Privacy Policy.

1. Introduction

GSDA Legal Consultants ("we," "our," or "the Firm"), with its principal office at 10 Place Vendôme, 75001 Paris, France, is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal data when you visit our website at www.gsdalegalconsultants.com(the "Website"), engage our legal services, or interact with us through any channel.

This policy applies to all individuals whose personal data we process, including website visitors, clients, prospective clients, business contacts, job applicants, and any other persons who provide personal data to the Firm. We process personal data in compliance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679), the French Data Protection Act (Loi Informatique et Libertés), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, the California Consumer Privacy Act (CCPA), and all other applicable data protection legislation in the jurisdictions in which we operate.

2. Data Controller

The data controller responsible for your personal data is GSDA Legal Consultants, registered in France. For all data protection inquiries, you may contact our Data Protection Officer at:

• Email: privacy@gsdalegalconsultants.com
• Address: Data Protection Officer, GSDA Legal Consultants, 10 Place Vendôme, 75001 Paris, France
• Phone: +33 6 47 76 11 23

3. Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Data You Provide Directly

• Identity data: First name, last name, title, date of birth, nationality, government-issued identification numbers (where required for legal proceedings or compliance checks).
• Contact data: Email address, postal address, telephone numbers.
• Professional data: Company name, job title, professional qualifications, business registration details.
• Financial data: Bank account details, billing information (for invoicing and payment processing only).
• Case data: Legal matter details, documents, correspondence, and other information provided in connection with our legal services.
• Recruitment data: CV/resume, cover letter, educational qualifications, employment history, references.

3.2 Data Collected Automatically

• Technical data: IP address, browser type and version, operating system, time zone setting, device type, screen resolution.
• Usage data: Pages visited, time spent on pages, click patterns, referral source, navigation paths (collected via Google Analytics 4 with anonymised IP).
• Cookie data: Session cookies, analytics cookies, and preference cookies (see Section 10 below).

3.3 Data from Third Parties

• Publicly available information from official registers, court records, or regulatory databases in connection with our legal work.
• Referral information from other legal professionals, business associates, or intermediaries.
• Background check data from authorised screening services (where required for compliance or engagement acceptance).

4. Legal Bases for Processing

We process your personal data on the following legal bases under the GDPR:

• Performance of a contract (Art. 6(1)(b)): To provide legal services, manage client engagements, issue invoices, and fulfil our contractual obligations.
• Legal obligation (Art. 6(1)(c)): To comply with anti-money laundering (AML) regulations, tax obligations, bar association rules, and court orders.
• Legitimate interests (Art. 6(1)(f)): To improve our services, maintain website security, conduct business development, and manage our professional practice — provided your interests and fundamental rights do not override those interests.
• Consent (Art. 6(1)(a)): For marketing communications, analytics cookies, and any processing that requires explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. How We Use Your Data

• Providing legal advice, representation, and related professional services.
• Managing client relationships, including conflict checks and engagement acceptance.
• Communicating with you regarding your legal matters, inquiries, or our services.
• Processing payments and maintaining financial records.
• Complying with regulatory, legal, and professional obligations (including AML/KYC checks).
• Operating, maintaining, and improving our Website.
• Analysing website usage to enhance user experience (with consent).
• Recruiting and evaluating job applicants.
• Protecting our legal rights and the security of our systems.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share your data with:

• Affiliated offices: Our offices in Paris, Dubai, Riyadh, Cairo, Grenoble, Marseille, Doha, Manama, and Kuwait City may share data internally for the purpose of providing integrated legal services.
• Service providers: IT hosting providers (Vercel Inc.), email services, cloud storage, and analytics services (Google Analytics) that process data on our behalf under strict contractual data processing agreements.
• Legal and regulatory bodies: Courts, tribunals, arbitration centres, bar associations, regulatory authorities, and tax authorities — where required by law or professional obligation.
• Professional advisers: External counsel, barristers, experts, and auditors engaged in connection with our legal work — subject to appropriate confidentiality protections.
• Counterparties: Opposing parties and their legal representatives in the course of legal proceedings, negotiations, or transactions — only as necessary for your legal matter.

7. International Data Transfers

As an international law firm with offices across Europe, the Middle East, and North Africa, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the European Commission (where applicable).
• Binding Corporate Rules or equivalent intra-group agreements.
• Additional technical and organisational measures to protect data in transit and at rest.

For transfers to the United States (including our hosting provider Vercel Inc.), we rely on the EU-US Data Privacy Framework where applicable, or SCCs with supplementary measures.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Client matter files: Retained for a minimum of 10 years from the conclusion of the matter, in accordance with professional obligations and applicable limitation periods.
• Financial records: Retained for the period required by French tax law (typically 10 years).
• Website analytics data: Retained for 26 months from the date of collection (Google Analytics default).
• Contact form submissions: Retained for 2 years unless you become a client, in which case the data is retained as part of the client file.
• Job application data: Retained for 2 years from the conclusion of the recruitment process, unless you consent to longer retention.

9. Your Rights

Under applicable data protection laws, you have the following rights:

9.1 Under GDPR (EU/EEA Residents)

• Right of access (Art. 15): Obtain confirmation of whether your data is being processed and request a copy.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data where there is no compelling reason for its continued processing.
• Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
• Right to withdraw consent: Where processing is based on consent, withdraw consent at any time.
• Right to lodge a complaint: File a complaint with the French data protection authority (CNIL) at www.cnil.fr, or your local supervisory authority.

9.2 Under CCPA (California Residents)

• Right to know: Request the categories and specific pieces of personal information we have collected.
• Right to delete: Request deletion of personal information we have collected.
• Right to opt-out: Opt out of the sale of personal information (we do not sell personal data).
• Right to non-discrimination: Exercise your rights without discriminatory treatment.

9.3 Under UAE Data Protection Law

• Right to access, rectify, erase, restrict processing, and port your data.
• Right to object to processing and to automated decision-making.
• Right to lodge a complaint with the UAE Data Office.

To exercise any of these rights, please contact us at privacy@gsdalegalconsultants.com. We will respond within 30 days (or the period required by applicable law). We may need to verify your identity before processing your request.

10. Cookies and Tracking Technologies

Our Website uses the following cookies:

Analytics cookies are only placed after you provide consent via our cookie banner. You can manage cookies through your browser settings or by using our cookie consent tool. Declining analytics cookies does not affect your ability to use the Website.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• TLS/SSL encryption for all data transmitted to and from the Website (HTTPS enforced with HSTS).
• Access controls and authentication mechanisms for internal systems.
• Regular security assessments and vulnerability scanning.
• Staff training on data protection and information security.
• Confidentiality obligations in employment contracts and service provider agreements.
• Secure destruction of physical and digital records at end of retention periods.

12. Professional Confidentiality

As a law firm, all client communications and information are protected by legal professional privilege (secret professionnel) under French law and equivalent protections in each jurisdiction in which we operate. This duty of confidentiality is in addition to — and separate from — our data protection obligations, and survives the termination of the client relationship.

13. Third-Party Links

Our Website may contain links to external websites (e.g., LinkedIn, court registries, regulatory bodies). We are not responsible for the privacy practices of these third-party sites. We encourage you to read their privacy policies before providing any personal data.

14. Children's Privacy

Our Website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data to us, please contact our Data Protection Officer and we will take steps to delete such information.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will publish the updated policy on this page with a revised "Last updated" date. Material changes will be communicated through a notice on the Website. Your continued use of the Website after any changes constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

• Email: privacy@gsdalegalconsultants.com
• Phone: +33 6 47 76 11 23
• Address: GSDA Legal Consultants, 10 Place Vendôme, 75001 Paris, France

You also have the right to lodge a complaint with the relevant supervisory authority. In France, the supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris CEDEX 07, France.