.svg){kind=icon}
Privacy Policy
Last Updated: January 2026
1. Introduction
C-Quest International ("C-Quest", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at www.c-quest.com (the "Website"), contact us, or engage our professional services.
C-Quest is an independent cost consultancy and an allied practice of KEO International Consultants, headquartered in Dubai, United Arab Emirates, with offices across the Middle East, Europe, and beyond. We are registered and regulated by RICS (Royal Institution of Chartered Surveyors) for the delivery of professional cost management services.
This Privacy Policy is designed to comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL"), as well as other applicable data protection laws in the jurisdictions where we operate, including the EU General Data Protection Regulation ("GDPR") where applicable to our Portugal operations.
Please read this Privacy Policy carefully to understand our practices regarding your personal data. By using our Website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
C-Quest International is the data controller responsible for your personal data. Our registered office is located at Rolex Tower, Level 4, Sheikh Zayed Road, P.O. Box 49100, Dubai, UAE.
For the purposes of the UAE PDPL, C-Quest is established in the UAE and processes personal data in accordance with UAE law. For individuals in the European Union interacting with our Portugal offices, the relevant C-Quest entity in Portugal acts as data controller in compliance with GDPR.
If you have any questions about this Privacy Policy or our data practices, please contact us using the details provided in Section 17.
3. Information We Collect
We collect and process various types of personal information depending on how you interact with us:
3.1 Information You Provide Directly
Contact and Inquiry Information: When you contact us through our Website, by email, telephone, or other means, we collect your name, email address, telephone number, company name, job title, and the content of your inquiry or correspondence.
Business and Professional Information: When you engage our services or submit a request for proposal (RFP), we collect information necessary for the provision of our services, including company details, project information, billing and payment details, and professional credentials.
Employment and Recruitment Information: If you apply for a position with C-Quest, we collect your CV/resume, cover letter, educational and professional qualifications, employment history, references, and any other information you provide in your application.
3.2 Information Collected Automatically
Technical and Usage Data: When you visit our Website, we automatically collect certain information about your device and your visit, including your IP address, browser type and version, operating system, referring URL, pages viewed, time and date of visit, time spent on pages, and other diagnostic data.
Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect and track information about your browsing activity. For detailed information about the cookies we use, please see our Cookies Policy.
3.3 Information from Third Parties
We may receive personal information about you from third parties, including business partners, professional networks (such as LinkedIn), recruitment agencies, referees you have nominated, and publicly available sources for the purposes of verifying information or conducting due diligence.
3.4 Sensitive Personal Data
Under the UAE PDPL, certain categories of personal data are considered sensitive, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, and biometric data. We do not generally collect sensitive personal data unless strictly necessary for a specific purpose (such as health information for employee records where required by law), and where we do, we will obtain your explicit consent or process such data only where permitted by applicable law.
4. Legal Basis for Processing
Under the UAE PDPL and other applicable data protection laws, we must have a valid legal basis to process your personal data. We rely on the following legal bases:
Consent: Where you have given clear consent for us to process your personal data for a specific purpose. Under UAE PDPL, consent must be clear, specific, informed, and unambiguous.
Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract.
Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject under UAE law or other applicable laws.
Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and interests. Under UAE PDPL, this is permitted where necessary to achieve legitimate interests without prejudice to your rights.
Vital Interests: Where processing is necessary to protect your vital interests or those of another person.
Public Interest: Where processing is necessary for the performance of a task carried out in the public interest.
5. How We Use Your Information
We use the personal information we collect for the following purposes:
6. Sharing Your Information
We may share your personal information with the following categories of recipients:
KEO International Consultants: As an allied practice of KEO, we may share information with KEO entities for operational, administrative, and service delivery purposes.
C-Quest Group Companies: We may share information with our offices in Abu Dhabi, Dubai, Kuwait, Qatar, Bahrain, Oman, Saudi Arabia, Jordan, and Portugal for the purposes of providing services and internal administration.
Service Providers: We engage third-party service providers to perform functions on our behalf, including IT and hosting providers, professional advisors (legal, accounting, audit), payment processors, marketing and analytics providers, and AI/technology service providers. These providers are contractually bound to protect your information and may only use it for the purposes specified by us.
Professional and Regulatory Bodies: We may share information with RICS and other professional bodies for regulatory compliance and professional standards purposes.
Legal and Governmental Authorities: We may disclose your information where required by law, court order, or governmental regulation, or where necessary to protect our rights, property, or safety, or that of our clients or others. This includes compliance with requests from UAE authorities, including the UAE Data Office.
Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction, subject to applicable data protection requirements.
7. Use of Artificial Intelligence and Automated Processing
7.1 AI in Our Services
C-Quest utilizes artificial intelligence (AI), machine learning (ML), and other advanced digital technologies to enhance the quality, accuracy, and efficiency of our cost consultancy services. These technologies may be used for:
- Cost estimation and analysis
- Data processing and pattern recognition
- BIM (Building Information Modeling) integration and analysis
- Market benchmarking and trend analysis
- Document review and extraction
- Quality assurance processes
7.2 Human Oversight
All AI-assisted outputs are subject to review, validation, and professional judgment by our qualified chartered surveyors and cost consultants. AI tools are used to support, not replace, professional decision-making. Final deliverables and professional advice are always verified by appropriately qualified professionals.
7.3 Automated Decision-Making
We do not use fully automated decision-making (including profiling) that produces legal effects or similarly significantly affects you without human involvement. Where automated processing is used as part of our services, it is always subject to human review before any decisions are finalized.
7.4 Your Rights Regarding Automated Processing
You have the right to:
- Be informed about the use of automated processing in relation to your data
- Request human review of any automated processing that affects you
- Express your point of view and contest decisions influenced by automated processing
- Obtain meaningful information about the logic involved in automated processing
7.5 AI Service Providers
Where we use third-party AI tools or platforms, these providers act as data processors on our behalf and are bound by data processing agreements that require them to protect your personal data in accordance with applicable laws, including the UAE PDPL. We do not permit our AI service providers to use your personal data for their own purposes, including training their AI models, without your explicit consent.
8. International Data Transfers
As C-Quest operates across multiple jurisdictions, your personal information may be transferred to and processed in countries other than your country of residence.
8.1 Transfers from the UAE
Under the UAE PDPL, personal data may be transferred outside the UAE only where the receiving country or organization provides adequate levels of data protection, or where appropriate safeguards are in place. We ensure compliance with UAE cross-border transfer requirements through:
- Transferring data only to countries recognized as providing adequate protection
- Implementing appropriate contractual safeguards
- Obtaining your consent where required
- Ensuring the transfer is necessary for contract performance or legal claims
8.2 Transfers from the EU (Portugal)
For personal data originating from our Portugal operations or from individuals in the European Economic Area, we comply with GDPR transfer requirements through standard contractual clauses, adequacy decisions, or other legally recognized transfer mechanisms.
8.3 Our Operating Jurisdictions
Your data may be processed in any of our operating jurisdictions, including the United Arab Emirates, Saudi Arabia, Qatar, Kuwait, Bahrain, Oman, Jordan, and Portugal. Each of these jurisdictions has its own data protection framework, and we implement appropriate safeguards to ensure consistent protection of your data across all locations.
9. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the UAE PDPL requirement that data not be kept longer than necessary, and to satisfy any legal, regulatory, accounting, or reporting requirements.
Client and Project Records: In accordance with professional standards and legal requirements, we typically retain client and project records for a minimum of 6 years following completion of the engagement, or longer where required by applicable laws, professional indemnity insurance requirements, or limitation periods for legal claims.
Inquiry and Contact Records: General inquiries and contact records are typically retained for 2 years unless a business relationship is established.
Recruitment Records: Unsuccessful job applications are typically retained for 12 months. Successful candidate records become part of employee records.
Marketing Records: Marketing preferences and consent records are retained until you withdraw consent or opt out, and for a reasonable period thereafter to ensure we can honor your preferences.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by the UAE PDPL and other applicable laws. These measures include:
- Encryption of data in transit and at rest
- Access controls and authentication procedures
- Regular security assessments and testing
- Staff training on data protection and confidentiality
- Physical security measures at our offices
- Incident response and data breach procedures
While we take reasonable steps to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the UAE Data Office within 72 hours of becoming aware of the breach, as required by the UAE PDPL
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches and the remedial actions taken
- For breaches affecting EU residents, comply with GDPR notification requirements
12. Your Rights
Depending on your location and applicable laws, you have the following rights regarding your personal information:
12.1 Rights Under UAE PDPL
If you are in the UAE or your data is processed under UAE law, you have the right to:
- Access: Request a copy of your personal data held by us
- Rectification: Request correction of inaccurate or incomplete personal data
- Erasure: Request deletion of your personal data in certain circumstances
- Restriction: Request restriction of processing in certain circumstances
- Data Portability: Receive your personal data in a structured, commonly used format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Complaint: Lodge a complaint with the UAE Data Office
12.2 Rights Under GDPR (EU/Portugal)
If you are in the European Economic Area or your data is processed under GDPR, you have equivalent rights as listed above, plus additional rights where applicable.
12.3 Exercising Your Rights
To exercise any of these rights, please contact us using the details provided in Section 17. We will respond to your request within the timeframe required by applicable law (generally 30 days under UAE PDPL, one month under GDPR). We may need to verify your identity before processing your request.
13. Marketing Communications
We may send you marketing communications about our services, industry insights, news, and events where you have consented to receive such communications or where we have a legitimate interest in doing so (such as where you are an existing client).
In accordance with UAE PDPL requirements, we will obtain your consent before sending electronic marketing communications unless an exemption applies.
You can opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in any marketing email, contacting us using the details in Section 17, or updating your preferences through any preference center we provide.
14. Third-Party Links
Our Website may contain links to third-party websites, including social media platforms (such as LinkedIn), professional bodies (such as RICS and SAVE International), and our parent company KEO International Consultants. We are not responsible for the privacy practices or content of these third-party websites. We encourage you to read the privacy policies of any third-party websites you visit.
15. Children's Privacy
Our Website and services are not directed at individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will take steps to delete such information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any changes will be posted on this page with an updated "Last Updated" date. Where changes are significant, we may also notify you by email or through a notice on our Website.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
C-Quest International
Rolex Tower, Level 4
Sheikh Zayed Road
P.O. Box 49100, Dubai, UAE
Email: info@c-quest.com
Telephone: +971 4 306 9888
For data protection specific inquiries, please mark your correspondence "Data Protection Inquiry."
18. Supervisory Authorities and Complaints
18.1 UAE Data Office
If you are not satisfied with our response to any privacy-related concern regarding data processed under UAE law, you have the right to lodge a complaint with the UAE Data Office, the supervisory authority responsible for overseeing compliance with the UAE PDPL.
18.2 EU Data Protection Authorities
For individuals in the European Union whose data is processed under GDPR (including through our Portugal operations), you may lodge a complaint with the data protection authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).
18.3 Other Jurisdictions
For individuals in other jurisdictions where we operate (Saudi Arabia, Qatar, Kuwait, Bahrain, Oman, Jordan), you may have rights to lodge complaints with relevant local authorities. Please contact us for information on the appropriate authority in your jurisdiction.
19. Jurisdiction-Specific Provisions
19.1 Saudi Arabia
For individuals in Saudi Arabia, we process personal data in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations. Data transfers outside Saudi Arabia comply with PDPL requirements.
19.2 Qatar
For individuals in Qatar, we process personal data in accordance with Qatar's Law No. 13 of 2016 on Personal Data Protection, where applicable.
19.3 Other GCC States
For individuals in Bahrain, Kuwait, and Oman, we comply with applicable local data protection requirements and sector-specific regulations.
This Privacy Policy was last reviewed and updated in January 2026.