
Privacy Policy

⚠️ DRAFT — this document is a working draft pending review by legal counsel. Do not rely on it as legal advice. See legal-drafts/README.md for the list of placeholders that must be filled and the clauses that need substantive review.

Last updated · 25 May 2026

Last updated: [LAST_UPDATED]

Controller: [ENTITY_FULL_NAME], licence [ENTITY_LICENSE_NO], [ENTITY_ADDRESS].

1. About this notice

This notice explains how [ENTITY_FULL_NAME] ("Goliath", "we") collects and uses personal data when you visit goliath.technology, contact us through the site, or otherwise interact with us. It is written to meet our obligations under the DIFC Data Protection Law 2020, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the EU General Data Protection Regulation (GDPR), and the UK GDPR — as applicable to the jurisdiction of the person whose data we hold.

If you have any privacy enquiry, contact [ENTITY_DPO_EMAIL].

2. What data we collect

We collect only the data we need to respond to enquiries, deliver our services, and run a secure, legal website.

When you contact us through the site (intake chat or partner form):

  • Name
  • Job title
  • Company / organisation
  • Email address
  • The contents of your message and any attachments
  • Date and time of contact

When you use the website without contacting us:

  • IP address (truncated before it reaches analytics; the full address is kept only in security logs)
  • Browser and device type
  • Referrer URL
  • Pages viewed and approximate session duration
  • Strictly necessary cookies (see our Cookie Notice)

We do not collect sensitive categories of data (health, religious belief, political opinion, biometric, sexual orientation) via this site. If you choose to disclose such information in a free-text message, we will minimise its retention.

3. Why we use it — and on what lawful basis

Purpose and lawful basis (GDPR / DP Law equivalent):

  • Responding to your enquiry: legitimate interest and, where requested, taking steps prior to entering into a contract
  • Sending follow-up information about our services to people who explicitly opt in: consent
  • Site security, fraud prevention and abuse logging: legitimate interest
  • Aggregate, non-identifying analytics: legitimate interest
  • Compliance with legal obligations (e.g. responding to lawful requests): legal obligation

We do not sell personal data. We do not use personal data to train AI models without explicit, separate consent.

4. The AI intake agent ("Goliath Intake")

When you converse with our AI intake agent, the conversation is sent to OpenAI through its API and processed on our behalf. Under OpenAI's API terms, data submitted through the API is not used to train its models by default. The agent generates structured replies that a Goliath partner reviews before any follow-up is sent.

Conversations are retained for up to [RETENTION_DAYS_CONTACT] days from the last interaction for partner review and follow-up. After that period they are deleted or anonymised. We do not retain transcripts beyond that period, or beyond what is needed to respond to your enquiry, whichever is shorter.

You can request a copy of your conversation, ask for it to be deleted, or ask for it to be excluded from future processing at any time, by writing to [ENTITY_DPO_EMAIL].

5. Who we share data with

We share personal data only with:

  • Processors acting on our behalf under written contracts that meet GDPR Article 28 / DP Law equivalent standards. Current processors include:
    • Email infrastructure provider
    • Hosting provider
    • Web analytics provider ([ANALYTICS_PROVIDER])
    • OpenAI — used to power the Goliath Intake AI agent on the contact and home pages
  • Regulators, courts, or law enforcement where we are legally required to disclose data, and only to the extent required.
  • Professional advisors (lawyers, accountants, auditors) on a need-to-know basis.

We do not sell, rent, or trade personal data with anyone, in any market.

6. Cross-border transfers

Goliath operates from DIFC, Dubai. Some of our processors are located outside the UAE — for example, in the European Economic Area, the United Kingdom, or the United States. When we transfer personal data outside the UAE:

  • We rely on adequacy decisions where available (e.g. the DIFC Commissioner's recognition of the EEA and the UK as providing an adequate level of protection for transfers out of DIFC).
  • For data collected from people in the EEA or the UK, the transfer to DIFC is itself a restricted transfer under the GDPR / UK GDPR and is covered by Standard Contractual Clauses (or the UK Addendum / IDTA) unless an adequacy decision applies.
  • Otherwise, we use Standard Contractual Clauses or other safeguards permitted under the DP Law and GDPR.

You can request a copy of the transfer mechanism that applies to your data by writing to [ENTITY_DPO_EMAIL].

7. How long we keep it

Category and retention period:

  • Enquiry messages (intake / partner form / email): [RETENTION_DAYS_CONTACT] days from last contact, then deleted or anonymised
  • Security logs (IP addresses, access logs): 90 days
  • Cookies: see Cookie Notice
  • Contractual records (invoicing, engagement letters): 7 years (DIFC tax and commercial record-keeping requirements)

Aggregate, fully anonymised analytics may be retained indefinitely as they no longer constitute personal data.

8. Your rights

Wherever you are, you have the right to:

  • Know what personal data we hold about you (access)
  • Correct inaccurate data
  • Delete personal data we no longer need to hold
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interest
  • Withdraw consent at any time
  • Data portability — receive your data in a structured, machine-readable format

Depending on your jurisdiction, you may also have the right to lodge a complaint with the DIFC Commissioner of Data Protection, the UAE Data Office, your national EU supervisory authority, or the UK ICO.

To exercise any right, write to [ENTITY_DPO_EMAIL]. We respond within 30 days. Where the request is complex, we may extend by a further 60 days and will tell you the reason.

9. Security

We use industry-standard controls: TLS encryption in transit, encryption at rest, least-privilege access, MFA on all administrative access, and logging and monitoring. We review these controls regularly. No system is perfectly secure, but we hold ourselves to the standard appropriate for a B2B consultancy operating in regulated client environments.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in accordance with applicable law. Where the breach is likely to result in a high risk to you, we will also tell you without undue delay.

10. Children

The site is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, please contact [ENTITY_DPO_EMAIL] and we will delete it.

11. Changes to this notice

We will update this notice when our practices change. Substantive changes are dated at the top and, where the change is material, we will inform people who have previously contacted us.

12. Contact

[ENTITY_DPO_NAME] (Data Protection Officer)
[ENTITY_DPO_EMAIL]
[ENTITY_FULL_NAME]
[ENTITY_ADDRESS]