingdom and we are required to appoint a representative, our representative will be identified on request to the contact details above. Our Data Protection Officer (“DPO”), where appointed, may be reached at the data protection email indicated above.

3. KEY DEFINITIONS

For the purposes of this Policy, the following terms shall have the meanings ascribed below, interpreted, where applicable, consistently with the relevant data protection law in the jurisdiction in question:

“Personal Data” means any information relating to an identified or identifiable natural person.

“Sensitive Personal Data” means special categories of data as defined under applicable law, including data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, biometric or genetic data, health data, data concerning a person’s sex life or sexual orientation, criminal records, and any other data treated as sensitive under applicable law.

“Processing” means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

“Data Subject” means the natural person to whom personal data relates.

“Data Processor” means a natural or legal person who processes personal data on behalf of the controller.

4. CATEGORIES OF PERSONAL DATA WE COLLECT

Depending on the nature of your interaction with us, we may collect and process the following categories of personal data:

4.1 Identification and Contact Information

• Full name, title, gender, date of birth, nationality, country of residence, marital status, and family members’ details where relevant to a transaction
• Passport details, Emirates ID, national identification number, visa details, residency status, and copies of related identification documents
• Home, mailing, and business addresses, email addresses, telephone numbers, and other contact details

Photographs, biometric data (where collected for KYC, building access, or similar purposes and to the extent permitted by law), and signature samples.

4.2 Financial and Transactional Information

• Bank account details, IBAN, SWIFT codes, credit/debit card information, payment history, source of funds and source of wealth declarations
• Tax residency information, Tax Identification Numbers (TIN), VAT numbers, FATCA/CRS self-certifications
• Income, employment, occupation, employer details, salary range, and creditworthiness information

Mortgage and financing details, deposit receipts, escrow account information, payment plan records, and transaction history.

4.3 Property and Transaction Information

• Properties viewed, inquired about, listed, purchased, sold, leased, or managed
• Title deeds, Oqood certificates, Ejari registrations, NOCs, MOU/SPA documents, and other transaction-related records
• Preferences regarding location, property type, budget, amenities, investment objectives, and timing

Correspondence and communications relating to viewings, offers, negotiations, and post-transaction matters.

4.4 KYC, AML, and Compliance Data

• Know-Your-Customer (KYC), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) data
• Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) screening results, including Politically Exposed Person (PEP), sanctions, and adverse media screening

Beneficial ownership information for corporate clients.

4.5 Digital, Technical, and Usage Data

• IP address, device identifiers, browser type and version, operating system, language preferences, and time zone settings
• Website usage data including pages visited, click paths, referring/exit URLs, search terms, session duration, and engagement metrics
• Cookies, pixel tags, web beacons, local storage, and similar tracking technologies
• Geolocation data (where you consent to its collection)

Communications with us via email, WhatsApp, SMS, social media, chatbots, telephone (including call recordings, where lawfully made), and our customer relationship management (CRM) systems.

4.6 Marketing and Preference Data

• Marketing preferences and consents, subscription status, and engagement with marketing communications
• Survey responses, feedback, testimonials, and event attendance information

Information you submit through our forms, social media profiles, advertising campaigns, and lead generation activities.

4.7 Sensitive Personal Data

We do not generally seek to collect sensitive personal data. However, in limited circumstances we may receive such data (for example, accessibility requirements relating to property tours, or health information relevant to property modifications). Where we do, we will only process such data with your explicit consent or as otherwise permitted by applicable law.

5. SOURCES OF PERSONAL DATA

We collect personal data from the following sources:

• Directly from you — when you complete forms, register with us, contact us, attend viewings or events, transact with us, or otherwise interact with our Services
• From third parties — including developers, landlords, tenants, joint sellers/buyers, brokers, mortgage providers, banks, conveyancers, lawyers, public registries (e.g., Dubai Land Department, RERA, Trakheesi), credit bureaus, KYC/AML screening services, public databases, sanctions lists, and adverse media sources
• Automatically — through cookies, tracking technologies, server logs, CCTV (where lawfully installed at our premises), and analytics tools when you visit our website or digital platforms

From referrals — such as introductions from existing clients, business partners, marketing partners, lead aggregators, and property portals (e.g., Bayut, Property Finder, Dubizzle).

6. PURPOSES OF PROCESSING AND LEGAL BASES

We process your personal data for the purposes described below. The legal basis on which we rely may vary depending on the jurisdiction and the nature of the processing. Where the GDPR, DIFC Data Protection Law, ADGM Data Protection Regulations, or analogous laws apply, our legal bases include performance of a contract, compliance with legal obligations, legitimate interests, consent, and (in limited cases) vital interests or public interest.

6.1 Provision of Services

• To respond to your inquiries and provide information about properties, market conditions, and our Services
• To facilitate property viewings, valuations, negotiations, sales, purchases, leases, and property management
• To prepare, execute, and administer contracts, MOUs, SPAs, tenancy contracts, and related documentation
• To process payments, deposits, commissions, and refunds, and to manage escrow arrangements

To provide post-transaction services such as handover, snagging, property management, and tenancy renewals.

Legal basis: performance of a contract or taking steps prior to entering into a contract; legitimate interests in operating our business.

6.2 Compliance with Legal and Regulatory Obligations

• Compliance with UAE laws including the Real Estate Regulatory Agency (RERA) rules, Dubai Land Department (DLD) requirements, Federal AML/CTF Law (Federal Decree-Law No. 20 of 2018), and applicable Free Zone regulations
• Verification of identity and conducting KYC, CDD, EDD, sanctions, PEP, and adverse media screening
• Reporting suspicious transactions to competent authorities (including the UAE Financial Intelligence Unit)
• Tax, accounting, and audit obligations, including FATCA, CRS, and economic substance reporting where applicable

Responding to lawful requests from courts, regulators, law enforcement agencies, and other public authorities.

Legal basis: compliance with legal obligations.

6.3 Marketing and Business Development

• Sending you newsletters, market updates, property listings, event invitations, and other marketing communications
• Personalising marketing content based on your preferences and engagement
• Conducting market research, customer satisfaction surveys, and analytics

Running advertising campaigns, including via social media platforms and search engines.

Legal basis: your consent (where required) and/or our legitimate interests in promoting our Services. You may withdraw your consent or object at any time (see Section 9).

6.4 Operational, Security, and Administrative Purposes

• Managing our IT systems, networks, websites, and cybersecurity
• Detecting, preventing, and investigating fraud, security incidents, and other unlawful activities
• Internal training, quality assurance, and recording of communications

Corporate transactions including mergers, acquisitions, restructurings, financings, and due diligence.

Legal basis: legitimate interests; compliance with legal obligations.

6.5 Establishing, Exercising, or Defending Legal Claims

To enforce our contracts and protect our rights, property, or safety, and that of our clients, employees, and the public.

Legal basis: legitimate interests; compliance with legal obligations.

7. COOKIES AND SIMILAR TECHNOLOGIES

Our website uses cookies and similar tracking technologies (such as pixels, web beacons, SDKs, and local storage). Cookies are small text files placed on your device to enable functionality, analyze usage, and deliver targeted advertising. The categories we use include:

• Strictly Necessary Cookies — required for the operation of our website (cannot be disabled)
• Functional Cookies — enable enhanced functionality and personalization
• Analytics/Performance Cookies — help us understand how visitors use our website (e.g., Google Analytics)

Advertising/Targeting Cookies — used to deliver relevant ads on our website and third-party platforms (e.g., Google Ads, Meta Pixel, LinkedIn Insight Tag).

Where required by law (e.g., GDPR, UK PECR, KSA PDPL), we will obtain your prior consent for the use of non-essential cookies through a cookie banner or preference center. You can also manage cookies through your browser settings. Disabling cookies may affect the functionality of our website.

8. DISCLOSURE AND SHARING OF PERSONAL DATA

We do not sell your personal data in the traditional sense. However, depending on your jurisdiction (e.g., California), certain data-sharing practices may be considered “sales” or “sharing” under applicable law. We may disclose your personal data to the following categories of recipients, subject to appropriate safeguards:

• Group Companies and Affiliates — our parent, subsidiaries, and affiliated entities for the purposes set out in this Policy
• Service Providers and Processors — including IT and cloud service providers, CRM and marketing platforms, hosting providers, payment processors, customer support, analytics providers, professional advisors (lawyers, auditors, consultants), and document management providers
• Counterparties and Transaction Participants — including developers, landlords, tenants, sellers, buyers, brokers, conveyancers, escrow agents, banks, mortgage providers, valuers, surveyors, and insurance providers
• Government Authorities and Regulators — including the Dubai Land Department, RERA, DET, the UAE Central Bank, Free Zone authorities, the Financial Intelligence Unit, tax authorities, courts, law enforcement, and other competent authorities
• Marketing and Advertising Partners — such as Google, Meta, LinkedIn, TikTok, and similar platforms, where you have consented or as otherwise permitted by law

Successors in Interest — in connection with any actual or proposed sale, merger, acquisition, financing, restructuring, insolvency, or similar transaction.

9. INTERNATIONAL DATA TRANSFERS

We are headquartered in the UAE and may transfer your personal data to, store it in, and process it in countries other than your country of residence, including jurisdictions that may not provide the same level of data protection as your home country. Such transfers may include, without limitation, transfers to other GCC states, the EEA, the United Kingdom, the United States, India, and other jurisdictions where our service providers and affiliates are based.

Where required by applicable law, we implement appropriate safeguards to ensure adequate protection of your personal data during cross-border transfers, including:

• Transfers to jurisdictions deemed “adequate” under the relevant law (e.g., UAE PDPL adequacy decisions, European Commission adequacy decisions)
• Standard Contractual Clauses (SCCs) or equivalent contractual mechanisms approved by the relevant regulator (e.g., DIFC Standard Contractual Clauses, EU SCCs, UK International Data Transfer Agreement / Addendum, ADGM data export agreements)
• Binding Corporate Rules (BCRs) within our corporate group, where applicable

Your explicit consent or other lawful derogations where permitted by law.

You may request a copy of the relevant safeguards in place by contacting us using the details in Section 2 (subject to redactions for confidentiality).

10. DATA RETENTION

We retain your personal data only for as long as necessary to fulfil the purposes set out in this Policy, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements, and to establish, exercise, or defend legal claims. Retention periods are determined based on:

• The nature and sensitivity of the personal data
• The potential risk of harm from unauthorized use or disclosure
• The purposes for which we process the data and whether those purposes can be achieved by other means

Applicable legal, regulatory, and contractual requirements (for example, UAE AML laws generally require retention of records for at least five (5) years from the end of the business relationship or completion of the transaction; tax records may need to be retained for longer).

Once your personal data is no longer required, we will securely delete, anonymize, or destroy it in accordance with our data retention schedule.

11. YOUR RIGHTS

Subject to applicable law and any conditions or exemptions, you may have the following rights in respect of your personal data:

• Right to Access — to obtain confirmation of whether we process your personal data and a copy of such data
• Right to Rectification — to correct inaccurate or incomplete data
• Right to Erasure / Deletion — to request deletion of your data in certain circumstances (also known as the “right to be forgotten”)
• Right to Restriction — to restrict our processing in certain circumstances
• Right to Data Portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller
• Right to Object — to object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
• Right Not to Be Subject to Automated Decision-Making — including profiling that produces legal or similarly significant effects
• Right to Lodge a Complaint — with the UAE Data Office, DIFC Commissioner of Data Protection, ADGM Office of Data Protection, your local supervisory authority (e.g., EU/EEA Data Protection Authority, UK ICO), or other competent regulator
• Right to Non-Discrimination — (for California residents and similar jurisdictions) we will not discriminate against you for exercising your privacy rights
• Right to Opt-Out of Sale/Sharing — (for California, Virginia, Colorado, Connecticut, and similar U.S. state residents) you may opt out of any “sale” or “sharing” of personal data and the use of sensitive data for certain purposes

Authorized Agent — you may designate an authorized agent to act on your behalf where permitted by law (subject to verification).

To exercise any of these rights, please contact us using the details in Section 2. We will respond within the timeframes prescribed by applicable law (generally within one (1) month under GDPR, forty-five (45) days under CCPA, and as required under other applicable laws). We may need to verify your identity before responding.

12. DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These measures include, where appropriate:

• Encryption of data in transit and at rest
• Access controls, authentication, and role-based permissions
• Network and endpoint security, firewalls, and intrusion detection
• Staff training, confidentiality obligations, and background checks
• Vendor due diligence, contractual safeguards, and ongoing monitoring
• Business continuity, backup, and disaster recovery procedures

Incident response and breach notification protocols.

Despite our safeguards, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

13. CHILDREN’S PRIVACY

Our Services are intended for individuals aged eighteen (18) years and older. We do not knowingly collect personal data from children. Where parental consent is required by applicable law for processing a minor’s data (for example, under GDPR, COPPA in the United States, or KSA PDPL), we will obtain such consent in accordance with the applicable legal requirements. If you believe that we have inadvertently collected personal data from a child without proper consent, please contact us so that we may take appropriate action.

14. THIRD-PARTY WEBSITES AND SERVICES

Our website and communications may contain links to third-party websites, platforms, plug-ins, and applications (for example, property portals, social media platforms, and developer websites). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites or services and are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party website or service that you visit.

15. JURISDICTION-SPECIFIC PROVISIONS

The following provisions supplement this Policy and apply to data subjects in the jurisdictions specified. In the event of any conflict between this Section 15 and other provisions of this Policy, the provisions of this Section 15 shall prevail in respect of data subjects in the relevant jurisdiction.

15.1 United Arab Emirates (UAE) — Federal PDPL

If you are located in the UAE (outside of DIFC and ADGM), the Federal UAE PDPL applies. You have rights of access, rectification, erasure, restriction, portability, and objection. Complaints may be submitted to the UAE Data Office (https://u.ae/en/about-the-uae/digital-uae/data/data-office).

15.2 DIFC and ADGM

If your personal data is processed within the Dubai International Financial Centre, the DIFC Data Protection Law No. 5 of 2020 applies, and you may contact the DIFC Commissioner of Data Protection (commissioner@dp.difc.ae). If processed within the Abu Dhabi Global Market, the ADGM Data Protection Regulations 2021 apply, and you may contact the ADGM Office of Data Protection.

15.3 European Economic Area (EEA) and United Kingdom

If you are located in the EEA or UK, the GDPR/UK GDPR applies. The legal bases for processing your data are as set out in Section 6. You have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner’s Office at https://ico.org.uk). We will appoint an EU/UK representative where required under Article 27 GDPR.

15.4 California, USA (CCPA/CPRA)

If you are a California resident, you have rights under the CCPA/CPRA, including the rights to know, delete, correct, limit the use of sensitive personal information, opt out of “sale” or “sharing” of personal information, and non-discrimination. In the preceding twelve (12) months, we may have collected the categories of personal information described in Section 4 and disclosed such information for business purposes to the categories of recipients listed in Section 8. We do not knowingly sell or share the personal information of minors under 16 without affirmative authorization. To submit requests, use the contact details in Section 2 or our designated webform (where available). Verifiable requests will be processed within forty-five (45) days, subject to extension.

15.5 Other U.S. States

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, Indiana, Nebraska, New Jersey, New Hampshire, Minnesota, Maryland, and other states with comprehensive privacy laws have rights similar to those described in Section 11, including rights of access, correction, deletion, portability, and to opt out of targeted advertising, sale of personal data, and certain profiling. You may also appeal our decisions in accordance with applicable law.

15.6 Kingdom of Saudi Arabia (KSA PDPL)

Personal data of data subjects in the Kingdom of Saudi Arabia is processed in accordance with the KSA PDPL and its Implementing Regulations. Cross-border transfers comply with the conditions prescribed by the Saudi Data and Artificial Intelligence Authority (SDAIA).

15.7 Other GCC and MENA Jurisdictions

For data subjects in Bahrain, Qatar, Oman, Kuwait, Egypt, Jordan, and other regional jurisdictions, we comply with applicable local data protection laws, including the Bahrain PDPL, Qatar PDPPL, Oman PDPL, and the Egyptian Personal Data Protection Law (Law No. 151 of 2020).

15.8 Other International Jurisdictions

For data subjects in Canada (PIPEDA and provincial laws including Quebec’s Law 25), Singapore (PDPA), India (DPDPA), Australia (Privacy Act 1988), Brazil (LGPD), Switzerland (revFADP), and other jurisdictions, we comply with the applicable local data protection laws. Specific local rights and contact details for supervisory authorities are available upon request.

16. AUTOMATED DECISION-MAKING AND PROFILING

We may use automated tools to assist with KYC/AML screening, fraud prevention, lead scoring, property recommendations, and marketing personalization. These activities may involve profiling. We do not make decisions producing legal effects or similarly significant effects on you based solely on automated processing without appropriate safeguards (such as human review). Where required by law, you have the right to obtain human intervention, to express your point of view, and to contest such decisions.

17. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. The updated Policy will be posted on our website with a revised “Last Updated” date. Where the changes are material, we will provide additional notice (such as via email or a prominent notice on our website). Your continued use of our Services after such changes constitutes your acknowledgment of the revised Policy, to the extent permitted by applicable law.

18. GOVERNING LAW AND DISPUTE RESOLUTION

This Policy shall be governed by and construed in accordance with the laws of the United Arab Emirates, without prejudice to any mandatory provisions of the law of the jurisdiction in which you reside. Any dispute arising out of or in connection with this Policy shall, subject to your statutory rights, be subject to the exclusive jurisdiction of the competent courts of the Emirate of Dubai, United Arab Emirates.

19. HOW TO CONTACT US

If you have any questions, comments, complaints, or requests regarding this Policy or our processing of your personal data, please contact us at:

Eglinton Properties LLC

Attention: Data Protection Officer / Privacy Team

Address: 1907 Regal Tower, Dubai, United Arab Emirates

Email: advisory@offplanx.ae

— End of Privacy Policy —