Privacy Policy

1. Introduction

This Privacy Policy explains how Stronghold Capital Management Limited ("Stronghold", "we", "us", "our") collects, uses, shares, and otherwise processes personal data in accordance with the DIFC Data Protection Law No. 5 of 2020 (as amended) ("DP Law 2020") and applicable DIFC regulations.

Stronghold is committed to protecting the privacy and personal data of individuals whose data it processes in connection with its regulated financial services activities, employee administration, and business operations.

For any questions or requests regarding this Privacy Policy, please contact us at:

Stronghold Capital Management Limited

DIFC Funds Center

Dubai International Financial Centre (DIFC)

Dubai, United Arab Emirates

Email: privacy@stronghold.capital

2. Personal Data We Collect

We may collect and process the following categories of personal data:

  • Personal Details

  • Employment Details

  • Identification documents

  • Photographs

We do not process Special Categories of Personal Data as defined under DP Law 2020.

3. Categories of Data Subjects

We process personal data relating to the following data subjects:

  • Clients and Customers

  • Advisors, Consultants, Professional Experts

  • Staff, Agents, Workers, and Board Members

4. Purpose and Legal Basis for Processing

We process personal data for the following purposes:

  • Licensing & Registration: to comply with DIFC and DFSA regulatory obligations.

  • Provision of Financial Services: to provide regulated financial services to clients.

  • Staff Administration: for HR purposes including recruitment, onboarding, payroll, visa processing, and ongoing employment administration.

We rely primarily on the following lawful bases under Article 10 of DP Law 2020:

  • Processing necessary for the performance of a contract;

  • Processing necessary for compliance with applicable law;

  • Processing necessary to protect vital interests (where applicable).

We do not rely on legitimate interests or consent as a legal basis for processing, except where required under applicable law.

5. Data Transfers

We do not transfer personal data outside the jurisdiction of the DIFC.

In the limited event that a transfer may occur in the future, we will ensure that any such transfer is conducted strictly in accordance with the DP Law 2020 requirements.

6. Data Sharing

Personal data may be shared internally within Stronghold and externally on a strictly limited basis to:

  • Regulatory authorities

  • Professional advisors

  • Service providers under written agreements

  • Banks, custodians, and intermediaries as necessary to perform financial services.

All third parties are contractually obligated to process personal data in accordance with DP Law 2020.

7. Data Retention

We retain personal data in accordance with applicable legal and regulatory retention periods. Where no specific retention period applies, we retain data only as long as necessary to fulfill the purposes for which it was collected.

8. Data Subject Rights

Under DP Law 2020, data subjects have the following rights:

  • Right to access personal data

  • Right to rectification of inaccurate personal data

  • Right to erasure where applicable

  • Right to restrict processing in certain circumstances

  • Right to data portability where applicable

  • Right to object to processing

  • Right to lodge a complaint with the DIFC Commissioner of Data Protection

Requests to exercise these rights can be submitted to the Data Protection Contact above.

9. Data Security

Stronghold implements appropriate technical and organizational measures to protect personal data against unauthorized access, misuse, loss, or destruction. Measures include but are not limited to:

  • Access controls

  • Encryption and secure storage

  • Confidentiality obligations

  • Employee training

  • Vendor due diligence

10. Automated Decision-Making and Profiling

We do not rely on automated decision-making or profiling in any of our processing activities.

11. Data of Minors

Stronghold does not intentionally collect or process personal data of individuals under the age of 18.

12. Personal Data Breach Notification

In the event of a personal data breach that compromises data subjects' rights, we will notify the DIFC Commissioner of Data Protection as required by DP Law 2020 and inform affected data subjects where applicable.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The most recent version will always be available on request.

14. Complaints

If you believe we have not handled your personal data properly, you may contact:

DIFC Commissioner of Data Protection

Dubai International Financial Centre Authority

Level 14, The Gate Building

DIFC, Dubai, UAE

commissioner@dp.difc.ae