Privacy Policy
Last updated: April 2026
This policy explains what personal data Innovex Agency collects, why we collect it, how long we keep it, and what rights you have. It is written to comply with the EU General Data Protection Regulation (GDPR) and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
1. Who we are (data controller)
The data controller responsible for personal data collected through innovexagency.com is INNOVEX TECHNOLOGIES LLC, registered at Warehouse 1, Street 9, Nadd Al Hamar, Dubai, United Arab Emirates — P.O. Box 500001 (registration number Trade Licence 950354). For data protection enquiries, contact legal@innovexagency.com.
- Trade Licence:
- 950354
- VAT (TRN):
- 104034570200003
- Landline:
- +971 4 355 4810
- Mobile:
- +971 52 233 0004
We are not required to appoint a Data Protection Officer under GDPR Article 37; data protection enquiries are handled by the founder via the address above.
2. What we collect and why
We collect personal data only when you actively share it with us, or when our analytics tools record interaction with our site (after you have consented). Each surface is listed below with its lawful basis under GDPR Article 6 and UAE PDPL Article 5.
| Surface | Data | Lawful basis |
|---|---|---|
| Contact form | Name, email, phone, company, project description, optional brief upload | Pre-contractual steps at the data subject's request — GDPR Art. 6(1)(b) / UAE PDPL Art. 5 |
| Newsletter signup | Email address | Consent — GDPR Art. 6(1)(a) / UAE PDPL Art. 5 |
| Job application | Name, email, phone, role, experience, LinkedIn URL, portfolio URL, cover letter, CV upload | Consent (explicit checkbox at submission); pre-contractual steps if hired |
| Applicant portal sign-in | Email address, sign-in token | Contract performance — providing the portal you signed up for |
| AI chat assistant | Message text you send. No name, email, or account data unless you choose to type it. Conversation kept in your browser tab only; only aggregate spend totals are stored on our server. | Legitimate interests in operating an on-site assistant that helps visitors find relevant information about our services — GDPR Art. 6(1)(f) / UAE PDPL Art. 5. You can object at any time under Art. 21 by closing the chat panel and emailing privacy@innovexagency.com to request we don't process any further messages from you. Processed by Anthropic PBC under SCCs (see sub-processors below). |
| Analytics cookies | Page views, referrer, device, anonymised IP via Google Analytics; conversion tracking via Meta Pixel | Consent — only loaded after you accept on the cookie banner |
We never sell personal data, never use it to train AI models, and never share it with third parties beyond the named sub-processors below.
3. Cookies and tracking
We use a small number of cookies, all gated behind explicit consent. The cookie banner appears on first visit and lets you accept or decline analytics + marketing tracking independently.
- Necessary — session cookies for sign-in (`innovex_session`, `innovex_admin`) and theme preference. Cannot be disabled without breaking sign-in.
- Analytics — Google Analytics (GA4) measures which pages help and which don't. Loaded only after consent.
- Marketing — Meta Pixel (Facebook/Instagram) measures conversion from paid social campaigns. Loaded only after consent.
You can change your cookie preferences at any time by tapping the Cookie preferences link in the page footer — the consent banner reappears and lets you re-decide. (Clearing your browser's site data for innovexagency.com works too, but the footer link is one click.)
4. Sub-processors
The following third parties process personal data on our behalf. We have signed a Data Processing Addendum (DPA) with each, or rely on their standard published DPA terms:
- Resend (transactional email — contact, careers, magic links). USA.
- Google LLC — Google Analytics 4 (site analytics, after consent). USA.
- Meta Platforms Ireland Ltd — Meta Pixel (conversion tracking, after consent). Ireland / USA.
- Cal.com (booking iframe — only loads when you click "Book a discovery call"). USA / EU.
- Anthropic PBC (Claude API powers the on-site AI chat assistant — receives only the text you type into the chat panel, plus our site's knowledge base). USA, under EU SCCs and Anthropic's standard published Data Processing Addendum. Anthropic does not use API inputs to train its models.
- Hosting infrastructure — primary site hosted on a virtual private server in the Middle East / EU region; CV uploads and applicant data are stored on the hosting filesystem only.
5. International data transfers
Some of our sub-processors are based outside the European Economic Area or the United Arab Emirates. For each such transfer we rely on one of the following safeguards:
- Standard Contractual Clauses (SCCs) — Resend (US), Google (US) for analytics, and Anthropic (US) for the AI chat assistant, under the European Commission's standard transfer terms (2021/914).
- EU-US Data Privacy Framework — Meta Platforms is certified under the framework, allowing lawful transfer of EU personal data to the US under the European Commission's adequacy decision (2023).
- UAE PDPL Art. 22 — for personal data of UAE residents transferred outside the UAE, we rely on the recipient's adequacy status under UAE Data Office guidance and on contractual safeguards in the DPA. Specifically, transfers to Anthropic (US) for the AI chat assistant rely on the contractual-safeguards leg of Art. 22 via Anthropic's standard published DPA, in the absence of a UAE adequacy decision for the United States.
6. How long we keep your data
- Contact-form enquiries — 24 months from the last contact, or until you ask us to delete them.
- Newsletter subscribers — until you unsubscribe (every email contains a one-click unsubscribe link).
- Newsletter consent records — for the duration of the subscription plus 3 years after unsubscribe. We are required to be able to demonstrate consent under GDPR Art. 7(1); these records are how we do that. Each record holds the timestamp, the consent text shown, and pseudonymised request metadata (HMAC-hashed IP and User-Agent) — never the raw values.
- Job applications — 12 months after the last status change. Deleted earlier on request.
- CV uploads (applicants and contact briefs) — same retention as the parent submission.
- Applicant portal accounts — duration of the relationship + 12 months of inactivity.
- Analytics data (GA4 / Meta Pixel) — governed by each provider's default retention setting (14 months for GA4; configurable on Meta).
- AI chat conversations — the conversation lives in your browser tab's session storage and is cleared when you close the tab. We do not store conversation content on our servers. Anthropic does not retain API inputs beyond the request lifetime under their published commercial terms for API customers, and does not use the inputs to train models. The chat rate-limiter holds a pseudonymised, HMAC-keyed counter of requests per IP for ten minutes, then expires.
7. Your rights
Under GDPR and UAE PDPL you have the following rights over your personal data:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — delete data we hold about you, subject to overriding legal obligations.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on our legitimate interest, or to direct marketing.
- Withdrawal of consent — for any processing based on consent (newsletter, analytics, marketing cookies). Withdrawal does not affect processing already carried out.
- Complaint to a supervisory authority — your local data protection authority in the EU, or the UAE Data Office. We hope you will contact us first so we can resolve any concerns.
To exercise any of these rights, email legal@innovexagency.com with the request and proof of identity (we may ask for a government-issued ID, redacted to the minimum needed to verify you, to prevent unauthorised access). We respond within 30 calendar days as required by GDPR Art. 12(3) and UAE PDPL Art. 14.
8. Security
We protect personal data with appropriate technical and organisational measures, including:
- HTTPS encryption in transit on every page.
- HMAC-signed session cookies (HttpOnly, SameSite=Lax) for sign-in.
- Server-side magic-byte verification on all uploaded files (PDF, DOC, DOCX) to defend against MIME-spoofed payloads.
- Two-factor authentication on every Innovex team member's cloud accounts.
- Access to applicant data is restricted to named team members with a defined business need.
- Strict Content Security Policy with nonce-based script allowlist on every response.
The full operational-security detail is published on our Trust & Compliance page.
9. If a data breach occurs
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33), and notify affected individuals without undue delay where the risk is high (GDPR Art. 34). For UAE residents we follow the UAE Data Office notification procedure under PDPL Art. 26.
10. Children
Our website is not directed at persons under the age of 16. We do not knowingly collect personal data from minors. If we become aware that a person under 16 has submitted personal data, we will delete it without delay. If you are a parent or guardian and believe your child has shared personal data with us, please contact legal@innovexagency.com.
The AI chat assistant in particular is intended for adult prospective clients evaluating our services. It is not a service for children, and we ask that visitors do not type their own or anyone else's personal data into the chat.
11. Changes to this policy
We may update this policy to reflect changes in law, our services, or our processing activities. The "Last updated" date at the top of this page indicates when the most recent substantive change was made. Material changes that affect how we use your personal data will be communicated to active users by email where we have the right contact details.
12. Contact
For any question about this policy or about how we handle personal data, contact us at legal@innovexagency.com or by post at INNOVEX TECHNOLOGIES LLC, Warehouse 1, Street 9, Nadd Al Hamar, Dubai, United Arab Emirates — P.O. Box 500001.