Privacy Policy
Agreement between
Between
Aurum Wheels Cars rental S.P.S LLC
And:
[USERS/DATA SUBJECTS]
Parties
(1) Aurum Wheels Cars rental S.P.S LLC, a limited liability company incorporated under the laws of the United Arab Emirates, having its registered office at Rashideya 3, City Center Sector, Ajman, United Arab Emirates (hereinafter referred to as “the Company“, “we“, “us“, or “our“), acting as the data controller responsible for the collection, processing, and protection of personal information in accordance with applicable UAE data protection laws.
(2) [USERS/DATA SUBJECTS], being individuals who interact with the Company’s services, website, mobile applications, or any other platforms operated by the Company, including but not limited to customers, prospective customers, website visitors, and any other persons whose personal data is collected, processed, or handled by the Company (hereinafter referred to as “you“, “your“, “Data Subject“, or “User“).
Background
Aurum Wheels Cars rental S.P.S LLC is committed to protecting and respecting the privacy and personal information of all individuals who engage with our car rental services, website, mobile applications, and related platforms.
The Company operates as a vehicle rental service provider in the United Arab Emirates, offering short-term and long-term car rental solutions to customers in Ajman and surrounding emirates.
In the course of providing our rental services, the Company necessarily collects, processes, stores, and manages personal data from customers, prospective customers, and website visitors to facilitate bookings, process payments, verify driver eligibility, and ensure compliance with applicable laws and regulations.
The Company recognizes its legal obligations under the data protection laws of the United Arab Emirates, including but not limited to Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and is committed to implementing appropriate technical and organizational measures to safeguard personal information.
This Privacy Policy has been developed to ensure transparency regarding our data processing activities, to inform Data Subjects of their rights, and to demonstrate our commitment to maintaining the highest standards of data protection and privacy in our business operations.
The Company acknowledges that trust is fundamental to our customer relationships and that protecting personal data is essential for maintaining this trust while delivering efficient and reliable car rental services.
Definitions
Anonymization means the process of removing or altering personal data in such a way that the Data Subject can no longer be identified directly or indirectly.
Biometric Data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, including fingerprints, facial recognition data, or voice patterns.
Consent means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they signify agreement to the processing of personal data relating to them.
Controller or Data Controller means Aurum Wheels Cars rental S.P.S LLC, being the natural or legal person who determines the purposes and means of the processing of personal data.
Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Processing Agreement means a contract between the Controller and a Processor governing the processing of personal data on behalf of the Controller.
Data Protection Authority means the UAE Data Office or any successor regulatory body responsible for the enforcement of data protection laws in the United Arab Emirates.
Data Subject means an identified or identifiable natural person whose personal data is collected, processed, or stored by the Company.
Legitimate Interests means the lawful basis for processing personal data where such processing is necessary for the purposes of legitimate interests pursued by the Controller, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject.
Personal Data means any information relating to an identified or identifiable natural person, including but not limited to names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.
Processing means any operation performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
Processor means a natural or legal person who processes personal data on behalf of the Controller.
Profiling means any form of automated processing of personal data intended to evaluate, analyze or predict aspects concerning a Data Subject’s performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately.
Rental Services means the car rental and related services provided by the Company, including vehicle hire, insurance arrangements, roadside assistance, and ancillary services.
Sensitive Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation.
Third Country means any country outside the United Arab Emirates where personal data may be transferred or processed.
Third Party means any natural or legal person other than the Data Subject, Controller, Processor, and persons authorized to process personal data under the direct authority of the Controller or Processor.
UAE Data Protection Laws means Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and any implementing regulations, guidelines, or successor legislation relating to data protection in the United Arab Emirates.
Data Controller Information
The Data Controller for the purposes of this Privacy Policy is Aurum Wheels Cars rental S.P.S LLC, a limited liability company duly incorporated and registered under the laws of the United Arab Emirates.
The Company’s principal place of business is located at City Center Sector, Rashideya 3, Ajman, United Arab Emirates.
For all inquiries, requests, or communications relating to the processing of Personal Data or this Privacy Policy, Data Subjects may contact the Company using the following details:
Email address: [INSERT EMAIL ADDRESS]
Telephone number: [INSERT PHONE NUMBER]
Postal address: Aurum Wheels Cars rental S.P.S LLC, City Center Sector, Rashideya 3, Ajman, United Arab Emirates
The Company’s commercial registration number is [INSERT COMMERCIAL REGISTRATION NUMBER] and its tax registration number is [INSERT TAX REGISTRATION NUMBER].
Where the Company has appointed a Data Protection Officer or designated privacy contact person, their contact details will be made available upon request or published on the Company’s website.
Types of Personal Data Collected
The Company collects and processes various categories of Personal Data from Data Subjects in connection with the provision of Rental Services and the operation of our business.
Identity and Contact Information collected includes:
Full name as appearing on official identification documents;
Date of birth and age verification details;
Nationality and country of residence;
Government-issued identification numbers including Emirates ID, passport numbers, and visa details;
Contact details including telephone numbers, email addresses, and residential or business addresses;
Emergency contact information.
Driving and Vehicle-Related Information collected includes:
Driving license details including license number, issuing authority, expiry date, and driving categories;
International driving permit information where applicable;
Driving history and traffic violation records;
Vehicle preferences and rental requirements.
Financial and Payment Information collected includes:
Credit card and debit card details including card numbers, expiry dates, and security codes;
Bank account information for direct debits or refunds;
Billing addresses and payment history;
Credit checks and financial verification data.
Rental Transaction Data collected includes:
Booking details including rental dates, pickup and drop-off locations, and vehicle specifications;
Rental agreements and contract terms;
Vehicle condition reports and inspection records;
Mileage records and fuel consumption data;
Insurance claims and incident reports;
Customer service interactions and correspondence.
Technical and Digital Information collected includes:
IP addresses, browser types, and device identifiers;
Website usage data, cookies, and analytics information;
Mobile application usage and location data where permitted;
Login credentials and account access information.
Additional Information may be collected including:
Photographs for identification verification purposes;
CCTV footage from Company premises;
Voice recordings from customer service calls;
Marketing preferences and communication history;
Feedback, reviews, and survey responses.
The Company may also collect Personal Data from third parties including credit reference agencies, fraud prevention services, and business partners where legally permitted and necessary for the provision of Rental Services.
Lawful Basis for Processing
The Company processes Personal Data only where it has a valid lawful basis under UAE Data Protection Laws and in accordance with the principles of data minimization and purpose limitation.
Contractual Necessity: The Company processes Personal Data where such processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract.
This includes processing required for vehicle rental agreements, booking confirmations, payment processing, vehicle delivery and collection, insurance arrangements, and customer support services.
Processing under this basis encompasses identity verification, driving license validation, credit checks, damage assessments, and billing procedures essential to fulfilling rental contracts.
Legitimate Interests: The Company may process Personal Data where such processing is necessary for the purposes of legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
Legitimate interests include fraud prevention, debt recovery, business analytics, service improvement, fleet management, and maintaining accurate customer records.
The Company conducts regular legitimate interests assessments to ensure processing remains proportionate and does not unduly impact Data Subject rights.
Legal Compliance: Personal Data is processed where necessary to comply with legal obligations to which the Company is subject under UAE law or other applicable jurisdictions.
This includes compliance with traffic regulations, anti-money laundering requirements, tax obligations, law enforcement requests, and regulatory reporting duties.
Consent: Where required by law or where no other lawful basis applies, the Company will obtain explicit consent from Data Subjects for specific processing activities.
Consent will be freely given, specific, informed, and unambiguous, and may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Vital Interests: Personal Data may be processed where necessary to protect the vital interests of the Data Subject or another natural person, including emergency situations involving vehicle accidents or medical emergencies.
The Company will clearly communicate the relevant lawful basis for processing to Data Subjects at the time of data collection and will not process Personal Data for purposes incompatible with the original lawful basis without obtaining additional legal grounds.
Purposes of Data Processing
The Company processes Personal Data for the following primary purposes in connection with its Rental Services:
Processing and managing vehicle rental reservations, bookings, and agreements;
Verifying customer identity and eligibility to rent vehicles;
Conducting driving license verification and validation;
Processing rental payments, security deposits, and related financial transactions;
Managing vehicle delivery, collection, and return logistics;
Monitoring vehicle usage, location, and condition during rental periods;
Processing insurance claims and handling accident reports;
Calculating and collecting additional charges, fees, and penalties.
The Company processes Personal Data for customer relationship management purposes including:
Communicating with customers regarding rental services, bookings, and account matters;
Providing customer support and responding to inquiries;
Maintaining customer records and rental history;
Managing customer loyalty programs and benefits;
Conducting customer satisfaction surveys and feedback collection.
The Company processes Personal Data for business administration and legal compliance purposes including:
Complying with applicable laws, regulations, and legal obligations;
Responding to requests from government authorities and law enforcement;
Maintaining accounting records and financial reporting;
Conducting internal audits and risk assessments;
Protecting against fraud, theft, and other criminal activities;
Defending legal claims and enforcing contractual rights.
The Company may process Personal Data for marketing and business development purposes including:
Sending promotional materials and marketing communications where Consent has been obtained;
Analyzing customer preferences and rental patterns to improve services;
Developing new products and services;
Conducting market research and business analytics.
The Company processes Personal Data to maintain and improve its technology platforms including:
Operating and maintaining websites and mobile applications;
Providing technical support and troubleshooting;
Implementing security measures and preventing unauthorized access;
Analyzing website and application usage patterns.
Data Collection Methods
The Company collects Personal Data through various methods as outlined in this section, ensuring that all collection practices comply with UAE Data Protection Laws and are necessary for the provision of Rental Services.
Direct Collection from Data Subjects
Personal Data is collected directly from customers during the rental booking process, including information provided in person at rental locations, over the telephone, or through written correspondence.
Identity verification procedures require customers to present original identification documents, driving licenses, and payment instruments, from which relevant Personal Data is recorded and copied.
Vehicle inspection processes involve collecting customer signatures, photographic records of vehicle condition, and any reported damages or concerns.
Website and Online Platforms
The Company’s website collects Personal Data through online booking forms, contact forms, newsletter subscriptions, and user account registration processes.
Automated collection occurs through cookies, web beacons, and similar tracking technologies that gather information about website usage patterns, browser types, and device characteristics.
IP addresses, geolocation data, and browsing behavior are recorded to enhance user experience and prevent fraudulent activities.
Mobile Applications
Mobile applications collect Personal Data through user registration, booking processes, and location services when enabled by the Data Subject.
Device-specific information including device identifiers, operating system details, and application usage statistics are automatically collected.
Push notification preferences and communication settings are recorded based on user selections within the application.
Third-Party Sources
Personal Data may be obtained from credit reference agencies and fraud prevention services to verify customer identity and assess rental eligibility.
Payment processors and financial institutions provide transaction-related information necessary for processing rental payments and security deposits.
Insurance providers and claims management companies may share relevant Personal Data in connection with vehicle damage claims or incident reports.
Marketing partners and affiliate networks may provide customer referral information and promotional engagement data with appropriate Consent.
Customer Communication Channels
Email communications, live chat interactions, and customer service calls are recorded and stored to maintain service quality and resolve customer inquiries.
Social media interactions and reviews posted on third-party platforms may be collected for reputation management and service improvement purposes.
CCTV and Security Systems
Video surveillance systems at rental locations capture images and recordings for security purposes and vehicle handover documentation.
GPS tracking devices installed in rental vehicles collect location and usage data during the rental period for fleet management and security purposes.
Data Sharing and Disclosure
The Company may share Personal Data with third parties only in accordance with this Privacy Policy and applicable UAE Data Protection Laws.
Service Providers and Processors
The Company may disclose Personal Data to third-party service providers who assist in delivering Rental Services, including payment processors, insurance providers, vehicle maintenance companies, and technology service providers.
All service providers are required to enter into Data Processing Agreements that ensure adequate protection of Personal Data and restrict processing to the purposes specified by the Company.
Legal and Regulatory Authorities
Personal Data may be disclosed to government authorities, law enforcement agencies, courts, or regulatory bodies when required by applicable law or legal process.
The Company may share Personal Data to comply with valid subpoenas, court orders, search warrants, or other legally binding requests from authorized authorities.
Disclosure may occur to investigate suspected criminal activities, prevent fraud, or protect the safety and security of individuals or property.
Business Partners
Personal Data may be shared with authorized dealers, affiliate companies, or strategic business partners solely for the purpose of facilitating vehicle rentals and related services.
Such sharing is limited to the minimum Personal Data necessary to fulfill the specific business purpose and is subject to appropriate confidentiality agreements.
Business Transfers
In the event of a merger, acquisition, sale of assets, or similar business transaction, Personal Data may be transferred to the acquiring entity as part of the business assets.
Data Subjects will be notified of any such transfer and any changes to data processing practices resulting from the transaction.
Emergency Situations
Personal Data may be disclosed without prior consent in emergency situations to protect the vital interests of Data Subjects or third parties, including medical emergencies or immediate safety threats.
Anonymized and Aggregated Data
The Company may share anonymized or aggregated data that cannot reasonably be used to identify individuals for business analytics, market research, or statistical purposes.
Consent-Based Sharing
Personal Data may be shared with third parties when explicit Consent has been obtained from the Data Subject for the specific purpose and recipient.
International Data Transfers
The Company may transfer Personal Data outside the UAE to Third Countries in connection with the provision of Rental Services, technical support, data storage, payment processing, and other legitimate business purposes.
International transfers of Personal Data shall only occur where:
the transfer is necessary for the performance of a contract between the Company and the Data Subject;
the transfer is necessary for the performance of a contract concluded in the interest of the Data Subject between the Company and a Third Party;
the Data Subject has provided explicit Consent to the proposed transfer after being informed of the possible risks;
the transfer is necessary for important reasons of public interest;
the transfer is necessary for the establishment, exercise, or defense of legal claims; or
the transfer is necessary to protect the vital interests of the Data Subject where Consent cannot be obtained.
Where Personal Data is transferred to Third Countries, the Company shall implement appropriate safeguards including:
binding corporate rules approved by the Data Protection Authority;
standard contractual clauses adopted by the Data Protection Authority;
Data Processing Agreements containing adequate protection measures; or
certification mechanisms approved under UAE Data Protection Laws.
The Company may transfer Personal Data to the following categories of Third Countries in connection with our business operations:
payment processing services located in the United States and European Union;
cloud storage and computing services providers;
vehicle tracking and telematics service providers;
customer relationship management and booking platform providers; and
marketing and analytics service providers.
Data Subjects have the right to obtain information about the safeguards in place for international transfers by contacting the Company using the details provided in Section 17.
The Company shall regularly review and update its international transfer arrangements to ensure continued compliance with UAE Data Protection Laws and adequate protection of Personal Data.
Data Retention
The Company shall retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, or as required by applicable UAE Data Protection Laws.
Customer Account Data including identity verification documents, driving licenses, and contact information shall be retained for a period of seven (7) years following the termination of the customer relationship or last rental transaction, whichever is later.
Financial and Payment Data including payment card information, transaction records, and billing details shall be retained for a period of seven (7) years from the date of the last transaction to comply with applicable financial regulations and tax requirements.
Rental Transaction Records including vehicle assignment data, rental agreements, damage reports, and related correspondence shall be retained for a period of five (5) years following completion of each rental transaction.
Marketing and Communication Data shall be retained until the Data Subject withdraws consent or opts out of marketing communications, after which such data shall be deleted within thirty (30) days.
Website and Application Analytics Data in anonymized or pseudonymized form may be retained for a period of two (2) years for business intelligence and service improvement purposes.
CCTV and Security Footage from Company premises shall be automatically deleted after ninety (90) days unless required for ongoing investigations or legal proceedings.
The Company shall implement automated deletion procedures where technically feasible to ensure Personal Data is deleted upon expiry of the applicable retention period.
Where Personal Data is subject to legal hold due to litigation, regulatory investigation, or other legal proceedings, deletion shall be suspended until such proceedings are concluded and any appeal periods have expired.
Data Subjects may request earlier deletion of their Personal Data in accordance with their rights under Section 10 of this Privacy Policy, subject to the Company’s legal obligations and legitimate business interests.
Upon deletion, Personal Data shall be securely destroyed using industry-standard methods to prevent unauthorized recovery or reconstruction of the deleted information.
Data Subject Rights
Right of Access: Data Subjects have the right to obtain from the Company confirmation as to whether or not Personal Data concerning them is being processed, and where that is the case, access to the Personal Data and information about the processing activities.
Right to Rectification: Data Subjects have the right to obtain from the Company without undue delay the rectification of inaccurate Personal Data concerning them and to have incomplete Personal Data completed.
Right to Erasure: Data Subjects have the right to obtain from the Company the erasure of Personal Data concerning them without undue delay where one of the following grounds applies:
The Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
The Data Subject withdraws consent on which the processing is based and where there is no other legal ground for the processing.
The Personal Data has been unlawfully processed.
The Personal Data has to be erased for compliance with a legal obligation under UAE Data Protection Laws.
Right to Restriction of Processing: Data Subjects have the right to obtain from the Company restriction of processing where one of the following applies:
The accuracy of the Personal Data is contested by the Data Subject for a period enabling the Company to verify the accuracy of the Personal Data.
The processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.
The Company no longer needs the Personal Data for the purposes of the processing but they are required by the Data Subject for the establishment, exercise or defense of legal claims.
Right to Object: Data Subjects have the right to object at any time to processing of Personal Data concerning them which is based on legitimate interests, including profiling based on those provisions.
Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, Data Subjects have the right to receive the Personal Data concerning them in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
Exercise of Rights: Data Subjects may exercise their rights by contacting the Company using the contact details provided in Section 17 of this Privacy Policy.
Response Timeframe: The Company will respond to requests to exercise Data Subject rights within thirty (30) days of receipt of a valid request, or as otherwise required under UAE Data Protection Laws.
Verification Requirements: The Company may require reasonable verification of the Data Subject’s identity before processing requests to exercise rights under this Section.
Right to Lodge a Complaint: Data Subjects have the right to lodge a complaint with the relevant Data Protection Authority in the UAE if they believe their Personal Data has been processed in violation of applicable data protection laws.
Data Security Measures
The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing.
Technical security measures implemented by the Company include:
Encryption of Personal Data both in transit and at rest using industry-standard encryption protocols;
Access controls and authentication systems requiring unique user credentials and multi-factor authentication where appropriate;
Regular security updates and patches for all software systems and applications;
Firewalls and intrusion detection systems to monitor and prevent unauthorized network access;
Secure data backup and recovery procedures with regular testing of restoration capabilities;
Anti-malware and antivirus protection across all systems and devices.
Organizational security measures implemented by the Company include:
Staff training and awareness programs on data protection and security best practices;
Access control policies limiting employee access to Personal Data on a need-to-know basis;
Confidentiality agreements for all employees and contractors with access to Personal Data;
Regular security risk assessments and vulnerability testing;
Incident response procedures for identifying, containing, and reporting security breaches;
Physical security measures for premises where Personal Data is stored or processed.
The Company conducts regular reviews of its security measures to ensure they remain effective and appropriate, with updates implemented as necessary to address emerging threats and technological developments.
Third-party service providers engaged by the Company are required to implement equivalent security measures and provide appropriate assurances regarding the protection of Personal Data in their custody.
The Company maintains records of all security measures implemented and regularly monitors compliance with established security policies and procedures.
Cookies and Tracking Technologies
The Company uses cookies, web beacons, pixels, and similar tracking technologies on its websites, mobile applications, and digital platforms to enhance user experience, analyze website performance, and deliver personalized services.
Essential Cookies are necessary for the basic functionality of our platforms and include:
Session management cookies that maintain user login status and shopping cart contents.
Security cookies that detect fraudulent activity and protect user accounts.
Load balancing cookies that ensure optimal website performance and server distribution.
Performance and Analytics Cookies collect information about how users interact with our platforms, including:
Page views, click patterns, and navigation paths to improve website design and functionality.
Device information, browser type, and operating system for compatibility optimization.
Traffic sources and referral data to understand user acquisition channels.
Functional Cookies enable enhanced features and personalization, including:
Language preferences and location settings for customized content delivery.
Previously viewed vehicles and search preferences for improved user experience.
Customer service chat history and support preferences.
Marketing and Advertising Cookies support promotional activities and targeted advertising:
Tracking user behavior across websites for remarketing campaigns.
Measuring advertisement effectiveness and conversion rates.
Creating user profiles for personalized marketing communications.
Third-Party Tracking Technologies may be implemented through integrated services including:
Google Analytics for website traffic analysis and user behavior insights.
Social media plugins that may track user interactions and sharing activities.
Payment processor tracking for transaction security and fraud prevention.
Users may manage cookie preferences through:
Browser settings to block, delete, or restrict certain types of cookies.
Our cookie consent banner that allows granular control over cookie categories.
Third-party opt-out tools for advertising and analytics services.
Disabling essential cookies may impact the functionality of our Rental Services and prevent access to certain features of our platforms.
The Company retains cookie data for periods ranging from session-based storage to a maximum of twenty-four (24) months, depending on the cookie type and purpose.
Cookie policies are updated periodically, and users will be notified of material changes through our platforms or direct communication methods.
Third-Party Services
The Company integrates various Third Party services into its Rental Services platform to enhance functionality, process payments, facilitate bookings, and provide additional customer services.
Third Party services utilized by the Company may include but are not limited to:
Payment processors and financial service providers for processing rental payments, security deposits, and refunds;
Online booking platforms and reservation systems for managing vehicle availability and customer reservations;
Identity verification services for validating driver licenses and customer credentials;
Credit assessment and background check providers for evaluating customer eligibility;
Insurance providers and claims processing services;
Vehicle tracking and telematics service providers;
Customer communication platforms including SMS, email, and messaging services;
Analytics and website optimization tools;
Cloud storage and data hosting providers;
Customer support and help desk platforms.
When Data Subjects interact with these Third Party services through our platform, their Personal Data may be collected, processed, and stored by such Third Parties in accordance with their respective privacy policies and terms of service.
The Company conducts due diligence on Third Party service providers to ensure they maintain appropriate data protection standards and comply with applicable UAE Data Protection Laws.
Where Personal Data is shared with Third Parties for the purposes outlined in section 5, the Company enters into appropriate Data Processing Agreements or similar contractual arrangements to ensure adequate protection of Personal Data.
Data Subjects acknowledge that Third Party services may have their own privacy policies and data collection practices that are separate from and additional to this Privacy Policy.
The Company is not responsible for the privacy practices, data security measures, or content of Third Party services, and Data Subjects are encouraged to review the privacy policies of any Third Party services they interact with.
Data Subjects may opt out of certain Third Party services where technically feasible, though this may limit the availability or functionality of certain Rental Services.
The Company will notify Data Subjects of any material changes to Third Party integrations that may affect the processing of their Personal Data through updates to this Privacy Policy or direct communication.
Marketing Communications
The Company may send Marketing Communications to Data Subjects who have provided Consent or where the Company has Legitimate Interests to do so in accordance with UAE Data Protection Laws.
Marketing Communications may include promotional offers, service updates, newsletters, special discounts, seasonal promotions, and information about new vehicle additions to our fleet.
The Company will only send Marketing Communications to Data Subjects who have:
Provided explicit Consent through our website, mobile application, or booking forms; or
Are existing customers where the communications relate directly to similar Rental Services previously purchased.
All Marketing Communications will clearly identify the Company as the sender and include our contact information as specified in Section 17 of this Privacy Policy.
Data Subjects have the right to opt-out of receiving Marketing Communications at any time by:
Clicking the unsubscribe link provided in all electronic Marketing Communications;
Contacting the Company directly using the contact details provided in Section 17;
Updating their communication preferences through their customer account portal; or
Sending a written request to the Company’s business address.
The Company will process opt-out requests within seventy-two (72) hours of receipt and confirm the cessation of Marketing Communications to the Data Subject.
Opting out of Marketing Communications will not affect:
Essential service communications related to existing bookings or rentals;
Legal notices or regulatory communications; or
Communications necessary for the performance of contractual obligations.
The Company may use Third Party marketing platforms and email service providers to deliver Marketing Communications, and such Third Parties will be bound by appropriate Data Processing Agreements to protect Personal Data.
Data Subjects who have opted out may re-subscribe to Marketing Communications at any time by providing fresh Consent through the same channels described in clause 14.3.1.
Data Breach Notification
The Company shall maintain documented procedures for the detection, investigation, assessment, and response to Personal Data Breaches affecting Personal Data under its control.
Upon becoming aware of a Personal Data Breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, assess the nature and severity of the breach and determine appropriate response measures.
Where a Personal Data Breach is likely to result in a risk to the rights and freedoms of Data Subjects, the Company shall notify the relevant Data Protection Authority in accordance with UAE Data Protection Laws.
The notification to the Data Protection Authority shall include at minimum:
A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
The contact details of the designated data protection officer or other contact point where more information can be obtained.
A description of the likely consequences of the Personal Data Breach.
A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
Where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Company shall communicate the breach to the affected Data Subjects without undue delay.
The communication to Data Subjects shall be in clear and plain language and shall include:
A description of the nature of the Personal Data Breach.
The contact details of the designated data protection officer or other contact point where more information can be obtained.
A description of the likely consequences of the Personal Data Breach.
A description of the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
The Company shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, which shall be made available to the Data Protection Authority upon request.
The Company shall implement appropriate technical and organizational measures to prevent Personal Data Breaches and shall regularly review and update its breach response procedures.
Children’s Privacy
Age Restrictions for Rental Services. The Company does not provide Rental Services to individuals under the age of 21 years, and accordingly does not knowingly collect Personal Data from minors for the purpose of vehicle rental agreements.
Incidental Collection of Minors’ Data. Where the Company may incidentally collect Personal Data relating to minors through website usage, marketing inquiries, or as passengers listed on rental agreements, such Processing shall be subject to enhanced protections under this section.
Parental or Guardian Consent. Any Processing of Personal Data relating to individuals under 18 years of age shall require verifiable consent from a parent or legal guardian, except where such Processing is necessary for the performance of a contract to which the minor is a party or for compliance with legal obligations.
Limited Data Collection from Minors. The Company shall limit collection of Personal Data from minors to information that is strictly necessary for the specific purpose for which it was collected, and shall not collect Sensitive Personal Data from individuals under 18 years without explicit parental or guardian consent.
Passenger Information of Minors. Where minors are listed as authorized additional drivers or passengers on rental agreements by adult customers, the Company shall process such information solely for insurance, safety, and legal compliance purposes.
Website and Application Protections. The Company’s website and mobile applications include age-appropriate privacy protections and do not knowingly collect Personal Data through cookies, tracking technologies, or account registration from users under 18 years.
Data Retention for Minors. Personal Data relating to minors shall be retained for the shortest period necessary to fulfill the purpose for which it was collected, and shall be deleted immediately upon the minor reaching the age of majority unless continued retention is required by law.
Enhanced Security Measures. The Company implements additional technical and organizational security measures when Processing Personal Data of minors, including restricted access controls and enhanced encryption protocols.
Right to Deletion Upon Majority. Upon reaching the age of 18 years, former minors may request deletion of Personal Data collected during their minority, subject to any legal retention requirements and legitimate business interests.
Contact for Minors’ Privacy Matters. Parents, guardians, or individuals who believe the Company has collected Personal Data from minors in violation of this Policy may contact the Company using the details provided in Section 17 for immediate investigation and remediation.
Contact Information
Data Protection Officer Contact Details
All inquiries, requests, and complaints relating to Personal Data processing, Data Subject rights, or this Privacy Policy should be directed to our designated Data Protection Officer.
The Data Protection Officer can be contacted through the following channels:
– Email: privacy@aurumwheels.ae
– Phone: +971 6 740 xxxx
– Post: Data Protection Officer, Aurum Wheels Cars rental S.P.S LLC, City Center Sector, Rashideya 3, Ajman, United Arab Emirates
Response Timeframes
We will acknowledge receipt of all data protection inquiries within three (3) business days of receiving your request.
We will provide a substantive response to Data Subject rights requests within thirty (30) days of receipt, or inform you if additional time is required due to the complexity of the request.
Required Information for Requests
To process your request efficiently and verify your identity, please include:
– Full name and contact details
– Copy of valid identification document
– Specific details of your request or complaint
– Rental agreement number or booking reference (if applicable)
Escalation Process
If you are not satisfied with our response to your data protection inquiry or complaint, you may escalate the matter to the UAE Data Protection Authority.
The UAE Data Protection Authority can be contacted at: [Authority contact details to be updated when available]
Emergency Data Breach Reporting
Suspected data breaches affecting your Personal Data can be reported immediately to: security@aurumwheels.ae
Policy Updates
The Company reserves the right to modify, update, or revise this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations.
Material changes to this Privacy Policy will be communicated to Data Subjects through one or more of the following methods:
Email notification to registered customers using the email address provided during account registration or rental booking.
Prominent notice on the Company’s website homepage and rental booking platforms.
In-app notifications for users of the Company’s mobile applications.
Written notice provided at the time of vehicle collection or return for active rental agreements.
For non-material changes or updates that do not significantly affect Data Subjects’ rights or the Company’s data processing activities, notification will be provided by updating the “Last Updated” date at the top of this Privacy Policy and posting the revised version on the Company’s website.
Data Subjects will have thirty (30) days from the date of notification to review any material changes and may object to such changes by contacting the Company using the details provided in Section 17.
Continued use of the Company’s Rental Services after the effective date of any Privacy Policy updates constitutes acceptance of the revised terms, unless the Data Subject has formally objected within the timeframe specified in clause 18.4.
Previous versions of this Privacy Policy will be archived and made available upon request for a period of three (3) years from the date they were superseded.
The Company will maintain a record of all Privacy Policy updates including the nature of changes made, the date of implementation, and the notification methods used.
Governing Law and Jurisdiction
This Privacy Policy and all matters relating to the collection, processing, storage, and protection of Personal Data by the Company shall be governed by and construed in accordance with the laws of the United Arab Emirates.
The Company’s data processing activities are subject to UAE Data Protection Laws, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and any regulations, guidelines, or amendments issued thereunder.
Where applicable, the Company shall comply with emirate-specific data protection regulations and requirements imposed by competent authorities in the Emirate of Ajman and other emirates where services are provided.
Any disputes, claims, or proceedings arising out of or in connection with this Privacy Policy, the Company’s data processing activities, or the exercise of Data Subject rights shall be subject to the exclusive jurisdiction of the courts of the United Arab Emirates.
Data Subjects may file complaints regarding the Company’s data processing activities with the UAE Data Protection Authority or other competent regulatory authorities as established under UAE Data Protection Laws.
In the event of any conflict between the provisions of this Privacy Policy and applicable UAE Data Protection Laws, the requirements of such laws shall prevail.
The Company reserves the right to seek legal remedies in appropriate UAE courts for any violations of this Privacy Policy or unauthorized use of Personal Data.
By visiting, accessing, or using the Company’s website, mobile applications, or any of our digital platforms, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. Your continued use of our services constitutes your ongoing acceptance of any updates or modifications to this Privacy Policy.