Privacy Policy (GDPR/UK GDPR-aligned) — ISTAR Capital Ltd. (DIFC)

1) Who this policy applies to
This policy applies to personal data we process about:
Website visitors
People who contact ISTAR or request information
People who subscribe to insights/marketing (where available)
Event/webinar attendees
Portal users (including research portal access)
Clients/prospects/counterparties and their representatives (B2B context)
Job applicants (if ISTAR recruits via the website or email)
2) What personal data we collect
Depending on how you engage with ISTAR, we may collect:
A. Identity & contact data
Name, job title, company, business email, phone number, country, and professional details you provide.
B. Communications data
Emails/messages you send us, meeting notes, call summaries, and preference information.
C. Website, device & usage data
IP address, device/browser information, pages viewed, referral source, approximate location (derived from IP), and cookie/tracking data.
D. Event & marketing data
Registration details, attendance status, and communication preferences.
E. Client onboarding / due diligence data (where applicable)
If you become a client/counterparty or request regulated services, we may need additional information such as identification details, corporate/UBO information, and other compliance documentation. (ISTAR will confirm the exact scope and whether/when this is collected via the website.)
Children: ISTAR services are intended for professional/institutional audiences and not directed to children.
3) Sources of personal data
We collect personal data:
Directly from you (forms, emails, calls, meetings, registrations)
From your organisation/colleagues (in a B2B context)
From public/professional sources (e.g., company websites, professional profiles) where relevant
From service providers (e.g., website/analytics, event tools)
From screening/compliance sources where applicable to onboarding and risk checks.
GDPR expects we tell you the source when data is obtained indirectly.
4) How we use personal data and our lawful bases
We process personal data for the purposes below and rely on one or more lawful bases (as appropriate):
Responding to enquiries and providing information
Lawful basis: Legitimate interests (running our business and responding) and/or steps prior to entering a contract.
Managing business relationships (B2B) and providing services
Lawful basis: Contract / steps prior to contract; and/or legitimate interests.
Website operations, performance, and security
Lawful basis: Legitimate interests (security, diagnostics, service improvement).
Analytics and advertising measurement (where enabled)
Lawful basis: Consent for non-essential cookies/trackers, where required.
Marketing communications (where enabled)
Lawful basis: Consent (where required) and/or legitimate interests (especially in a B2B context), always subject to your right to opt out.
Events/webinars
Lawful basis: Contract/steps prior to contract; legitimate interests; and/or consent depending on the event and communications.
Recruitment
Lawful basis: Legitimate interests (hiring) and steps prior to entering a contract; legal obligations where applicable.
(These disclosure items are part of the GDPR “right to be informed” requirements for privacy notices.)
5) Cookies, analytics, and pixels
ISTAR uses cookies and similar technologies. Some are strictly necessary; others help us understand usage and measure marketing performance.
Based on current information, ISTAR may use:
Google Analytics 4 (GA4)
LinkedIn Insight Tag
Meta Pixel
These technologies may collect usage data and identifiers (including IP and cookie IDs) and may involve international data transfers depending on provider configurations.
Cookie choices: Where legally required, ISTAR will provide a cookie banner/consent tool allowing you to accept/reject non-essential cookies and change preferences later.
Cookie details: [Add link to Cookie Policy / cookie settings]
6) Who we share personal data with
We may share personal data with:
A. Service providers (processors) supporting our operations, such as:
Website hosting/platform: Wix (website hosting and related services)
CRM / communications: Wix CRM and (if enabled) Wix Ascend/Wix Email Marketing (to confirm exact products)
Analytics and marketing measurement: Google (GA4), LinkedIn, Meta
Research portal provider: Research Tree (as a third-party portal/service provider; to confirm role and data flows)
B. Professional advisers
Lawyers, auditors, consultants, and insurers where necessary.
C. Legal/regulatory disclosures
Authorities, regulators, courts, or law enforcement if required by law or to protect rights, safety, and integrity.
We require processors to protect personal data and process it only in line with our instructions and contracts where applicable.
7) International transfers
ISTAR is based in the UAE (DIFC), and our vendors and portal providers may process data in other countries (potentially including the UK/EU and the US), depending on hosting and service configurations.
Where GDPR/UK GDPR applies, we will use lawful transfer mechanisms such as adequacy decisions or appropriate contractual safeguards (e.g., Standard Contractual Clauses and/or the UK transfer addendum/IDTA), as applicable.
(ISTAR will confirm whether SCCs/UK IDTA are in place with each vendor.)
8) Data retention
ISTAR retains personal data only as long as necessary for the purposes described.
Current baseline provided: 90 days (for general enquiry/lead data), unless:
You become a client/counterparty, or
Longer retention is required/justified for legal, regulatory, compliance, dispute, or accounting reasons.
Example retention (to be confirmed and finalised by ISTAR):
Website enquiries/leads: 90 days from last interaction
Marketing lists: until you opt out (plus a minimal suppression record to respect your choice)
Portal access logs: [10 months]
Client onboarding/compliance files (if applicable): [2 years, depending on obligations]
9) Security
ISTAR implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful loss, misuse, alteration, unauthorised access, or disclosure (e.g., access control, least privilege, secure systems, vendor due diligence).
10) Your rights
If GDPR/UK GDPR applies to you, you may have rights including:
Access, rectification, erasure
Restriction and objection
Data portability (in some cases)
Withdrawal of consent at any time (where processing is based on consent)
To exercise rights, contact info@istar.capital (or the confirmed privacy contact). We may ask you to verify your identity.
11) Complaints and regulators
UK: You can lodge a complaint with the Information Commissioner’s Office (ICO).
EU/EEA: You can lodge a complaint with your local data protection authority.
DIFC: DIFC has its own Data Protection Law (DIFC Law No. 5 of 2020) and related transparency expectations.
UAE (federal): The UAE has a federal personal data protection law (Federal Decree-Law No. 45 of 2021).
12) Updates to this policy
We may update this Privacy Policy from time to time. The updated version will be posted on our website with a revised “Last updated” date.
13) Contact
ISTAR Capital Ltd. (DIFC)
Unit 604, Level 6, Index Tower, DIFC, PO Box 507268, Dubai, UAE
Email: info@istar.capital (confirm)
Phone: +971 4 563 7712