Privacy Policy
3. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance and to act as a point of contact for data protection matters.
Data Protection Officer: Khaled Shivji
Email: compliance@sail.legal
Alternative Email: khaled@sail.legal
You can contact our DPO if you have any questions about our data protection practices, wish to exercise your data protection rights, or have concerns about how we handle your personal data.
4. Information we collect and how we use it
We collect and process various types of personal data depending on your relationship with us. The categories of personal data we may collect include:
4.1 Recruitment and Employment Data
When you apply for a position with S.AI.L, or during the course of your employment, we may collect and process the following personal data:
Contact Details: including your name, address, telephone number, and personal email address
Date of birth: for identity verification and right to work confirmation
Identification documents: a copy of the photo page from your passport(s), driving licences, other photo identification
Employment history: including job applications, employment references, and details of secondary employment
Education history: including qualifications, certificates, and academic records
Right to work information: documentation demonstrating your legal right to work in the relevant jurisdiction
Criminal conviction data: details of any criminal convictions where legally permitted and relevant to the role, including Disclosure and Barring Service (DBS), Access NI, or Disclosure Scotland checks
We use this information for the following purposes:
To assess your suitability for employment
To verify your identity and right to work
To conduct pre-employment screening and background checks where legally permitted
To maintain employment records and fulfill our legal obligations as an employer
To communicate with you throughout the recruitment process
To comply with health and safety requirements
To administer payroll, benefits, and other employment-related matters
4.2 Client and Business Partner Data
When you engage with us as a client or business partner, we may collect and process:
Contact information: including names, job titles, business addresses, telephone numbers, and business email addresses
Professional information: including company details, role descriptions, and areas of expertise
Communication records: including correspondence, meeting notes, and call records Financial information: including billing details, payment information, and transaction records
Project information: including details of services provided, project outcomes, and performance metrics
We use this information for:
Providing our consulting and advisory services
Managing client relationships and communications
Processing payments and maintaining financial records
Improving our services and developing new offerings
Complying with legal and regulatory requirements
Marketing our services (where you have consented or we have a legitimate interest)
4.3. Website and Digital Communications Data
When you visit our website or interact with our digital communications, we may collect:
Technical information: including IP addresses, browser types, device information, and operating systems
Usage data: including pages visited, time spent on our website, and navigation patterns
Communication preferences: including newsletter subscriptions and marketing preferences
Cookies and similar technologies: as described in our cookies policy
We use this information to:
Provide and improve our website functionality
Analyse website usage and performance
Deliver relevant content and communications
Ensure website security and prevent fraud
Comply with legal obligations
4.4. Marketing and Communications Data
With your consent or where we have a legitimate interest, we may collect and process:
Contact preferences: including communication channels and frequency preferences
Marketing data: including responses to marketing campaigns and engagement metrics
Event participation: including attendance at webinars, conferences, and other events
Professional interests: including areas of expertise and industry focus
We use this information to:
Send you relevant marketing communications and updates
Invite you to events and webinars
Provide you with industry insights and thought leadership content
Improve our marketing effectiveness and customer experience
Legal basis for processing your data
5.1 Consent
We rely on your consent for:
Marketing communications and newsletters
Nonessential cookies and tracking technologies
Certain types of data sharing with third parties
Processing special category data where required
Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal
5.2 Contract
We process your personal data where it is necessary for the performance of a contract with you or to take steps at your request before entering into a contract. This includes:
Processing employment contracts and related obligations
Delivering consulting and advisory services to clients
Managing client relationships and service delivery
Processing payments and maintaining financial records
5.3. Legal Obligation
We process your personal data where we have a legal obligation to do so, including:
Compliance with employment law requirements
Tax and accounting obligations
Anti-money laundering, anti-terrorist financing and know your customer requirements
Health and safety obligations
Regulatory reporting requirements
5.4. Legitimate Interests
We may process your personal data where it is necessary for our legitimate interests or those of a third party, provided your fundamental rights and freedoms do not override those interests. Our legitimate interests include:
Operating and improving our business
Ensuring network and information security
Preventing fraud and criminal activity
Direct marketing to existing clients and prospects
Maintaining business records and archives
Defending legal claims and protecting our rights
5.5. Special Category Data
Where we process special category data (such as criminal conviction data for background checks), we rely on additional legal bases that comply with legislation, including:
Explicit consent where required
Employment law obligations
Substantial public interest grounds
Legal claims and judicial proceedings
We may share your personal data with the following categories of recipients:
6.1 Group Companies
We may share your personal data with companies wholly or partially owned by S.AI.L as well as our parent company Exec X AI Ltd. This sharing enables us to:
Provide integrated services across our group
Share resources and expertise
Maintain consistent data protection standards
Deliver comprehensive solutions to our clients
All group companies are required to protect your personal data in accordance with this privacy policy and applicable data protection laws
6.2 Employer of Record Services
If you have applied to work for S.AI.L, we may share your personal details with our employer of record (EOR) aggregated service provider, RemoFirst, Inc ("RemoFirst"). RemoFirst provides employment services that enable us to engage personnel in jurisdictions where we do not have a direct legal presence. RemoFirst's privacy policy can be found at: https://www.remofirst.com/legal/privacypolicy
RemoFirst may further share your details with its in-country EOR partners as necessary to facilitate employment arrangements in specific jurisdictions. All such sharing is conducted in accordance with applicable data protection laws and contractual safeguards.
6.3 Professional Service Providers
If you submit a request to S.AI.L to establish a communications channel via email, video call, telephone call, social media messaging or app-based messaging such as WhatsApp, we will send your personal details to Pipedrive, Inc ("Pipedrive) which provides a customer relations management ("CRM") service to S.AI.L in the capacity of a data controller
We may share your personal data with professional advisors and service providers, including:
Legal advisors and law firms
Accountants and auditors
IT service providers and cloud hosting companies
Marketing and communications agencies
Recruitment agencies and background check providers
Insurance providers
Banking and payment processing services
All service providers are required to maintain appropriate technical and organisational measures to protect your personal data and are contractually bound to process your data only in accordance with our instructions
6.4 Regulatory and Legal Authorities
We may share your personal data with regulatory authorities, law enforcement agencies, courts, and other public bodies where:
Required by law or legal process
Necessary to comply with regulatory obligations
Required to protect our rights, property, or safety
Necessary to prevent or investigate suspected criminal activity
Required for the administration of justice
6.5 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, we may transfer your personal data to the relevant third parties. We will ensure that any such transfer is conducted in accordance with applicable data protection laws and that appropriate safeguards are in place
International transfers of personal data
We may transfer your personal data to countries outside the European Economic Area (EEA), United Kingdom, and Dubai International Financial Centre. When we do so, we ensure that appropriate safeguards are in place to protect your personal data
7.1 Transfers to RemoFirst, Inc.
Organisation: RemoFirst, Inc.
Category of recipient: Employer of record service provider
Country: United States
Safeguards: The transfer is made on the basis that the United States has been assessed as providing adequate protection to data subjects under applicable adequacy regulations or data bridge arrangements
7.2. Transfers to Exec X AI Ltd
Organisation: Exec X AI Ltd
Category of recipient: Parent company providing IT assets, IP, and shared services
Territory: Dubai International Financial Centre (DIFC)
Safeguards: The transfer is made on the basis that the DIFC has been assessed as providing adequate protection to data subjects under applicable adequacy regulations or data bridge arrangements
7.3 Transfers to Pipedrive, Inc
Category of recipient: SaaS - CRM
Country: United States
Safeguards: The transfer is made on the basis that the United States has been assessed as providing adequate protection to data subjects under applicable adequacy regulations or data bridge arrangements
7.4. Other International Transfers
Where we transfer personal data to other countries that do not have an adequacy decision, we implement appropriate safeguards, including:
Standard contractual clauses approved by the relevant supervisory authorities
Binding corporate rules where applicable
Certification schemes and codes of conduct
Specific derogations under data protection legislation where applicable
You can obtain copies of the safeguards we have in place for international transfers by contacting us using the details provided in this privacy policy
How long do we keep your personal data
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements
8.1 General Retention Period
Unless otherwise specified, we will keep your personal data on file for one calendar year from the date of last interaction or the end of our relationship with you
8.2 Specific Retention Periods
Employment Records: We retain employment-related personal data for the duration of employment plus seven years after termination, or as required by applicable employment law
Client Records: We retain client-related personal data for the duration of our engagement plus seven years after completion of services, or as required by applicable professional and regulatory obligations
Financial Records: We retain financial and accounting records for seven years after the end of the relevant financial year, or as required by applicable tax and accounting laws
Marketing Data: We retain marketing-related personal data until you withdraw consent or object to processing, or for three years from last interaction, whichever is earlier
Legal Claims: We may retain personal data for longer periods where necessary to establish, exercise, or defend legal claims
8.3 Secure Disposal
When personal data is no longer required, we securely delete or destroy it in accordance with our data retention and disposal procedures. This includes both electronic and physical records
Your rights under data protection law
You have various rights in relation to your personal data under applicable data protection laws. These rights may vary depending on the legal basis for processing and the jurisdiction in which you are located
9.1 Right of Access
You have the right to request access to the personal data we hold about you. This includes the right to obtain:
Confirmation of whether we process your personal data
A copy of your personal data
Information about how we use your personal data
Details of who we share your personal data with
Information about international transfers
Details of how long we keep your personal data
9.2 Right to Rectification
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. We will respond to such requests without undue delay and will notify any third parties to whom we have disclosed the data of any corrections made
9.3. Right to Erasure (Right to be Forgotten)
You have the right to request that we delete your personal data in certain circumstances, including:
The personal data is no longer necessary for the original purpose
You withdraw consent and there is no other legal basis for processing
You object to processing and there are no overriding legitimate grounds
The personal data has been unlawfully processed
Deletion is required for compliance with a legal obligation
9.4. Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, including:
You contest the accuracy of the personal data
The processing is unlawful but you prefer restriction to deletion
We no longer need the data but you require it for legal claims
You have objected to processing pending verification of our legitimate grounds
9.5. Right to Object
You have the right to object to processing of your personal data in certain circumstances, including:
Processing based on legitimate interests
Direct marketing (including profiling for marketing purposes)
Processing for scientific, historical, or statistical
9.6. Right to Data Portability
Where we process your personal data based on consent or contract using automated means, you have the right to:
Receive your personal data in a structured, commonly used, and machine-readable format
Transmit your personal data to another controller without hindrance
Have your personal data transmitted directly to another controller where technically feasible
9.7. Right to Withdraw Consent
Where we process your personal data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal
9.8. Exercising Your Rights
To exercise any of these rights, please contact us using the details provided in this privacy policy. We will respond to your request without undue delay and in any event within one month of receipt. In complex cases, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it
We may request additional information to verify your identity before responding to your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request
Automated decision making and profiling
We may use automated tools and algorithms to assist with certain business processes, such as:
Screening job applications for relevant qualifications and experience
Analysing website usage patterns to improve user experience
Detecting and preventing fraudulent activity
Personalising marketing communications to support our sales teams prior to your engagement with SAIL as a potential client (if applicable), your interests and your preferences
In all cases, these automated tools are subject to human oversight and review to comply with our Responsible AI Policy. Significant decisions affecting you will involve human judgment and consideration of your individual circumstances
If we do engage in such processing, we will provide you with meaningful information about the logic involved, the significance, and the envisaged consequences of such processing, and you will have the right to obtain human intervention, express your point of view, and contest the decision
11. Criminal background checks
Where legally permitted and relevant to the role or engagement, we may use your personal data to conduct criminal background checks. This may include:
Disclosure and Barring Service (DBS) checks in the United Kingdom
Access NI checks in Northern Ireland
Disclosure Scotland checks in Scotland
Equivalent background checks in other jurisdictions where you may be employed
We will only conduct such checks where:
It is legally permitted under applicable law
It is necessary and proportionate for the role or engagement
We have a lawful basis for processing the data
You have been informed of the check and its scope
The results of background checks will be processed in accordance with applicable law and will only be used for the specific purposes for which they were obtained. We will retain such information only for as long as necessary and in accordance with our retention policy
12. Cookies and similar technologies
S.AI.L uses cookies and similar technologies to improve your experience on our website, understand how our site is used, and support our marketing efforts. Some cookies are essential for the site to function, while others help us personalise content and measure performance.
For full details about how we use cookies, please refer to our Cookie Policy
13. Changes to this privacy policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will notify you by:
Posting the updated policy on our website with a new effective date
Sending you an email notification if you have provided us with your email address
Providing notice through our services or other appropriate means
We encourage you to review this privacy policy periodically to stay informed about how we protect your personal data. Your continued use of our services after any changes to this privacy policy will constitute your acceptance of such changes
How to contact us and how to file complaints
If you have any questions, concerns, or complaints about this privacy policy or our data protection practices, please contact us using the following details:
Email: compliance@sail.legal
Data Protection Officer: Khaled Shivji
DPO Email: compliance@sail.legal or khaled@sail.legal
We take all privacy concerns seriously and will investigate any complaints promptly and thoroughly. We aim to respond to all enquiries within one month of receipt
14.1 Right to Complain to Supervisory Authorities
If you are not satisfied with our response to your complaint or believe that we are processing your personal data in a way that is not lawful, you have the right to lodge a complaint with the relevant supervisory authority. The supervisory authority you can complain to may depend on where you live, where you work, or where you believe the infringement took place.
For complaints in the United Kingdom:
Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF | Telephone: 0303 123 1113 | Website: https://www.ico.org.uk/makeacomplaint
For complaints in the European Union:
You can find details of your local supervisory authority at: https://edpb.europa.eu/aboutedpb/board/members_en
For complaints in the DIFC:
DIFC Commissioner of Data Protection, Dubai International Financial Centre Authority, Level 14, The Gate Building | Telephone: +971 4 362 2222 | Email: commissioner@dp.difc.ae