Grafx

Privacy Policy

Last updated: May 2026

This Privacy Policy is published as a template that has been prepared to align with the UAE Federal Decree-Law No. 45 of 2021 concerning the Protection of Personal Data (the “UAE PDPL”). It is not legal advice. Before going live, please have it reviewed by qualified UAE legal counsel.

1. About this Policy

This Privacy Policy explains how Grafx Media House (“Grafx”, “we”, “us”) collects, uses, shares, and protects personal data when you interact with grafx.ae, our embedded chatbot assistant, our contact and inquiry forms, our gated resource downloads, and our career application form (together, the “Services”).

Grafx is registered in the Emirate of Dubai, United Arab Emirates (UAE), and is the “Controller” of the personal data processed through the Services.

2. The laws we follow

We process personal data in accordance with the UAE PDPL and any Executive Regulations and guidance issued by the UAE Data Office under it. Where you reach the Services from outside the UAE, we also handle your data consistently with applicable local laws, including the EU General Data Protection Regulation (GDPR) for visitors located in the European Economic Area or the United Kingdom.

These Services are operated from the UAE mainland (i.e., onshore UAE); they are not provided from DIFC or ADGM and the data protection regimes of those financial free zones do not apply.

3. The personal data we collect

Data you provide directly. Your name, work email, phone number, company, country, industry and any free-text message you submit through a contact form, an inquiry form, a gated download, the chatbot, or a career application (including your CV/resume and any attachments you upload).

Data collected automatically. Limited technical data needed to operate and secure the site: IP address (used for rate-limiting and abuse prevention), device and browser characteristics, pages viewed, and approximate timestamps. We do not use third-party advertising trackers or cross-site tracking pixels.

Data from sub-processors. Operational metadata from the platforms we use to host the site, deliver email, and run the assistant (listed in Section 6).

We do not knowingly collect sensitive personal data (health, biometric, racial, religious, political or family data). Please do not share sensitive data through the chatbot or contact forms.

4. Why we process your data — and our lawful basis

Under the PDPL, all processing must rest on a lawful basis. We rely on:

  • Your consent — when you submit a form, send a message to the chatbot, request a gated download, or apply for a role.
  • Performance of a contract or steps prior to a contract — when we engage with a prospective client or process a candidate application.
  • Our legitimate interests — to operate, secure and improve the Services, prevent fraud and abuse, and develop our business. We balance these interests against your rights and will not rely on this basis where your rights override our interests.
  • Legal obligations — when we are required by UAE law to retain or disclose data.

We use your personal data to:

  • respond to enquiries and provide requested information;
  • operate the chatbot assistant and remember the context of a single conversation;
  • deliver the resource you requested (ebooks, guides, whitepapers);
  • evaluate career applications and follow up;
  • classify and prioritise inbound leads internally — including automated summarisation, intent classification and a recommended next step generated by AI (see Section 5);
  • send operational confirmations and replies (we do not send marketing emails without your separate consent);
  • protect the Services from abuse and security threats; and
  • comply with legal obligations.

5. Automated decision-making and the use of AI

The Services use artificial intelligence in two specific ways you should know about:

  • The Grafx chatbot uses Large Language Models (LLMs) from Anthropic and OpenAI to generate replies. Your messages and the model's replies are transmitted to those providers in real time so the model can answer you. Providers process this data under their own published privacy commitments; we do not authorise them to use your messages to train their general-purpose models.
  • Our internal lead intelligence uses LLMs to produce a short summary, classify intent, and suggest a next step for our team after you have already submitted your details through a form or the chatbot. This is an aid to our human team, not an automated decision that produces legal or similarly significant effects on you.

Under the PDPL, you have the right to object to processing that is based solely on automated decision-making which produces legal or similarly significant effects on you. To exercise this right, see Section 12.

6. How we share your personal data

We do not sell your personal data and we do not share it with third parties for their independent marketing.

We share limited personal data with the sub-processors that operate the Services on our behalf. Each is bound by a written data processing arrangement and processes data only for the purpose described:

  • Supabase Inc. — primary database, file storage, and authentication for the admin dashboard.
  • Anthropic PBC & OpenAI OpCo, LLC — large-language-model providers powering the chatbot and the internal lead-intelligence tools.
  • Resend (Drie Hoeven Tech B.V.) — transactional email delivery (form confirmations, internal notifications, resource delivery).
  • DataForSEO LLC — keyword research and SERP analytics used by our editorial team. Does not receive your personal data.
  • Hostinger International Ltd. — the VPS that runs the website.
  • Google LLC — Google Analytics 4 (only when you consent to analytics cookies via the cookie banner); processes anonymised page-view and interaction data to give us aggregate site-usage reports.

We may also disclose personal data when required by law, court order, or to protect the rights, property or safety of Grafx, our users or others.

7. Cookies and similar technologies

grafx.ae uses a minimal number of cookies and similar storage technologies. We group them as follows:

  • Strictly necessary — required to operate the site (e.g. the session cookie for the admin login). These run without consent because the Services cannot function without them.
  • Functional — remember the state of your chatbot conversation and any UI preferences within a session.
  • Analytics — we use Google Analytics 4 with IP anonymisation and Google's Consent Mode v2. Analytics cookies are only set once you grant consent in the cookie banner; before that, no analytics cookies are written and no personal data is sent to Google for analytics purposes.
  • Marketing — currently not in use. We do not run advertising trackers.

You are asked for your preferences the first time you visit and can change them at any time from the “Cookie preferences” link in the footer. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

8. International transfers

Some of our sub-processors store or process personal data outside the UAE (for example, in the United States or the European Economic Area). Where personal data is transferred outside the UAE, we rely on one or more of: an adequacy determination by the UAE Data Office, contractual safeguards (such as Standard Contractual Clauses with the receiving party), or your explicit consent. We will provide details of the safeguards on written request.

9. How long we keep your data

  • Lead and contact records — retained for the duration of any active engagement and for a reasonable follow-up window thereafter (typically up to 24 months).
  • Chatbot conversations — retained for service quality and to support any lead captured during the conversation; deleted when the related lead record is deleted.
  • Career applications — retained for the duration of the hiring cycle and a short period afterwards in case a future opportunity opens (typically up to 12 months).
  • Operational and security logs — retained for a short rolling window (typically 30-90 days).

You can request earlier deletion at any time, subject to any legal obligation we have to retain certain records.

10. Security

We protect personal data with encryption in transit (HTTPS everywhere), encryption at rest via our hosting provider, strict access controls on the admin dashboard, IP-based rate limits on every public endpoint, and a standard security-header policy. If we become aware of a personal data breach that risks affecting your rights, we will notify the UAE Data Office within 72 hours and inform you without undue delay where required.

11. Your rights under the PDPL

You have the following rights with respect to your personal data:

  • Right of access — obtain confirmation of, and a copy of, the personal data we hold about you.
  • Right to be informed — receive clear information about how your data is processed (this Policy).
  • Right to rectification — have inaccurate or incomplete data corrected.
  • Right to erasure — request deletion of your personal data where one of the grounds in the PDPL applies.
  • Right to restrict processing — ask us to limit our use of your data in certain circumstances.
  • Right to data portability — receive a copy of the data you provided to us in a structured, machine-readable format.
  • Right to object — object to processing based on our legitimate interests, or to automated decision-making that produces legal or similarly significant effects on you.
  • Right to withdraw consent — withdraw any consent you have given, at any time, without affecting the lawfulness of processing before withdrawal.

12. How to exercise your rights

To make a request, email us at info@grafx.ae with the subject line “Privacy request”. Tell us which right you are exercising and provide any information we may need to verify your identity. We will respond without undue delay and in any case within thirty (30) days, as required by the PDPL. If your request is complex or we receive a high volume of requests, we may extend that period and will let you know.

13. Complaints to the UAE Data Office

If you believe we have processed your personal data in a way that does not comply with the PDPL, you have the right to lodge a complaint with the UAE Data Office, the supervisory authority for the PDPL. We would, of course, prefer to address any concerns directly first — please contact us using the details below.

14. Children

The Services are intended for business and professional audiences aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us so we can remove it.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in the law, or in the supervisory guidance issued by the UAE Data Office. We will change the “Last updated” date above and, for material changes, draw your attention to them on the site.

16. Contact

For privacy-related questions, to exercise any of the rights in Section 11, or for any request related to your personal data, contact:

Grafx Media House
Dubai, United Arab Emirates
info@grafx.ae

We act as both Controller and (in the limited circumstances above) Processor under the PDPL. A Data Protection Officer (DPO) will be appointed at the threshold required by the PDPL Executive Regulations, and the info@grafx.ae address will remain the correct privacy contact in the meantime.