Privacy Policy

Policy Code: AR-PRV-001

Version: 1.1

Effective Date: April 2026

Last Reviewed: April 2026

Policy Owner: Senior Management / Compliance

Approved By: Senior Management

Classification: Public – External Notice

Applies To: All visitors and users of www.archireef.co

Archireef Limited and its affiliates (together, "Archireef", "we", "us", or "our") respect your privacy. This Privacy Policy explains how we collect, use, share, and protect personal data when you visit www.archireef.co (the "Site"), interact with us through forms, email, or social channels, or otherwise engage with Archireef.

This Policy applies to all visitors and users of the Site, regardless of the country or region from which you access it. It is published in accordance with global data-protection best practice and the specific requirements of the jurisdictions in which we operate, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the ADGM Data Protection Regulations 2021; the Hong Kong Personal Data (Privacy) Ordinance, Cap. 486; the EU and UK General Data Protection Regulation; and the California Consumer Privacy Act / California Privacy Rights Act.

1.  Who We Are

Archireef is a marine nature-tech company headquartered in Hong Kong, with an operating presence in the Abu Dhabi Global Market (ADGM), United Arab Emirates.

For the purposes of applicable data-protection laws, the data controller is:

Archireef Ltd

15F Al Khatem Tower, ADGM Square,

Al Maryah Island, Abu Dhabi, United Arab Emirates

Email: info@archireef.co

Website: www.archireef.co

If you have questions about this Policy or wish to exercise any of the rights described below, you can contact us using the details in section 14.

2.  Scope of this Policy

This Policy applies to personal data we collect through the Site, regardless of where you access it from. Specifically, it covers data collected when you:

  • Submit the Contact form on the Site.
  • Submit the Brochure-Download form to receive Archireef materials.
  • Subscribe to the Archireef newsletter.
  • Browse, navigate, or otherwise interact with the Site (including chat or contact widgets).
  • Apply for a role with us or submit a CV / expression of interest.
  • Engage with us as a client, supplier, investor, advisor, or other counterparty.
  • Interact with us on social media platforms (LinkedIn, Instagram, X, YouTube, etc.).
  • Attend our events, webinars, or industry forums.

This Policy does not apply to third-party websites, products, or services that link to or from the Site. We encourage you to review the privacy practices of those third parties.

3.  Personal Data We Collect

3.1  Information you provide to us

  • Name and email address — collected through the Contact form, Brochure-Download form, and Newsletter sign-up.
  • Message content — the message and any supporting information you choose to share through the Contact form.
  • Marketing preferences — your subscription status and any topic preferences you indicate.
  • Recruitment data — CV, work history, education, references, and right-to-work documentation, where you apply for a role.
  • Commercial counterparty data — contact and billing information for clients, suppliers, partners, advisors, and investors, and any data you provide for due-diligence or KYC purposes.

3.2  Information we collect automatically

  • Browser type and version, operating system, device identifiers, language settings, and approximate location derived from IP.

  • Usage data — pages viewed, time spent, click paths, referring URLs, downloads, and session duration.
  • Cookies and similar technologies — see section 7 and the separate Archireef Cookie Policy (AR-CP-001).

3.3  Information from third parties

  • Aggregated audience insights from our analytics and social-media platforms.
  • Public sources — corporate registries, professional directories, and publicly available profiles, where lawfully permitted.
  • Service providers and partners acting on our behalf, including referrals.

3.4  Special / sensitive categories of data

We do not knowingly collect special categories of personal data (e.g., health, religion, biometric, or political-opinion data) through the Site. If such data is shared with us incidentally — for example, in a recruitment application — we will process it only with your explicit consent or where another lawful basis applies, and only to the extent necessary for the relevant purpose.

3.5  Children's data

The Site is not directed at children, and we do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected personal data from a child, please contact us so that we can delete it.

4.  How We Use Your Personal Data

The table below sets out each purpose for which we process your data, the lawful basis we rely on, and the typical data involved.

Table

5.  Lawful Basis for Processing

We rely on the lawful bases set out in the table in section 4. Where the EU GDPR or UK GDPR applies, the available bases are: (a) consent, (b) performance of a contract, (c) legitimate interests, (d) legal obligation, (e) vital interests, and (f) public interest. Under the UAE PDPL and the Hong Kong PDPO, we collect personal data only for lawful purposes directly related to a function or activity of Archireef, in a manner that is fair and not excessive, and we will inform you of the purposes at or before the time of collection. Where consent is required, we will obtain it before we process your data, and you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

6.  How We Share Your Data — Third-Party Processors

We do not sell personal data and we do not share personal data with third parties for their independent marketing without your consent. We use a small number of trusted service providers ("processors") to operate the Site and our communications. The principal processors who handle personal data collected through the Site are listed below.

Table

Other recipients may include:

  • Affiliates and group entities of Archireef, on a need-to-know basis.
  • Professional advisors — lawyers, auditors, consultants, and bankers, where the engagement requires it.
  • Government authorities, regulators, and law-enforcement agencies, where required or permitted by applicable law.
  • Business-transfer counterparties, in the context of a merger, acquisition, restructuring, or sale of assets, subject to confidentiality and applicable data-protection requirements.

If we add a new processor that materially changes how your data is handled (for example, a CRM, marketing automation, or advertising tag such as LinkedIn Insight Tag or Meta Pixel), we will update this Policy and the Cookie Policy and, where required, seek fresh consent.

7.  Cookies and Similar Technologies

We use cookies for two purposes: (a) to make the Site work (strictly-necessary cookies), and (b) to understand aggregate Site usage through Google Analytics 4 (analytics cookies). Analytics cookies fire only after you accept them via the Site's cookie banner. Full details — including each cookie name, expiry, and how to manage your preferences — are set out in the Archireef Cookie Policy (AR-CP-001), which is linked alongside this Policy in the Site footer.


Table

8.  International Data Transfers

Both of our principal processors — HubSpot and Google — process personal data on servers located outside Hong Kong and the United Arab Emirates, principally in the United States. As a result, your personal data may be transferred to, stored in, or processed in countries with data-protection laws that differ from those of your country of residence.

Where we transfer personal data internationally, we apply appropriate safeguards, including:

  • Adequacy decisions issued by competent authorities, where available.
  • Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms, supplemented by additional technical and organisational measures where needed.
  • Binding contractual undertakings with our processors and sub-processors requiring equivalent protection (HubSpot's DPA, Google's Data Processing Terms).
  • Applicable derogations for specific situations, such as your explicit consent or the necessity of the transfer for a contract you have entered into.

If you would like more information about the safeguards we use for a particular transfer, please contact us using the details in section 14.

9.  Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements, and to defend or assert legal claims. Typical retention periods are:

Data category

Table

After the applicable period, data is deleted, irreversibly anonymised, or securely archived under access controls.

10.  How We Protect Your Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These include encryption in transit, access controls and least-privilege provisioning, multi-factor authentication for administrative access, secure development practices, vendor due diligence, and staff training. No system is perfectly secure, however, and we cannot guarantee absolute security. Where we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority and, where required, affected individuals, in line with applicable law.

11.  Your Privacy Rights

Your rights depend on the law that applies to the processing of your personal data. We aim to honour all rights described below regardless of jurisdiction, where reasonably practicable.

11.1  UAE — Personal Data Protection Law (Decree-Law 45/2021)

If your data is processed under the UAE PDPL, you have the right to:

  • Be informed about how your data is processed.
  • Request access to your personal data and to receive a copy.
  • Request correction of inaccurate or incomplete data.
  • Request erasure of your data, where the legal grounds permit.
  • Restrict or object to certain processing.
  • Request data portability, where applicable.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the UAE Data Office (https://u.ae).

11.2  Hong Kong — Personal Data (Privacy) Ordinance, Cap. 486

If your data is processed under the Hong Kong PDPO, you have the right to:

  • Submit a Data Access Request (DAR) to confirm whether we hold your personal data and to obtain a copy.
  • Submit a Data Correction Request (DCR) for inaccurate data.
  • Object to direct-marketing use of your data; we will stop using your data for direct marketing on receipt of an opt-out request.
  • Lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), at https://www.pcpd.org.hk.

We may charge a reasonable fee for complying with a Data Access Request, as permitted under section 28 of the PDPO.

11.3  EU and UK — GDPR / UK GDPR

If you are in the European Economic Area, the United Kingdom, or otherwise covered by GDPR, you have the right to:

  • Be informed about the processing of your personal data.
  • Access your personal data.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"), in defined circumstances.
  • Restrict processing.
  • Data portability.
  • Object to processing, including direct marketing and profiling.
  • Not be subject to a decision based solely on automated processing producing legal or similarly significant effects.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local supervisory authority (e.g., the UK Information Commissioner's Office, or your EU member-state authority).

11.4  California — CCPA / CPRA

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share.
  • Access the specific pieces and categories of personal information we have collected about you in the prior 12 months.
  • Delete personal information, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising. Archireef does not sell personal information; where applicable, you can exercise your opt-out via the "Do Not Sell or Share My Personal Information" link in the Site footer.
  • Limit the use and disclosure of sensitive personal information.
  • Be free from retaliation or discrimination for exercising your privacy rights.

You can designate an authorised agent to make a request on your behalf. We will verify the identity of the requester (and the agent's authority) before fulfilling a request, as required by law.

11.5  How to exercise your rights

To exercise any of the rights above, contact us at info@archireef.co with the subject line "Privacy Rights Request" and a clear description of your request. We will acknowledge receipt promptly and respond within the timeframe required by the law that applies to your request — generally within 30 days under the GDPR / UK GDPR, 40 days under the PDPO, and 45 days under the CCPA, with a permitted extension where circumstances require it.

We may need to verify your identity before fulfilling certain requests; we will only request information necessary to do so. There is no fee for most requests, except where permitted by law (for example, manifestly unfounded or excessive requests, or fees permitted under section 28 of the PDPO).

12.  Children's Privacy

The Site is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us so that we can delete it.

13.  Third-Party Links and Embedded Content

The Site may contain links to, or embed content from, third-party websites and services (for example, YouTube videos, social-media feeds, mapping services). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices before providing personal data to them.

14.  Contact Us

Questions, concerns, or requests under this Policy should be sent to:

Archireef Ltd — Privacy

15F Al Khatem Tower, ADGM Square,

Al Maryah Island, Abu Dhabi, United Arab Emirates

Email: info@archireef.co

If you are not satisfied with our response, you may also contact the data-protection authority in your jurisdiction (see section 11).

15.  Updates to this Policy

We may update this Policy from time to time to reflect changes in our practices, our services, applicable law, or industry standards. Material changes will be communicated through a prominent notice on the Site. The "Effective Date" and "Last Reviewed" fields in the document control panel above indicate when this Policy was last updated. Your continued use of the Site after an update takes effect constitutes acceptance of the revised Policy.

Table

"—" indicates the right is not separately codified under that framework; we will still consider equivalent requests on a best-efforts basis.