These projects are governed by strict confidentiality protocols. We routinely sign and comply with our clients’ nondisclosure agreements and uphold their data governance standards. Additionally, all team members, collaborators, and affiliates working with or on behalf of The Why are required to sign our internal nondisclosure agreement before accessing any project-related information.

Depending on the project, we may act as either:

• a data processor (processing data on behalf of clients), or
• a data controller (when we collect data directly from stakeholders for research or consultation purposes)

2. What Data We Collect

We do not actively collect personal data through this website. However, in the course of our consulting and research work, we may process data provided by clients or collected directly through engagement activities.

This may include:

• Full name, job title, and organization
• Contact information such as email address or phone number
• Interview and survey responses
• Workshop input, insights, or statements
• Internal reports or documentation shared for project delivery

We do not collect financial, biometric, or health data unless expressly agreed upon in the project scope.

3. Legal Basis for Processing

We process personal data based on one or more of the following legal grounds:

• performance of a contract with our client
• informed consent, when data is collected directly by us such as through interviews or surveys
• legitimate interests of our clients or public service mandates, balanced against the rights of data subjects

All data collected directly by The Why is done with prior informed consent in line with ethical and legal standards.

4. How We Use Personal Data

We use personal data solely for the following purposes:

• delivering our consulting and advisory services
• conducting research and analysis to support client outcomes
• producing insights, strategies, or recommendations
• ensuring quality assurance and fulfilling contractual obligations

We do not use personal data for advertising, commercial profiling, or unsolicited communications. We never sell personal data.

5. Cookies and Tracking Technologies

Our website currently does not use cookies, tracking scripts, or analytics tools. If this changes in the future, such as with the use of Google Analytics, we will update this policy and provide a cookie consent notice in accordance with applicable regulations.

6. Data Sharing and International Transfers

We may share data with team members or collaborators working on specific projects. All collaborators are bound by nondisclosure agreements and granted access only to the data required for their responsibilities.

Where data is transferred outside the UAE, such as to international team members or cloud-based platforms, we use secure, encrypted services and apply appropriate safeguards. These include:

• Notion, for internal documentation and project collaboration
• Google Workspace, for secure file storage and communication
• Microsoft 365, including Outlook, Word, Excel, and Teams, used in select projects with enterprise-grade data security
• Zoom and similar tools for virtual engagements, secured with password protection and restricted access
• role-based permissions, two-factor authentication, and encryption at rest and in transit across all core platforms

We regularly review the compliance and security standards of our platforms, all of which are aligned with international benchmarks such as ISO 27001 and GDPR where applicable.

7. Data Security

We take robust measures to protect personal data, including:

• encryption at rest and in transit
• password-protected tools and secure cloud platforms
• role-based access restrictions
• internal security protocols for sharing, storage, and archival

In the unlikely event of a data breach involving personal data, we will:

• promptly investigate and mitigate the issue
• notify affected clients and stakeholders as required
• document the incident and take corrective action

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, meet our contractual and legal obligations, or as directed by our clients. After that, data is securely archived or deleted in accordance with our internal retention policies.

9. Your Rights

Subject to applicable data protection laws, you may have the right to:

• access the personal data we hold about you
• correct or update inaccurate information
• request deletion or restriction of your data
• object to certain types of processing
• request transfer of your data, where feasible

To exercise any of these rights, contact us at hello@thewhyimpact.com

10. Updates to This Policy

We may update this Privacy Policy periodically to reflect legal, operational, or technological changes. The most recent version will always be available on our website, with the updated effective date.