Last updated: 2026-04-08
Privacy Policy
Blooming Dunes Marketing – FZCO ("Blooming Dunes", "we", "us" or "our") is the data controller for personal data processed through bloomingdunes.com and in the course of providing our marketing services. Our registered office is IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates.
This Privacy Policy explains what personal data we collect, why we collect it, the legal bases on which we rely, how we share it, how long we keep it, and the rights you have. It is written to comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL") and, where applicable to visitors located in the European Economic Area or the United Kingdom, with Regulation (EU) 2016/679 ("GDPR").
1. Data we collect
We collect personal data only to the extent necessary to operate the website, respond to enquiries, and deliver the services you request. The categories we process are:
- Contact form data: name, email address, company (optional), phone number (optional), and the content of the message you send us.
- Newsletter data: the email address you provide if you subscribe to updates.
- Technical data: IP address, user-agent, approximate location derived from IP, pages visited, referrer, and timestamps. This data is processed by our hosting and security provider (Cloudflare) to deliver the site, prevent abuse and analyse traffic in aggregate.
- Anti-spam data: when you submit the contact form we run a Cloudflare Turnstile challenge, which processes a token and limited browser signals to verify you are not a bot.
- Cookies: a single first-party cookie that stores your cookie-consent choice. We do not currently run analytics, advertising or tracking cookies.
2. Why we use your data and our legal basis
| Purpose | Legal basis (GDPR) | Lawful ground (PDPL) |
|---|---|---|
| Reply to your contact-form enquiry | Steps taken at your request prior to entering a contract (Art. 6(1)(b)) | Necessary to take steps at the data subject's request |
| Provide marketing services under a signed engagement | Performance of a contract (Art. 6(1)(b)) | Performance of a contract |
| Send the newsletter you subscribed to | Consent (Art. 6(1)(a)) | Consent |
| Operate the website, ensure security, prevent abuse | Legitimate interests (Art. 6(1)(f)) | Necessary for legitimate interests |
| Comply with tax, accounting and legal obligations | Legal obligation (Art. 6(1)(c)) | Compliance with a legal obligation |
3. How we share data
We do not sell your personal data. We share it only with the following categories of processors, each bound by written agreements that require an adequate level of protection:
- Cloudflare, Inc. — hosting (Cloudflare Pages), CDN, DDoS protection and Turnstile bot mitigation.
- Resend (Resend.com, Inc.) — transactional email delivery for contact-form submissions.
- Professional advisors — accountants, auditors and legal counsel, where strictly necessary.
- Public authorities — where we are legally required to disclose data.
4. International transfers
Some of our processors are located outside the UAE and outside the EEA, including in the United States. Where personal data is transferred outside the EEA we rely on the European Commission's Standard Contractual Clauses or another lawful transfer mechanism. Where data is transferred outside the UAE we rely on the cross-border transfer mechanisms recognised by Article 22 of the PDPL.
5. Retention
- Contact-form messages: kept for up to 24 months after the last interaction, then deleted.
- Client records: kept for the duration of the engagement and for 5 years afterwards to comply with UAE accounting and tax record-keeping requirements.
- Newsletter subscribers: kept until you unsubscribe, after which your address is removed within 30 days.
- Server logs and Turnstile tokens: kept for up to 30 days.
6. Your rights
Subject to the conditions set out in the PDPL and the GDPR, you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure ("right to be forgotten");
- restrict or object to the processing of your data;
- request data portability;
- withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
- lodge a complaint with the UAE Data Office or, if you are in the EU, with your local supervisory authority.
To exercise any of these rights please email [email protected]. We will respond within 30 days.
7. Security
We apply reasonable technical and organisational measures to protect personal data: TLS encryption in transit, access controls, least-privilege credentials, secret rotation, and continuous monitoring on our hosting platform. No system is perfectly secure; if we ever become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify the competent authority and, where required, the affected individuals without undue delay.
8. Children
Our services are directed at businesses and adult professionals. We do not knowingly process personal data of children under the age of 18. If you believe a child has provided us with personal data, please contact us so we can delete it.
9. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the most recent revision took effect. Material changes will be communicated through a prominent notice on the website.
10. Contact
Questions, requests or complaints regarding this Privacy Policy should be addressed to:
Blooming Dunes Marketing – FZCO
IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
Email: [email protected]