Privacy Policy

1. Introduction and Scope

This Privacy Policy (the "Policy") describes how MS Corporate Services (referred to in this document as "MS", "we", "us", or "our") collects, uses, stores, discloses, and protects personal data in connection with the operation of its website at ms-ca.com (the "Website") and the provision of corporate, compliance, tax, accounting, and related professional services (collectively, "Services").

MS operates from offices in the Abu Dhabi Global Market ("ADGM"), the Dubai International Financial Centre ("DIFC"), the Dubai Multi Commodities Centre ("DMCC"), and the Qatar Financial Centre ("QFC").

Where this Policy refers to "you" or "your", it refers to any individual whose personal data is collected or processed by MS, including prospective and existing clients, company officers, directors, shareholders, beneficial owners, authorised signatories, website visitors, and job applicants.

By using the Website, submitting any inquiry or service request, or engaging MS for any of its professional services, you acknowledge that you have read and understood this Policy and consent to the collection and use of your personal data as described herein. If you do not agree with the terms of this Policy, you should refrain from using the Website or engaging MS's Services.

2. Definitions
The following terms, when used in this Policy, shall bear the meanings set out below:
Personal Data: Personal Data means any information relating to an identified or identifiable natural person, whether directly or indirectly. This includes, but is not limited to, name, identification numbers, contact details, financial data, location data, or any factor specific to the physical, physiological, economic, cultural, or social identity of that person.
Processing: Processing means any operation or set of operations performed on personal data. This includes collection, recording, organisation, structuring, storage, adaptation, retrieval, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction of personal data.
Data Controller: Data Controller means MS Corporate Services, acting as the entity that determines the purposes and means of processing personal data.
Data Processor: Data Processor means any third party that processes personal data on behalf of and under the documented instructions of MS as the Data Controller.
KYC / AML Data: KYC / AML Data means identity verification, due diligence, and anti-money laundering data collected in fulfilment of statutory obligations applicable to designated non-financial businesses and professions ("DNFBPs"). This may include copies of passports, Emirates ID, visa documents, proof of address, source-of-funds declarations, and corporate ownership structures.
UBO: UBO means Ultimate Beneficial Owner. It refers to the natural person or persons who ultimately own or control a legal entity, whether directly or indirectly, and on whose behalf a transaction is conducted.
Cookies: Cookies mean small text files placed on your device by websites you visit. They store session and preference data and enable websites to recognise your device on return visits. The term also includes similar tracking technologies such as pixel tags and web beacons.
UAE PDPL: UAE PDPL means UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and Privacy, together with its implementing regulations.
DIFC DP Law: DIFC DP Law means DIFC Law No. 5 of 2020, also known as the Data Protection Law, together with its associated Data Protection Regulations, as may be amended from time to time.
ADGM DP Regs: ADGM DP Regs means the ADGM Data Protection Regulations 2021, as may be amended from time to time.
Consent: Consent means a freely given, specific, informed, and unambiguous indication of agreement to the processing of personal data, evidenced by a clear affirmative act.
Website: Website means the website operated by MS at ms-ca.com and all associated sub-pages and digital tools.
3. Data Controller and Contact Details
MS Corporate Services acts as the Data Controller in respect of all personal data collected through the Website and in the course of providing its professional services. For the purpose of data collected and processed within the DIFC, MS also acts as a Data Controller under the DIFC DP Law. For data collected and processed within ADGM, MS acts as a Data Controller under the ADGM DP Regs.
For all matters relating to this Policy, including data subject rights requests, privacy complaints, or data breach notifications, please contact MS's designated data protection contact using the following details:
Email: info@ms-ca.com
MS will acknowledge all data protection communications within five (5) business days and will endeavour to resolve substantive requests within thirty (30) calendar days of receipt, subject to the complexity of the matter and applicable legal timeframes.
4. Personal Data We Collect
MS collects personal data across several categories, depending on the nature of your interaction with us and the services we provide. The categories are described below.
4.1 Identity and Contact Data

Collected from clients, website visitors, and prospective clients:
1. Full legal name, including name as it appears on government-issued identification.
2. Residential address and/or registered business address.
3. Email address, telephone number, and other contact details.
4. Job title, designation, company name, and professional role.
4.2 Website and Technical Data

Automatically collected when you visit the Website:
1. Internet Protocol (IP) address and approximate geographic location.
2. Browser type, version, and operating system.
3. Device type and device identifiers.
4. Date, time, and duration of website visits.
5. Pages, sections, and features viewed, and the sequence of navigation.
6. Referring website or traffic source.
7. Cookie identifiers and session data (see Section 11 for details).
8. LinkedIn Pixel event data.
4.3 Inquiry and Correspondence Data

When you contact MS through the Website's contact form, email, telephone, or social media:
1. Your name, email address, telephone number, and organisation.
2. The nature of your service requirement (e.g., incorporation, tax, compliance).
3. The jurisdiction of interest (e.g., ADGM, DIFC, DMCC, QFC).
4. The content of your message or inquiry.
4.4 Recruitment and HR Data

If you apply for a position with MS:
1. Curriculum vitae, covering letter, and professional references.
2. Academic qualifications, professional certifications, and employment history.
3. Personal information disclosed in the context of a job application.
4.5 Marketing and Subscription Data

If you subscribe to MS Insights, newsletters, or regulatory updates:
1. Name, email address, and professional interests.
2. Records of your consent to or withdrawal from marketing communications.
5. How We Collect Personal Data
MS collects personal data through the following channels:
Website Contact Forms: When you complete and submit the service inquiry or contact form on the Website, the data you enter (including your name, email address, phone number, organisation, choice of service, and jurisdiction) is transmitted to and stored by MS.
Email and Telephone Communication: When you contact us directly at info@ms-ca.com or by telephone, we collect and retain the content of the communication and your contact details.
Client Onboarding and Engagement: When you engage MS for professional services, we collect the personal and corporate data necessary to provide those services, including KYC and AML documentation as described in Section 4 above.
Regulatory and Compliance Processes: We may receive personal data from ADGM, DIFC, DMCC, QFC, UAE Federal Tax Authority (FTA), or other regulatory authorities in the course of carrying out our statutory obligations on your behalf.
Social Media Interactions: When you interact with MS's official accounts on LinkedIn, Facebook, X (formerly Twitter), Instagram, or YouTube, data you make publicly available or submit to us through those platforms may be collected.
Website Analytics and Tracking Technologies: Automatically collected data via cookies, server logs, Google Tag Manager, and the LinkedIn Insight Tag (see Section 11 for full details).
Newsletter and Insights Subscriptions: When you subscribe to MS Insights, updates, or other publications through the Website.
Events and In-Person Meetings: When you attend or meet with MS at conferences, seminars, or business meetings, you may provide contact details directly.
Third-Party Referrals: We may receive your contact details from an existing client or professional referral source.
6. Legal Basis for Processing Personal Data
MS processes personal data only where one or more of the following legal bases apply. The applicable basis will depend on the specific category of data and the purpose for which it is processed.
6.1 Performance of a Contract

Processing is necessary to enter into, administer, or perform a professional services engagement with you, including the provision of incorporation, compliance, tax, accounting, payroll, and residency services.
6.2 Legal Obligation

Processing is required in order for MS to comply with its legal and regulatory obligations as a CSP and DNFBP, including AML/CFT obligations under UAE Federal Decree-Law No. 20 of 2018, ADGM's AML Rulebook, DIFC's Anti-Money Laundering Module, the UAE Federal Corporate Tax Law, the UAE VAT Law, and any other applicable law or regulatory requirement. The collection and retention of KYC, UBO, source-of-funds, and beneficial ownership data is mandatory under these frameworks.
6.3 Consent

Where you have provided express consent for a specific processing activity, such as receiving marketing communications, MS Insights newsletters, or regulatory updates. You may withdraw consent at any time without affecting the lawfulness of prior processing.
6.4 Legitimate Interests

Where processing is necessary for MS's legitimate business interests, provided such interests are not overridden by your rights and interests. This includes operating and improving the Website; business development and client relationship management; sending service-related communications and updates; maintaining professional records; fraud prevention and IT security; and analysing market trends and regulatory developments to improve our advisory services.
6.5 Vital Interests

In exceptional circumstances, where processing is necessary to protect the vital interests of you or another person.
7. Purposes for Which We Process Personal Data
7.1 Service Delivery

To provide corporate services, including company incorporation, SPV and foundation setup, and company secretarial services in ADGM, DIFC, DMCC, RAK ICC, and QFC.
To provide compliance services, including annual filings, AML compliance, and outsourced Compliance Officer, Finance Officer, and MLRO functions.
To provide tax services, including corporate tax registration and filing, VAT registration and returns, transfer pricing documentation, and economic substance requirements.
To provide accounting and bookkeeping services, including preparation of financial statements, management accounts, payroll processing, and audit support.
To provide residency and visa services, including Golden Visa applications and sponsored residency under ADGM and DIFC frameworks.
7.2 Regulatory Compliance and KYC / AML Obligations

To conduct client due diligence (CDD), enhanced due diligence (EDD), and ongoing monitoring as required under the UAE's AML/CFT regime, ADGM's AML Rulebook, and DIFC's AML framework.
To identify and verify the identity of clients, UBOs, directors, shareholders, and authorised signatories.
To file statutory returns, comply with regulatory reporting requirements, and respond to enquiries from ADGM, DIFC, DMCC, QFC, the UAE Federal Tax Authority, the UAE Central Bank, or other competent authorities.
To maintain records in compliance with the mandatory record-keeping periods prescribed by applicable law.
7.3 Website and Operational Management

To operate and maintain the Website, ensure its technical functionality, and improve the user experience.
To monitor and analyse website traffic, visitor behaviour, and interaction patterns using Google Tag Manager and the LinkedIn Insight Tag.
To manage and respond to inquiries submitted through the Website contact form.
7.4 Marketing and Business Development

To send you marketing communications, industry insights, regulatory updates, event invitations, and other information about MS's services, where you have given your consent or where MS has a legitimate interest in doing so.
To conduct client satisfaction surveys and market research.
To manage MS's social media presence and professional communications on LinkedIn, Facebook, X, Instagram, and YouTube.
7.5 Recruitment

To evaluate and process applications for employment, traineeship, or internship.
With your consent, to retain your application for future vacancies for a period not exceeding twelve (12) months.
8. Disclosure and Sharing of Personal Data
MS does not sell, rent, or trade personal data to third parties for their independent commercial purposes. Personal data may be shared only in the circumstances described below.
8.1 Regulatory and Government Authorities

As a licensed CSP and DNFBP, MS is required by law to share personal data with regulatory, supervisory, and government authorities in certain circumstances.
8.2 Third-Party Service Providers

MS engages third-party service providers (Data Processors) who support our operations, including Website hosting, cloud storage, IT infrastructure, email delivery services, analytics tools (including Google Analytics, Google Tag Manager, and LinkedIn Insight Tag), customer relationship management systems, and document management platforms. All Data Processors are contractually required to process personal data only in accordance with MS's instructions and to maintain appropriate technical and organisational security measures.
8.3 Professional Advisors

Personal data may be disclosed to MS's external legal counsel, auditors, accountants, or other professional advisors where necessary for them to provide professional services to MS, subject to obligations of professional confidentiality.
8.4 MS Group Entities

Personal data may be shared with other MS Group entities where necessary for group-level governance, referrals, co-operative service delivery, or compliance purposes, subject to equivalent data protection obligations.
8.5 Legal Compulsion

MS may disclose personal data to courts, law enforcement agencies, government bodies, or other competent authorities where required to do so by applicable law, legal process, court order, or binding regulatory directive. Where permitted, MS will endeavour to notify you of any such mandatory disclosure.
9. Cross-Border Data Transfers (Other Jurisdictions)
Personal data collected by MS may be transferred to and stored on servers or systems located in jurisdictions other than the UAE in connection with MS's use of third-party cloud and technology service providers, and in connection with the QFC operations in Qatar.
MS takes the following measures to ensure that all cross-border data transfers are made in compliance with applicable data protection law:
1. Transferring personal data only to jurisdictions or recipients that provide an adequate level of data protection as recognised by the originating jurisdiction.
2. Entering into contractual arrangements with overseas recipients that impose equivalent data protection obligations, such as standard data transfer agreements or data processing agreements.
3. Ensuring that any transfers made in connection with MS's DIFC operations are compliant with the transfer restrictions under the DIFC DP Law, including the requirement to transfer only to jurisdictions with adequate data protection standards or with the consent of the data subject.
4. Ensuring that transfers related to ADGM operations comply with the cross-border transfer requirements under the ADGM DP Regs.
You may request further information about the safeguards governing any specific cross-border transfer of your personal data by contacting us at info@ms-ca.com.
10. Data Retention
MS retains Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted under applicable law or regulatory requirements.
As a general guide, the following retention periods apply:

Inquiry and Contact Form Data: retained for a period of up to three (3) years from the date of last contact, unless an ongoing service relationship is established.

Client Engagement Data: retained for the duration of the engagement and for a period of at least five (5) years thereafter, or such longer period as required under applicable regulatory obligations (including AML and KYC record-keeping requirements).

Website Technical Data and Cookies: session cookies are deleted at the end of the browser session; persistent cookies and server log data are retained for up to thirteen (13) months.

Marketing and Consent Records: retained until consent is withdrawn or for a period of three (3) years from the date of last interaction, whichever is earlier.

Recruitment and HR Data: retained for up to twelve (12) months following the conclusion of a recruitment process in respect of unsuccessful applications, with your consent, or for such period as required if an employment relationship is established.

Legal and Compliance Records: retained for such periods as are required under applicable law, regulation, or court order, which may be up to seven (7) years or longer in certain jurisdictions.
Upon the expiry of the applicable retention period, Personal Data will be securely deleted, anonymised, or archived in accordance with MS's data disposal procedures.
11. Cookies and Tracking Technologies
The Website uses cookies and similar tracking technologies to enable core functionality, analyse visitor behaviour, and support marketing activities. Details of the specific technologies deployed are set out below.
11.1 Types of Cookies Used

Strictly Necessary Cookies: Essential for the operation of the Website and cannot be disabled. They enable page navigation, form submission, security features, and session management.

Performance and Analytics Cookies: Used to collect aggregated, anonymised information about how visitors use the Website, including pages visited, time on site, and traffic sources. We use Google Tag Manager (Container ID: GTM-KKZCPMG) to manage and deploy these tags.

Functional Cookies: Enable enhanced features such as remembering your service or jurisdiction preferences and personalising your browsing experience.

Marketing and Targeting Cookies: Enables audience tracking and remarketing.
11.2 Managing Your Cookie Preferences

You may manage or withdraw your consent to non-essential cookies at any time through your browser settings or, where a cookie preference manager is available on the Website, through that tool. Please note that disabling certain categories of cookies may impair the functionality of the Website.

For specific opt-out options in relation to Google Analytics, please visit: https://tools.google.com/dlpage/gaoptout.
12. Security of Personal Data
MS implements technical, physical, and organisational safeguards appropriate to the sensitivity of the personal data it processes. These measures include:
1. Encryption of personal data in transit using industry-standard protocols and, where applicable, at rest on secure servers.
2. Role-based access controls and authentication mechanisms to ensure that personal data is accessible only to authorised personnel on a strict need-to-know basis.
3. Data minimisation practices, ensuring that only the personal data necessary for a specific purpose is collected and retained.
4. Secure physical and digital storage of KYC documents and client records.
5. Regular security assessments, vulnerability testing, and staff training on data protection obligations.
6. Documented incident response procedures for detecting, containing, and reporting personal data breaches in compliance with applicable notification requirements.
Notwithstanding the above, no electronic transmission or storage method is completely secure, and MS cannot guarantee the absolute security of data transmitted over the internet. You transmit personal data to MS electronically at your own risk in respect of inherent internet security limitations.
In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, MS will notify you and, where legally required, the relevant supervisory authority within the timeframe prescribed by applicable law.
If you become aware of any actual or suspected security incident, fraudulent communication purporting to be from MS, or unauthorised use of your personal data, please contact us immediately at info@ms-ca.com with the subject line: "Security Incident Report".
13. Marketing Communications: Opt-In and Opt-Out
MS may send you marketing communications, including MS Insights articles, regulatory updates, event invitations, and information about our services, subject to the following conditions:
1. You have provided your prior consent through the Website's newsletter subscription or contact form (which includes a statement that completing the form authorises MS to send service-related updates); or
2. MS has a legitimate interest in communicating with you about services related to those you have already engaged or expressly inquired about.
You may withdraw your consent to marketing communications at any time by:
1. Clicking the "unsubscribe" link included in any MS marketing email;
2. Contacting MS at info@ms-ca.com with the subject line "Unsubscribe";
3. Calling MS on +971 2 309 3344 and requesting removal from marketing communications; or
4. Submitting an opt-out request directly through this Website.
Opting out of marketing communications will not affect your receipt of service-related communications in connection with an active professional services engagement.
14. Your Rights in Relation to Your Personal Data
Subject to applicable data protection law and any applicable legal exemptions or limitations (including mandatory KYC and AML record-keeping obligations that may override certain rights), you have the following rights in respect of your personal data held by MS:
14.1 Right of Access

You may request confirmation of whether MS holds personal data about you and, if so, receive a copy of that data together with information about the purposes for which it is processed, the categories of recipients with whom it is shared, and the applicable retention periods.
14.2 Right to Rectification

You may request that MS correct personal data that is inaccurate, incomplete, or out of date. MS will respond to such requests promptly and update records as appropriate.
14.3 Right to Erasure

You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and no other legal basis applies, or where the processing was unlawful. This right is subject to overriding legal obligations, including mandatory data retention requirements under UAE AML/CFT law, UAE Corporate Tax Law, and ADGM/DIFC regulatory requirements, which may prevent erasure during applicable statutory retention periods.
14.4 Right to Restriction of Processing

You may request that MS restrict the processing of your personal data in certain circumstances, for example while the accuracy of data is contested or while an objection to processing is under consideration.
14.5 Right to Data Portability

Where processing is based on consent or on a contract and is carried out by automated means, you have the right to receive the personal data you have provided to MS in a structured, commonly used, and machine-readable format, and to request that it be transmitted to another controller where technically feasible.
14.6 Right to Object

You may object to processing based on MS's legitimate interests, including direct marketing. MS will cease processing unless it can demonstrate compelling legitimate grounds that override your rights, or where processing is necessary for the establishment, exercise, or defence of legal claims.
14.7 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time by contacting MS at info@ms-ca.com. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.
14.8 Right Not to be Subject to Automated Decision-Making

MS does not make decisions with significant legal or similar effects solely by automated means. If this practice changes in the future, this Policy will be updated accordingly.
To exercise any of the rights described above, please submit a written request to info@ms-ca.com, clearly stating your identity and the specific right you wish to exercise. MS may require reasonable evidence of your identity before processing a request. MS will respond to verified requests within thirty (30) calendar days, subject to applicable legal timeframes.
15. Third-Party Websites and Links
The Website may contain links to third-party websites, including other entities within the MS Holdings group (such as ms-kapital.com, dot-and.com, e7estates.com, kitaab.ai, cedrah.org, and ms.foundation), as well as unrelated external platforms. This Policy does not apply to the data collection or processing practices of those third-party websites.
MS has no control over and accepts no responsibility for the content, privacy policies, or security practices of any third-party websites accessible via links on the MS Website. You are encouraged to review the privacy policy of any third-party site before providing personal data to it. The existence of a link to a third-party website does not constitute an endorsement of that site or its privacy practices by MS.
16. Personal Data of Minors
The Website and services of MS are directed exclusively at adults and business entities. MS does not knowingly collect personal data from individuals under the age of eighteen (18). If MS becomes aware that it has inadvertently collected personal data from a minor, it will take prompt steps to delete that data from its records.
If you believe that MS has received personal data relating to a minor, please contact us at info@ms-ca.com so that appropriate action may be taken.
17. Regulatory Compliance Framework
By virtue of its multi-jurisdictional operations, MS is subject to, and committed to complying with, the following data protection and privacy regulatory frameworks, in addition to its broader professional regulatory obligations:
17.1 UAE Federal Level

UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and Privacy ("UAE PDPL") and its implementing regulations, which govern the processing of personal data by entities registered and operating in mainland UAE and across the UAE generally.
17.2 Dubai International Financial Centre (DIFC)

DIFC Law No. 5 of 2020 (Data Protection Law) and the DIFC Data Protection Regulations, which establish an independent data protection regime within the DIFC. MS's DIFC-based operations are subject to the regulatory oversight of the Commissioner of Data Protection in the DIFC.
17.3 Abu Dhabi Global Market (ADGM)

The ADGM Data Protection Regulations 2021, which establish a GDPR-aligned data protection framework within ADGM. MS's ADGM-based operations are subject to the data protection oversight of the ADGM Registration Authority.
17.5 Qatar Financial Centre (QFC)

The QFC Data Protection Regulations (as may be amended), which govern data protection for entities operating within the QFC. MS's QFC office processes personal data in compliance with applicable QFC data protection requirements.
18. Regulatory Complaints and Supervisory Authorities
If you are dissatisfied with how MS handles your personal data or responds to a data subject rights request, you have the right to lodge a complaint with the appropriate supervisory authority.
19. Amendments to This Policy
MS reserves the right to update or amend this Policy at any time to reflect changes in our business practices, applicable law, or regulatory requirements. Where material changes are made, MS will take reasonable steps to notify affected individuals, which may include posting a prominent notice on the Website, updating the "Effective Date" and version number at the top of this document, or sending an email notification to those whose contact details we hold.
You are encouraged to review this Policy periodically. Your continued use of the Website or engagement with MS following any amendment will constitute acceptance of the revised Policy. Previous versions of this Policy are superseded by the most current version published on the Website.
20. Acceptance of This Policy
By using the Website, submitting any service inquiry or contact form, engaging MS for professional services, or otherwise providing personal data to MS, you confirm that you have read, understood, and accepted this Privacy Policy in full.
If you are a corporate entity, authorised representative, or agent submitting personal data on behalf of another individual (including a company director, shareholder, UBO, or authorised signatory), you represent and warrant that you have obtained all necessary consents from that individual and are authorised to submit their personal data to MS on their behalf.
If you do not agree with any part of this Policy, you should refrain from using the Website and from engaging MS's services.
21. Contact and Grievance Information
For any questions, requests, complaints, or concerns relating to this Policy, to the processing of your personal data, or to the exercise of your data subject rights, please contact MS using the details below:
Email: info@ms-ca.com
Telephone: +971 2 309 3344
MS is committed to responding to all privacy-related communications with professionalism, transparency, and respect for your legal rights, consistent with its obligations under applicable data protection law.