Privacy Policy

Last updated: February 2026 · Governing regulation: EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679

1. Identity and Contact Details of the Data Controller

The data controller responsible for your personal data is:

RiskComms FZCO

Represented by: Philippe Borremans (Founder)

Registered in the United Arab Emirates (Free Zone Company)

Contact for data protection matters: [email protected]

Although RiskComms FZCO is incorporated in the UAE, the GDPR applies to this website by virtue of Article 3(2) GDPR, because we offer services to individuals located in the European Economic Area (EEA) and monitor their behaviour. We are committed to full compliance with the GDPR and applicable EU member-state data protection law.

2. Scope of This Policy

This Privacy Policy applies to personal data collected through the RiskComms website at riskcomms.com (the "Website"), including via the enquiry contact form on the Book a Briefing page, and any direct communications initiated through the Website. It does not apply to personal data processed under separate contractual or engagement agreements with clients.

3. Personal Data We Collect

We collect only the personal data that is necessary for the purposes described below. The categories of data we may collect are:

  • Contact and identity data: full name, job title/role, and organisation name, provided voluntarily via the enquiry form.
  • Contact details: email address, provided voluntarily via the enquiry form.
  • Enquiry content: the text of any message you submit through the contact form.
  • Technical and usage data: IP address, browser type, device type, pages visited, and time of visit, collected automatically via server logs and analytics tools.
  • Scheduling data: if you book a briefing via Cal.com, that booking is processed directly by Cal.com under their own privacy policy. We receive only the name, email address, and time of the appointment.

We do not collect special categories of personal data (Article 9 GDPR), financial data, or data relating to children under 16 years of age.

4. Purposes of Processing and Legal Bases

We process your personal data only where we have a valid legal basis under Article 6 GDPR. The table below sets out each processing activity, its purpose, and the applicable legal basis.

| Processing Activity | Purpose | Legal Basis (Art. 6 GDPR) |
| --- | --- | --- |
| Enquiry form submission | Responding to your message and assessing whether our services are relevant to your needs | Art. 6(1)(b) — necessary for pre-contractual steps at your request; or Art. 6(1)(f) — legitimate interests (responding to business enquiries) |
| Briefing scheduling | Confirming and managing a booked 30-minute briefing session | Art. 6(1)(b) — necessary for pre-contractual steps at your request |
| Website analytics | Understanding how visitors use the Website to improve content and performance | Art. 6(1)(f) — legitimate interests (improving our Website) |
| Security and fraud prevention | Detecting and preventing malicious or fraudulent activity | Art. 6(1)(f) — legitimate interests (protecting our systems and users) |
| Legal compliance | Meeting our obligations under applicable law | Art. 6(1)(c) — compliance with a legal obligation |

Where we rely on legitimate interests as our legal basis, we have conducted a balancing test and concluded that our interests are not overridden by your interests or fundamental rights. You have the right to object to processing based on legitimate interests at any time (see Section 8).

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.

  • Enquiry form data: retained for 24 months from the date of submission, or until you request erasure, whichever is earlier. If an enquiry leads to a client engagement, data is retained for the duration of the engagement plus 5 years for legal and accounting purposes.
  • Briefing scheduling data: retained for 12 months from the date of the scheduled session.
  • Website analytics data: retained in anonymised or aggregated form; any personal identifiers are deleted within 14 months.
  • Server logs: retained for a maximum of 90 days for security purposes.

6. Recipients and Third-Party Processors

We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients, only to the extent necessary:

  • Hosting and infrastructure: the Website is hosted on Manus cloud infrastructure. Data is processed in accordance with Manus's data processing terms.
  • Scheduling: Cal.com Inc. processes booking data when you use the scheduling link. Cal.com acts as an independent data controller for that processing. Please review Cal.com's Privacy Policy.
  • Analytics: aggregated, anonymised usage data may be processed by analytics tools. No personal data is shared with advertising networks.
  • Legal and regulatory: we may disclose data to competent authorities where required by law or to protect our legal rights.

All third-party processors are subject to appropriate data processing agreements and are required to implement adequate technical and organisational security measures.

7. International Transfers of Personal Data

RiskComms FZCO is based in the UAE. The UAE is not currently subject to an EU adequacy decision under Article 45 GDPR. Where personal data of EEA residents is transferred to or accessible from the UAE, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR as the appropriate safeguard. You may request a copy of the relevant SCCs by contacting us at [email protected].

Where data is processed by Cal.com (a US-based company), Cal.com relies on SCCs and/or the EU–US Data Privacy Framework as applicable. Please refer to Cal.com's privacy documentation for current transfer mechanisms.

8. Your Rights Under the GDPR

Subject to applicable conditions and limitations under the GDPR, you have the following rights in relation to your personal data:

  • Right of access (Art. 15): to obtain confirmation of whether we process your data and to receive a copy of it.
  • Right to rectification (Art. 16): to have inaccurate or incomplete data corrected.
  • Right to erasure / "right to be forgotten" (Art. 17): to request deletion of your data where there is no longer a lawful basis for its retention.
  • Right to restriction of processing (Art. 18): to request that we limit processing of your data in certain circumstances.
  • Right to data portability (Art. 20): to receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
  • Right to object (Art. 21): to object at any time to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making (Art. 22): we do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month of receiving your request. We may ask you to verify your identity before processing your request.

9. Right to Lodge a Complaint with a Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a data protection supervisory authority. You may contact the supervisory authority in the EU member state where you habitually reside, work, or where the alleged infringement occurred. A list of EU supervisory authorities is available at edpb.europa.eu.

We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority. Please contact us first at [email protected].

10. Security of Personal Data

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (Article 32 GDPR). These measures include encrypted data transmission (TLS/HTTPS), access controls, and regular security reviews. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.

11. Cookies and Similar Technologies

The Website uses cookies and similar technologies. Strictly necessary cookies are used to ensure the Website functions correctly (e.g., session management). These do not require your consent under the ePrivacy Directive. Where we use non-essential cookies (e.g., analytics), we will request your consent before placing them.

You may control or delete cookies through your browser settings at any time. Note that disabling certain cookies may affect the functionality of the Website.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last updated" date at the top of this page will reflect the date of the most recent revision. Where changes are material, we will take reasonable steps to bring them to your attention. We encourage you to review this Policy periodically.

13. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact:

Philippe Borremans — Data Controller

RiskComms FZCO

Email: [email protected]

Legal note: This Privacy Policy has been prepared to reflect best-practice GDPR compliance for a B2B consultancy operating internationally. It is not a substitute for legal advice. RiskComms FZCO recommends that this document be reviewed periodically by a qualified data protection practitioner, particularly following any material change in processing activities, applicable law, or regulatory guidance.