GCC Comply

Privacy Policy

Last updated: 2 May 2026

1. Who we are

GCC Comply is a service operated by Booktidge ("Booktidge", "we", "us", "our"). This Privacy Policy explains what personal data we collect, how we use it, and your rights. For privacy questions, contact us at support@gcccomply.com.

2. Our role

We act as the data controller for personal data of our direct customers (contractor account administrators and their internal users) when they sign up for and use the Service.

We act as the data processor for personal data that contractors upload about their subcontractors (for example, identity documents, trade licences, and insurance certificates). The contractor is the controller for that data; we process it solely on their instructions to provide the Service.

3. Data we collect

  • Account data: name, email, password (hashed), organisation name, role.
  • Subcontractor compliance data uploaded by customers: names, email addresses, phone numbers, Emirates ID numbers and copies, passport copies, trade licence numbers, insurance certificates, and similar documents required to verify compliance.
  • Usage data: log data, IP address, browser type, pages viewed, actions taken in the platform.
  • Billing data: handled by our payment processor, Paddle. We receive a customer reference and subscription status — we do not see or store full card numbers.
  • Communications: support emails and any feedback you send us.

4. How we use data

  • Provide, maintain, and improve the Service.
  • Send transactional emails (account, billing, expiry alerts) and respond to support requests.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.
  • With your consent where required, send product updates.

We do not sell your personal data, and we do not use Customer Data to train machine-learning models.

5. Legal bases (where GDPR or similar laws apply)

  • Contract: processing necessary to provide the Service you signed up for.
  • Legitimate interests: securing the platform, preventing abuse, improving the product.
  • Legal obligation: tax, accounting, and lawful-request compliance.
  • Consent: for optional marketing emails — you may withdraw consent at any time.

6. Sub-processors

We engage carefully selected vendors to operate the Service. Each is bound by contractual confidentiality and data-protection obligations.

  • Supabase — application database and document storage.
  • Render — application hosting and background jobs.
  • Paddle — merchant of record and payment processing.
  • Resend — transactional email delivery.
  • Cloudflare — DNS, CDN, and DDoS protection.
  • Google Analytics — aggregated traffic and engagement analytics.

7. International transfers

Some sub-processors are located outside the GCC region (for example, in the EU or US). Where required by applicable law, we rely on appropriate safeguards (such as Standard Contractual Clauses) to protect personal data transferred across borders.

8. Retention

We keep personal data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations and resolve disputes. Customer Data uploaded by contractors is retained for the life of the contractor's subscription; on termination, we will delete or return it on request, subject to legal retention requirements.

9. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Object to or restrict processing.
  • Receive a copy of your data in a portable format.
  • Withdraw consent for processing based on consent.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email support@gcccomply.com. If you are a subcontractor whose data was uploaded by a contractor, please contact that contractor first — they are the controller of your data.

10. Security

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit (HTTPS), encryption at rest, access controls, audit logging, and least-privilege role design. No system is perfectly secure, however — please notify us at support@gcccomply.com if you suspect a security issue.

11. Cookies

We use a small number of cookies:

  • Strictly necessary — a session cookie used to keep you signed in and a CSRF token cookie used to protect form submissions.
  • Analytics — Google Analytics sets first-party cookies (_ga, _ga_*) used to measure aggregated visitor traffic and engagement. These do not identify you personally to us.

We do not use advertising or cross-site tracking cookies. You can opt out of Google Analytics via Google's browser add-on.

12. Children

The Service is intended for business use only and is not directed at individuals under 18. We do not knowingly collect data from children.

13. Changes

We may update this Privacy Policy from time to time. The "Last updated" date above will reflect the most recent change. Material changes will be communicated by email or in-product notice.

14. Contact

For privacy questions or to exercise your rights, email support@gcccomply.com.