Privacy Policy

Table of Contents

1. Who We Are
2. Information We Collect
3. How We Use Your Information
4. Legal Basis for Processing
5. Who We Share Your Information With
6. International Data Transfers
7. How Long We Keep Your Information
8. Your Privacy Rights
9. How to Exercise Your Rights
10. Cookies and Tracking Technologies
11. Security Measures
12. Children's Privacy
13. Data Breach Notification
14. Changes to This Policy
15. Contact Us and Complaints

1. Who We Are

Temple Rock Design Build ("TRDB," "we," "us," or "our") is a commercial interior design and construction company operating across the Gulf Cooperation Council (GCC) region and Ireland.

Regulatory Registration

We are registered as a data controller with the following authorities:

• Ireland: Data Protection Commission (DPC) - Registration Number: [To be obtained]
• United Arab Emirates: UAE Data Protection Authority - Registration Number: [To be obtained]
• Saudi Arabia: Saudi Data & AI Authority (SDAIA) - Registration Number: [To be obtained]

This Privacy Policy applies to our TRDB Cost Estimator tool, a web-based application that provides free commercial fit-out cost estimates in exchange for contact information.

2. Information We Collect

We collect different types of information depending on how you use our service:

3. How We Use Your Information

3.1 To Provide Our Service

• Generate Cost Estimates: Calculate and deliver customized fit-out cost estimates based on your project parameters
• Send Your Estimate: Deliver estimates via email, PDF download, or WhatsApp sharing
• Save Your Estimates: Store your estimates in your account for future reference (if you create an account)
• Provide Customer Support: Respond to your questions and assist with technical issues

3.2 To Follow Up on Your Project

• Project Discussion: Contact you to discuss your fit-out requirements in detail
• Provide Quotations: Prepare and send formal quotations for your project
• Schedule Consultations: Arrange meetings or site visits
• Answer Questions: Provide additional information about our services

Your Control: You can opt-out of follow-up communications at any time. See Section 8 for details.

3.3 To Improve Our Service

• Analyze Usage Patterns: Understand how users interact with our tool to improve usability
• Optimize Performance: Identify and fix technical issues
• Enhance Accuracy: Refine our cost calculation algorithms
• Develop New Features: Build features that users find valuable

3.4 To Improve Market Insights (Crowdsourced Data)

If you voluntarily contribute actual project cost data, we use it to:

• Improve Estimate Accuracy: Compare estimated costs against real-world project costs
• Market Analysis: Understand cost trends across different markets and project types
• Quality Assurance: Validate and refine our pricing models

Important Safeguards:

• ✅ Your contributions are anonymized before aggregation
• ✅ We aggregate data across 100+ projects minimum before using it
• ✅ Individual project details are never published or shared
• ✅ Contractor names are used only for internal verification and are never disclosed publicly
• ✅ You can request deletion of your contributions at any time

3.5 To Send Marketing Communications (With Your Consent)

• Newsletter: Occasional market insights, construction trends, and TRDB updates
• Service Announcements: New features, tools, or services that may interest you
• Educational Content: Guides, tips, and industry best practices

Your Control: Marketing communications are optional. You must explicitly opt-in, and you can unsubscribe at any time via the link in every email.

3.6 For Legal and Compliance Purposes

• Comply with Laws: Meet legal obligations in the jurisdictions where we operate
• Prevent Fraud: Detect and prevent fraudulent use of our service
• Enforce Terms: Enforce our Terms of Service and other policies
• Legal Proceedings: Respond to lawful requests from authorities, court orders, or subpoenas
• Protect Rights: Defend our rights, property, or safety, and that of our users

4. Legal Basis for Processing

Under data protection laws (including GDPR, UAE PDPL, and Saudi PDPL), we must have a legal basis to process your personal data. Here's the legal basis for each type of processing:

Processing Activity	Legal Basis (GDPR Art. 6)	Explanation
Generating and sending cost estimates	Contractual Necessity & Consent	You request an estimate; we need your contact info to provide it. By submitting the form, you consent to this processing.
Following up on your project	Consent & Legitimate Interest	You consent when requesting an estimate. We have a legitimate interest in discussing potential projects with interested parties.
Creating and managing user accounts	Contractual Necessity & Consent	You choose to create an account; we process data to provide account services.
Processing crowdsourced contributions	Explicit Consent	You explicitly consent to sharing your project data when you submit a contribution.
Sending marketing communications	Explicit Consent	You explicitly opt-in to receive marketing emails. You can withdraw consent anytime.
Analytics and service improvement	Legitimate Interest & Consent	We have a legitimate interest in improving our service. Analytics cookies require your consent.
Fraud prevention and security	Legitimate Interest	We have a legitimate interest in protecting our service and users from fraud and abuse.
Complying with legal obligations	Legal Obligation	We must comply with applicable laws, court orders, and regulatory requirements.

For UAE and Saudi Arabia: We ensure all processing complies with UAE PDPL and Saudi PDPL requirements, including obtaining clear and informed consent where required by these laws.

5. Who We Share Your Information With

We do NOT sell or rent your personal information to third parties. We only share your data with trusted service providers who help us operate our service, and only to the extent necessary.

5.1 Service Providers

Provider	Purpose	Data Shared	Location	Safeguards
Supabase Inc. Privacy Policy	Database hosting and user authentication	All personal data you provide, including contact info, project details, and account credentials	European Union (EU region configured)	• Data Processing Agreement (DPA) in place • SOC 2 Type II certified • ISO 27001 certified • GDPR compliant
Google LLC Privacy Policy	Analytics (website usage tracking)	Anonymized IP address, browser info, usage patterns, session data	United States (with EU presence)	• Data Processing Agreement (DPA) in place • EU-US Data Privacy Framework certified • IP anonymization enabled • Standard Contractual Clauses (SCCs)
Netlify Inc. Privacy Policy	Website hosting and content delivery	Technical information (IP addresses, access logs)	Global CDN (EU, US, Asia)	• Data Processing Agreement (DPA) in place • SOC 2 Type II certified • GDPR compliant • ISO 27001 certified

5.2 Email Service Providers

We use email service providers to deliver your estimates and communications:

• Contact information shared: Email address, name
• Purpose: Deliver estimates, project follow-ups, and (if you opt-in) marketing communications
• All providers have Data Processing Agreements and are GDPR/PDPL compliant

5.3 Legal and Regulatory Authorities

We may disclose your information to legal or regulatory authorities when:

• Required by Law: To comply with legal obligations, court orders, subpoenas, or regulatory requests
• Protect Rights: To enforce our Terms of Service or protect our rights, property, or safety
• Prevent Harm: To prevent fraud, abuse, or illegal activities
• Public Interest: When disclosure is in the public interest or required for law enforcement

5.4 Business Transfers

If TRDB is involved in a merger, acquisition, sale of assets, or bankruptcy:

• Your information may be transferred to the acquiring entity
• We will notify you via email at least 30 days before the transfer
• The acquiring entity will be bound by this Privacy Policy unless you consent to a new policy
• You will have the right to delete your data before the transfer

5.5 With Your Consent

We may share your information with other third parties if you explicitly consent to such sharing.

5.6 We Do NOT Share With:

• ❌ Advertisers or ad networks for targeted advertising
• ❌ Data brokers or companies that buy/sell personal data
• ❌ Social media platforms (we don't integrate with social login or sharing)
• ❌ Marketing partners for their own marketing purposes
• ❌ Competitors or other construction companies

6. International Data Transfers

We operate across multiple countries (UAE, Saudi Arabia, Qatar, Oman, Ireland). Your personal data may be transferred to and processed in countries outside your country of residence, including countries that may not have the same level of data protection laws.

6.1 Where Your Data Is Stored

• Primary Database: European Union (Supabase EU region)
• Analytics Data: United States (Google Analytics) with EU presence
• Website Hosting: Global Content Delivery Network (Netlify) with EU nodes

6.2 Safeguards for International Transfers

A. For Transfers to the European Union

The European Union is recognized as providing an adequate level of data protection.

B. For Transfers to the United States

We ensure transfers to U.S.-based providers comply with applicable laws through:

• Standard Contractual Clauses (SCCs): EU-approved contract terms with Google and other U.S. providers
• EU-US Data Privacy Framework: Google LLC is certified under this framework
• Data Processing Agreements: Written agreements requiring U.S. providers to protect your data according to EU/GCC standards
• Supplementary Measures: Encryption, access controls, and contractual commitments beyond SCCs

C. For Transfers from GCC Countries (UAE, Saudi Arabia, Qatar, Oman)

For data transfers from GCC countries, we implement:

• UAE PDPL Article 21 Compliance: Standard Contractual Clauses and adequate safeguards for transfers outside the UAE
• Saudi PDPL Article 24 Compliance: SDAIA-approved transfer mechanisms or appropriate safeguards
• Explicit Consent: We obtain your explicit consent for international transfers where required by GCC laws
• Data Minimization: We only transfer data that is necessary for the specific purpose

D. For Transfers from Ireland

For data transfers from Ireland (subject to GDPR):

• GDPR Article 46 Compliance: Standard Contractual Clauses for all non-EU transfers
• Adequacy Decisions: Reliance on EU Commission adequacy decisions where applicable
• Irish DPC Compliance: All transfers comply with Irish Data Protection Commission guidance

6.3 Your Rights Regarding International Transfers

You have the right to:

• Obtain information about safeguards in place for international transfers
• Request a copy of Standard Contractual Clauses
• Object to international transfers in certain circumstances
• Withdraw consent for transfers based on consent (though this may affect service availability)

To request information or copies of transfer safeguards: Contact us at privacy@thetemplerock.com

7. How Long We Keep Your Information

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Data Category	Retention Period	Reason
Lead Contact Information (from estimate requests without account)	2 years from last interaction	To follow up on potential projects and maintain business relationship. After 2 years of inactivity, data is automatically deleted.
User Account Data (for registered users)	Until you request account deletion, or 3 years of account inactivity	To provide ongoing account services. Inactive accounts (no login for 3 years) are automatically deleted after email notification.
Saved Estimates	As long as your account is active, or 2 years for non-account estimates	To allow you to reference past estimates. Deleted when account is deleted or after 2 years for non-account users.
Crowdsourced Contribution Data	Until you request deletion, or 5 years from contribution date	To maintain historical market data for estimate accuracy. Data is anonymized and aggregated. After 5 years, individual contributions are deleted, though aggregated insights may be retained.
Analytics Data (Google Analytics)	26 months	Google Analytics default retention. IP addresses are anonymized. Data is used for service improvement.
Server Logs and Security Data	90 days	For security monitoring, fraud prevention, and technical troubleshooting.
Marketing Communications Data (if opted-in)	Until you unsubscribe, or 2 years of no engagement	To send you updates. If you don't open/click emails for 2 years, you're automatically unsubscribed and data is deleted.
Legal/Compliance Records	7 years from last interaction	To comply with legal obligations (tax, accounting, regulatory requirements in UAE, Saudi Arabia, Ireland).

7.1 Automatic Deletion Notifications

Before automatically deleting your data due to inactivity, we will:

• Send you an email notification 30 days before deletion
• Give you the option to keep your data active by logging in or responding
• Confirm the deletion once completed

7.2 Early Deletion

You can request deletion of your data at any time, regardless of the retention periods above. See Section 8 for details on exercising your Right to Erasure.

7.3 Exceptions to Deletion

We may retain certain information beyond the retention periods above if:

• Legal Requirement: Required by law to retain for regulatory, tax, or legal purposes
• Ongoing Legal Proceedings: Necessary for litigation, dispute resolution, or enforcement of our rights
• Fraud Prevention: Needed to prevent fraud or abuse of our service
• Aggregated/Anonymized Data: Once fully anonymized (no longer identifiable to you), data may be retained indefinitely for statistical purposes

8. Your Privacy Rights

You have significant rights regarding your personal data under GDPR, UAE PDPL, Saudi PDPL, and other applicable data protection laws. Here are your rights and how to exercise them:

8.1 Right to Access (GDPR Art. 15, UAE PDPL Art. 12, Saudi PDPL Art. 8)

What it means: You can request a copy of all personal data we hold about you.

What you'll receive:

• A copy of your personal data in a readable format
• Information about how we use your data
• Information about who we share it with
• How long we'll keep it
• Your rights regarding the data

Response time: Within 30 days (GDPR/PDPL requirement)

Cost: Free for the first request per year. Subsequent requests may incur a reasonable administrative fee.

8.2 Right to Rectification (GDPR Art. 16, UAE PDPL Art. 13, Saudi PDPL Art. 8)

What it means: You can correct inaccurate or incomplete personal data.

Examples:

• Update your email address or phone number
• Correct your company name
• Update project details in saved estimates

How to do it: Log into your account to update most information directly, or contact us at privacy@thetemplerock.com

8.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17, UAE PDPL Art. 14, Saudi PDPL Art. 8)

What it means: You can request deletion of your personal data.

When this applies:

• You withdraw consent and we have no other legal basis to process your data
• Your data is no longer necessary for the purpose it was collected
• You object to processing and we have no overriding legitimate grounds
• Your data has been unlawfully processed
• Legal obligation requires deletion

What gets deleted:

• Your contact information (name, email, phone)
• Your account and login credentials
• Your saved estimates
• Your crowdsourced contributions (individual data; aggregated anonymized data may remain)
• Your marketing preferences

Exceptions: We may retain data if required by law (e.g., tax records for 7 years) or for legal defense purposes.

How to request: Use our Privacy Dashboard or email privacy@thetemplerock.com

8.4 Right to Restrict Processing (GDPR Art. 18, UAE PDPL Art. 15, Saudi PDPL Art. 8)

What it means: You can ask us to limit how we use your data without deleting it.

When this applies:

• You're contesting the accuracy of your data (we'll restrict processing until verified)
• Processing is unlawful but you don't want deletion
• We no longer need the data but you need it for legal claims
• You've objected to processing (we'll restrict while verifying our legitimate grounds)

What happens: We'll store your data but not use it, except with your consent, for legal claims, or to protect another person's rights.

8.5 Right to Data Portability (GDPR Art. 20)

What it means: You can receive your data in a machine-readable format and transfer it to another service.

What you'll receive:

• Your personal data in JSON or CSV format
• Your saved estimates in PDF format
• Your crowdsourced contributions data

Note: This right only applies to data you provided to us and when processing is based on consent or contract.

How to request: Use our Privacy Dashboard "Download My Data" feature

8.6 Right to Object (GDPR Art. 21, UAE PDPL Art. 16, Saudi PDPL Art. 8)

What it means: You can object to processing of your data in certain circumstances.

A. Object to Direct Marketing

• Absolute right: You can always object to marketing communications
• How: Click "Unsubscribe" in any marketing email or adjust preferences in your account
• Effect: We'll immediately stop sending marketing emails (though we may still send service-related communications)

B. Object to Processing Based on Legitimate Interest

• When: If we process your data based on our legitimate interest (e.g., service improvement, fraud prevention)
• How: Contact us at privacy@thetemplerock.com explaining your objection
• Effect: We'll stop processing unless we can demonstrate compelling legitimate grounds that override your interests

8.7 Right to Withdraw Consent (GDPR Art. 7(3), UAE PDPL Art. 7, Saudi PDPL Art. 6)

What it means: If we process your data based on your consent, you can withdraw that consent at any time.

What happens:

• We'll stop processing your data for that purpose
• Withdrawal doesn't affect the lawfulness of processing before withdrawal
• May affect our ability to provide certain services

Examples:

• Withdraw consent for marketing emails (click unsubscribe)
• Withdraw consent for analytics cookies (adjust cookie settings)
• Withdraw consent for crowdsourced data contribution (request deletion)

8.8 Right Not to Be Subject to Automated Decision-Making (GDPR Art. 22)

Our Position: We do NOT use automated decision-making or profiling that produces legal or similarly significant effects.

Our cost estimates are generated by algorithms, but they are:

• ❌ Not legally binding (they're estimates, not quotes or contracts)
• ❌ Not used for significant decisions about you (credit, employment, insurance, etc.)
• ✅ Transparent (you see the inputs and can adjust them)
• ✅ Subject to human review (our team reviews estimates before formal quotations)

Therefore, GDPR Article 22 protections don't apply. However, you can always request human review of any estimate.

8.9 Right to Lodge a Complaint with Supervisory Authority

What it means: If you believe we've violated your privacy rights, you can complain to your local data protection authority.

Relevant Authorities:

• Ireland: Data Protection Commission (DPC)
  Website: www.dataprotection.ie
  Email: info@dataprotection.ie
  Phone: +353 57 868 4800
• United Arab Emirates: UAE Data Protection Authority
  Website: www.tdra.gov.ae
  Email: [To be updated with official DPA email]
• Saudi Arabia: Saudi Data & AI Authority (SDAIA)
  Website: sdaia.gov.sa/en/PDPL
  Email: [To be updated with official SDAIA email]
• Qatar: Ministry of Transport and Communications
  Website: www.motc.gov.qa

We Encourage Direct Contact First: While you have the right to lodge a complaint, we'd appreciate the opportunity to resolve any concerns directly. Please contact us at privacy@thetemplerock.com first.

9. How to Exercise Your Rights

9.1 Privacy Dashboard (Recommended - Fastest Method)

If you have an account, log in to access your Privacy Dashboard:

Available Self-Service Actions:

• ✅ View Your Data: See all personal data we store about you
• ✅ Download Your Data: Export your data in JSON/CSV/PDF format
• ✅ Update Your Information: Correct your contact details and preferences
• ✅ Delete Your Account: Permanently delete your account and all associated data
• ✅ Manage Marketing Preferences: Opt-in or opt-out of marketing communications
• ✅ Manage Cookie Preferences: Control which cookies you accept
• ✅ View Your Estimates: Access all your saved estimates
• ✅ Delete Crowdsourced Contributions: Remove any project data you've contributed

9.2 Email Requests

If you don't have an account or prefer email, send your request to:

Please include in your email:

• Your full name
• Email address associated with your estimate/account
• Specific request (access, deletion, rectification, etc.)
• Any relevant details (e.g., which estimate, what data to correct)

9.3 Verification for Security

To protect your privacy, we must verify your identity before processing requests. We may ask for:

• Confirmation from the email address associated with your account
• Answers to security questions (if account exists)
• Additional identifying information (if necessary for verification)

Why we verify: To prevent unauthorized access to your data or fraudulent deletion requests.

9.4 Response Timeframes

• Standard Requests: Within 30 days (GDPR/PDPL requirement)
• Complex Requests: Up to 60 days (we'll notify you if we need more time)
• Urgent Requests (e.g., data breach): As soon as possible, typically within 72 hours

9.5 No Charge (Usually)

We don't charge fees for most requests. However, we may charge a reasonable administrative fee if:

• Your request is clearly unfounded or excessive
• You request multiple copies of the same data within a short period
• The request requires disproportionate effort

We'll notify you of any fees before processing your request.

9.6 Refusing Requests

We may refuse requests if:

• We can't verify your identity
• The request is manifestly unfounded or excessive
• We're legally required to retain the data
• The request would harm others' rights and freedoms

If we refuse, we'll explain why and inform you of your right to complain to a supervisory authority.

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device (computer, smartphone, tablet) when you visit our website. They help us recognize you, remember your preferences, and understand how you use our service.

10.2 Types of Cookies We Use

A. Essential Cookies (No Consent Required)

These cookies are necessary for our website to function properly. You cannot opt out of these.

Cookie Name	Purpose	Duration
session_id	Maintains your session while using the calculator	Session (deleted when you close browser)
auth_token	Keeps you logged into your account securely	7 days or until logout
csrf_token	Prevents cross-site request forgery attacks (security)	Session
language_preference	Remembers your language choice (English/Arabic)	1 year

B. Analytics Cookies (Requires Consent)

These cookies help us understand how users interact with our tool so we can improve it.

Cookie Name	Provider	Purpose	Duration
_ga	Google Analytics	Distinguishes unique users	2 years
_ga_*	Google Analytics	Persists session state	2 years
_gid	Google Analytics	Distinguishes users (short-term)	24 hours

Important: Google Analytics is configured with IP anonymization, which means your IP address is shortened before being stored, preventing precise geolocation tracking.

C. Preference Cookies (Requires Consent)

These cookies remember your preferences to enhance your experience.

Cookie Name	Purpose	Duration
unit_preference	Remembers if you prefer sqm or sqft	1 year
currency_preference	Remembers your preferred currency	1 year
cookie_consent	Stores your cookie consent preferences	1 year

10.3 We Do NOT Use:

• ❌ Advertising/Marketing Cookies: We don't show targeted ads or use ad networks
• ❌ Social Media Cookies: We don't integrate with Facebook, LinkedIn, etc.
• ❌ Third-Party Advertising Trackers: No ad tech companies track you on our site

10.4 Managing Cookies

A. Cookie Consent Banner

When you first visit our site, you'll see a cookie consent banner where you can:

• Accept All: Allow all cookies (essential, analytics, and preferences)
• Reject Non-Essential: Only essential cookies (site won't work without these)
• Customize: Choose which cookie categories to allow

B. Cookie Settings

You can change your cookie preferences anytime:

• In Your Account: Go to Settings > Privacy > Cookie Preferences
• Via Banner: Click "Cookie Settings" link in the footer

C. Browser Settings

You can also control cookies through your browser settings:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Options > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Cookies and website data
• Edge: Settings > Cookies and site permissions

Note: Blocking all cookies may affect website functionality (e.g., you won't be able to log in).

D. Google Analytics Opt-Out

To opt out of Google Analytics across all websites, install the Google Analytics Opt-out Browser Add-on.

10.5 Do Not Track (DNT)

Some browsers have a "Do Not Track" (DNT) setting. Our response:

• ✅ We respect DNT signals for analytics cookies (we won't load Google Analytics if DNT is enabled)
• ⚠️ Essential cookies will still be set (necessary for site functionality)

11. Security Measures

We take the security of your personal data very seriously and implement industry-leading technical and organizational measures to protect it.

11.1 Technical Security Measures

A. Encryption

• In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security), the highest standard
• At Rest: All data stored in our database is encrypted using AES-256 encryption (military-grade)
• Passwords: Never stored in plain text; hashed using bcrypt with salt (industry standard)

B. Infrastructure Security

• Hosting: Supabase (SOC 2 Type II and ISO 27001 certified)
• Servers: Located in secure, tier-4 data centers with 24/7 monitoring
• Firewall: Web Application Firewall (WAF) protects against common attacks (SQL injection, XSS, DDoS)
• Backups: Daily automated backups encrypted and stored in multiple geographic locations

C. Access Controls

• Principle of Least Privilege: Employees only access data necessary for their role
• Multi-Factor Authentication (MFA): Required for all employee accounts
• Audit Logging: All data access is logged and monitored
• Role-Based Access: Different permission levels based on job function

D. Application Security

• Secure Coding: Following OWASP Top 10 security guidelines
• Input Validation: All user inputs are sanitized to prevent injection attacks
• CSRF Protection: Tokens prevent cross-site request forgery
• Rate Limiting: Prevents brute-force attacks and abuse
• Regular Updates: Dependencies and libraries kept up-to-date with security patches

11.2 Organizational Security Measures

A. Staff Training

• All employees complete data protection training upon hiring
• Annual refresher training on GDPR, PDPL, and security best practices
• Phishing and social engineering awareness training

B. Policies and Procedures

• Data Protection Policy governing how we handle personal data
• Incident Response Plan for security breaches
• Data Retention and Deletion Policy
• Third-Party Vendor Management Policy

C. Regular Security Assessments

• Vulnerability Scanning: Automated weekly scans for security vulnerabilities
• Penetration Testing: Annual third-party penetration testing
• Code Reviews: All code changes reviewed for security issues
• Compliance Audits: Quarterly internal audits of data protection practices

11.3 Your Security Responsibilities

While we do our part, security is a shared responsibility. You should:

• Use Strong Passwords: At least 12 characters with mix of letters, numbers, and symbols
• Don't Share Passwords: Keep your login credentials confidential
• Log Out: Especially on shared or public computers
• Keep Software Updated: Update your browser and operating system regularly
• Beware of Phishing: We'll never ask for your password via email
• Report Suspicious Activity: Contact us immediately if you notice unauthorized access

11.4 What Security Cannot Guarantee

Despite our best efforts, no system is 100% secure. We cannot guarantee:

• Complete protection against all security threats
• Prevention of all unauthorized access by sophisticated attackers
• Immunity from bugs or vulnerabilities in third-party software

However, we continuously monitor, update, and improve our security measures to minimize risks.

12. Children's Privacy

Age Restriction: Our service is intended for individuals aged 18 years and older. We do not knowingly collect personal information from children under 18.

12.1 Age Verification

When you use our Cost Estimator, you must confirm:

• ☐ "I confirm I am 18 years of age or older"

By checking this box, you represent and warrant that you are at least 18 years old.

12.2 If We Discover Child Data

If we become aware that we've inadvertently collected personal data from someone under 18:

• We will delete the data immediately (within 48 hours of discovery)
• We will not use, disclose, or retain the data
• We will notify the parent/guardian if we have their contact information

12.3 Parental Notice

If you're a parent or guardian and believe your child under 18 has provided personal data to us:

We will promptly investigate and delete any such data.

12.4 GDPR Protections for Children

Under GDPR Article 8, children under 16 (or 13-16 depending on EU member state) require parental consent for online services. Since we don't offer services to anyone under 18, this doesn't apply.

12.5 GCC Protections for Minors

UAE PDPL and Saudi PDPL have similar protections for minors. Our 18+ age restriction exceeds these requirements and ensures compliance.

13. Data Breach Notification

13.1 Our Commitment

Despite our robust security measures (Section 11), data breaches can occur. If they do, we are committed to transparency and will comply with all legal notification requirements.

13.2 What Constitutes a Breach

A personal data breach means any security incident leading to:

• Unauthorized access to personal data
• Accidental or unlawful destruction of personal data
• Loss, alteration, or disclosure of personal data

13.3 Notification to Authorities

If a breach poses a risk to your rights and freedoms, we will notify the relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by:

• GDPR Article 33: Notify Irish Data Protection Commission (if EU/Ireland users affected)
• UAE PDPL Article 20: Notify UAE Data Protection Authority (if UAE users affected)
• Saudi PDPL Article 26: Notify SDAIA (if Saudi users affected)

13.4 Notification to You (Affected Individuals)

If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly within 72 hours via:

• Email: To the email address on file
• In-App Notification: When you log into your account
• Website Banner: Prominent notice on estimator.thetemplerock.com

13.5 What We'll Tell You

Our breach notification will include:

• Nature of the Breach: What happened and what type of data was affected
• Categories and Number of Individuals Affected: Scope of the breach
• Likely Consequences: What risks you may face
• Measures Taken: What we've done to contain and mitigate the breach
• Recommended Actions: What you should do to protect yourself (e.g., change passwords)
• Contact Information: How to reach us with questions

13.6 Examples of High-Risk Breaches

Breaches requiring direct notification to you include:

• Exposure of passwords (even if hashed)
• Unauthorized access to financial information
• Large-scale exposure of contact information to malicious actors
• Identity theft risk
• Discrimination or reputational harm risk

13.7 Exceptions to Individual Notification

We may not notify you individually if:

• Technical Protection: Data was encrypted and attacker doesn't have decryption keys
• Subsequent Measures: We've taken steps that eliminate the high risk (e.g., reset all passwords immediately)
• Disproportionate Effort: Contacting everyone would require disproportionate effort, so we'll use public communication instead

Even in these cases, we'll inform supervisory authorities of our reasoning.

13.8 Our Breach Response Procedure

1. Detection: Automated monitoring + user reports
2. Containment: Immediately stop the breach (isolate systems, revoke access)
3. Assessment: Determine scope, affected data, and risk level (within 24 hours)
4. Authority Notification: Notify DPC, DPA, SDAIA within 72 hours
5. Individual Notification: Notify affected users within 72 hours (if high risk)
6. Remediation: Fix vulnerabilities, enhance security
7. Documentation: Record breach details, response actions, and lessons learned
8. Review: Post-incident review to prevent recurrence

13.9 Your Rights After a Breach

If your data is affected by a breach, you have the right to:

• Request deletion of all your data
• File a complaint with a supervisory authority
• Seek compensation for damages suffered (if we were negligent)
• Request detailed information about the breach and our response

14. Changes to This Policy

14.1 Why We May Update This Policy

We may update this Privacy Policy from time to time due to:

• Changes in data protection laws (GDPR, UAE PDPL, Saudi PDPL, etc.)
• New features or services we offer
• Changes in how we process data
• Feedback from users or regulators
• Industry best practices evolution

14.2 How We'll Notify You

A. Minor Changes (Non-Material)

For minor updates that don't affect your rights (e.g., clarifications, formatting, contact info updates):

• ✅ We'll update the "Last Updated" date at the top of this policy
• ✅ Changes take effect immediately upon posting
• ❌ No separate notification required

B. Major Changes (Material)

For significant changes that affect how we collect, use, or share your data:

• ✅ Email Notification: We'll email you at least 30 days before the changes take effect
• ✅ In-App Banner: Prominent notice when you log in
• ✅ Highlighted Changes: Updated sections will be highlighted in the policy for 90 days
• ✅ Opt-Out Period: You'll have 30 days to object or delete your account if you disagree

14.3 Version History

We maintain a version history of this Privacy Policy for transparency:

• Current Version: 1.0 (January 3, 2026)
• Previous Versions: View History

14.4 Your Continued Use

By continuing to use our service after changes take effect, you accept the updated Privacy Policy. If you don't agree:

• You should stop using our service
• You can delete your account and request data deletion
• Contact us at privacy@thetemplerock.com with concerns

15. Contact Us and Complaints

15.1 Privacy Questions and Requests

For any privacy-related questions, requests to exercise your rights, or concerns about our data practices:

15.2 General Inquiries

For non-privacy questions about our services:

15.3 Mailing Address

15.4 Data Protection Officer (DPO)

If and when required by law, we will appoint a Data Protection Officer. Until then, privacy matters are handled by our management team via privacy@thetemplerock.com.

15.5 Complaints and Dispute Resolution

Step 1: Contact Us First

If you have a complaint about our privacy practices, we encourage you to contact us first:

• Email: privacy@thetemplerock.com
• Subject: "Privacy Complaint"
• Describe the issue clearly

We'll investigate and respond within 30 days. Most issues can be resolved through direct communication.

Step 2: Escalation to Supervisory Authority

If you're not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:

Ireland: United Arab Emirates: Saudi Arabia: Qatar:

Step 3: Legal Action

You also have the right to bring legal action against us if you believe we've violated your data protection rights. We hope this won't be necessary and that we can resolve any issues through dialogue.

15.6 Language of Communication

We can communicate with you in:

• ✅ English (primary)
• ✅ Arabic (for GCC users - please request if needed)