Marketing Alchemist - Privacy Policy

Last updated: April 2026

Marketing Alchemist respects your privacy and is committed to protecting the personal data you share or entrust to us. This Privacy Policy explains what data we collect, how it is used, and your rights under applicable data protection laws. It applies to all users of our website (www.marketing-alchemist.co), clients engaging our services, and individuals whose business contact data we process on behalf of clients.

1. Who We Are

Marketing Alchemist is a marketing consultancy based in Dubai, United Arab Emirates, operating globally. We work primarily with B2B clients across the UAE, UK, KSA, Singapore, and other international markets.

Contact: natalie@marketing-alchemist.co

Our role in relation to your data:

  • Website visitors, enquirers, and direct clients: Marketing Alchemist is the data controller.

  • Data processed on behalf of a client (for example, research databases, contact lists, or campaign data): the client is the data controller; Marketing Alchemist acts as a data processor under written instructions from that client.

2. Data We Collect

We collect the following categories of personal data:

  • Contact Information: name, company name, job title, business email, phone number, country/city.

  • Enquiry and Project Information: details submitted via forms or email, including business challenges, goals, and context relevant to consulting services.

  • Website Usage Data: IP address, browser type, pages visited, timestamps, and cookies.

  • Marketing Preferences: if you opt in to receive communications.

  • Client Project Data: where we are engaged as a processor, we handle business contact data provided by or collected on behalf of a client. This is limited to B2B business contact data (company name, business email, business phone, job title, publicly listed social media handles). We do not process consumer personal data, special category data, biometric data, or financial data in this context unless specifically instructed in writing by the client.

3. How We Collect Data

  • Directly from you via forms, emails, meetings, or LinkedIn.

  • Automatically via cookies and analytics when you browse our website.

  • Through project documents or strategic briefs shared to receive services.

  • From publicly available business directories, company websites, published exhibitor lists, and publicly listed social media business profiles, where we are building or enriching a B2B database on behalf of a client.

4. Purpose of Processing

We use personal data to:

  • Respond to enquiries and provide services

  • Research and prepare strategies, proposals, and reports

  • Use tools (including AI) to generate or refine project deliverables under human supervision, subject to the restrictions set out in our AI Usage Policy

  • Send marketing communications (only with consent)

  • Improve website and services

  • Comply with legal obligations (e.g. tax, contracts)

5. Legal Basis for Processing

We rely on:

  • Consent – e.g. for newsletter subscriptions

  • Contract – to provide services you request

  • Legitimate Interests – e.g. to follow up with leads, improve our services, or conduct B2B outreach to business contacts in their professional capacity where this is proportionate and consistent with applicable law

  • Legal Obligations – e.g. to retain invoices or meet UAE or international regulatory requirements

Where we act as a processor on behalf of a client, the lawful basis for processing is determined by that client as the controller.

6. Sub-processors and Data Sharing

We do not sell or rent your data. We may share data with:

  • Service Providers – e.g. web hosting, analytics, CRM platforms, all bound by contracts to protect data.

  • Trusted Collaborators and Sub-processors – for example, research or telecalling agencies engaged to deliver a specific project. All sub-processors are engaged under written Data Processing Agreements that flow down equivalent obligations on confidentiality, security, breach notification, and deletion. Sub-processors are engaged only with the prior written consent of the client (where applicable).

  • Third-party Tools (including AI) – used strictly to fulfil your request. See our AI Usage Policy for details on how AI tools are used and what categories of data are excluded from AI processing.

  • Legal Authorities – if required for compliance or legal proceedings.

7. International Transfers

Your data may be processed outside your home country, including in the UAE, UK, EU, and US. We ensure appropriate safeguards (e.g. Standard Contractual Clauses, vendor due diligence) to maintain equivalent data protection across borders in line with GDPR, UAE PDPL, Bahrain PDPL, KSA PDPL, and Singapore PDPA.

8. Security

We apply appropriate technical and organisational measures to protect personal data, including:

  • Named-user access to systems holding personal data, with access restricted on a need-to-know basis

  • Strong passwords and two-factor authentication on accounts with access to personal data

  • Encryption at rest and in transit, through use of commercial cloud platforms (such as Google Workspace) and equivalent encrypted transfer mechanisms

  • Disk encryption and password protection on working devices

  • No storage of personal data on removable media or unmanaged cloud services

  • Access reviewed at each project milestone and revoked on project completion

9. Data Retention

We keep personal data:

  • For active service relationships, and

  • As needed for legal, operational, or contractual purposes (typically up to 5–7 years for financial records)

  • Client project data held as a processor is returned or deleted within 30 days of project completion, or earlier on written instruction from the client, except where retention is required by law

  • We delete or anonymise data when no longer needed

10. Data Breach Notification

In the event of a personal data breach, we will notify affected clients without undue delay and, where required, within 24 hours of becoming aware of the breach. Where we act as a processor, we will cooperate fully with the client (as controller) in investigating, mitigating, and where necessary notifying regulators and affected individuals.

11. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access, correct, or delete your data

  • Restrict or object to processing

  • Withdraw consent (e.g. unsubscribe from emails)

  • Data portability (receive a copy in machine-readable format)

  • Lodge a complaint with a supervisory authority

Where we hold your data as a processor on behalf of a client, rights requests should be directed to that client as the controller; we will support the client in responding. Contact natalie@marketing-alchemist.co to exercise your rights or to be directed to the appropriate controller.

12. Cookies

Cookies are used for site functionality and analytics. By using our site, you consent to this use. You can manage cookies via your browser settings.

13. Changes to this Policy

We may update this policy periodically. Material changes will be posted clearly. The current version will always be available on our website with the effective date.

Questions? Contact Natalie Gurney at natalie@marketing-alchemist.co.

Your trust is important to us. We are committed to ethical, lawful, and transparent data practices in all our work.