Emeron operates in two distinct capacities. As a controller, we determine the purposes and means of processing personal information about our website visitors, our commercial counterparties, our employees, and our applicants. As a processor, we operate platforms on behalf of customers — governments, ministries, public enterprises — who are themselves the controllers of the personal information held inside those platforms.
This notice covers our processing as a controller. When we act as a processor for a customer, the customer's own privacy notice and our Data Processing Agreement govern. See our DPA for that scope.
| Website visitors | IP address (truncated), browser type, pages visited, referrer, approximate location at country level. Used for security, fraud prevention, and aggregate analytics. We do not run third-party advertising trackers. |
| Contact form & email | Name, organization, role, email, country, and the content of your message. Used to respond, and to maintain a commercial relationship record if you become a customer or partner. |
| Procurement materials | Information you provide in RFP responses, security questionnaires, and procurement reviews. Retained for the duration of the procurement plus six years. |
| Customer & partner records | Business contact information, contract records, financial records, and operational correspondence. Retained for the contractual term plus the statutory retention period under UAE law. |
| Job applicants | CV, application content, interview notes, references where you provide them. Unsuccessful applications retained for twelve months unless you ask us to delete sooner. |
| Employees | Standard employment records as required by UAE labour and tax law, plus the records needed to operate compensation, benefits, and security access. |
Where we process information to deliver a service you have contracted us for, or to take steps at your request before entering into a contract.
Where we process information to operate, secure, and improve our business, balanced against your interests. This covers website security, fraud prevention, and aggregate analytics.
Where we are required to retain or disclose information under UAE law, tax regulations, or regulatory orders binding on us.
Where you have actively opted into a specific processing activity, such as subscribing to a newsletter. You can withdraw consent at any time.
We do not sell personal information. We share it only with the following categories of recipient, under written contracts: (a) infrastructure and security sub-processors used to run our website and corporate systems; (b) professional advisers (auditors, lawyers, accountants) under their own professional confidentiality obligations; (c) regulators and authorities where we are legally required to do so; and (d) a successor entity in the event of a merger, acquisition, or restructuring, on the same terms as this notice.
For platform processing on behalf of customers, see the sub-processor list. We do not change sub-processors without notice to affected customers.
Our primary corporate data is held in the UAE. Engineering and support operations are based in the UAE and India. Where we transfer personal information across borders, we do so under appropriate safeguards — Standard Contractual Clauses for GDPR-scope data, equivalent mechanisms for other regimes, and customer-specific data-residency commitments under our DPA.
Subject to applicable law, you have the right to (a) access the personal information we hold about you, (b) correct it where it is inaccurate, (c) request deletion in certain circumstances, (d) object to or restrict our processing, (e) data portability where applicable, and (f) lodge a complaint with a competent supervisory authority.
To exercise any of these rights, write to privacy@emeron.io. We will respond within 30 days. We may need to verify your identity before acting on a request.
| Security | Industry-standard technical and organizational measures: encryption in transit, encryption at rest for sensitive data, role-based access control, audited access logs, and a documented incident response plan. |
| Retention | As stated against each category above. Where multiple periods apply, the longest applicable retention governs. |
| Children | Our services and website are not directed at children. We do not knowingly collect personal information from children. |
| Changes | Material changes to this notice are notified by email to active commercial counterparties and published here at least 30 days before they take effect. Version and effective-date are shown at the top of this page. |
Privacy questions go to a single inbox, monitored by a named person. We respond within statutory windows.