Section 1
1. About this Policy
This Privacy Policy (the “Policy”) sets out the principles and practices that govern how Velmont Crest collects, uses, discloses, transfers, retains and safeguards Personal Data in the course of operating the website at velmontcrest.ae and delivering accounting, bookkeeping, VAT, corporate tax, audit-readiness, CFO advisory, AML compliance support and business setup advisory engagements to clients in the United Arab Emirates.
It is published in English. Where a translation is provided for convenience, the English text shall prevail in the event of any inconsistency or dispute concerning interpretation.
This Policy applies to every visitor to the Website, every prospective client who submits an enquiry, every Client we engage under an Engagement Letter, every supplier and counterparty whose Personal Data is processed in connection with a Client engagement, and every job applicant who contacts us through the Website or by email.
1.1 Effective date and versioning
This Policy is effective from 23 June 2026 and supersedes any earlier privacy notice published on the Website. The version reference for this Policy is v3.0. Material changes are notified in accordance with Section 15.
1.2 Severability
If any provision of this Policy is held by a competent court or supervisory authority to be invalid, unlawful or unenforceable, that provision shall be severed and the remainder of the Policy shall continue in full force and effect to the maximum extent permitted by law.
1.3 Counsel review notice
This is a model Policy. Final wording must be reviewed by UAE-qualified legal counsel before deployment to production, and re-reviewed whenever the Executive Regulations to Federal Decree-Law No. 45 of 2021 are amended, supplemented or restated.
Section 2
2. Data Controller and Contact
Velmont Crest is a trading name under which an accounting practice operated by Abdullah Al Mamun, a natural person licensed to trade in the Emirate of Dubai, provides services to clients in the United Arab Emirates. For the purposes of the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the “PDPL”) and analogous regimes referenced in this Policy, Velmont Crest is the data Controller in respect of the Personal Data described in Section 3.
2.1 Identification details
- Trading name — Velmont Crest (also “Velmont Crest Accounting”)
- Licensing authority — Department of Economic Development, Dubai
- DED licence number — [DED LICENCE NUMBER]
- Registered office — Office [X], Building [Y], Dubai, United Arab Emirates
- Postal correspondence — Dubai, United Arab Emirates
- Website — velmontcrest.ae
2.2 Data Protection Officer
We have appointed a Data Protection Officer (the “DPO”) to oversee compliance with the PDPL and the principles set out in this Policy. The DPO is the first point of contact for privacy enquiries, rights requests, complaints and incident notifications.
- DPO email — dpo@velmontcrest.ae (preferred). Until that mailbox is provisioned, please copy info@velmontcrest.ae marked “Data Protection”.
- DPO postal — Office [X], Building [Y], Dubai, United Arab Emirates — marked “Strictly Private — DPO”.
- Telephone — +971 54 794 9327
Section 3
3. Categories of Personal Data Collected
We collect only the Personal Data that is necessary to deliver the services you have requested, to satisfy our legal and regulatory obligations, and to operate the Website. The categories below describe the data types we may collect and process; not every category will apply to every individual.
3.1 Identifiers
Full legal name, date of birth, nationality, Emirates ID number and image of the Emirates ID, passport number and image of the passport bio-page, UAE residence visa details, and where the engagement requires it, beneficial-ownership identifiers for ultimate beneficial owners (UBOs) and authorised signatories.
3.2 Contact details
Personal and business email addresses, mobile and landline telephone numbers, WhatsApp identifier, postal address, and any preferred channel of communication you have nominated.
3.3 Financial and KYC data
Bank statements, trade licence copies, Memorandum and Articles of Association, shareholder registers, source-of-funds and source-of-wealth declarations, World-Check / sanctions screening outputs, politically exposed person (PEP) status, and supporting documentation required for client due diligence under Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Cabinet Decision No. 10 of 2019.
3.4 Payment data
Bank account name and IBAN supplied for invoice settlement, payment references, invoice records, credit notes and remittance advices. We do not store full card numbers; any card processing is handled by regulated payment processors operating their own controller obligations.
3.5 Communications
Emails, WhatsApp Business messages, SMS, call logs, voicemail transcripts and (where lawful and notified in advance) call recordings used for service-quality, evidence and dispute-resolution purposes.
3.6 Engagement records
Workpapers, trial balances, journals, ledgers, accounting reconciliations, VAT and corporate tax computations, tax returns prepared, audit schedules, management accounts, board packs, AML risk assessments and any analysis, advice or memorandum produced in the course of an engagement.
3.7 Technical and device data
Internet protocol (IP) address, browser type and version, operating system, device identifiers, screen resolution, language preference, referring URL, pages visited, time-on-page, click events, search terms entered on the Website and a session identifier issued by our analytics platform. See Section 9 for cookie detail.
3.8 Marketing preferences
Newsletter subscription status, the topics you have opted into, the timestamps of consent grant and consent withdrawal, and engagement metrics with marketing emails (opens, clicks) used only at an aggregate level to improve content relevance.
3.9 Sensitive Personal Data
We do not solicit Sensitive Personal Data (data relating to racial origin, political opinions, religious beliefs, health, criminal record, biometric data or genetic data) as a routine matter. Where such data is incidentally received — for example, a residency visa stamp disclosing nationality or a copy of an Emirates ID containing a photograph — it is processed strictly for the purpose for which it was provided and protected with enhanced safeguards in accordance with Article 15 PDPL.
Section 4
4. How We Use Your Personal Data
Every processing operation we perform is grounded in one or more of the lawful bases set out in Article 5 of the PDPL. The table below pairs each purpose with its lawful basis and, where relevant, the specific statutory instrument that obliges us to process the data.
4.1 Service delivery and engagement administration
Lawful basis: performance of a contract to which you are a party, or steps taken at your request prior to entering into a contract (Article 5(1)(b) PDPL).
We use Personal Data to evaluate proposed engagements, scope services, prepare and execute Engagement Letters, deliver bookkeeping and tax services, produce deliverables, manage your account, respond to queries, and administer renewals and terminations.
4.2 Anti-money-laundering and counter-financing of terrorism
Lawful basis: compliance with a legal obligation to which Velmont Crest is subject (Article 5(1)(c) PDPL).
Velmont Crest is required to perform Customer Due Diligence, Enhanced Due Diligence where appropriate, ongoing monitoring, sanctions and PEP screening, and Suspicious Transaction Report or Suspicious Activity Report filings via the goAML platform of the UAE Financial Intelligence Unit, in accordance with Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019 and Cabinet Decision No. 53 of 2023, together with the Ministry of Economy AML/CFT Guidelines for DNFBPs.
4.3 Tax record-keeping
Lawful basis: compliance with a legal obligation (Article 5(1)(c) PDPL).
We retain accounting and tax records for the periods mandated by Federal Decree-Law No. 47 of 2022 on the Taxation of Corporations and Businesses (Article 56), Federal Decree-Law No. 8 of 2017 on Value Added Tax (as amended by Federal Decree-Law No. 18 of 2022) and Federal Decree-Law No. 28 of 2022 on Tax Procedures, and the Executive Regulations to each.
4.4 Billing, collections and dispute resolution
Lawful basis: performance of a contract (Article 5(1)(b) PDPL) and our legitimate interest in being paid for services delivered and in defending or pursuing legal claims (Article 5(1)(f) PDPL).
We issue invoices, take payment, manage receivables, pursue overdue debts, and where necessary instruct legal counsel or commence proceedings. Personal Data may be shared with collection counsel, the courts and counter-parties to the extent required for the proper conduct of those activities.
4.5 Security, fraud prevention and integrity of systems
Lawful basis: legitimate interest in maintaining the security, availability and integrity of our IT environment and protecting our staff, clients and the public from fraud, social-engineering and impersonation attacks (Article 5(1)(f) PDPL).
We log access to systems, monitor for anomalous activity, run vulnerability scans, retain audit trails, and investigate suspected incidents.
4.6 Marketing communications
Lawful basis: your consent (Article 5(1)(a) PDPL), which you may withdraw at any time without affecting the lawfulness of prior processing.
Where you have opted in, we send periodic newsletters, regulatory updates and invitations. Every marketing message includes a one-click unsubscribe mechanism. We honour withdrawal requests within seven (7) days of receipt.
4.7 Analytics and service improvement
Lawful basis: legitimate interest in understanding aggregate Website performance and improving content (Article 5(1)(f) PDPL). Where feasible we use privacy-respecting, cookie-free or first-party analytics; where cookies are used, Section 9 applies.
4.8 Recruitment
Lawful basis: steps taken at the request of the data subject prior to entering into a contract (Article 5(1)(b) PDPL).
Personal Data submitted in connection with a job application is used to evaluate candidacy, conduct reference checks and, where the candidate is successful, on-board the individual. Unsuccessful application data is handled in accordance with Section 7.6.
Section 5
5. Third-Party Data Processors and Recipients
We engage carefully selected third-party processors who act on our documented instructions and are bound by data-processing terms equivalent to those required by Article 26 PDPL. Categories of processor used in the ordinary course of business include the following. Specific processors may change from time to time; the categories themselves are stable.
5.1 Categories of processor
- Cloud hosting and edge delivery — Cloudflare and our website host, providing Website delivery, DNS, TLS termination, DDoS protection and edge caching. Cross-border transfers in scope; safeguards in Section 6.
- Accounting and tax-filing software — Cloud accounting platforms including Zoho Books, QuickBooks Online and Xero, where the platform is selected by you for your engagement, together with Federal Tax Authority “EmaraTax” submissions.
- Productivity and email — Google Workspace (mail, calendar, document collaboration) for internal collaboration and client correspondence.
- Messaging — WhatsApp Business for messaging at your request, subject to WhatsApp’s own privacy notice.
- Payment processing — UAE banks for receipt of bank transfers; we do not operate or store card-acquirer data.
- Electronic signature — DocuSign or an equivalent qualified provider for the execution of Engagement Letters, addenda and consents.
- Analytics — A privacy-respecting analytics provider configured to anonymise IP addresses and to retain raw data for no longer than necessary.
- Professional advisers — Legal counsel, external auditors and insurance brokers acting in the ordinary course of business; each is independently bound by professional confidentiality.
- Regulators and authorities — UAE Federal Tax Authority, UAE Ministry of Economy, UAE Financial Intelligence Unit (goAML), Department of Economic Development of Dubai, courts and supervisory authorities, strictly where disclosure is required by law.
5.2 Processor governance
We perform risk-based due diligence before engaging any processor, including a review of the processor’s public security posture, the location and resilience of its data centres, its incident-response track record, the certifications it holds (for example ISO/IEC 27001, SOC 2 Type II or equivalent) and the residual risk of any sub-processing chain it operates.
We execute a data-processing addendum with each processor that addresses, at a minimum, the subject matter and duration of processing, the nature and purpose of processing, the categories of Personal Data and data subjects, the security measures required, the conditions for engaging sub-processors, the obligation to notify us of a Personal Data Breach without undue delay, audit and inspection rights, cooperation with rights requests, the geography of processing, and the return or destruction of Personal Data on termination.
We review each processor periodically on a risk-sensitive basis and reassess on any material change, including a change in ownership, a change in the geography of processing or a reported security incident. Where a processor no longer meets our requirements, we exit the relationship and migrate processing to an alternative provider on a timeline appropriate to the risk.
5.3 Disclosure to regulators and authorities
We disclose Personal Data to regulators, supervisory authorities, courts and law-enforcement bodies only where required by UAE law or by a lawful order made under it. Where we receive a request that we consider overbroad, unlawful or improperly served, we will, where lawfully able to do so, challenge or narrow the request before complying.
Section 6
6. Cross-Border Data Transfers
Some of the processors described in Section 5 process Personal Data outside the United Arab Emirates. Articles 22 to 23 of the PDPL require transfers to be made only to jurisdictions that offer an adequate level of protection or, where adequacy is not established, subject to appropriate safeguards.
6.1 Adequacy and safeguards
Where the UAE Data Office has determined that a jurisdiction provides an adequate level of protection, we rely on that determination. Where it has not, we rely on contractual safeguards equivalent to the standard contractual clauses used in comparable global regimes, supplementary technical measures including encryption-in-transit and at-rest, and a transfer-impact assessment that records the residual risk.
6.2 DIFC engagements
Where Personal Data is processed in connection with an engagement involving a DIFC-incorporated counterparty, transfers from the DIFC are made in accordance with the DIFC Data Protection Law No. 5 of 2020 and the regulations made under it. The Commissioner of Data Protection for the DIFC is the supervisory authority for such transfers.
Section 7
7. Data Retention
Personal Data is retained only for as long as necessary to achieve the purpose for which it was collected, to satisfy our legal and regulatory obligations, and to defend against potential legal claims. The retention periods below reflect the longer of the contractually-agreed period and the statutory minimum applicable in the United Arab Emirates.
7.1 Retention table
- Customer due diligence and AML records — Five (5) years from the end of the business relationship or the date of the occasional transaction, in accordance with Article 16 of Cabinet Decision No. 10 of 2019.
- Accounting and corporate-tax records — Seven (7) years from the end of the tax period to which they relate, in accordance with Article 56 of Federal Decree-Law No. 47 of 2022 and Federal Decree-Law No. 28 of 2022.
- VAT records and supporting evidence — Five (5) years from the end of the tax period (fifteen (15) years for records relating to capital assets, and longer periods for real-estate records as prescribed by the Executive Regulations to the VAT law).
- Engagement letters, correspondence and workpapers — Seven (7) years from the end of the engagement, aligned with the tax record-keeping window.
- Marketing preferences and consent logs — Until withdrawal of consent, plus a further three (3) years to evidence that consent was validly obtained, after which records are securely destroyed.
- Website analytics — Twenty-four (24) months at user-identifiable granularity, after which records are aggregated and the underlying identifiers irreversibly deleted.
- Communications archive — Five (5) years from the date of the last communication in the relevant thread, longer where the communication forms part of a tax or AML record.
- Job applicant data (unsuccessful) — Six (6) months from the date of the final decision unless the candidate has consented to retention in a candidate pool, in which case twenty-four (24) months from consent.
- Security logs — Twelve (12) months for routine logs; longer where the log evidences a confirmed or suspected incident, until the incident file is closed in writing.
7.2 Destruction
When the applicable retention period expires, Personal Data is securely destroyed using methods appropriate to the medium — cryptographic deletion for cloud storage, secure-erase for portable media, and cross-cut shredding for paper. Backup copies are overwritten in line with the routine backup-rotation cycle.
Section 8
8. Your Rights as a Data Subject
Articles 13 to 17 of the PDPL grant you a number of rights in respect of the Personal Data we hold about you. These rights are not absolute — certain rights may be limited where a statutory retention obligation applies or where another data subject’s rights would be infringed — but we will respond to every request in accordance with the timelines set out in this Policy.
8.1 Right to access
You may request confirmation of whether we are processing Personal Data about you and, if so, a copy of that data together with information about the purposes of processing, the recipients to whom the data has been disclosed, the retention period and the source of the data where it was not collected directly from you.
8.2 Right to rectification
You may request correction of inaccurate or incomplete Personal Data without undue delay.
8.3 Right to erasure
You may request deletion of your Personal Data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent and there is no other lawful basis, or where processing is unlawful. This right is limited where retention is required by Section 7 to satisfy a legal obligation.
8.4 Right to restriction of processing
You may request that we restrict processing pending resolution of an accuracy dispute or pending verification of an objection to processing.
8.5 Right to data portability
Where processing is based on consent or contract and is carried out by automated means, you may request that the Personal Data you provided to us be transmitted to you, or directly to another controller, in a structured, commonly used and machine-readable format.
8.6 Right to object
You may object to processing carried out on the basis of legitimate interest, including profiling for marketing purposes. We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
8.7 Right to withdraw consent
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8.8 How to exercise your rights
Requests should be submitted in writing to the DPO using the contact details in Section 2.2. We will verify your identity using proportionate means — typically by reference to information already held about you, or by requesting a copy of an identity document where the data at stake warrants additional assurance — before disclosing Personal Data or acting on a request.
We respond within thirty (30) calendar days of a validly made request. Where a request is particularly complex, or where multiple requests have been received from the same data subject in close succession, the response window may be extended by a further thirty (30) days; we will inform you of any extension and the reasons for it within the original thirty-day window.
We do not charge a fee for the first request in any twelve-month period. For manifestly unfounded or repetitive requests we may charge a reasonable administrative fee that reflects the cost of providing the information or taking the action requested, or we may decline to act on the request, and in either case we will explain our reasoning and your right to lodge a complaint as described in Section 17.
Where a request relates to Personal Data we hold as a processor on behalf of a Client — for example, employee or supplier Personal Data we process as part of a bookkeeping or payroll engagement — we will forward the request to the Client without undue delay and assist the Client in responding, in accordance with the data-processing addendum in place for that engagement.
Section 9
9. Cookies and Similar Technologies
A cookie is a small text file placed on your device when you visit a website. We use only a small set of cookies and similar technologies, and we categorise them so you can make informed choices.
9.1 Strictly necessary cookies
These cookies are essential for the Website to function — for example, to remember security tokens or your cookie-banner preferences. They cannot be disabled through this Policy.
9.2 Analytics cookies
Set by our analytics provider to collect aggregate information about how visitors use the Website. IP addresses are anonymised before collection. You may opt out via the cookie banner or your browser controls.
9.3 Marketing cookies
Used where you have consented to marketing communications, to measure the effectiveness of marketing campaigns. You may opt out at any time.
9.4 Managing cookies
You can control cookies through your browser settings, the cookie-preferences mechanism on the Website where implemented, and global signals such as Global Privacy Control where supported. Disabling certain cookies may affect Website functionality.
Section 10
10. Children’s Personal Data
The Website and our services are directed at businesses and adult professionals. We do not knowingly collect Personal Data from any individual under the age of eighteen (18). Where we become aware that Personal Data has been collected from a minor without verified consent of a parent or legal guardian, we delete that data without undue delay. Where applicable, our processing of minors’ data complies with Article 6(2) PDPL and Federal Law No. 3 of 2016 (Wadeema’s Law).
Section 11
11. Security Measures
We apply technical and organisational measures appropriate to the nature, scope, context and purposes of processing, and to the risk to data subjects, in line with Article 20 PDPL. These measures are reviewed periodically and after any material change to our IT environment.
11.1 Encryption
Transport Layer Security (TLS) 1.2 or higher for data in transit. AES-256 or equivalent for data at rest in our primary storage systems.
11.2 Access control
Role-based access control on the principle of least privilege, multi-factor authentication on all administrative and email accounts, periodic access reviews and immediate revocation on departure.
11.3 Endpoint and network
Full-disk encryption on workstations, automatic patching, endpoint detection and response, and a documented acceptable-use policy for staff.
11.4 People controls
Background checks proportionate to role, written confidentiality undertakings in every employment and contractor agreement, and regular privacy and information-security awareness training.
11.5 Vendor and third-party security
Security due diligence on processors before engagement; periodic reassessment; contractual obligations to notify us of incidents.
11.6 Secure destruction
Cryptographic deletion, certified secure-erase and cross-cut shredding as appropriate. Disposal of physical media is logged.
11.7 Backups and resilience
Encrypted backups are taken on a rolling cycle appropriate to the recovery objectives of each system. Restore tests are performed periodically to verify that backups are recoverable and that recovery-time objectives are met. Backup media inherits the access-control and destruction standards applied to the corresponding primary system.
11.8 Security testing and review
Our security controls are reviewed at least annually and after any material change to our IT environment or to the threat landscape. Where the engagement risk profile warrants it, we commission independent penetration testing or vulnerability assessment by a qualified third-party tester, and we close findings on a timeline calibrated to severity.
11.9 No guarantee
Notwithstanding the controls described in this Section 11, no system of safeguards can be made absolutely secure. We do not warrant that the Website or any communication channel is free from interception, intrusion or compromise; we do undertake to apply, monitor and improve safeguards proportionate to the risk.
Section 12
12. Personal Data Breach Notification
In the event of a Personal Data Breach (as defined in Article 1 PDPL), we follow a documented incident-response procedure designed to identify, contain, eradicate and recover from the incident, to assess and report the breach in accordance with our legal obligations, and to capture lessons that strengthen future resilience.
Initial triage takes place as soon as we become aware of a potential breach. Where the breach is likely to prejudice the privacy, confidentiality or security of the affected data, we will notify the UAE Data Office in accordance with Article 9 PDPL, normally within seventy-two (72) hours of becoming aware of the breach, and provide the information required by the Data Office including the nature of the breach, the categories and approximate number of affected data subjects, the categories and approximate volume of affected records, the likely consequences and the measures taken or proposed to address the breach.
Where the breach is likely to result in a high risk to the rights and freedoms of affected data subjects, we will notify those data subjects directly without undue delay, in clear and plain language, describing the nature of the breach, the contact point for further information and the measures recommended to mitigate potential adverse consequences.
We maintain an internal Personal Data Breach register that records, for each incident, the facts of the breach, its effects and the remedial action taken, in line with the accountability principle in Article 4 PDPL. The register is reviewed periodically to identify trends and to inform improvements to our technical and organisational measures.
Section 13
13. Marketing Communications
Marketing communications are sent on an opt-in basis. We do not engage in unsolicited commercial messaging. Every marketing email contains a clearly labelled unsubscribe link, and every WhatsApp Business marketing message contains a STOP keyword instruction. Withdrawal of consent takes effect within seven (7) days of receipt, save where a transactional or service message is required.
We do not sell Personal Data to third parties, and we do not share Personal Data with third parties for their independent marketing purposes.
Section 14
14. Profiling and Automated Decision-Making
We do not make decisions producing legal effects on any data subject, or significantly affecting any data subject, solely on the basis of automated processing or profiling. Where automated tools assist with administrative tasks — for example, sanctions-list matching during AML screening or invoice anomaly detection — the output is reviewed by a qualified human before any decision is taken.
Section 15
15. Changes to this Policy
We may revise this Policy from time to time to reflect changes in law, regulatory guidance, the services we provide or the technology we use. The effective date and version reference at the top of this Policy will be updated whenever a revision is published.
Material changes — meaning changes that may meaningfully affect the rights of data subjects or the way Personal Data is processed — will be notified to affected individuals by email or by a prominent notice on the Website at least thirty (30) days before they take effect, save where an earlier effective date is required by law.
Section 16
16. Contact and Supervisory Authority
For any enquiry concerning this Policy, your Personal Data or the exercise of your rights, please contact the DPO using the details in Section 2.2.
The supervisory authority for the PDPL in the United Arab Emirates is the UAE Data Office. Information about the Data Office, including current contact details, is available at u.ae › Data Protection Laws. For DIFC-related processing, the supervisory authority is the Commissioner of Data Protection for the DIFC.
Section 17
17. Complaints
You have the right to lodge a complaint with the UAE Data Office, or with the Commissioner of Data Protection for the DIFC where applicable, in respect of any matter concerning the processing of your Personal Data. We would, however, encourage you to raise any concern with the DPO in the first instance so that we have an opportunity to investigate and resolve the matter directly.
Section 18
18. Glossary of Defined Terms
Capitalised terms used in this Policy have the meanings set out below.
18.1 Defined terms
- Client — A person or entity that has entered into an Engagement Letter with Velmont Crest.
- Controller — The natural or legal person who determines the purposes and means of the processing of Personal Data, as defined in Article 1 PDPL.
- Engagement Letter — The written agreement between Velmont Crest and a Client that records the scope, fees and terms of an engagement.
- Personal Data — Any data relating to an identified or identifiable natural person, as defined in Article 1 PDPL.
- Personal Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, as defined in Article 1 PDPL.
- Processor — A natural or legal person that processes Personal Data on behalf of the Controller, as defined in Article 1 PDPL.
- Sensitive Personal Data — Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, biometric data for the purpose of uniquely identifying a person, health data or data concerning sexual life or sexual orientation, as defined in Article 1 PDPL.
- Website — The website operated by Velmont Crest at velmontcrest.ae and any subdomain of it.
