Privacy Policy

Last updated: May 2026

1. Who We Are

TBC Business Consultancy L.L.C.-FZ (“TBC”, “we”, “us”, or “our”) is a free zone limited liability company registered in Dubai, U.A.E. (Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai). We are a business consultancy that introduces prospective investors to selected regulated financial and investment partners worldwide. We do not ourselves collect, process, or hold investor financial data, AML documentation, or KYC materials — that is handled by our regulated partners under their own policies once a referral is made.

TBC is the data controller in respect of the personal data we collect through this website and in the course of our introductory and consultancy activities.

Data Controller: TBC Business Consultancy L.L.C.-FZ
Contact: admin@thebusinessconsultancy.com
Registered address: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.

2. Scope of This Policy

This policy applies globally. It explains how we collect, use, share, and retain personal data when you visit our website, contact us, or engage with our introductory services — regardless of where in the world you are located.

Our approach to data protection is built around a set of universal principles: we collect only what we need, we use it only for the purpose it was collected, we do not sell it, we protect it, and we respect your right to understand and control how it is used. These principles are consistent with the data protection standards recognised in the major regulatory frameworks around the world, including — but not limited to — those in the UAE, the UK, the European Union, the United States, Canada, Australia, and Singapore.

Where you are referred by us to a regulated investment or financial partner, that partner will process your personal data — including any financial, identity, or compliance information they require — as an independent data controller under their own privacy policy. We are not responsible for that processing and will direct you to the relevant partner’s privacy notice at the point of referral.

3. What Personal Data We Collect

3.1 Data you provide to us

When you contact us through our website, complete an enquiry form, or correspond with us by email, telephone, or other means, we may collect:

• Your name and contact details (email address, phone number, country of residence)
• The nature of your enquiry or investment interest
• Any other information you choose to include in your communication

We collect only what is reasonably necessary to respond to your enquiry or to provide the introductory service you have requested. We do not ask for financial account details, identity documents, or source of funds information — if any of those are required, that process is handled by our regulated partners.

3.2 Data collected automatically

When you visit our website, limited technical data is collected automatically, including:

• IP address and browser type
• Pages visited and time spent on the site
• Referring website or search terms

This data is collected via Google Analytics and is used in aggregated, anonymised form to understand how visitors use our site. We do not use advertising tracking pixels (such as Meta Pixel or LinkedIn Insight Tag) on this website.

4. How and Why We Use Your Data

We use the personal data we collect for the following purposes:

Responding to enquiries

To respond to messages or questions submitted through our website or by other means.

Lawful basis: Legitimate interests — you have contacted us and we have a clear interest in responding. We apply this basis only where it does not override your rights and freedoms.

Investor introductions

Where you have expressed interest in investment products, we may use your contact details to refer you to a selected regulated partner. We will identify the partner and seek your agreement before sharing your details.

Lawful basis: Consent — obtained clearly at the point of referral. You may withdraw consent at any time (see Section 5). In some cases, where the referral is the service you have explicitly requested, we may rely on the performance of a contract or legitimate interests as an alternative basis.

Website analytics

To understand how our website is used and to improve its content and performance.

Lawful basis: Legitimate interests — improving our website. Analytics data is anonymised and aggregated before we review it.

Legal compliance and protection

To comply with any legal obligation to which we are subject in any jurisdiction, or to establish, exercise, or defend legal rights.

Lawful basis: Legal obligation or legitimate interests.

On Legitimate Interests: Where we rely on legitimate interests, we have assessed that our interest is narrow, proportionate, and not overridden by your rights. You have the right to object to this processing at any time — see Section 9.

5. Consent and How to Withdraw It

Where we rely on consent — primarily when referring your details to an investment partner — we will ask for it clearly and separately. Consent is never a condition of using our website or making an enquiry.

You may withdraw consent at any time by contacting us at admin@thebusinessconsultancy.com. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal. Once consent is withdrawn we will stop the relevant processing, though we may retain a record of the referral where we are required to do so by law.

6. Who We Share Your Data With

6.1 Investment and financial partners

Where you have consented, or where it is necessary to provide the introductory service you have requested, we may share your contact details and the general nature of your investment enquiry with selected regulated partners. Those partners then act as independent data controllers for all further processing — including KYC, AML, and financial onboarding — and their own privacy policies apply from that point. We will always identify the partner before making a referral.

6.2 Service providers acting on our behalf

We use a small number of third-party technology providers who process personal data on our behalf as data processors. These currently include:

• Google LLC — website analytics (Google Analytics). Data is anonymised before we review it and is processed under Google’s data processing terms.
• Go High Level — CRM and contact management. Used to manage enquiries and communications.
• Google Workspace — email and productivity. Used for business correspondence.

All processors are contractually required to process data only on our instructions and to maintain appropriate security standards. We review our processors periodically and will update this list if it changes materially.

6.3 Professional and legal advisors

We may share data with solicitors, legal advisors, or other professional advisors where necessary to obtain advice or protect our legal rights. Those advisors are bound by their own professional confidentiality obligations.

6.4 Legal and regulatory requirements

We may disclose personal data where required to do so by law, court order, or a competent regulatory or government authority in any jurisdiction. We will, where legally permitted, notify you of such a requirement before disclosing.

We do not sell, rent, or trade personal data to or with third parties.

7. International Data Transfers

TBC is based in Dubai, U.A.E. and operates globally. Personal data we collect may be transferred to, stored, or processed in countries other than your country of residence, including the UAE, the UK, and other jurisdictions where our service providers operate.

We take a principles-based approach to international transfers. Regardless of where data is processed, we apply the same standards of protection described in this policy. Where we share data with service providers in other countries, we take reasonable steps to ensure appropriate safeguards are in place — for example, through contractual protections, processor agreements, or equivalent mechanisms recognised under applicable law.

If you are located in the UK or EU and have concerns about the transfer of your data to the UAE or other countries, please contact us at admin@thebusinessconsultancy.com for further information about the safeguards we apply.

8. How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. Our general retention periods are as follows:

Category of data	Retention period
Website enquiry / contact form data	2 years from last contact, unless an ongoing relationship is established
Referral records	5 years from date of referral, to meet legal and regulatory obligations across applicable jurisdictions
Website analytics data	26 months (Google Analytics default), in anonymised and aggregated form only
Business correspondence	5 years from the end of the relevant engagement
Records required by law	As required by applicable law in the relevant jurisdiction (typically 5–7 years)

9. Your Rights

Regardless of where you are located, we respect your right to understand and control how your personal data is used. Depending on your jurisdiction, you may have some or all of the following rights:

• Access — to request a copy of the personal data we hold about you
• Rectification — to ask us to correct inaccurate or incomplete data
• Erasure — to ask us to delete your data where there is no longer a lawful basis to retain it
• Restriction — to ask us to limit how we process your data in certain circumstances
• Portability — to receive your data in a structured, machine-readable format
• Objection — to object to processing based on legitimate interests
• Withdrawal of consent — at any time, where consent is the lawful basis
• Non-discrimination — we will never treat you differently for exercising any of these rights

To exercise any of these rights, contact us at admin@thebusinessconsultancy.com. We will respond within 30 days. We may need to verify your identity before processing your request. There is no charge for making a request unless it is manifestly unfounded or excessive.

9.1 Supervisory authorities and regulators

If you are not satisfied with our response to a privacy concern, you have the right to escalate to a supervisory authority or regulator. The relevant authority will depend on your location. Examples include:

• United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
• European Union: The supervisory authority in your country of residence
• UAE: The UAE Data Office
• United States (California): California Privacy Protection Agency — cppa.ca.gov
• Australia: Office of the Australian Information Commissioner — oaic.gov.au
• Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
• Singapore: Personal Data Protection Commission — pdpc.gov.sg

For residents of other jurisdictions, we will provide details of the relevant authority upon request.

10. Our Approach to Global Data Protection Law

TBC operates internationally and our privacy practices are designed to meet a globally recognised standard of data protection, rather than being built around any single jurisdiction’s rules. The core principles we follow — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability — are consistent with the frameworks in place across the major regulatory regimes worldwide.

Where the laws of a specific jurisdiction apply to the processing of your data and impose additional obligations on us, we will comply with those requirements. Key frameworks we recognise include:

• UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) — our primary framework as a UAE-registered entity
• UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
• EU General Data Protection Regulation (EU GDPR, Regulation 2016/679)
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) — applicable to California residents (see Section 10.1 below)
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws
• Australia’s Privacy Act 1988 and the Australian Privacy Principles
• Singapore Personal Data Protection Act 2012 (PDPA)

Where these frameworks overlap or conflict, we apply the higher standard of protection. If you have a question about the specific framework applicable to your situation, contact us at admin@thebusinessconsultancy.com.

10.1 Additional rights for California residents (CCPA / CPRA)

If you are a resident of California, U.S.A., you have additional rights under the CCPA and CPRA, including:

• The right to know what personal information we have collected, disclosed, or sold about you in the past 12 months
• The right to delete personal information we hold about you, subject to certain exceptions
• The right to correct inaccurate personal information
• The right to opt out of the sale or sharing of personal information — TBC does not sell or share personal information for cross-context behavioural advertising
• The right to limit the use of sensitive personal information — TBC does not collect sensitive personal information as defined under CPRA
• The right to non-discrimination for exercising your privacy rights

To exercise your California rights, contact us at admin@thebusinessconsultancy.com. We will respond within 45 days as required by law. You may designate an authorised agent to make a request on your behalf.

11. Cookies

Our website uses cookies for basic analytics purposes only, via Google Analytics. These cookies collect data in an anonymised and aggregated form to help us understand how visitors use our site. We do not use advertising or behavioural tracking cookies, and we do not deploy third-party pixels such as Meta Pixel, Google Ads conversion tags, or LinkedIn Insight Tag.

You can control or disable cookies at any time through your browser settings. Most browsers allow you to refuse cookies or delete them. Disabling analytics cookies will not affect your ability to use our website.

If you are visiting from a jurisdiction that requires explicit cookie consent (such as the EU or UK), we will present you with appropriate consent options on your first visit.

12. Security

We maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or disclosure. These include access controls, encrypted communications, and limiting data access to those with a genuine operational need.

No system is completely secure. If you have reason to believe that your personal data has been compromised in connection with TBC, please notify us immediately at admin@thebusinessconsultancy.com. Where we are required by law to notify you or a regulatory authority of a data breach, we will do so within the timeframe required.

13. Children

Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at admin@thebusinessconsultancy.com and we will delete it promptly.

14. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, the services we offer, or applicable law. The “Last updated” date at the top of this document will always reflect the current version. Where changes are material, we will take reasonable steps to bring them to your attention — for example, by posting a notice on our website.

We encourage you to review this policy periodically. Continued use of our website after an update constitutes acknowledgement of the revised policy.

15. Contact Us

For any questions about this policy, to exercise your rights, or to raise a concern about how we handle your data, please contact us:

Email: admin@thebusinessconsultancy.com
Post: TBC Business Consultancy L.L.C.-FZ, Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.

We aim to respond to all privacy-related requests within 30 days. For California residents, we will respond within 45 days as required under CCPA/CPRA.