STORM Consultancy Solutions STORM Consultancy Solutions

Privacy Policy

GDPR-aligned with regional notes for UAE, Saudi Arabia, Qatar, and wider MENA operations.

Last updated: 20 August 2025

1) Scope & Roles

This Privacy Policy explains how STORM Consultancy Solutions (“STORM”, “we”, “us”) processes personal data relating to website visitors, prospective and current clients and suppliers, and job candidates. For most activities, STORM acts as a data controller; for certain client services we may act as a data processor (per the relevant contract and data processing addendum).

2) Data We Collect

Website & Marketing

  • Contact form details (name, email, company, message)
  • Usage and device info (IP address, pages viewed, referrers)
  • Cookie IDs and similar identifiers (see Section 5)

Business Contacts & Clients

  • Professional contact details and role
  • Contracts, statements of work, and billing info
  • Project communications and meeting records

Support & Services Delivery

  • Tickets, logs, diagnostic data, training attendance
  • System user identifiers for client platforms (as applicable)
  • Audit trails and change histories

Recruitment

  • CVs, cover letters, interview notes, assessment results
  • Background and reference info (where permitted)

3) Sources

  • You (forms, emails, calls, meetings, events)
  • Your organization or colleagues
  • Public or third-party sources (e.g., business directories)
  • Client systems and tools used to deliver services (as agreed)

4) Purposes & Legal Bases

Purpose Examples Legal Basis (GDPR)
Operate our website Security, analytics, performance Legitimate interests / Consent for non-essential cookies
Sales & marketing Responding to inquiries, event follow-ups Legitimate interests / Consent where required
Provide services Projects, support, training, governance Contract performance / Legitimate interests
Compliance Audit, legal requests, sanctions screening Legal obligations / Legitimate interests
Recruitment Candidate evaluation and hiring Legitimate interests / Consent where required

5) Cookies & Similar Technologies

We use essential cookies to operate the site and (where enabled) analytics/marketing cookies to understand engagement. Where required by law, we will request consent before setting non-essential cookies. You can delete cookies in your browser settings.

6) Sharing & Processors

We share personal data with trusted service providers (e.g., hosting, analytics, communication tools, ticketing) under contracts that require appropriate security and confidentiality. We may also share data with advisors (legal, audit), potential acquirers, and authorities where legally necessary. We do not sell personal data.

7) International Transfers

Where data is transferred across borders, we implement safeguards such as Standard Contractual Clauses (and relevant addenda) or rely on adequacy decisions, and we follow local data localization rules where applicable. For client work, transfer mechanisms are defined in the governing contract and data processing addendum.

8) Regional Addenda (MENA & GDPR)

EU/EEA & UK (GDPR)

Where GDPR or the UK GDPR applies, you have statutory rights (see Section 11). We may appoint local representatives where required. Non-essential cookies require consent.

GCC & Wider MENA

We take into account applicable laws in the Middle East & North Africa, including (as applicable): United Arab Emirates, Saudi Arabia, Qatar, Kuwait, Bahrain, Oman, Jordan, Lebanon, Iraq, Syria, Palestine, Yemen, Egypt, Libya, Tunisia, Algeria, Morocco, Sudan, and Mauritania. Local requirements may affect notices, lawful bases, localization, breach notifications, and rights handling. If you are based in one of these countries, you may exercise rights under local law via the process in Section 11.

9) Retention

We keep personal data only as long as necessary for the purposes described in this policy, including to meet legal, accounting, or reporting requirements. Typical periods: marketing contacts (until opt-out or inactivity), contracts and billing records (legal retention periods), support records (project lifecycle + limited archive), recruitment (12–24 months unless you ask us to keep your profile longer or delete it sooner).

10) Security

We use administrative, technical, and physical controls appropriate to the nature of the data (e.g., access controls, encryption in transit, backups, and least-privilege). No system can be 100% secure; we maintain processes for detecting and responding to incidents and, where required, notifying regulators and affected individuals.

11) Your Rights & How to Exercise Them

Subject to applicable law, you may have the right to request access, rectification, deletion, restriction, objection, data portability, or to withdraw consent. To exercise rights, email us at privacy@stormcso.com. We may verify your identity and ask for more information to process your request. You may also have the right to lodge a complaint with your local data protection authority.

12) Children’s Data

Our services are for professional use and not directed to children. We do not knowingly collect personal data from children.

13) Changes to This Policy

We may update this policy from time to time. We will adjust the “Last updated” date above and, where appropriate, provide additional notice.

14) Contact

Privacy Inquiries

Email: privacy@stormcso.com

Address (if required for your local process): add your registered office details.

Complaints

You may contact your local supervisory authority. We are happy to work with you to resolve any concerns promptly.

Back to top