Privacy Policy

About Us and This Policy

Meridion Advisory FZE is a professional services firm licensed and established in the Dubai World Trade Centre Free Zone, Dubai, United Arab Emirates. The firm provides specialist advisory services to digital asset businesses, fintech companies, virtual asset service providers, and regulated financial institutions, including audit and accounting, transaction advisory, skilled person appointments, enforcement advisory, forensic investigations, and restructuring advisory.

This policy applies to all personal data processed by Meridion Advisory FZE in connection with its website at meridionadvisory.com, its service delivery activities, client engagements, business development, and general business operations. It covers data collected from clients, prospective clients, website visitors, business contacts, and third parties whose data we receive in the course of our professional engagements.

Meridion Advisory FZE acts as the data controller in respect of personal data collected directly from individuals. In certain professional engagements, we may also act as a data processor on behalf of clients or as a controller jointly with other parties, in which case separate engagement-specific agreements will govern data handling.

Legal Framework

This policy is designed to comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its Executive Regulations, which constitute the UAE's principal federal data protection framework applicable to entities outside the DIFC and ADGM special economic zones.

Meridion Advisory FZE is licensed within the Dubai World Trade Centre Free Zone. The DWTC Free Zone is subject to UAE federal law, including the UAE PDPL. Where Meridion Advisory FZE processes data involving individuals in other jurisdictions, or where cross-border data transfers are made, we apply applicable international standards and ensure appropriate transfer safeguards are in place.

Certain professional engagements may engage additional regulatory frameworks, including UAE anti-money laundering legislation, VARA, DFSA, and FSRA regulatory requirements, and applicable court or regulator instructions. Where legally mandated data processing obligations apply, they take precedence over the preferences of individual data subjects.

Personal Data We Collect

We collect and process personal data across several categories depending on the nature of our relationship with you:

• Identity and contact data: name, title, employer, business address, email address, telephone number, and related professional contact information provided directly by you or obtained through legitimate business channels.
• Engagement and instruction data: information provided in connection with a professional engagement, including background information, financial records, transaction data, regulatory correspondence, and other materials provided to enable us to perform our services.
• Website and communications data: information submitted through the contact form on our website, email correspondence, and records of communications between you and Meridion Advisory FZE.
• Due diligence and compliance data: information we are required to collect for anti-money laundering, know-your-client, and regulatory compliance purposes, including identity verification documents and beneficial ownership information.
• Technical data: IP addresses, browser type, and standard web server log data collected automatically when you access our website. We do not use tracking cookies for advertising or profiling purposes.
• Third-party sourced data: in the context of forensic, enforcement, or skilled person engagements, we may receive personal data concerning third parties from regulators, courts, clients, or law firms. Such data is handled strictly in accordance with the terms of the relevant engagement mandate.

Meridion Advisory FZE does not collect sensitive personal data (as defined under the UAE PDPL, including biometric, health, or genetic data) in the ordinary course of its advisory services. Where sensitive data is received in the context of a formal regulatory or court-instructed engagement, it is handled under the specific legal authority and conditions applicable to that mandate.

How We Use Personal Data

We use personal data only for the purposes for which it was collected or for which we have a legitimate legal basis. Our primary purposes are:

• Providing professional advisory, audit, accounting, tax, forensic, transaction, and restructuring services to clients and instructing parties.
• Responding to enquiries submitted through our website or received by other means, and managing prospective client relationships.
• Performing anti-money laundering, know-your-client, and conflict checks as required by applicable UAE law and our professional obligations.
• Complying with legal, regulatory, and court obligations, including responding to lawful requests from regulators, courts, and law enforcement authorities.
• Managing and administering our business operations, including invoicing, engagement administration, and internal records management.
• Sending professional communications relevant to our services, including insight publications and firm updates, where you have not objected to receiving such communications.
• Improving our website and services through aggregated, non-identifying analysis of website usage patterns.

Legal Basis for Processing

Under the UAE PDPL, we process personal data on the following legal bases depending on context:

• Contractual necessity: processing required to perform services under an engagement letter or client agreement.
• Legal obligation: processing required to comply with UAE AML legislation, regulatory directions, court orders, or other mandatory legal requirements applicable to our activities.
• Legitimate interests: processing necessary for our legitimate business interests, including business development, firm administration, and professional communications, where such interests are not overridden by the interests of the individual.
• Consent: in circumstances where none of the above bases apply and where we seek your agreement to process data for a specific purpose, including subscribing to our professional insights.
• Vital interests or public interest: in limited circumstances, where processing is necessary to protect vital interests or to perform a task in the public interest, including where Meridion Advisory FZE is acting under a formal regulator or court instruction.

Disclosure and Third-Party Sharing

Meridion Advisory FZE does not sell, rent, or trade personal data. We disclose personal data only in the following circumstances:

• Client instruction: where you instruct us as part of an engagement to share data with named third parties, including co-advisors, law firms, or counterparties.
• Professional advisors and delivery partners: including legal counsel, sub-contractors, or specialist experts engaged to assist in delivering a mandate, bound by confidentiality obligations no less restrictive than our own.
• Regulators, courts, and law enforcement: where required by applicable law, court order, regulatory direction, or in the exercise of a skilled person appointment or similar formal mandate.
• Technology and infrastructure providers: including cloud hosting, email, and document management service providers that process data on our behalf as data processors under appropriate contractual terms.
• Professional body or indemnity insurer: where disclosure is required in connection with a professional indemnity claim, disciplinary process, or quality review.

Where Meridion Advisory FZE acts in a capacity instructed by a regulator or court, including as a skilled person, forensic investigator, or monitor, our disclosure obligations may be governed by that instruction and may limit our ability to provide data subjects with the usual level of transparency or to respond to data subject requests in the normal way. We will communicate any such limitations clearly where we are permitted to do so.

International Data Transfers

Given the cross-border nature of Meridion Advisory FZE's work across the UAE, UK, and other international jurisdictions, personal data may be transferred outside the UAE in the course of service delivery. The UAE PDPL permits international transfers where the destination country provides an adequate level of data protection or where appropriate safeguards are in place.

Where data is transferred to jurisdictions not recognised as providing adequate protection, we apply appropriate contractual protections, including standard contractual clauses or binding arrangements that ensure an equivalent standard of protection for data subjects' rights and interests.

Transfers required by a regulator, court, or law enforcement authority acting under lawful authority are treated as legally mandated and processed accordingly.

Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law or professional standards. Our retention periods are guided by the following principles:

• Client engagement records: retained for a minimum of seven years following the conclusion of an engagement, in line with UAE commercial records requirements and professional indemnity standards.
• AML and KYC records: retained for a minimum of five years following the end of a business relationship, in accordance with UAE Federal Decree-Law No. 20 of 2018 on anti-money laundering.
• Prospective client and contact data: reviewed periodically and deleted where the relationship has not progressed or where the individual has requested removal.
• Website enquiry data: retained for the period necessary to respond to and manage the relevant enquiry and for a reasonable period thereafter for record-keeping purposes.
• Regulator or court-instructed engagement records: subject to the retention requirements set out in the relevant instruction or applicable regulatory framework, which may extend beyond our standard periods.

Your Rights

Under the UAE PDPL, individuals have the following rights in respect of their personal data. These rights are subject to applicable legal exceptions, including where processing is required for compliance with legal obligations or is carried out under a formal regulatory or court mandate:

• Right of Access: You may request confirmation of whether we hold your personal data and, if so, obtain a copy of it along with information about how it is processed.
• Right to Rectification: You may request correction of inaccurate or incomplete personal data held about you.
• Right to Erasure: You may request deletion of your personal data where it is no longer required for the purposes for which it was collected, subject to overriding legal retention obligations.
• Right to Restriction: You may request that we limit the processing of your personal data in certain circumstances, such as where accuracy is contested or processing is objected to.
• Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we have compelling legitimate grounds.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us using the details set out in Section 12 below. We will acknowledge your request within five business days and respond within 30 days. Where we are unable to fulfil a request fully, we will explain the reason. Identity verification may be required before we can process your request.

If you are dissatisfied with our response, you have the right to raise a complaint with the UAE Data Office or, where applicable, the data protection authority of your jurisdiction.

Data Security

Meridion Advisory FZE implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These measures include encrypted communications and document storage, access controls limiting data access to authorised personnel on a need-to-know basis, confidentiality obligations binding all personnel and engaged third parties, and regular review of our security practices.

Where a personal data breach occurs that is likely to result in a risk to the rights and interests of affected individuals, we will notify the UAE Data Office and, where required, affected individuals in accordance with the UAE PDPL and its Executive Regulations.

Transmission of information over the internet carries inherent risks that we cannot eliminate. We encourage all parties communicating with us to use secure channels and to exercise caution in sharing sensitive information by email.

Website and Cookies

Our website at meridionadvisory.com is a static informational website. We do not use tracking cookies, advertising technologies, or third-party analytics platforms that profile individual visitors. Standard web server logs may capture technical data such as IP addresses and browser information for security and performance purposes only. This data is not used to identify individual visitors and is not shared with third parties for commercial purposes.

Our website contains a contact form powered by a third-party form service. Information submitted through this form is transmitted to us and handled in accordance with this policy. By submitting an enquiry, you consent to us using your contact information to respond to your request.

Contact and Data Enquiries

All data protection enquiries, access requests, and complaints should be directed to the person responsible for data protection at Meridion Advisory FZE: