Privacy Policy
Effective Date: January 01, 2025
At The Why Consulting Co. L.L.C (“The Why”, “we”, “us”), we are committed to protecting the personal data of our clients, collaborators, research participants, and website visitors. This Privacy Policy explains how we collect, use, and safeguard personal data in accordance with applicable data protection laws, including the United Arab Emirates Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (PDPL).
1. Who We Are
The Why Consulting Co. L.L.C is a strategy and innovation consultancy headquartered in the United Arab Emirates. We serve public and private sector clients both locally and internationally, and also produce independent thought leadership. When delivering consulting projects, we do so at the request of and in close collaboration with our clients, based on formal agreements and shared objectives.
These projects are governed by strict confidentiality protocols. We routinely sign and comply with our clients’ nondisclosure agreements and uphold their data governance standards. Additionally, all team members, collaborators, and affiliates working with or on behalf of The Why are required to sign our internal nondisclosure agreement before accessing any project-related information.
Depending on the project, we may act as either:
- a data processor (processing data on behalf of clients), or
- a data controller (when we collect data directly from stakeholders for research or consultation purposes)
2. What Data We Collect
We do not actively collect personal data through this website. However, in the course of our consulting and research work, we may process data provided by clients or collected directly through engagement activities.
This may include:
- Full name, job title, and organization
- Contact information such as email address or phone number
- Interview and survey responses
- Workshop input, insights, or statements
- Internal reports or documentation shared for project delivery
We do not collect financial, biometric, or health data unless expressly agreed upon in the project scope.
3. Legal Basis for Processing
We process personal data based on one or more of the following legal grounds:
- performance of a contract with our client
- informed consent, when data is collected directly by us such as through interviews or surveys
- legitimate interests of our clients or public service mandates, balanced against the rights of data subjects
All data collected directly by The Why is done with prior informed consent in line with ethical and legal standards.
4. How We Use Personal Data
We use personal data solely for the following purposes:
- delivering our consulting and advisory services
- conducting research and analysis to support client outcomes
- producing insights, strategies, or recommendations
- ensuring quality assurance and fulfilling contractual obligations
We do not use personal data for advertising, commercial profiling, or unsolicited communications. We never sell personal data.
5. Cookies and Tracking Technologies
Our website currently does not use cookies, tracking scripts, or analytics tools. If this changes in the future, such as with the use of Google Analytics, we will update this policy and provide a cookie consent notice in accordance with applicable regulations.
6. Data Sharing and International Transfers
We may share data with team members or collaborators working on specific projects. All collaborators are bound by nondisclosure agreements and granted access only to the data required for their responsibilities.
Where data is transferred outside the UAE, such as to international team members or cloud-based platforms, we use secure, encrypted services and apply appropriate safeguards. These include:
- Notion, for internal documentation and project collaboration
- Google Workspace, for secure file storage and communication
- Microsoft 365, including Outlook, Word, Excel, and Teams, used in select projects with enterprise-grade data security
- Zoom and similar tools for virtual engagements, secured with password protection and restricted access
- role-based permissions, two-factor authentication, and encryption at rest and in transit across all core platforms
We regularly review the compliance and security standards of our platforms, all of which are aligned with international benchmarks such as ISO 27001 and GDPR where applicable.
7. Data Security
We take robust measures to protect personal data, including:
- encryption at rest and in transit
- password-protected tools and secure cloud platforms
- role-based access restrictions
- internal security protocols for sharing, storage, and archival
In the unlikely event of a data breach involving personal data, we will:
- promptly investigate and mitigate the issue
- notify affected clients and stakeholders as required
- document the incident and take corrective action
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, meet our contractual and legal obligations, or as directed by our clients. After that, data is securely archived or deleted in accordance with our internal retention policies.
9. Your Rights
Subject to applicable data protection laws, you may have the right to:
- access the personal data we hold about you
- correct or update inaccurate information
- request deletion or restriction of your data
- object to certain types of processing
- request transfer of your data, where feasible
To exercise any of these rights, contact us at hello@thewhyimpact.com
10. Updates to This Policy
We may update this Privacy Policy periodically to reflect legal, operational, or technological changes. The most recent version will always be available on our website, with the updated effective date.
Return to Homepage: https://thewhyimpact.com