Privacy Policy — transparent by design.

ZhenyYET FZE ("ZhenyYET", "we", "us") is a free-zone establishment registered in Dubai, United Arab Emirates, with offices at Bay Square, Building 7, Office 1408, Business Bay. We act as the data controller for personal information collected through our website, marketing channels and direct client engagements.

For matters relating to this notice, you can reach our Data Protection Officer at [email protected] or by post at the address above. Where you are based outside the UAE, your local supervisory authority may also have jurisdiction; we will cooperate with cross-border requests in good faith.

This notice describes how we handle personal data in three distinct contexts: visitors to zhenyyet.com, prospective clients who contact us through forms or email, and individuals connected to our active engagements (such as employees of a client organisation).

It does not cover personal data we process strictly on behalf of a client under a separate Data Processing Agreement — in those cases, the client remains the controller and we act as a processor under their instructions.

From website visitors we collect minimal first-party analytics (aggregated page views, referrers, approximate region, device class). We do not run advertising trackers and do not sell visitor data.

When you contact us, we collect the information you choose to provide (typically name, work email, company, role and a brief description of your enquiry). For active engagements, we additionally process business contact details and any data shared with us as part of investigations, takedown requests or security assessments — always under contract.

We process personal data to (i) respond to enquiries and prepare proposals; (ii) deliver the services you contract us for; (iii) operate, secure and improve our website and infrastructure; (iv) comply with legal, tax and regulatory obligations in the UAE and applicable jurisdictions; and (v) communicate occasional service updates to existing clients.

We rely on legitimate interests, contract performance and legal obligation as our primary lawful bases. Where consent is required (for example, marketing emails to non-clients), we ask for it explicitly and you can withdraw it at any time.

We share personal data only with vetted sub-processors that support our operations (cloud hosting, secure email, ticketing, accounting, audit). Each sub-processor is bound by written confidentiality and security commitments at least equivalent to our own.

We do not sell personal data. We may disclose information when required by a court, regulator or competent authority, and we will notify affected individuals where legally permitted.

Our primary infrastructure is hosted in the UAE and the European Union. Where personal data is transferred outside its country of origin, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions or, where applicable, your explicit consent. A summary of current sub-processors and transfer mechanisms is available on request.

Subject to applicable law, you have the right to access, correct, delete or restrict the processing of your personal data, to object to certain processing activities and, where relevant, to data portability. To exercise these rights, write to [email protected] from the email address associated with your data; we may ask for additional verification before acting on a request.

We aim to respond to verified requests within thirty (30) calendar days. If you are unhappy with our response, you may lodge a complaint with your local supervisory authority.

We retain personal data only for as long as necessary to fulfil the purposes set out above, plus any period required by law (typically up to seven years for financial records). Engagement data is purged or anonymised within ninety (90) days of contract termination unless a longer retention period has been agreed in writing.

We review this notice at least annually. Material changes are communicated through a banner on our website and, for active clients, by direct email at least thirty (30) days before they take effect.