Privacy Policy

Effective date: April 12, 2026

Ahmed Elflal ("I", "me", "my") operates ahmedelflal.com (the "Site"). This Privacy Policy explains how I collect, use, store, and protect your personal data when you visit the Site or interact with its forms and services.

This policy is aligned with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and its implementing regulations.

1. Data Controller

Ahmed Elflal, operating as a sole practitioner in digital marketing consulting, based in the United Arab Emirates. For data-related inquiries, contact: [email protected]

2. Personal Data I Collect

I collect only the data you voluntarily provide through site forms:

  • Contact/apply forms: Name, email address, company name (optional), phone number (optional), message content
  • Email subscription forms: Email address
  • Resource download forms: Email address, resource identifier

I do not collect sensitive personal data (health, biometric, financial, or government ID data).

3. Automatically Collected Data

When you visit the Site, my server may log:

  • Hashed IP address (truncated, not stored in raw form)
  • Browser type and version
  • Pages visited and timestamps
  • Referring URL

This data is used for security (rate limiting, abuse prevention) and performance monitoring. IP addresses are hashed before storage and cannot be used to directly identify you.

4. How I Use Your Data

Your personal data is used for the following purposes, each with a lawful basis under PDPL:

  • Responding to your inquiry: When you submit a contact or apply form, I use your name and email to respond. Lawful basis: performance of a contract or pre-contractual measures (PDPL Art. 5(1)).
  • Delivering requested resources: When you request a download, I use your email to send the resource link. Lawful basis: consent (PDPL Art. 5(2)).
  • Email communications: If you subscribe to the newsletter, I send periodic emails with marketing frameworks and insights. Lawful basis: consent (PDPL Art. 5(2)). You can unsubscribe at any time.
  • CRM and lead management: Contact data is synced to GoHighLevel (GHL), a CRM platform, for follow-up and relationship management. Lawful basis: legitimate interest (PDPL Art. 5(4)).

5. Third-Party Processors

I use the following third-party services to process your data:

  • GoHighLevel (GHL): CRM, contact management, and email automation. Data stored in GHL's US-based infrastructure. GHL's privacy policy: gohighlevel.com/privacy-policy
  • Hostinger: Web hosting. Server logs processed on Hostinger VPS infrastructure.
  • Cloudflare: CDN and DDoS protection. Processes request metadata for security filtering.

All processors are contractually obligated to protect your data. Where data is transferred outside the UAE, I ensure adequate safeguards are in place as required by PDPL Articles 22-23.

6. Data Retention

  • Contact form submissions: Retained in CRM for 24 months after last interaction, then deleted.
  • Newsletter subscribers: Retained until you unsubscribe.
  • Server logs: Retained for 90 days, then automatically purged.
  • Rate limit data: Automatically deleted within 30 minutes of creation.

7. Your Rights Under UAE PDPL

You have the right to:

  • Access: Request a copy of all personal data I hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Restriction: Request that I stop processing your data
  • Data portability: Receive your data in a structured, machine-readable format
  • Withdraw consent: Withdraw consent at any time for processing based on consent
  • Object: Object to processing based on legitimate interest

To exercise any right, email [email protected]. I will respond within 14 days.

8. Data Security

I implement the following security measures:

  • HTTPS encryption on all pages (TLS 1.2+)
  • HSTS enforcement with 1-year max-age
  • Content Security Policy (CSP) headers
  • Server-side input validation and sanitization on all form data
  • Rate limiting on all API endpoints
  • CSRF protection via Origin/Referer validation
  • API keys stored in environment variables, never in source code
  • IP addresses hashed before logging

9. Cookies

This Site does not use cookies for tracking or advertising purposes. If analytics cookies are added in the future, this policy will be updated and consent will be obtained before any cookies are set.

10. Children's Privacy

This Site is not directed at individuals under 18. I do not knowingly collect data from minors. If you believe a minor has submitted data, contact me immediately for deletion.

11. Changes to This Policy

I may update this policy to reflect changes in my practices or legal requirements. The effective date at the top of this page indicates when the latest revision was published. Material changes will be communicated via email to subscribers.

12. Contact

For any data protection questions, complaints, or requests:

Ahmed Elflal
Email: [email protected]
Website: ahmedelflal.com

If you are not satisfied with my response, you may lodge a complaint with the UAE Data Office established under PDPL Article 29.