GulfCAPITAL

LEGAL & COMPLIANCE

Regulatory & Legal Documents

Introduction

GulfCapital Management Ltd and its affiliated entities (collectively, "GulfCapital", "we", "our", or "us") are committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information in connection with our investment management services, website operations, and other business activities.

GulfCapital is incorporated in the Dubai International Financial Centre (DIFC) and regulated by the Dubai Financial Services Authority (DFSA). Our operations in Abu Dhabi are regulated by the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM). As such, we operate within a dual regulatory framework and adhere to the DIFC Data Protection Law No. 5 of 2020 (as amended), the ADGM Data Protection Regulations 2021, and applicable UAE federal data protection legislation.

This Policy applies to all individuals whose personal data we process, including current and prospective investors, website visitors, counterparties, service providers, and employees of institutional clients.

Data We Collect

Depending on your relationship with GulfCapital, we may collect and process the following categories of personal data:

Identity and Contact Data

  • Full name, title, and date of birth
  • Nationality, passport or national ID details
  • Email address, telephone number, and postal address
  • Employer name and professional role

Financial and Investment Data

  • Net worth and investable assets information
  • Source of wealth and source of funds documentation
  • Bank account details and investment portfolio information
  • Transaction history and account statements
  • Tax identification numbers and residency information

Technical and Usage Data

  • IP address, browser type, and device identifiers
  • Pages visited, time spent, and navigation paths on our website
  • Cookie identifiers and preference settings

Correspondence Data

  • Emails, letters, and call recordings where consent has been obtained or where required by regulation
  • Notes from meetings and investor relations interactions

We do not intentionally collect special category data (e.g., health, biometric, or political opinions) unless specifically required by applicable law or regulation and only with your explicit consent.

How We Use Your Data

We use your personal data for the following purposes:

Investment Management and Servicing

Processing subscriptions, redemptions, and transfers; maintaining investor accounts; distributing capital call and distribution notices; and providing fund performance reporting and investor communications.

Regulatory Compliance

Conducting Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorist Financing (CTF) checks; complying with DFSA and FSRA reporting obligations; fulfilling FATCA, CRS, and other tax transparency requirements; and responding to lawful requests from regulatory authorities.

Risk Management and Fraud Prevention

Assessing investor suitability and appropriateness; monitoring for suspicious activity; maintaining internal audit and compliance records.

Marketing and Communications

Sending investor newsletters, research publications, and event invitations where you have provided consent or where we have a legitimate interest and a prior relationship exists. You may opt out at any time.

Website and Technology Operations

Maintaining the security and functionality of our website; analysing usage patterns to improve our online services; troubleshooting technical issues.

Under the DIFC Data Protection Law, we process your personal data on the following legal grounds:

PurposeLegal Basis
Investor onboarding and KYCContractual necessity; Legal obligation
AML/CTF complianceLegal obligation (DFSA/FSRA rules)
Fund administrationContractual necessity
Marketing communicationsLegitimate interests; Consent
Website analyticsLegitimate interests; Consent (cookies)
Regulatory reportingLegal obligation

Sharing Your Data

We do not sell, rent, or trade your personal data. We may disclose your data to the following categories of recipients where necessary:

  • Service providers: Fund administrators, custodians, prime brokers, auditors, legal counsel, and IT service providers acting as data processors under contractual obligations of confidentiality.
  • Regulatory authorities: The DFSA, FSRA, UAE Central Bank, and other competent authorities where required by law.
  • Tax authorities: Including exchange of information under FATCA (to US IRS via UAE authorities) and OECD Common Reporting Standards.
  • Professional advisers: Lawyers, accountants, and risk consultants engaged on a need-to-know basis under professional secrecy obligations.
  • Business transferees: In the event of a merger, acquisition, or restructuring of GulfCapital's business, personal data may be disclosed as part of due diligence and subsequently transferred to any acquirer.

International Data Transfers

GulfCapital may transfer personal data to countries outside the DIFC and UAE, including to our London office and international service providers. Where we transfer data outside jurisdictions deemed to have adequate data protection standards, we put in place appropriate safeguards, including:

  • Standard contractual clauses approved by the Commissioner of Data Protection;
  • Binding corporate rules where applicable;
  • Reliance on regulatory exemptions for investment management activities.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. In practice:

  • Investor account records are retained for a minimum of six years from the date of the last transaction, in accordance with DFSA requirements.
  • AML/KYC records are retained for a minimum of six years after the business relationship ends.
  • Website interaction logs are retained for up to 26 months.
  • Marketing contact records are retained until you withdraw consent or opt out.

Your Rights

Subject to applicable law, you have the following rights in respect of your personal data:

  • Right of access: To request a copy of the personal data we hold about you.
  • Right to rectification: To request correction of inaccurate or incomplete data.
  • Right to erasure: To request deletion of your data, subject to our legal retention obligations.
  • Right to restriction: To request that we restrict the processing of your data in certain circumstances.
  • Right to data portability: To receive your data in a structured, commonly used format.
  • Right to object: To object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact our Data Protection Officer (details below). We will respond within 30 days. In some cases, we may need to verify your identity before fulfilling a request.

Security

GulfCapital implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

  • Encryption of data in transit and at rest;
  • Role-based access controls and multi-factor authentication;
  • Regular penetration testing and security audits;
  • Staff training on data protection and information security;
  • Incident response and breach notification procedures aligned with DFSA and FSRA requirements.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant regulatory authority within 72 hours and will notify you without undue delay if the breach is likely to result in a high risk to you.

Cookies

We use cookies and similar tracking technologies on our website. Please refer to our Cookie Policy for full details of the cookies we use, their purposes, and how to manage your preferences.

Contact Our Data Protection Officer

If you have any questions about this Privacy Policy, wish to exercise any of your rights, or wish to make a complaint, please contact our Data Protection Officer:

GulfCapital Management Ltd
Data Protection Officer
Gate Village 4, Level 5
DIFC, Dubai, UAE
dpo@gulfcapital.com

You also have the right to lodge a complaint with the DIFC Commissioner of Data Protection at www.difc.ae or with the ADGM Registration Authority.

REGULATORY NOTE

GulfCapital is authorised and regulated by the DFSA (Reference No. F001234) and the FSRA of ADGM (Reference No. 190005678). This Privacy Policy is reviewed annually and was last updated on 1 January 2025. We reserve the right to update this Policy at any time; material changes will be communicated to affected individuals.