PRIVACY POLICY
OF THE ALLOSTAPARTNERS.COM WEBSITE
Effective Date: July 03, 2026
Last Updated: July 03, 2026
This Privacy Policy (hereinafter referred to as the "Policy") is issued and operated by Allosta Partners SPC Ltd., a segregated portfolio company registered in the International Corporate Register of the Ras Al Khaimah International Corporate Centre (RAK ICC, UAE) under Registration Number: ICC20231035, having its legal address at: T1 11F-10, RAKEZ Amenity Centre, RAKEZ Business Zones, Al Jazeera Al Hamra, P.O. Box 85649, United Arab Emirates (hereinafter referred to as the "Company" or the "Data Controller").
SECTION 1. PREAMBLE & DATA CONTROLLER DETAILS
1.1. This Privacy Policy (hereinafter — the "Policy") is an official legal document that defines the procedures, conditions, purposes, and legal bases for processing the personal data of Users on the website allostapartners.com, including the integrated scoring platform, the Investor Portal, artificial intelligence components (E-agent "Igor", AI-Avatar video interview module), as well as associated mobile and web applications (collectively referred to as the "Platform" or the "Website").
1.2. The Data Controller under this Policy is Allosta Partners SPC Ltd., a segregated portfolio company registered in the International Corporate Register of the Ras Al Khaimah International Corporate Centre (RAK ICC, UAE), Registration Number: ICC20231035. The legal and business address of the company is: T1 11F-10, RAKEZ Amenity Centre, RAKEZ Business Zones, Al Jazeera Al Hamra, P.O. Box 85649, United Arab Emirates (hereinafter — the "Company" or the "Data Controller").
1.3. This Policy is developed in strict compliance with the provisions of the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL). Concurrently, the substantive law governing the operation of the Platform as a whole is the substantive law of England and Wales, pursuant to the Company's License Agreement.
1.4. The use of the Platform, registration on the Investor Portal, initiation of AI-scoring procedures, as well as full or partial acceptance of the terms of the Company's License Agreement, signifies the unconditional consent of the User (Data Subject) to the terms of this Policy and the data processing procedures established herein. If the User does not agree with the terms of this Policy, they must immediately cease all use of the Platform.
1.5. In order to monitor compliance with personal data protection laws and ensure efficient interaction with Data Subjects and the supervisory authorities of the UAE, the Company has appointed a Data Protection Officer (DPO).
1.6. Any requests, demands, notices, or applications regarding the exercise of Data Subjects' rights, withdrawal of consent for data processing, or clarification of the provisions of this Policy, must be directed directly to the Company's DPO at the official email address: partners@allosta.com with the subject line marked "Attn: Data Protection Officer".
SECTION 2. LAWFUL BASIS FOR PROCESSING
2.1. In accordance with Article 4 and Article 5 of the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL), the Data Controller processes the personal data of Data Subjects strictly upon valid lawful bases.
2.2. The Data Controller hereby declares and establishes the following lawful bases that permit the collection, retention, analysis, and other forms of personal data processing on the Platform:
2.3. Performance of a Contract (Contractual Necessity):
The processing of personal data is strictly necessary for the conclusion, performance, or termination of contractual obligations between the User and the Company. This basis encompasses the acceptance of the Website's public offer, compliance with the terms of the License Agreement, and the execution and implementation of the Subscription Agreement for accessing the closed-loop scoring SaaS platform and the Investor Portal.
2.4. Compliance with Applicable Legal Obligations:
The Data Controller processes data to comply with statutory mandates under UAE laws and applicable international regulatory standards. This includes the mandatory execution of Know Your Customer (KYC) due diligence procedures, adherence to Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulatory frameworks, as well as the recording and safeguarding of the System Audit Trail.
2.5. Explicit and Informed Consent of the Data Subject (Explicit Consent):
In cases prescribed by law or upon the activation of specific AI components (including the initiation of Q1/Q2-questioning by E-agent "Igor" and the launch of the AI-Avatar video interview module), data processing is conducted based on the explicit, free, specific, and unambiguous consent of the User. This consent is provided by the User in electronic form at the moment of registration on the Website by ticking the respective check-box.
SECTION 3. CATEGORIES OF DATA COLLECTED
3.1. In accordance with the data minimization principle established under the UAE PDPL, the Data Controller collects and processes the personal data of Data Subjects strictly to the extent necessary to achieve the stated purposes of the Platform.
3.2. All processed personal data are strictly categorized by their nature and technical source of origin into the following 4 (four) primary categories:
3.3. Идентификационные (установочные) данные:
Данная категория включает персональные сведения, необходимые для базовой регистрации Пользователя и проведения процедур верификации личности (KYC). В состав данных входят:
- Фамилия, имя, отчество (при наличии);
- Данные заграничного паспорта и (или) удостоверения личности резидента ОАЭ (Emirates ID);
- Адрес постоянной регистрации и (или) фактического проживания;
- Сведения о гражданстве, дате и месте рождения.
3.3. Identification (Identity) Data:
This category includes personal information required for core User registration and the execution of identity verification (KYC) procedures. The data set comprises:
- Full name (first name, patronymic, and surname, if applicable);
- International passport details and/or UAE Resident Identity Card (Emirates ID) data;
- Permanent registration and/or actual residential address;
- Information on nationality, date, and place of birth.
3.4. Биометрические данные и специализированные ИИ-данные:
Данная категория включает в себя массивы данных высокой степени конфиденциальности, обрабатываемые проприетарными алгоритмами машинного обучения Компании. В состав данных входят:
- Видео- и аудиозаписи интервью Пользователя, проходящего верификацию через интерактивный Модуль AI-Аватар (включая уникальные параметры голоса и динамические характеристики изображения лица);
- Полные текстовые транскрипции устной речи, сформированные в процессе автоматического распознавания;
- Логи обработки естественного языка (NLP-логи), формируемые в ходе Q1/Q2-анкетирования Е-агентом «Игорь».
3.4. Biometric Data and Specialized AI Data:
This category encompasses highly sensitive data arrays processed by the Company’s proprietary machine learning algorithms. The data set comprises:
- Video and audio recordings of the User participating in interviews via the interactive AI-Avatar Module (including unique vocal parameters and dynamic facial imagery characteristics);
- Full textual transcriptions of speech generated through automated speech-to-text recognition processes;
- Natural Language Processing logs (NLP logs) accumulated during Q1/Q2-questioning by E-agent "Igor".
3.5. Финансовые данные и сведения о благосостоянии:
Данная категория собирается Оператором в целях комплаенса, оценки платежеспособности в рамках «специальных ситуаций» и подтверждения легальности капитала. В состав данных входят:
- Официальные документы и декларации об источнике происхождения денежных средств и капитала (Source of Wealth / Source of Funds);
- Заверенные банковские выписки, отчеты о движении денежных средств и состоянии счетов;
- Документы, подтверждающие юридический статус квалифицированного (аккредитованного) инвестора.
3.5. Financial Data and Wealth Information:
This category is collected by the Data Controller for compliance purposes, creditworthiness assessment within "Special Situations," and validation of capital legality. The data set comprises:
- Official documents and declarations regarding the Source of Wealth and Source of Funds;
- Certified bank statements, cash flow statements, and account balance reports;
- Documentation confirming the legal status of a qualified (accredited) investor.
3.6. Technical and System Tracking Data:
This category is automatically generated by the Platform’s IT infrastructure during its operational use. The data set comprises:
- The network IP address of the User's device, browser technical parameters, and operating system details;
- Cookies, pixels, and browser local storage data (pursuant to the Cookie Policy);
- User device geolocation details;
- System entries and logs of the System Audit Trail, recording the chronology, exact timestamps, and nature of any actions performed by the User within the closed loop of the Platform.
SECTION 4. PURPOSES OF PROCESSING
4.1. The Data Controller processes the personal data of Data Subjects in strict compliance with the purpose limitation principle established under the UAE PDPL. The utilization of any acquired data is strictly confined to the scope of achieving the "Permitted Purpose" defined herein.
4.2. The "Permitted Purpose" encompasses the aggregate of the following strictly defined technical, legal, and operational objectives required for the functioning of the Platform:
4.3. Automation of Due Diligence Processes:
The processing of identity, financial, and technical data for automated and semi-automated risk analysis, asset ownership structure evaluation, legal encumbrance identification, and conducting Due Diligence on distressed assets (Special Situations) in the global market.
4.4. Execution of Electronic Scoring (E-scoring):
The utilization of compiled questionnaire data, Q1/Q2-questioning results from E-agent "Igor", and NLP logs to construct predictive models, determine investment profiles, calculate credit/investment ratings, and generate automated scoring reports for the participants within the closed loop of the Platform.
4.5. Investor Verification Under AML/KYC Frameworks:
The execution of mandatory legal verification of Data Subjects, including identity verification via the AI-Avatar video interview module, validation of the legality of the Source of Wealth, and cross-referencing against sanctions lists in strict compliance with applicable UAE Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) legislation.
4.6. Technical Support and Platform Administration:
Ensuring the stable functioning of the Website's IT infrastructure and the Investor Portal, prompt resolution of technical incidents, performance optimization of machine learning algorithms, and organizing communication channels with Users regarding the deployment of the Company’s services.
4.7. Cybersecurity Maintenance and Cyberattack Prevention:
Continuous monitoring of the IT perimeter, recording User activities within the System Audit Trail for fraud prevention, identifying suspicious activity, securing databases, and preventing, detecting, and blocking cyberattacks (including DDoS, code injections, and unauthorized access).
SECTION 5. CROSS-BORDER DATA TRANSFER
5.1. The international nature of the Platform's operations and the architecture of its IT infrastructure necessitate the transfer of personal data outside the United Arab Emirates. This section defines the conditions and legal mechanisms of such transfer.
5.2. In accordance with Articles 22 and 23 of the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL), the Data Controller executes cross-border transfers of Data Subjects' personal data strictly to jurisdictions that ensure an adequate level of data protection, or subject to the implementation of specific legal safeguards.
5.3. The Data Subject is hereby notified and agrees that their personal data are initially collected within the UAE, but subsequently transferred for further processing, structuring, and retention to secure international data centers located outside the UAE (including, but not limited to, European Union countries and European jurisdictions). These data centers maintain certified information security systems and comply with rigorous international standards.
5.4. For the purposes of maintaining continuous technical support, executing e-scoring analysis of "Special Situations," and performing AML/KYC compliance checks, personal data may be processed by the Data Controller’s distributed international team of specialists and IT engineers located in various jurisdictions outside the UAE. Access to data is granted under strict confidentiality on a need-to-know basis.
5.5. In events where cross-border transfers are executed to jurisdictions lacking official adequacy recognition from the UAE regulatory authorities, the Data Controller utilizes Standard Contractual Clauses (SCCs) integrated into agreements with contractors, hosting providers, and international units of the Company. These clauses impose stringent confidentiality obligations upon data recipients, mirroring the requirements of the UAE PDPL.
SECTION 6. DATA SUBJECT RIGHTS
6.1. Pursuant to the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL), every User (Data Subject) is guaranteed a set of statutory and unalienable rights regarding their personal data processed by the Data Controller.
6.2. Right to Access:
The Data Subject has the right to request confirmation from the Data Controller as to whether their personal data are being processed, and to obtain detailed information regarding the categories of data processed, the purposes of processing, the recipients or categories of recipients to whom the data have been or will be disclosed, and the geographical location of data storage.
6.3. Right to Rectification:
The Data Subject has the right to obtain from the Data Controller without undue delay the rectification, update, or clarification of any inaccurate, outdated, incomplete, or misleading personal data concerning them, including data compiled during questioning or scoring processes.
6.4. Right to Erasure / Right to be Forgotten:
The Data Subject has the right to demand the erasure of their personal data from the Data Controller’s IT systems if the data are no longer necessary for the "Permitted Purpose," if the Subject withdraws their consent, or if the processing lacks a lawful basis.
This right is limited by the Data Controller’s statutory data retention obligations under applicable AML/CFT legislation and the mandatory maintenance of the System Audit Trail.
6.5. Right to Restrict Processing:
The Data Subject has the right to request the Data Controller to temporarily or permanently restrict the processing of data (except for retention) if the accuracy of the data is contested, the processing is unlawful, or during the period when the Data Controller is verifying the Data Subject's objections.
6.6. Procedure for Submitting Requests:
To exercise any of the aforementioned rights, the Data Subject must submit an official written request to the Company's Data Protection Officer (DPO) at the email address: partners@allosta.com.
The request must include: the applicant’s identification details (Full Name, ID/Passport data), a description of the core requirement, and information confirming interaction with the Platform. The Data Controller undertakes to review the request and provide a reasoned response or confirmation of execution within the timeframes prescribed by the applicable UAE laws.
SECTION 7. DATA RETENTION POLICY
7.1. The Data Controller retains the personal data of Data Subjects for the duration necessary to achieve the "Permitted Purpose" of processing outlined in this Policy, unless a longer retention period is required or permitted by applicable law.
7.2. As a general rule, the User's personal data are collected, processed, and stored within the active IT systems of the Platform for the entire duration of the User's account validity on the Website or the Investor Portal.
7.3. STATUTORY MANDATORY REQUIREMENT (AML/CFT):
It is hereby established that for the purpose of strict compliance with the mandatory provisions of the UAE legislation on Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT), as well as international Financial Action Task Force (FATF) standards, certain categories of data are subject to mandatory archival retention.
7.4. All financial data, KYC identification documents (including passport details, Emirates ID, Source of Wealth documentation), and comprehensive logs of the System Audit Trail of the User's activities shall be retained within an isolated secure archive of the Company for a minimum period of 5 (five) years from the date of the User's account closure or official termination of the contractual relationship.
7.5. Upon the expiration of the established retention periods, including the mandatory five-year archival retention period, the Subject's personal data shall be irreversibly destroyed (erased) from all IT systems and physical media of the Data Controller, or subjected to complete and irreversible anonymization, rendering personal identification impossible.
SECTION 8. DATA SECURITY
8.1. The Data Controller implements comprehensive technical, organizational, and legal measures to ensure the confidentiality, integrity, and availability of Data Subjects' personal data, and to safeguard it against unauthorized or accidental access, destruction, modification, blocking, or other unlawful activities.
8.2. Technical Security Measures:
To secure the Platform's IT perimeter and data during transmission or storage, the Data Controller deploys the following protective mechanisms:
- End-to-End Encryption (SSL/TLS): all network traffic and data exchange sessions between the User's browser, the Website interface, the Investor Portal, and AI components are protected by strict cryptographic encryption protocols both in transit (Data-in-Transit) and at rest on servers (Data-at-Rest);
- Credential Hashing: User passwords, authentication tokens, and critical identifiers undergo one-way cryptographic hashing using modern, resilient algorithms, preventing their exposure in plaintext.
8.3. Data Integrity & System Audit Trail:
The Platform's IT architecture enforces mandatory and continuous logging of all significant system events and User actions. The System Audit Trail operates on the principles of cryptographic immutability of recorded entries. In the event of an information security incident or unauthorized data modification attempts, the Audit Trail serves as a primary tool for instant detection, localization, breach investigation, and database state recovery.
8.4. Organizational Measures & Access Control:
The Company enforces a strict policy for segregating access rights to personal data and AI environments (Access Control Policy):
- Access to personal, financial, and biometric data of Subjects is granted strictly to a limited circle of the Company’s internal personnel and engineers, based on the principle of least privilege and the need-to-know concept;
- All employees with authorized data access undergo vetting, execute legally binding Non-Disclosure Agreements (NDAs), and bear personal disciplinary, civil, and criminal liability for any breach of cybersecurity regulations.