Welcome to GCCBusinessForSale.com — a premium M&A advisory and business listing platform serving the UAE and broader GCC region. This Privacy Policy governs the collection, use, protection, and disclosure of personal and business data across our platform, integrations, and advisory services. By accessing or using this Platform, you acknowledge and agree to the practices described herein.
When you engage with our Platform — whether as a prospective buyer, seller, or general enquirer — we collect the following categories of information:
- Account & Contact Data: Full name, business email address, corporate mobile number, phone number, physical or registered business address, and corporate profile information.
- M&A & Listing Data: Financial summaries, business descriptions, sector categories, operational histories, EBITDA and revenue figures, and any documentation submitted for data room access or NDA execution.
- Communication Data: Records of correspondence, enquiry submissions, and meeting notes generated during the advisory engagement process.
- Identity Verification Data: Government-issued identification or corporate registration documents where required for buyer or seller verification purposes.
Where you choose to connect your Facebook or Instagram Creator/Business account to our Platform using Meta integration tools, we request strictly business-limited permissions only. We may collect:
- Public Profile & Email: Your name, profile picture, and verified email address, solely to authenticate your identity on the Platform.
- Business Asset Data: Data permitted under your explicitly granted permissions (such as instagram_basic or instagram_content_publish), which may include your social handle, basic metrics, and content parameters used exclusively to authenticate, analyse, or publish business listing content on your behalf.
Meta API data is collected exclusively for the specific platform functionality you request. We do not use this data for advertising, profiling, or any purpose beyond what is explicitly described in this Policy.
When you access the Platform, certain technical data is collected automatically, including IP address, browser type, device type, referring URLs, pages visited, and time spent on the Platform. This data is used solely for platform security, performance analytics, and improving user experience.
We process your personal and business data strictly to deliver premium M&A advisory and marketplace listing services. All processing is conducted on the basis of either your explicit consent, contractual necessity, or our legitimate business interest in operating a confidential advisory platform.
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Identity authentication and secure portal access | Contract / Consent | Name, email, ID verification |
| Managing and showcasing confidential business listings to verified buyers | Contract / Legitimate Interest | M&A data, financial summaries |
| Facilitating structured buyer outreach and NDA execution | Contract | Contact data, business information |
| Operating and maintaining Meta API integration features | Consent / Contract | Meta API data (as granted) |
| Platform security, fraud prevention, and compliance | Legitimate Interest / Legal Obligation | Technical data, access logs |
| Sending advisory updates and service communications | Consent / Legitimate Interest | Email, contact preferences |
We will never sell, rent, or trade your personal data. We will never use your data for unsolicited marketing unrelated to our M&A advisory services. We will never use Meta API data for advertising targeting or third-party profiling.
Because our core operations centre on a strictly confidential M&A advisory process, data sharing is tightly controlled and governed by explicit authorisation at every stage.
Detailed company financials, operational data, and seller identity are disclosed exclusively to qualified, independently verified buyers — and only following the execution of a formal Non-Disclosure Agreement (NDA). No seller information is shared without the seller's explicit prior authorisation.
We may share limited data with trusted third-party service providers (such as cloud infrastructure, email delivery, or CRM platforms) solely for the purpose of operating the Platform. All such providers are bound by strict confidentiality obligations and are prohibited from using your data for any purpose beyond the contracted service.
We may disclose data if required to do so by applicable laws, regulations, or lawful orders within the United Arab Emirates (UAE) or broader GCC jurisdictions, including but not limited to requirements under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
- Seller identity or financials without a signed NDA and explicit seller consent
- Buyer identity without explicit buyer authorisation
- Any data with advertising networks, data brokers, or marketing platforms
- Meta API data with any third party for targeting or analytics beyond platform operations
In strict accordance with Meta's Platform Terms and Developer Policies, the following rules govern all data collected via Meta APIs without exception:
- We do not use Meta API data to build, influence, or augment user profiles for advertising, behavioural tracking, or remarketing purposes.
- We do not transfer, sell, license, or pass Meta API data to any third-party advertising networks, data brokers, analytics providers, or data aggregators.
- All data extracted via Facebook Login for Business is encrypted in transit and at rest and is retained only for as long as is necessary to provide the specific platform functionality you explicitly requested.
- Upon revocation of permissions or account deletion, all associated Meta API tokens and derived data are permanently purged from our systems within 48 business hours.
- We maintain a complete audit log of all Meta API data access, processing activities, and deletion events for compliance verification purposes.
If you connected your Facebook or Instagram account and wish to revoke access and delete all associated data, please contact info@gccbusinessforsale.com with the subject line "Meta Data Deletion Request". All data will be permanently deleted within 48 business hours.
You have the following rights with respect to your personal data held by GCC Business for Sale. We are committed to honouring these rights promptly and without undue burden.
- Right of Access: You may request a copy of all personal data we hold about you at any time.
- Right to Rectification: You may request correction of any inaccurate or incomplete personal data.
- Right to Erasure: You may request the permanent deletion of your personal data, subject to any legal or regulatory retention requirements.
- Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances.
- Right to Data Portability: Where technically feasible, you may request your data in a structured, machine-readable format.
- Right to Object: You may object to certain processing activities, including processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
To request the complete deletion of all data associated with your profile — including any data retrieved via Facebook Login for Business — use one of the following methods:
Via Email: Send an explicit request to info@gccbusinessforsale.com with the subject line "Data Deletion Request".
Upon receiving your request, we will verify your identity and permanently delete all personal profiles, linked asset data, and associated Meta API tokens from our systems within 48 business hours, unless legal or regulatory transaction requirements mandate a specific retention period.
We retain your data only for as long as is necessary to fulfil the purpose for which it was collected, or as required by applicable law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Active user account data | Duration of engagement + 2 years | Service delivery and legitimate interest |
| Transaction and M&A records | 7 years post-transaction | UAE regulatory and legal compliance |
| NDA and contractual documents | 10 years | Legal obligation |
| Meta API tokens and derived data | Until permission revoked + 48hrs | Meta Platform Policy compliance |
| General enquiry / contact form data | 3 years | Legitimate interest / follow-up |
| Security and access logs | 12 months | Platform security and fraud prevention |
Our Platform may use cookies and similar tracking technologies to enhance your user experience, maintain session state, and collect anonymous usage analytics. We do not use cookies for cross-site advertising or third-party behavioural tracking.
- Strictly Necessary Cookies: Essential for the Platform to function. Cannot be disabled.
- Analytics Cookies: Used to understand how visitors interact with the Platform in aggregate, anonymous form. You may opt out at any time.
- Preference Cookies: Store your settings and preferences for future visits.
You may control cookies through your browser settings. Disabling certain cookies may affect Platform functionality. We do not respond to "Do Not Track" signals at this time, as no universal standard has been established.
Our Platform may contain links to external websites, partner platforms, or third-party services. We are not responsible for the privacy practices, content, or data handling of any third-party site. We encourage you to review the privacy policies of any external sites you visit. The inclusion of a link does not imply our endorsement of that site or its practices.
We implement enterprise-grade security measures to protect your data from unauthorised access, alteration, disclosure, or destruction. These include:
- SSL/TLS encryption for all data transmission between your browser and our servers
- Encryption at rest for all stored personal and financial data
- Multi-layered access controls and role-based permissions for our transaction environments
- Regular security assessments and vulnerability testing
- Staff confidentiality obligations and data access controls on a need-to-know basis
While we take every reasonable precaution, no method of electronic transmission or storage is 100% secure. In the event of a data breach that materially affects your rights, we will notify you in accordance with applicable UAE data protection law.
This Privacy Policy is governed by and construed in accordance with the laws of the United Arab Emirates, including but not limited to:
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
- UAE Federal Law No. 5 of 2012 on Combating Cybercrimes (as amended)
- Dubai International Financial Centre (DIFC) Data Protection Law, where applicable
- Applicable GCC jurisdiction laws where cross-border data transfer occurs
Any dispute arising from or related to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the UAE. Cross-border data transfers to jurisdictions outside the UAE are conducted in accordance with applicable international data transfer frameworks and with appropriate safeguards in place.
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal obligations, or platform features. When material changes are made, we will:
- Update the "Last Updated" date at the top of this Policy
- Notify registered users by email where the changes materially affect their rights
- Post a prominent notice on the Platform where required
Your continued use of the Platform following the posting of any updated Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this Policy periodically.
If you have any questions, concerns, complaints, or feedback regarding this Privacy Policy or our data management practices, or if you wish to exercise any of your data rights, please contact our privacy team:
- Email: info@gccbusinessforsale.com
- Subject Line for Data Requests: "Data Deletion Request" or "Privacy Enquiry"
- Website: www.gccbusinessforsale.com
- Response Time: We aim to respond to all privacy-related requests within 5 business days and to complete deletion requests within 48 business hours of identity verification.