THE SEVEN FRIDAYS
PRIVACY POLICY
Last updated: 4 June 2026
1. Introduction
The Seven Fridays values the privacy of the individuals who use its marketplace and is committed to handling personal data lawfully, fairly, and transparently. The present Privacy Policy (the "Policy") explains how The Seven Fridays FZ-LLC collects, uses, discloses, transfers, and safeguards personal data when you access our website at https://www.thesevenfridays.com, use our mobile application once released, or otherwise interact with our services (together, the "Platform").
Because the Platform connects users with independent third-party suppliers of wellness, hospitality, dining, leisure, tourism, and adventure experiences, the processing of personal data is integral to the booking and payment functions we provide. By using the Platform, you acknowledge that you have read and understood the practices described herein. Where consent is the relevant legal basis, your agreement will be sought separately and may be withdrawn at any time.
2. Data Controller and Contact Details
For the purposes of this Policy, the data controller responsible for your personal data is The Seven Fridays FZ-LLC, a Free Zone Limited Liability Company registered with the Ras Al Khaimah Economic Zone Authority (RAKEZ) under licence number 45033186, with its registered office at Compass Building, Al Shohada Road, Al Hamra Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates.
Questions, requests, or concerns relating to this Policy or to the processing of your personal data may be directed to our privacy team at privacy@thesevenfridays.com. Where the volume or sensitivity of our processing requires it, we will designate a contact point or data-protection officer and publish the relevant details on the Platform.
3. Scope and Applicable Law
Our processing of personal data is governed by the data-protection legislation applicable to our establishment and to the individuals whose data we handle. As an entity established in the United Arab Emirates, we process personal data in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL"), as supplemented by its Executive Regulations. Where we offer goods or services to, or monitor the behaviour of, individuals located in the European Union, the processing of their personal data falls additionally within the scope of Regulation (EU) 2016/679, the General Data Protection Regulation (the "GDPR").
Although our launch is focused on the Middle East, our stated intention to expand into Europe and other markets means that European data-protection standards are observed across the Platform. Where the PDPL and the GDPR impose differing requirements, we apply the standard offering the higher level of protection to the relevant individual.
4. Categories of Personal Data We Collect
In the course of operating the Platform, we collect several categories of personal data, the precise scope of which depends on how you interact with us.
Identity and Account Data: Your name, date of birth where age verification is required, username, password in encrypted form, and profile details provided during registration.
Contact Data: Your email address, telephone number, and any postal or billing address you supply.
Booking and Transaction Data: Records of the experiences you book, the suppliers involved, dates, quantities, special requests, dietary or accessibility preferences communicated to a supplier, and your booking history.
Payment Data: Information necessary to process your payment, noting that full card details are handled by our third-party payment service providers and are not stored by us in their entirety.
User-Generated Content: Reviews, ratings, photographs, and communications you submit through the Platform.
Technical and Usage Data: Internet protocol address, device identifiers, browser type, operating system, and information regarding your interaction with the Platform, collected by automated means.
Communications Data: The content of your correspondence with our support team and your marketing preferences.
Certain experiences offered through the Platform, including adventure and physical activities, may require a supplier to obtain limited health or fitness information to assess eligibility. Such data, where it reveals health conditions, constitutes sensitive personal data and is collected only where necessary, with appropriate safeguards and, where required, your explicit consent.
5. How We Collect Personal Data
We obtain personal data through three principal channels. Data is provided directly by you when you register an account, complete a booking, submit a review, or contact our support team. Data is generated automatically when you navigate the Platform, by means of the technologies described in Section 11. In limited circumstances, data is received from third parties, including payment service providers confirming a transaction, suppliers communicating booking-related information, and, where you choose to register or log in by means of a third-party service, the provider of that service in accordance with its own terms.
6. Purposes of Processing and Legal Bases
We process personal data only where a lawful basis exists. Under the GDPR, that basis will be one of those set out in Article 6, and under the PDPL it will be consent or another recognised ground permitting processing without consent. The principal purposes for which we process your data, together with the corresponding legal bases, are as follows.
Provision of the Service: To create and administer your account, to process and confirm bookings, and to facilitate the delivery of experiences by suppliers, on the basis of the performance of our contract with you.
Payment and Financial Administration: To collect payment, to administer refunds, and to maintain accounting records, on the basis of contractual necessity and compliance with our legal obligations.
Customer Support and Complaint Handling: To respond to enquiries, to investigate complaints, and to assess refund eligibility, on the basis of our legitimate interest in operating a reliable marketplace and, where applicable, the performance of our contract.
Platform Improvement and Security: To maintain, secure, and improve the Platform and to prevent fraud, on the basis of our legitimate interests, balanced against your rights and freedoms.
Marketing Communications: To send you promotional messages about experiences that may interest you, on the basis of your consent or, where permitted, our legitimate interest, subject in every case to your right to opt out.
Legal Compliance: To comply with obligations imposed by tax, consumer-protection, anti-money-laundering, and other applicable laws, on the basis of compliance with a legal obligation.
Where processing of sensitive personal data is involved, we rely on your explicit consent or another condition permitted by the GDPR and the PDPL.
7. Disclosure of Personal Data
Given the marketplace nature of the Platform, the sharing of certain personal data is necessary to fulfil your bookings. We disclose personal data in the following circumstances and to the following categories of recipient.
Suppliers: When you book an experience, we share with the relevant supplier the information required to deliver that experience, which may include your name, contact details, booking particulars, and any special requirements or eligibility information you have provided. Each supplier acts as an independent controller in respect of the data it receives for the performance of its own services and is responsible for handling that data in accordance with applicable law.
Payment Service Providers: We transmit transaction data to regulated payment processors for the secure handling of payments and refunds.
Service Providers and Processors: We engage trusted vendors who process data on our behalf for hosting, communications, customer support, and analytics, under written agreements that bind them to confidentiality and to processing only on our documented instructions.
Legal and Regulatory Recipients: We may disclose personal data where required by law, court order, or a competent authority, or where necessary to protect our rights, property, or safety, or those of our users and the public.
Corporate Transactions: In connection with a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to a successor entity, subject to the protections described in this Policy.
We do not sell personal data, and we do not share it with third parties for their own independent marketing purposes without your consent.
8. International Data Transfers
Operating across multiple jurisdictions entails the transfer of personal data beyond the borders of the country in which it was collected, including transfers between the United Arab Emirates, the European Union, and other territories where our suppliers and service providers operate. Whenever we transfer personal data internationally, we implement safeguards designed to ensure an adequate level of protection.
For transfers governed by the GDPR, we rely on an adequacy decision of the European Commission where one exists, or, in its absence, on appropriate safeguards such as the Standard Contractual Clauses adopted by the Commission, supplemented where necessary by additional technical and organisational measures. For transfers governed by the PDPL, we ensure that the recipient jurisdiction affords an adequate level of protection or that an appropriate legal mechanism, such as a contractual undertaking or your explicit consent, is in place. Further information regarding the specific safeguards applied to a given transfer is available upon request to our privacy team.
9. Data Retention
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including the satisfaction of any legal, accounting, tax, or reporting requirements. Account and booking records are ordinarily retained for the duration of your relationship with the Platform and for a subsequent period determined by the limitation periods applicable to potential disputes and by statutory record-keeping obligations under United Arab Emirates law.
In determining an appropriate retention period, we consider the nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes of processing, and whether those purposes can be achieved by other means. Once data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.
10. Security of Personal Data
Protecting personal data against unauthorised access, loss, alteration, or disclosure is a central obligation we take seriously. To that end, we maintain technical and organisational measures appropriate to the risks presented by our processing, including encryption of data in transit, access controls restricting data to authorised personnel, secure hosting arrangements, and regular review of our security practices.
While we devote considerable effort to safeguarding your information, no method of transmission over the internet or of electronic storage is entirely secure, and absolute security cannot therefore be guaranteed. We encourage you to assist in protecting your account by maintaining the confidentiality of your login credentials and by notifying us promptly of any suspected compromise.
11. Cookies and Similar Technologies
The Platform may employ cookies and comparable technologies to operate essential functions, to remember your preferences, and, where you consent, to analyse usage and deliver tailored content. At present, the Platform does not deploy third-party advertising, analytics, or marketing tracking tools; should this change, we will update our practices, obtain consent where required, and reflect the relevant detail in our separate Cookie Policy, which forms part of this Policy by reference. You may manage your cookie preferences through the controls provided on the Platform and through your browser settings.
12. Your Data Protection Rights
Subject to the conditions and exemptions set out in the applicable legislation, you are entitled to exercise a number of rights in respect of your personal data. Under both the GDPR and the PDPL, these rights include the following.
Right of Access: You may request confirmation as to whether we process your personal data and obtain a copy of that data together with information about how it is processed.
Right to Rectification: You may request the correction of inaccurate data and the completion of incomplete data.
Right to Erasure: You may request the deletion of your personal data where it is no longer necessary, where consent is withdrawn, or where processing is otherwise unlawful, subject to our legal retention obligations.
Right to Restriction: You may request that we limit the processing of your data in defined circumstances, for instance while the accuracy of the data is being verified.
Right to Object: You may object to processing carried out on the basis of our legitimate interests and to the processing of your data for direct-marketing purposes.
Right to Data Portability: You may request that data you have provided to us be furnished to you, or transmitted to another controller, in a structured, commonly used, and machine-readable format, where processing is based on consent or contract and carried out by automated means.
Right to Withdraw Consent: Where processing relies on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@thesevenfridays.com. We will respond within the timeframe prescribed by the applicable law and may request information necessary to verify your identity before acting on a request. No fee is payable for a legitimate request, although we reserve the right to charge a reasonable fee, or to decline to act, where a request is manifestly unfounded or excessive.
13. Marketing Preferences
You retain control over the marketing communications you receive from us. Where you have consented to receive promotional messages, or where we are otherwise permitted to send them, you may opt out at any time by following the unsubscribe instructions contained in each message or by adjusting the preferences in your account. Withdrawal of marketing consent does not affect communications that are necessary for the administration of your bookings, such as confirmations and service notifications.
14. Children's Privacy
The Platform is intended for use by adults, and account registration requires that you be at least eighteen years of age or the age of majority in your jurisdiction. We do not knowingly collect personal data from children. Where we become aware that data relating to a child has been collected without appropriate authorisation, we will take steps to delete it. The PDPL affords heightened protection to the personal data of children, and we treat any such data with corresponding care.
15. Automated Decision-Making
We do not ordinarily make decisions producing legal or similarly significant effects concerning you that are based solely on automated processing without human involvement. Should we introduce any such processing in the future, we will inform you, identify the logic involved, and ensure that you are afforded the rights guaranteed by the applicable legislation, including the right to obtain human intervention and to contest the decision.
16. Data Breach Notification
In the event of a personal-data breach likely to give rise to a risk to your rights and freedoms, we will act without undue delay to contain and assess the incident. Where required by the GDPR, the PDPL, or other applicable law, we will notify the competent supervisory authority within the prescribed period and, where the breach is likely to result in a high risk to you, we will communicate the matter to you directly, together with information regarding the measures taken and the steps you may consider.
17. Complaints and Supervisory Authorities
Should you have concerns regarding our handling of your personal data, we encourage you to contact us first so that we may seek to resolve the matter. You retain, however, the right to lodge a complaint with the competent supervisory authority. In the United Arab Emirates, oversight of personal-data protection rests with the UAE Data Office established under the federal framework. Individuals in the European Union may lodge a complaint with the data-protection authority of the Member State of their habitual residence, place of work, or the place of the alleged infringement.
18. Changes to this Privacy Policy
We may update this Policy periodically to reflect changes in our practices, our services, or the legal landscape. The version in force is identified by the "Last updated" date appearing at the head of the document. Where a change is material, we will provide notice through the Platform or by electronic communication before the change takes effect. Continued use of the Platform following the effective date of a revised Policy signifies your awareness of the updated terms, save where your consent is separately required.
19. Contact
For any matter relating to this Privacy Policy or to the exercise of your rights, please contact:
The Seven Fridays FZ-LLC
Compass Building, Al Shohada Road, Al Hamra Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates
Email: privacy@thesevenfridays.com