Privacy Policy
Introduction
At Underwings, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, engage our cybersecurity services, or communicate with us.
By using our services or website, you agree to the terms outlined in this policy.
Information We Collect
Personal Information
When you engage our services or contact us, we may collect:
- Name and contact details (email, phone number, company name)
- Job title and department
- Business information relevant to security assessments
- Payment and billing information
Technical Information
When you visit our website, we may automatically collect:
- IP address and browser type
- Device information and operating system
- Pages visited and time spent on site
- Referral source and navigation patterns
Service-Related Information
During penetration testing, compliance assessments, or training delivery, we may access:
- System configurations and network architecture (with explicit authorization)
- Vulnerability scan results and security findings
- Employee training completion data
- Compliance documentation and audit evidence
How We Use Your Information
We use collected information to:
- Deliver penetration testing, GRC, and security training services
- Communicate project updates and findings
- Process payments and maintain business records
- Improve our services and website experience
- Comply with legal and regulatory requirements
- Send relevant cybersecurity updates (with your consent)
We never sell your personal information to third parties.
Scope Builder Submissions & Marketing Opt-In
When you use our Scope Builder, we collect the answers you provide (driver, scope selections, timeline, company size), your name, work email, company, and optional phone number. This information is used to:
- Generate and email you a personalised penetration-testing scoping brief
- Allow our team to follow up once with a written fixed-price quote
- Store the lead in our internal CRM (Krayin) for opportunity management
On that form you may optionally opt in to receive our monthly UAE cybersecurity threat briefing. This is a separate marketing communication from the transactional scoping brief. We will only add you to the briefing list if you explicitly tick the opt-in checkbox. You can unsubscribe at any time via the unsubscribe link in any briefing email, or by emailing contact@underwings.org.
Our use of this data complies with the UAE Personal Data Protection Law (PDPL, Federal Decree-Law No. 45 of 2021). We retain Scope Builder submission data for up to 24 months for opportunity tracking, after which it is anonymised or deleted unless you have become a paying client.
Data Protection & Security
As a cybersecurity company, we practice what we preach:
- All client data is encrypted in transit and at rest
- Access to sensitive information is restricted to authorized personnel only
- We maintain ISO 27001-aligned security controls
- Penetration testing findings are stored securely and shared only with authorized stakeholders
- We conduct regular security audits of our own systems
Your Rights
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete data
- Delete your information (subject to legal retention requirements)
- Opt out of marketing communications at any time
- Request a copy of your data in a portable format
- Object to certain processing activities
To exercise these rights, contact us at privacy@underwings.org.
Cookies & Tracking Technologies
Our website uses cookies to:
- Remember your preferences and settings
- Analyze site traffic and usage patterns
- Improve user experience
You can disable cookies through your browser settings, though this may limit certain website functionality.
Third-Party Services
We may use trusted third-party services for:
- Website hosting and analytics
- Payment processing
- Email communications
- Project management and collaboration
These providers are contractually obligated to protect your data and use it only for specified purposes.
Data Retention
We retain personal information only as long as necessary:
- Active client data: Duration of engagement plus 7 years (for audit/legal purposes)
- Marketing contacts: Until you opt out or request deletion
- Security findings: Per contractual agreement and compliance requirements
International Data Transfers
If we transfer data outside the UAE, we ensure adequate protection through:
- Standard contractual clauses
- Privacy Shield frameworks (where applicable)
- Explicit consent when required
Changes to This Policy
We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will notify active clients directly.
Contact Us
If you have questions about this Privacy Policy or how we handle your data:
Email: privacy@underwings.org