Privacy Policy

This Privacy Policy explains how MC&A Consulting ("we", "us", "our") collects, uses and safeguards personal data through our website https://mccoyassociates.net. MC&A Consulting is the data controller for the personal data described below.

We are based in the United Arab Emirates and operate worldwide. This policy is written to comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and the EU General Data Protection Regulation 2016/679 ("GDPR").

We only collect personal data that you voluntarily provide to us through our contact form. Specifically:

• Your name
• Your email address
• The content of the message you send us

We do not collect data through analytics tools, advertising trackers, retargeting pixels or newsletter sign-ups. We do not operate user accounts.

Under the GDPR, we rely on the following legal bases:

• Consent — Article 6(1)(a) — you actively choose to send us a message via the contact form.
• Legitimate interests — Article 6(1)(f) — to respond to your inquiry, maintain a record of our correspondence, and follow up on potential business relationships.

Under the UAE PDPL, processing is based on your consent and on our legitimate interest in responding to inquiries directed to us.

We use the personal data you provide solely to:

• Reply to your inquiry;
• Keep an internal record of the conversation; and
• Continue any business discussion you initiate.

We do not sell, rent or share your personal data for marketing purposes. We do not use your data for automated decision-making or profiling.

To operate the website and respond to your messages we rely on the following service providers, who act as data processors on our behalf:

• Resend (transactional email delivery, built on AWS SES, EU region) — used to send the notification email to us and the confirmation email to you.
• Google Workspace — used to receive and store emails sent to info@mccoyassociates.net.
• Cloudflare — provides DNS, CDN and basic security services for the website.
• Lovable — hosts the website and its underlying database.

Each of these providers processes data under their own published privacy and security commitments, with contractual safeguards in place.

Because we work with global cloud providers, some personal data may be processed outside of the UAE or the European Economic Area. Where personal data is transferred to jurisdictions that do not have an adequacy decision, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses — and equivalent mechanisms under UAE PDPL.

Contact form submissions are retained for 24 months from the date of submission, unless a longer period is required to support an ongoing business relationship or to comply with a legal obligation. After that period, the data is deleted or anonymised.

If the GDPR applies to you, you have the right to:

• Access the personal data we hold about you;
• Request rectification of inaccurate or incomplete data;
• Request erasure of your data ("right to be forgotten");
• Request restriction of processing;
• Receive your data in a portable format;
• Object to processing based on legitimate interests;
• Lodge a complaint with the supervisory authority in your country of residence.

If the UAE PDPL applies to you, you have the right to:

• Access your personal data;
• Request correction of inaccurate data;
• Request deletion of your data;
• Request restriction of processing;
• Object to processing;
• Request data portability;
• Lodge a complaint with the UAE Data Office if you believe your rights have been infringed.

To exercise any of the rights above, please email us at info@mccoyassociates.net with the subject line "Data Subject Request". We will respond within the timeframes required by applicable law (generally one month under the GDPR).

We protect your data through industry-standard technical and organisational measures, including encrypted transport (HTTPS/TLS), encrypted storage at the cloud-provider level, strict access controls and the principle of least privilege for anyone with access to the database or inbox.

This website is intended for a professional audience and is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors.

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. The updated version will be published on this page with a revised "Last updated" date.

For any question about this policy or our data practices, please contact:

MC&A Consulting
Email: info@mccoyassociates.net
Website: https://mccoyassociates.net