Byte Orbit Technologies Privacy Policy
Our Personal, Statement, cookies, third-parties
This Privacy Notice describes the ways in which Byte Orbit Technologies Ltd (Registration Number: 10957), a company registered in the Dubai International Financial Centre ("DIFC") and domiciled at Unit GA-00-SZ-L1-RT-208, Level 1 Gate Avenue - South Zone ("Byte Orbit", "we", "us"), processes and protects the Personal Data of our Clients, product users, test pilots, and business contacts
Last updated: January 2026
1. Introduction
Byte Orbit Technologies Ltd is a wholly owned subsidiary of Byte Orbit (Pty) Ltd, a company incorporated in the Republic of South Africa. We operate as a specialist software product design and development agency, offering services in UX/UI design, software engineering, and venture building.
We provide digital innovation and software solutions primarily to corporate clients and venture partners. The types of Personal Data we process are those necessary to design, build, test, and maintain digital products, conduct user research, and facilitate venture building initiatives locally, regionally and globally and to carry out various ancillary activities.
As an international software development and design studio, we take very seriously our professional and ethical duties and obligations to protect Personal Data. We have a robust information security management program in place to protect the Personal Data and other information that we process. These measures are monitored, reviewed and regularly enhanced in order to meet our professional responsibilities and the needs of our Clients.
In line with the transparency requirements of Articles 9 and 10 of the Dubai International Financial Centre Data Protection Law, DIFC Law No. 5 of 2020 (the “DIFC-DPL), this Privacy Notice sets out the following information:
Identification of the Data Controllers;
Details of Our Local Data Privacy Contact;
Sources and Categories of Personal Data That We Process, Why We Do So, and Lawful Bases for Processing;
Other Byte Orbit Offices And Operations as Well as Third Parties With Which Our Affected Offices May Share Personal Data;
Circumstances in Which We Transfer Personal Data to Countries Outside the DIFC for Processing, and the Safeguards We Put in Place to Protect the Personal Data so Transferred;
Our Retention Policy for Records Containing Personal Data;
Individual’s Rights in Relation to Their Personal Data; and
Definitions of Certain Terms Used in This Privacy Notice.
2. Definitions
For the purposes of this Privacy Notice, the following terms shall be defined as follows, namely:
"Client" means an Individual or legal entity that is or was a client of Byte Orbit pursuant to an existing or past Services Agreement, or that makes or made contact with or has or had discussions with Byte Orbit with a view to such a Services Agreement being established (whether or not such a Services Agreement was or is subsequently established);
"Controller" means an Individual or entity who or which, alone or jointly, determines the purposes and means of Processing of Personal Data (and, where relevant, this term shall have the specific meaning attributable to it for the purposes of the DIFC-DPL);
"Commissioner" means the person appointed by the President of the DIFC pursuant to Article 43(1) of the DIFC-DPL to administer the law;
"DFSA" means the Dubai Financial Services Authority;
"DIFC" means the Dubai International Financial Centre;
"DIFCA" means the Dubai International Financial Centre Authority;
"DIFC-DPL" means the DIFC Data Protection Law, DIFC Law No. 5 of 2020 as amended by DIFC Law No. 1 of 2025;
"DSAR" means Data Subject Action Request pursuant to the provisions of Articles 33 to 37 of the DIFC-DPL, relating to the rights of data subjects under the DIFC-DPL;
"Individual" means a human person (also sometimes referred to as a "natural" person).
"Joint Controller" means any Controller that jointly determines the purposes and means of Processing with another Controller.
"Legal Notices" means the Legal Notices page on the Byte Orbit website which hosts this Privacy Notice.
“Personal Data” means any information relating to an identified or identifiable Individual (a “Data Subject”). An identifiable Individual is one whose identity can be established by one or more identifiers (for example, their name) specific to that Individual;
“Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means an Individual or entity who or which processes Personal Data on behalf of a Controller;
“Profiling” means the automated Processing of Personal Data to evaluate the personal aspects relating to an Individual, in particular to analyse or predict aspects concerning the person's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements;
“Recipient” means an Individual or entity to whom or to which Personal Data are transmitted or disclosed;
"Services Agreement" means a contract established under the laws of the DIFC for the provision of software development, design, or consulting services by Byte Orbit to a Client;
“Third Party” when used to describe a Data Subject, means an Individual who is not a Client; and
“UAE” means the United Arab Emirates.
3. Data Controllers
The Data Controller for the purposes of this Privacy Notice is Byte Orbit Technologies Ltd.
In certain instances, particularly regarding venture studio or cross-border development projects, we may act as a Joint Controller with our parent company, Byte Orbit (Pty) Ltd (South Africa), or with venture partners.
The principal place of business for Byte Orbit Technologies Ltd is Unit GA-00-SZ-L1-RT-208, Level 1 Gate Avenue - South Zone, DIFC, Dubai, United Arab Emirates
4. Local Data Privacy Contact
Please direct all general communications or queries relating to this Privacy Notice or the firm’s compliance with the DIFC-DPL to our local data privacy contact. The details for our local data privacy contact are as follows:
By email:
compliance@byteorbit.com
By post:
Att: Data Protection Officer
Byte Orbit Technologies Ltd
Unit GA-00-SZ-L1-RT-208, Level 1 Gate Avenue - South Zone, DIFC, Dubai, UAE.
While not mandatory for all DIFC entities, due to the nature of our activities (including the Processing of sensitive data), we assess our Processing activities annually. Detailed inquiries regarding our DPO status or to contact the DPO directly can be made via the contact details above.
With regard to the exercise of Data Subject rights under the DIFC-DPL as further described in Section 9, Individuals wishing to submit a DSAR.
5. Sources and categories of business personal data that we process, why we do so and lawful bases for processing
To provide software design and development services:
We process Personal Data to deliver our core services, including:
UX/UI Design & Research: Processing survey responses, video interviews, and behavioural analytics to validate product design;
Software Engineering: Processing user credentials, logs, and test data during the development and QA lifecycle;
Venture Building: Processing founder CVs and pitch data for the 'Orbit X' and 'Next Orbit' programs.
Given the diverse nature of the digital products we build (Fintech, EdTech, HealthTech), the categories of data vary. However, they typically include:
Identity Data: Names, usernames, biometric identifiers (where applicable for KYC products).
Technical Data: IP addresses, login data, browser type and version, time zone setting.
Usage Data: Information about how you use our website and products.
In Product Testing ('Test Pilots')
We process the Personal Data of Individuals who register as 'Test Pilots' to participate in beta testing. This includes demographic data to ensure diverse testing groups and feedback data to improve product functionality.
To Comply with Commercial Due Diligence and Regulatory Obligations
We process Personal Data of Client representatives and venture founders to conduct commercial due diligence, fraud prevention, and to comply with DIFC anti-money laundering (AML) regulations applicable to Designated Non-Financial Businesses and Professions (DNFBPs), where relevant
To Facilitate Payments and Financial Transactions
For our fintech products) or Client billing, we process financial data including bank account details and transaction history. This Processing is necessary for the performance of a contract
To Engage With Our Vendors
For the purposes of dealing with suppliers, it is in our legitimate interests and those of our vendors for us to process the business contact details of the vendors’ Individual account representatives in order to communicate and otherwise conduct business with them. The information that we typically process for this purpose is provided by the vendor and includes the appointed business contact’s name, position, company affiliation, physical and email addresses, telephone numbers.
To Market Our Digital Solutions
We process business contact data to send updates on technology trends, new product launches, and invitations to events. We adhere to Regulation 9 of the DIFC Data Protection Regulations regarding consent for direct marketing.
To evaluate the use of our website
We use “cookies” and similar applications for the purposes of enabling us to evaluate the use of our website and improve the experience of visitors to it. For information on the way in which we use cookies to monitor and manage our website performance, please see our Cookie Notice.
To Facilitate Communications With Our Clients and Other Business Contacts
We use telephone conferencing services provided by third parties for the purposes of providing client services, and to deliver webinars. In some cases, we may electronically record a call to memorialise it for providing the services or further training use. In such cases, we will notify the participants that the call is being recorded. Depending on the circumstances, the lawful basis for recording the call will be the participants consent.
Lawful Basis
The lawful basis upon which we process such data will depend on the circumstances of each case, and may be carried out on the basis that the Processing is:
based on the explicit consent of the Individual concerned
based on Personal Data which are manifestly made public by the Data Subject
6. Data sharing within Byte Orbit and with third parties
7. International Transfers
We transfer Personal Data intra-group and externally to third countries outside the DIFC that are not considered to provide an adequate level of data protection. You may request a copy of the DIFC Standard Contractual Clauses or other relevant international transfer documentation by contacting our local data privacy contact using the contact details provided in Section 2 above.
Intra-group Transfers
We have put in place appropriate intra-group agreements using the DIFC Commissioner-approved Standard Contractual Clauses for Controllers or processors, as appropriate, to protect intra-group transfers of Personal Data from our Byte Orbit offices to our parent company, Byte Orbit (Pty) Ltd in South Africa.
Transfers to Unaffiliated Third Parties
Third-party vendors identified in Section 4 and business partners with whom we share Personal Data are in some cases located outside the DIFC. Unless the recipients are located in countries that have been deemed adequate by the Commissioner, we put in place data transfer agreements based on the applicable DIFC Commissioner-approved Standard Contractual Clauses or rely on other available data transfer mechanisms (Binding Corporate Rules, approved Certifications or Codes of Conduct) to protect the Personal Data so transferred. In exceptional cases, we may rely on statutory derogations for international data transfers.
8. Records Retention Policy
We (and other group companies that are recipients of Personal Data received from us) retain Personal Data only for as long as necessary for the purposes for which the data was collected, except where necessary to meet our legal obligations (for example, in relation to KYC requirements) or in order to pursue our legitimate interests.
9. Rights of individual in relation to their personal data
The DIFC-DPL provides certain rights to Data Subjects in relation to their Personal Data. These include the rights to:
request details about the Personal Data that we process, and obtain a copy of the data that we hold about them;
correct or update their Personal Data Subject to the above;
port Personal Data that the Data Subject has provided to us, in machine readable format, to another supplier
erase the data that we hold about them in some cases
restrict or object to its Processing;
object to Processing:
based on grounds relating to the Individual’s particular situation, where the Processing is based on the legitimate interest of Byte Orbit or our Clients;
where Personal Data is being processed for direct marketing purposes; or
where any decision based solely on automated Processing, including Profiling, produces seriously impactful consequences and to require such decision to be reviewed manually.
not be discriminated against in pricing and legal services for exercising any of their rights and, for the avoidance of doubt, unless permitted by the DIFC-DPL, Byte Orbit will not:
deny Data Subjects use of our services;
charge different prices or rates for our services, including through granting discounts or other benefits, or imposing penalties;
provide Data Subjects with a different level or quality of services in exchange for the retention or use of any Personal Data that Data Subjects have provided to us; and
suggest that Data Subjects may receive a different price or rate for our services or a different level or quality of services;
Where consent is the basis for Processing their Personal Data, the Individual may decline to give his or her consent, or to withdraw consent to the Processing at any time.
These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject in the performance of legal services.
In some cases, the exercise of these rights (for example, erasure, objection, restriction or the withholding or withdrawing of consent to Processing) may make it impossible for us to achieve the purposes identified in Section 5 of this Privacy Notice and provide effective services.
The Processing of requests for action by Byte Orbit in regard to the exercise of a Data Subject’s rights under the DIFC-DPL is overseen by the local data privacy contact and other professionals needed to respond to the particular request.
Any Individual wishing to assert his or her rights under the DIFC-DPL should address the relevant request to our local data privacy contact using the contact details provided in Section 2 above.
Further information and a form that can be used by a Data Subject at his discretion to exercise these rights may be downloaded
Data Subjects also have the right to submit a complaint concerning our Processing of their Personal Data to the Commissioner.
Further, if you have suffered material or non-material damage as a result of our contravention of the Law, you may also have the right to seek compensation directly through the DIFC Courts
10. Annex 1
Byte Orbit (MEA) LLP
Dubai International Financial Centre
Burj Daman Office Tower, Level 10
P.O. Box 111713
Dubai
United Arab Emirates
+971 4 447 8700
Byte Orbit (US) LLP
2 & A Half Devonshire Square
London EC2M 4UJ
England
+44 20 7655 1000
Byte Orbit (UK) LLP
4900 Key Tower
127 Public Square
Cleveland, Oh 44114
+1 216 479 8500
