
Your data. Your rights. Our responsibility.

Protecting Consumer Data under DFSA Regulation

The purpose of this privacy notice is to provide a clear explanation of when, why and how we collect personal data and is applicable to any individual whose personal data is processed. It also explains who we may share your information with and provides details about your data rights and how you may use them.

We may amend this policy from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business.

This version of the privacy policy was published on 1st December 2025. Any subsequent updates are intended to provide clearer information on how we collect and use your personal data. It is not anticipated there will be any material changes to the way in which we process your information.

Rhodium Re is licensed under the Dubai International Financial Centre and regulated by the Dubai Financial Services Authority (DFSA). The DIFC Commissioner of Data Protection is responsible for the supervision and enforcement of the Data Protection Law, DIFC Law No. 5 of 2020.

Introduction

This policy outlines the privacy rights applicable to individuals whose data is collected and processed by Rhodium Re. The document details the types of data collected, the methods for storage and processing, and the consumer rights afforded under the DFSA regulatory framework. The aim is to provide transparency, ensure compliance with applicable DIFC and DFSA requirements, and foster trust with insurance consumers.

Overview of DFSA Privacy Regulations

The DFSA, as the financial services regulator for the DIFC, establishes clear obligations for firms handling personal information. These include requirements to collect and process data lawfully, fairly, and transparently; to maintain the accuracy and security of data; and to respect the rights of individuals.

Rhodium Re is required to implement appropriate policies and procedures to safeguard consumer data and to notify affected individuals and authorities in the event of a data breach.

Types of Consumer Data Collected

As part of its insurance and reinsurance operations, Rhodium Re may collect the following categories of consumer data:

Personal Data: Names, dates of birth, identification numbers, contact details (address, email, phone), and demographic information.

Financial Data: Bank account information, payment card details, and transaction histories relevant to premium payments and claims settlements.

Transactional Data: Policy details, claims information, underwriting data, and communications related to insurance products and services.

The above is merely indicative and used for illustrative purposes. It is by no means exhaustive.

How Data is Stored

Consumer data is stored securely in accordance with DFSA and DIFC data protection requirements. Key aspects include:

  • Security Measures: Use of encryption, secure servers, access controls, and regular security audits to prevent unauthorised access or disclosure.
  • Location: Data is stored on servers within the DIFC or other approved jurisdictions, subject to adequate data protection safeguards.
  • Retention Periods: Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, in line with regulatory and contractual obligations. Data no longer required is securely deleted or anonymised.

How Data is Processed

Consumer data is processed for legitimate business purposes, including:

  • Underwriting, administering, and servicing insurance and reinsurance contracts.
  • Processing claims and handling customer service requests.
  • Complying with legal and regulatory requirements, such as anti-money laundering and sanctions screening.
  • Data processing is based on lawful grounds, such as the necessity for contract performance, compliance with legal obligations, or the legitimate interests of Rhodium Re.
  • Automated processing may be used for certain functions (e.g., risk assessment), but decisions with significant effects on individuals will not be made solely by automated means without appropriate safeguards.

Consumer Rights

Under the DFSA and DIFC framework, consumers have the following rights regarding their personal data:

  • Access
  • Correction
  • Erasure
  • Objection
  • Data Portability
  • Withdrawal – the right to remove consent.

Data Sharing and Third Parties

Consumer data may be shared with third parties only where necessary and in accordance with DFSA requirements. Typical recipients include:

  • Insurance and reinsurance partners, claims handlers, and service providers engaged to deliver contracted services.
  • Regulatory authorities and law enforcement, where required by law.
  • All third parties receiving data are subject to contractual obligations to protect personal information and to use it only for the intended purposes.

Data Security Measures

Rhodium Re maintains comprehensive technical and organisational safeguards to protect consumer data, including:

  • Regular risk assessments and security training for staff.
  • Implementation of firewalls, intrusion detection systems, and secure backup procedures.
  • Strict access controls and monitoring of data access and handling.

Complaints and Redress Mechanisms

Consumers who have concerns about the handling of their personal data can raise complaints through the following channels:

  • Contacting the MGA’s Data Protection Officer (DPO) or designated privacy contact for prompt investigation and resolution.
  • Escalating unresolved complaints to the DFSA or the DIFC Data Protection Commissioner, as appropriate.
  • The MGA is committed to responding to all privacy-related complaints in a timely and fair manner.

Contact Information

For questions, requests, or concerns regarding this policy or the handling of personal data, consumers may contact:

Data Protection Officer, Rhodium Re Ltd, 15th Floor, Gate District, Gate Building.

Complaints

Rhodium Re takes complaints made against us very seriously. We maintain a procedure to ensure that complaints are dealt with promptly and in an equitable manner. If you have any complaints about the handling of your personal data, in the first instance please email us directly at complaints@rhodium-re.com.

If, after Rhodium Re has made every effort to resolve the complaint, you remain unsatisfied, please contact the DIFC Data Commissioner:

Commissioner@dp.difc.ae

Conclusion

Rhodium Re is committed to upholding the highest standards of consumer privacy and data protection in accordance with DFSA and DIFC regulations. This policy will be reviewed and updated regularly to ensure ongoing compliance and to reflect changes in regulatory requirements or operational practices.
