01 Who we are
JDI Design — Joint Designs International ("JDI", "we", "us") is a design and build practice based in the United Arab Emirates. We are the data controller for personal data collected through jddesign.ae and the related admin and back-office systems we operate.
- Trading name: JDI Design
- Legal entity: Joint Designs International — UAE
- Registered office: [TO BE COMPLETED — registered office address from your trade licence]
- Trade licence no.: [TO BE COMPLETED]
- Privacy contact: [email protected]
02 Scope of this policy
This policy applies to personal data we process when you:
- visit jddesign.ae or any of its sub-pages,
- submit a contact form, request a quote, or send us an email,
- are issued a JDI back-office account (e.g. as an employee, contractor, or partner administrator), or
- interact with us through one of our social profiles linked from this site.
It does not cover personal data we receive solely in the course of a signed services agreement (project contracts) — those are governed by the Data Processing Schedule attached to the relevant contract.
03 Data we collect
We try to collect the minimum needed to do our job. The categories below reflect what is actually written to our systems today — they are not aspirational.
From visitors to the public site
- Contact submissions. Name, email, phone (if provided), project type, subject, message — only when you fill in the contact form.
- Page-view analytics. Path visited, referrer, browser user-agent, an anonymised session identifier, and a one-way hashed form of your IP address. The hash uses a daily rotating salt so the value is not linkable across days.
- Cookie preferences. Your consent decision (which categories you allowed), the policy version, the action you took (accept all / reject all / custom), the GPC signal sent by your browser, an anonymised IP hash, and the user-agent string — stored so we can prove your consent if asked.
- Cookie sightings. The names of cookies your browser actually carries when you make a decision, so our admins can detect undeclared third-party cookies (a drift alarm). No cookie values are read.
From holders of a back-office account
- Account record. Email, name, role (Admin/Editor/Viewer), an active flag, a bcrypt password hash, optional 2FA secret stored encrypted with AES-256-GCM, last login and last seen timestamps.
- Session and refresh tokens. Hashed token identifiers, issuing IP, user-agent, family ID, and lifetime metadata. Plain-text token values are never stored.
- Audit log. Every meaningful action you take against the back-office (login, content edit, password change, etc.) is recorded with the actor's ID, action name, target entity, IP, and user-agent. Audit rows are protected by an HMAC hash chain so any tampering is detectable.
- Recovery codes. One-time codes for 2FA recovery are stored as bcrypt hashes (cost ≥ 10) and become invalid after a single use.
We do not collect special-category data (health, biometrics, racial/ethnic origin, religious belief, etc.). If you put any in a contact form free-text field we will treat it as volunteered correspondence and delete it under the retention rules in §8.
04 How we use it & legal bases
We process each category of data only for the purposes listed below, on a specific legal basis under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and, where the EU/UK GDPR also applies, the corresponding GDPR Article 6 ground.
| Purpose | Data used | Legal basis |
|---|---|---|
| Reply to your enquiry / quote request | Contact submission fields | Pre-contractual steps at your request (GDPR Art. 6(1)(b)) |
| Site analytics (page popularity, traffic shape) | Path, referrer, hashed IP, anonymous session ID | Consent (GDPR Art. 6(1)(a)) |
| Marketing measurement & remarketing | Cookies in the Marketing category (only when active) | Consent (GDPR Art. 6(1)(a)) |
| Securing the back-office, fraud and abuse prevention | Account, session, audit-log, IP/user-agent | Legitimate interest (GDPR Art. 6(1)(f)) — keeping the platform secure |
| Proving your cookie consent if asked | Consent ledger row | Legal obligation (GDPR Art. 6(1)(c)) — accountability principle |
07 International transfers
Our primary data is stored in the UAE. Some processors listed in §6 operate from the EU, the UK, or the United States. Where transfers leave the UAE, we rely on one of:
- an adequacy decision by the UAE Data Office or, where the EU GDPR applies, by the European Commission;
- the European Commission's Standard Contractual Clauses (2021) supplemented by appropriate technical measures (encryption in transit and at rest); or
- your explicit consent for an occasional, non-systematic transfer.
A copy of the safeguard for any specific transfer is available from the privacy contact below.
08 How long we keep data
We delete or de-identify personal data once it is no longer necessary for the purpose it was collected for, on the schedule below. Where retention is set in months, the actual deletion runs on a calendar-quarter cadence.
- Contact submissions: 24 months from receipt, then deleted; sooner on request.
- Page-view analytics rows: 14 months (rolling).
- Cookie consent ledger: 24 months (kept for accountability under GDPR Art. 7).
- Cookie sightings: 12 months (rolling).
- Audit log (back-office actions): 24 months, with the HMAC hash-chain preserved for forensic integrity.
- Account records: while the account is active, and for 12 months after deactivation for security and audit purposes; then anonymised.
- Refresh / session tokens: 30 days max, rotated on every refresh; rotated-away tokens kept for 30 days for replay-attack detection.
- Password reset tokens: ≤ 60 minutes, single use.
- Backups: 35 days, after which the row is fully and irrecoverably gone.
09 How we protect data
- TLS 1.2+ in transit; encryption at rest at the database layer.
- Passwords stored as bcrypt hashes (cost ≥ 10). 2FA secrets envelope-encrypted with AES-256-GCM and a key version stored separately so rotation is possible.
- IP addresses are stored only as one-way hashes with a daily rotating salt — usable for fraud correlation within a day, no longer linkable after.
- Refresh tokens are stored as SHA-256 hashes and rotated on every use; reuse triggers automatic revocation of the entire token family.
- Audit-log rows are linked into an HMAC hash chain so tampering is detectable.
- Role-based access control (Admin, Editor, Viewer) on every back-office endpoint, and double-submit CSRF protection on every state-changing request.
- Rate limiting on all authentication and consent endpoints to blunt brute-force and consent-spam.
No system is unbreakable. If we discover a personal-data breach that meets the notification threshold, we will notify the relevant authority within 72 hours and affected users without undue delay.
10 Your rights
Subject to applicable law (UAE PDPL, EU GDPR, UK GDPR), you have the right to:
- Access — get a copy of the personal data we hold about you. Back-office users can self-serve via the Privacy Export endpoint, which packages account, sessions, audit logs, contact submissions, and consent history.
- Rectification — correct inaccurate data.
- Erasure — ask us to delete data we no longer need to keep. Some categories (audit logs, retained for security) may be redacted rather than wiped.
- Restriction & objection — pause or object to specific processing, especially anything based on legitimate interest.
- Portability — receive a machine-readable copy of data you provided.
- Withdraw consent at any time — and as easily as you gave it. Use the Cookie Settings page.
- Lodge a complaint with the UAE Data Office, or with your local supervisory authority if you are in the EU/UK.
We respond to verified rights requests within 30 days, extendable once by a further 60 days for complex requests (we'll tell you if we need the extension). Verification is normally a reply from the email address we hold on file.
11 Children
jddesign.ae is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has submitted data through our site, write to the privacy contact below and we will delete it.
12 Automated decision-making
We do not make decisions that produce legal or similarly significant effects about you using fully automated processing. Anti-abuse and rate-limiting decisions are algorithmic but reversible and subject to human review on request.
13 Changes to this policy
We bump the policy version at the top whenever we make a material change. Where the change affects the basis for cookies, we re-prompt for consent (your stored decision is invalidated and the banner reappears). Cosmetic changes are noted under Last updated only.
14 Contact & complaints
For privacy questions, rights requests, or to escalate a concern:
- Email: [email protected]
- Postal: [TO BE COMPLETED — registered office address]
If you remain dissatisfied with our response, you can complain to the UAE Data Office (dataoffice.gov.ae). Visitors in the EU or UK can complain to their local supervisory authority — the lists are at edpb.europa.eu and ico.org.uk.