Privacy Policy
This policy sets out how WEALTH CASTLE – FZCO ("Wealth Castle", "we", "us") handles personal information collected from prospects, clients, and visitors to thewealthcastle.com. We treat the confidentiality of client information as a matter of practice principle, not a regulatory afterthought. This page describes what we collect, why, how long we keep it, and the rights you hold over it under UAE Federal Decree-Law No. 45 of 2021 (the Personal Data Protection Law, "PDPL") and, where applicable, the EU General Data Protection Regulation ("GDPR").
1. Who we are
Wealth Castle – FZCO is a UAE corporate-services practice licensed by the International Free Zone Authority (IFZA) and registered at Building A1, Dubai Digital Park, IFZA Properties, Dubai Silicon Oasis, Dubai, United Arab Emirates. Our Tax Registration Number is 104243824000003. We are the controller of personal information collected through this website and through our engagement with you.
2. What we collect
We collect only the information we genuinely need to provide our services. The categories below are exhaustive — there is nothing we collect that is not listed here.
From prospects who contact us
- Your name and the name of any business or family entity you represent
- Email address and telephone number
- The structuring question or context you share in your initial enquiry
- Country of current residence or operation
- Preferred timing for an initial consultation
From clients we engage with
- Identity verification documents (passport, Emirates ID, proof of address, business registration)
- Source-of-funds and source-of-wealth documentation (required under UAE AML law)
- Beneficial ownership information for any entity we structure on your behalf
- Financial and tax-related documents you provide in the course of structuring
- Correspondence between us and you, and between us and third parties acting on your behalf
From all visitors to this website
- IP address and approximate geographic location (city / country)
- Browser type and operating system
- Pages visited and time spent (via privacy-respecting analytics — no cross-site tracking)
- Referring website, where applicable
3. Why we collect it
Each category is collected for a specific, limited purpose. We do not repurpose data collected for one reason for an unrelated purpose without your further consent.
- Lead qualification and consultation booking — to respond to your enquiry, schedule an initial conversation, and triage where in the architecture we can help.
- Engagement performance — to deliver the services you have engaged us to provide, including communicating with you and with regulators or third parties on your behalf.
- Legal and regulatory compliance — to meet our obligations under UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering, Cabinet Decision No. 58 of 2020 on Ultimate Beneficial Ownership, and the DNFBP supervisory regime. These obligations apply to all corporate-services providers in the UAE; we do not have discretion to disapply them.
- Internal record-keeping — to maintain accurate financial, tax, and engagement records as required by UAE corporate and VAT law.
- Website operation and security — to keep the site running and to detect abusive traffic.
4. Legal basis (GDPR-relevant visitors only)
For visitors in the EU/UK whose data is processed under GDPR or UK GDPR, our legal bases are:
- Consent — for the use of non-essential cookies and analytics, where you have explicitly accepted.
- Contract performance — to deliver services you have engaged us to provide.
- Legal obligation — to comply with our AML, sanctions screening, beneficial-ownership, and tax-record obligations under UAE law.
- Legitimate interests — for the security and operation of our website, where this is not overridden by your rights.
5. How long we keep it
We retain personal information only for as long as we have a documented reason to do so.
- Initial enquiries that do not become engagements are kept for 24 months from last contact, then deleted.
- Active client records are kept for the duration of the engagement plus the longer of (a) the statutory retention periods under UAE law (typically 5 years for AML records and 7 years for VAT records) or (b) 7 years from the closure of the engagement.
- Backups containing personal information are subject to a 90-day rolling deletion policy.
- Server logs containing IP addresses are retained for 30 days.
6. Who we share it with
We do not sell personal information. We do not share it with marketing networks, data brokers, advertising platforms, or any party that would use it for profiling or remarketing. The only parties who receive your data are the operational service providers and regulators below, and only the minimum required for the stated purpose.
Operational service providers (data processors)
- Calendly (USA) — to schedule consultation slots
- Resend (USA / EU) — to deliver email notifications and confirmations
- Hostinger (Lithuania / EU) — for website hosting and the dedicated virtual private server that holds our internal client and engagement records (Wealth Castle operates this server directly; client data is not held on third-party SaaS platforms)
- Cloudflare (USA) — for DNS, content delivery, and basic security
- Zoho Books (UAE data centre) — for invoicing and tax records
Regulators and statutory recipients
- The UAE Financial Intelligence Unit, where a suspicious transaction report is legally required
- The UAE Federal Tax Authority and IFZA registrar, for filings and notifications relating to your engagement
- Foreign tax authorities where required by tax-information-exchange agreements to which the UAE is party
Coordinated counsel (only with your instruction)
Where your engagement requires coordination with UAE law firms, foreign tax advisors, DIFC trustees, banking introducers, or estate counsel, we share only the information you authorise, only with the named counterpart, and only for the specific purpose. We confirm such sharing with you in writing before it happens.
7. International transfers
Some of our processors store data outside the UAE (typically in the United States or the European Union). Where data is transferred to a jurisdiction with personal-data protections deemed adequate by the UAE Data Office (or, for GDPR-covered data, by the European Commission), we rely on that adequacy decision. Where the jurisdiction is not adequacy-listed, we rely on standard contractual clauses agreed with the processor. We can provide details of the safeguards on request.
8. Your rights
Under UAE PDPL (and, where applicable, GDPR/UK GDPR) you have the following rights over your personal information.
- Access — to know what we hold and to receive a copy.
- Rectification — to correct anything that is inaccurate or incomplete.
- Erasure — to have your data deleted, subject to our statutory retention obligations.
- Restriction — to ask us to limit how we process your data while a question is resolved.
- Portability — to receive your data in a structured, machine-readable format.
- Objection — to object to processing based on legitimate interests.
- Withdrawal of consent — at any time, where processing is based on consent.
To exercise any of these rights, contact us at the address in section 11. We respond within 30 days. If we cannot meet a request because of a statutory obligation, we explain why in writing.
9. Cookies and tracking
We use the minimum cookies required for the site to function. We do not use marketing or advertising cookies, and we do not allow third parties to set tracking cookies through our site.
- Essential cookies — session management for our consultation booking form. These are set automatically and cannot be disabled if you wish to book a consultation.
- Functional cookies — set by Calendly if you engage with the scheduling widget. Calendly's own privacy policy applies to those cookies; you can decline them by booking via email instead of the form.
- Analytics cookies — used only with your explicit consent via the cookie banner. We use a privacy-respecting analytics provider that does not employ cross-site tracking, advertising IDs, or fingerprinting.
10. Security
We protect personal information through encryption in transit (TLS 1.3 on the website and all administrative interfaces), encryption at rest for client records, two-factor authentication on all administrative accounts, role-based access limited to staff who need the data, and regular audits of who has accessed what. We test our security posture quarterly. If we ever become aware of a breach affecting your personal data, we notify you and the relevant regulator within the timeframes required by law (72 hours under PDPL).
11. Contact us
Any privacy-related question, request, or complaint can be sent to:
Privacy Office, Wealth Castle – FZCO
Building A1, Dubai Digital Park
IFZA Properties, Dubai Silicon Oasis
Dubai, United Arab Emirates
Email: [email protected]
If you are unsatisfied with our response, you may lodge a complaint with the UAE Data Office or, if you are in the EU/UK, with your local supervisory authority.
12. Updates to this policy
We update this policy when our processing materially changes. The "last updated" date at the top of this page is authoritative. Material changes are notified to active clients by email. For prospects and visitors, the current version on this page applies; we encourage you to revisit it from time to time.