Privacy

Privacy Policy

How Legends collects, uses, and protects your personal data.

Version 1.5  ·  Effective Date: 7 May 2026

Legends Elite Events L.L.C
Commercial Licence No. 1558637  |  Commercial Register No. 2716651
Department of Economy and Tourism, Dubai, United Arab Emirates

1. Introduction

Legends Elite Events L.L.C (“Legends,” the “Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, store, share, transfer, and otherwise process personal data when you visit belegends.club, register for an account on the Legends platform, apply for or hold Membership in the Legends Club, attend our events, communicate with us, or otherwise interact with our services (collectively, the “Services”).

This Privacy Policy should be read together with our Website Terms of Use (which incorporates the Eligibility Criteria, the conduct standards applicable to all Users, and the operator information required for EU disclosure compliance) and (where you are a Member) the Codex of Honour. Capitalised terms not defined herein have the meanings given in the Website Terms of Use.

1.1 Who We Are — Controller Identity

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), the United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”), the Kingdom of Saudi Arabia Personal Data Protection Law (“KSA PDPL”), the Bahrain Personal Data Protection Law (“Bahrain PDPA”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and other applicable data protection laws, the controller of your personal data is:

Legends Elite Events L.L.C
a limited liability company (single owner) registered with the Department of Economy and Tourism, Dubai, United Arab Emirates
Commercial Licence No. 1558637  |  Commercial Register No. 2716651  |  DCCI Membership No. 644865
Email: admin@belegends.club  |  Website: belegends.club

1.2 Scope

This Privacy Policy applies to personal data we process about: (a) Visitors who browse the public website without registering; (b) applicants who register an account or submit an application for Membership; (c) Members of the Legends Club; (d) attendees at events organised, hosted, or co-hosted by us; (e) persons who communicate with us through any channel, including email, telephone, messaging platforms, video calls, and chat; and (f) representatives, contacts, and authorised users of business customers and other counterparties.

1.3 Important Notice for Members

If you are a Member, the data processing carried out in connection with your Membership is governed by this Privacy Policy together with the Website Terms of Use, including the recording, transcription, and AI-analysis consents in Section 9 of the Terms of Use, the Pre-Payment Acknowledgement in Schedule B of the Terms of Use, and the conduct and confidentiality obligations in Section 5 of the Terms of Use. In the event of any conflict between this Privacy Policy and the Website Terms of Use with respect to the protection of Personal Data, this Privacy Policy shall prevail.

1.4 Defined Terms

In this Privacy Policy: “personal data” or “Personal Data” means any information relating to an identified or identifiable natural person; “processing” or “process” means any operation performed on Personal Data; “data subject” means the natural person to whom Personal Data relates; “controller” means the entity that determines the purposes and means of processing; and “processor” means an entity that processes Personal Data on behalf of the controller.

2. Personal Data We Collect

We collect Personal Data in the following categories. Not all categories will apply to every individual; what we collect about you depends on your relationship with us.

2.1 Identity and Contact Data

Full legal name; date of birth; nationality; preferred name; gender (where voluntarily provided); residential address; country of residence; email address; mobile telephone number; messaging-platform handles (e.g., Telegram, WhatsApp); time zone; and language preferences.

2.2 Government-Issued Identification and Biometric Data

Passport number, national identity card number, or other government-issued identification document number, together with images of the document and extracted data; live selfie photograph; biometric facial scan and template; liveness-detection results; and deepfake-detection results. The collection and processing of biometric data is described further in Section 7.

2.3 Eligibility, Professional and Business Data

To verify Membership eligibility under our published Eligibility Criteria (Schedule A to the Website Terms of Use), we collect: industry; role; job title; employer; company name; trade licence number; commercial registration details; business registration documents; LinkedIn profile URL; professional network data; qualifications; certifications; business capabilities; expertise; geographic focus; years of experience; portfolio companies; investment history; and any other professional information you provide as part of the Capability Audit, the verification process, or otherwise through the Services.

2.4 Financial and Verification Data

Payment-method information (provided to and stored by our payment processor; we receive only tokens and transaction metadata, not full payment-card numbers); payment history; bank-statement excerpts and financial-document data submitted for verification; recurring-deposit and salary information extracted from financial documents; deal-value indicators; trade-licence details; and financial-standing data sufficient to verify eligibility under the applicable Category and (for Senior Executive applicants) the applicable salary Zone.

2.5 Communication Data

All messages, voice communications, and interactions you exchange via the Platform, Telegram, WhatsApp, email, telephone, video conferencing, in-person meetings facilitated by the Company, or any other channel made available or facilitated by us. This includes the content, attachments, metadata, timestamps, recipient/sender identifiers, and delivery receipts of such communications.

2.6 Meeting and Recording Data

Where you participate in any video meeting, call, onboarding session, mastermind, masterclass, online event, or facilitated introduction conducted, organised, or facilitated by the Company or by a Relationship Manager (including meetings conducted via Zoom links generated and shared manually by Company personnel during the initial product phase): complete audio and video recordings; transcriptions; AI-generated summaries; talk-time ratios; and any derivative analytics described in Section 4.

2.7 Behavioural and Engagement Data

Engagement metrics; response rates and times; meeting attendance; no-show records; survey responses; activity patterns; login frequency; channel participation; inactivity periods; and usage telemetry across the Platform.

2.8 AI-Generated and Derived Data

AI capability tags; vector embeddings; multi-dimensional match scores; trust scores; credibility scores; churn-risk assessments; engagement scores; communication-style classifications derived from text and transcripts; and other outputs of the AI Matching System.

2.9 Sanctions, AML and Risk Data

Sanctions and watchlist screening results (including OFAC, EU, UK HM Treasury OFSI, UN, and other applicable lists); politically-exposed-person (PEP) status; adverse-media screening results; and risk classifications.

2.10 Device and Technical Data

IP address; device identifiers; device type, model, and operating system; browser type and version; user-agent string; referring URL; pages visited; clickstream data; date and time stamps; cookie and similar-technology identifiers (see Section 14 below); diagnostic and crash logs; and approximate geographic location derived from IP address.

2.11 Image and Likeness

Photographs and video footage taken at events, in marketing contexts, or in connection with case studies and promotional materials, in each case to the extent you are visible or identifiable in such materials.

2.12 User-Generated Content

Capability descriptions; resource requests; feedback; survey responses; event RSVPs; discussion contributions; profile photographs; and any other content you submit through the Services.

2.13 Third-Party Source Data

Information we receive about you from third parties, including: identity-verification and KYC providers; sanctions-screening and adverse-media providers; payment processors; LinkedIn and other publicly available professional sources; mutual contacts who refer you; and (where applicable) data providers used to enrich or validate the information you provide.

2.14 Special Categories of Personal Data

In limited circumstances we process special categories of Personal Data, specifically biometric data for the purpose of uniquely identifying you in the verification process. We do not intentionally collect data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, health data, or data concerning sex life or sexual orientation. You should not provide such information through the Services unless we specifically request it.

3. How We Collect Personal Data

We collect Personal Data:

  • directly from you — when you visit our website, register an account, complete the pre-payment acknowledgement at checkout, complete the Capability Audit, submit verification documentation, communicate with us through any channel, attend an event, participate in a recorded meeting, or otherwise interact with the Services;
  • automatically — through cookies, similar tracking technologies, server logs, and analytics tools when you access or use the Services. See Section 14 below for full details on cookies and similar technologies;
  • from third parties — including the Verification Provider (Persona Identities, Inc.), sanctions and adverse-media databases, payment processors (Stripe), publicly available professional sources (such as LinkedIn), referrers, and (where applicable) other Members who introduce you;
  • from AI processing — derived data, embeddings, scores, and analytical outputs generated by the AI Matching System and other AI components from the data you provide and from the transcripts of meetings and communications.

4. Purposes of Processing

We process your Personal Data for the following purposes. Where we rely on your consent for a particular purpose, you may withdraw that consent at any time as described in Section 12.

4.1 Account and Membership Administration

To create, manage, and maintain your account; to process your application for Membership; to administer the pre-payment acknowledgement; to verify your identity, business standing, and financial eligibility under the published Eligibility Criteria; to communicate with you; to process payments; to enforce eligibility and verification deadlines; and to issue receipts, invoices, and tax-compliant documentation.

4.2 Service Delivery and Service Communications

To deliver the features and functionality of the Services, including the Capability Audit, Member directory (where applicable), introductions, concierge support delivered by Relationship Managers, event registration, calendaring, messaging, notifications, and meeting facilitation.

This includes proactively contacting the Member through any channel the Member has provided or connected — including the Legends Platform itself (in-app messaging and notifications, the primary Member-facing channel), email, mobile telephone (voice and SMS), WhatsApp (via the Company’s WATI / Clare.AI WhatsApp Business infrastructure), Telegram, push notifications, and any other channel managed by the Company or by a Relationship Manager — using whichever channel is most convenient and effective in the circumstances. Such Service Communications include, without limitation: delivery of Match Proposals and recommendations; Relationship Manager outreach and follow-up; event invitations, RSVPs, and logistics; verification-flow communications; deadline reminders; security and account-status notices; billing, payment, and renewal communications; and Codex of Honour and conduct matters. Service Communications are necessary for the Services to function and the Member may not opt out of them without terminating Membership. Marketing Communications (general newsletters and promotional content beyond the scope of the Services) are governed separately by Section 4.9 and are sent only on the basis of separate opt-in consent.

4.3 AI-Powered Matchmaking, Scoring and Analysis

To generate Match Proposals, compatibility scores, vector embeddings, and other recommendation outputs through our AI Matching System, using natural-language processing, machine learning, and large language models. AI-generated recommendations are subject to human review by our concierge team. We will indicate when AI technology was materially involved in a recommendation. AI outputs may contain inaccuracies and are provided without warranty (see the Website Terms of Use, Section 9.2).

4.4 Recordings, Transcripts and Text-Based AI Analysis (Active)

To record, transcribe, store, and analyse the text content of: (a) video meetings, calls, and sessions conducted, organised, or facilitated by the Company or by a Relationship Manager (including meetings via manually-shared Zoom links during the initial product phase); (b) calls between the Member and any Relationship Manager or Company personnel; (c) communications via the Platform’s in-app messaging; (d) communications via WhatsApp (or WATI), Telegram, email, and other Company-facilitated channels; and (e) attendance and participation in Company-organised online and offline events. Active analysis includes generating summaries, extracting deal signals, identifying topics and intents, assessing communication style from transcript content, scoring relevance and trust indicators, and producing quality metrics.

4.5 Future Features — Voice Sentiment and Video Micro-Expression Analysis

Voice sentiment analysis (tone, stress, confidence, hesitation, energy, and talk-time analysis from audio recordings) and video micro-expression analysis (facial expression and emotional indicator analysis from video recordings) are NOT currently active processing. The Company may, in future, introduce these features. Their activation will be subject to a separate, specific, informed, and freely given opt-in consent presented to the Member at the time the relevant feature is made available, in accordance with the EU AI Act and other applicable laws. The Member’s decision to grant or withhold any such future consent will not affect the validity of this Privacy Policy or the Member’s Membership.

4.6 Engagement Monitoring, Quality and Network Health

To track activity, responsiveness, participation, and compliance with engagement standards (including the thirty (30) calendar-day responsiveness standard); to identify Members at risk of disengagement; to support the operational determination of Membership Guarantee eligibility under Section 7 of the Website Terms of Use; and to maintain the overall health and quality of the network.

4.7 Codex Enforcement and Ecosystem Protection

To monitor for and investigate violations of the Website Terms of Use (including Section 5 conduct standards) and the Codex of Honour, including spam, bypass attempts, unsolicited pitching, confidentiality breaches, and behavioural violations; and to take enforcement action where appropriate.

4.8 KYC, Sanctions Screening and Risk Assessment

To verify your identity, business standing, and financial eligibility through our independent third-party Verification Provider; to screen against sanctions, watchlists, PEP, and adverse-media databases; and to assess and manage risks. Further detail is provided in Section 7.

4.9 Marketing and Promotional Communications

To send you marketing communications about our events, services, and updates, where you have opted in (or where applicable law permits us to send such communications without separate opt-in to existing customers); to publish anonymised case studies and statistical data; and to use anonymised, aggregated information for promotional materials. We will seek your specific approval before publishing any materials that contain details specific enough to identify you personally.

4.10 Image and Likeness for Promotion

To use your name, image, likeness, voice, and biographical information in connection with marketing and promotional activities, where you have consented to such use (for example, by ticking the recordings and AI consent in the Pre-Payment Acknowledgement, by signing an event release, or by separately consenting to a specific case study or testimonial).

4.11 Algorithm Training and Service Improvement

To train, calibrate, validate, and improve our AI models; to develop new features; and to enhance the quality of the Services. Where we use Personal Data for these purposes, we will, wherever practicable, anonymise or de-identify it first; anonymised and de-identified data may be retained and used in perpetuity (see Section 9).

4.12 Security, Fraud Prevention and Abuse Mitigation

To detect, investigate, prevent, and respond to security incidents, fraud, abuse, unauthorised access, deepfake or impersonation attempts, and other harmful activity; to enforce our Terms; and to protect the rights, property, and safety of the Company, our Users, and the public.

4.13 Legal and Regulatory Compliance

To comply with applicable laws and regulations; to respond to lawful requests from courts, tribunals, regulators, and law-enforcement authorities; to enforce our Terms; to establish, exercise, or defend legal claims (including in connection with refund disputes, Membership Guarantee determinations, or termination decisions); and to support audits, investigations, and dispute-resolution processes.

4.14 Business Operations

To plan, manage, and improve our business; to support corporate transactions; and to manage our records and accounting.

5. Legal Bases for Processing

Where Applicable Data Protection Law requires us to identify a legal basis for processing, we rely on one or more of the following:

5.1 Performance of a Contract

Processing necessary to perform a contract with you (the Website Terms of Use, including the Pre-Payment Acknowledgement, or steps taken at your request prior to entering into a contract). EU/UK GDPR Article 6(1)(b); UAE PDPL Article 5; equivalents in other jurisdictions. Examples: account creation, processing payments, delivering core Services, AI-powered matchmaking and scoring as a contractually-bargained-for feature of Membership, recording and transcribing Company-facilitated meetings and communications, anonymised algorithm training, and transmission of data to service providers for Club operations.

5.2 Consent

Processing carried out on the basis of your specific, informed, freely given, and unambiguous consent. EU/UK GDPR Article 6(1)(a) and (for special categories) Article 9(2)(a); UAE PDPL Article 6; equivalents in other jurisdictions. Examples: biometric verification under KYC; image and likeness use for promotional purposes; future voice-sentiment and video-micro-expression analysis (when activated); event filming and photography; international data transfers (where applicable); and certain marketing communications. The pre-payment acknowledgement at checkout (described in Section 11) operates as a consent vehicle for several of these purposes.

5.3 Legitimate Interests

Processing necessary for the legitimate interests pursued by us or a third party, except where overridden by your interests or fundamental rights and freedoms. EU/UK GDPR Article 6(1)(f). Examples: security, fraud prevention, network defence, abuse mitigation, enforcement of our Terms and Codex, internal analytics, service improvement, and the protection of our Members and ecosystem.

5.4 Legal Obligation

Processing necessary to comply with a legal obligation. EU/UK GDPR Article 6(1)(c). Examples: AML and counter-terrorism-financing record-keeping, sanctions screening, tax reporting, responding to lawful requests from authorities, and retention of records for the periods required by law.

5.5 Vital Interests and Public Interest

In limited circumstances, we may process Personal Data to protect the vital interests of you or another natural person, or where processing is necessary for the performance of a task carried out in the public interest. EU/UK GDPR Article 6(1)(d) and (e).

6. AI Transparency and Automated Decision-Making

6.1 AI Components

The Services use AI extensively. AI components currently active include: (a) the AI Matching System, which generates Match Proposals, compatibility scores, vector embeddings, and other analytical outputs; (b) meeting transcription, summarisation, and text-based analysis tools; (c) automated KYC checks (image authenticity, face matching, liveness detection, deepfake detection, document data extraction) operated by our Verification Provider; (d) automated AML screening and risk classification; and (e) automated abuse-detection tools.

6.2 Future AI Components — Subject to Separate Opt-In

Voice sentiment analysis and video micro-expression analysis are NOT currently active. Their activation will be subject to: (a) prior published notice on the Platform; (b) a separate explicit opt-in consent presented to each Member at activation; (c) compliance with EU AI Act requirements applicable to such systems (including, as relevant, Article 5 prohibitions on emotion recognition in workplace contexts and Article 50 transparency obligations); and (d) updated documentation in this Privacy Policy. Until activated and consented to, no Member’s Personal Data is processed by such features.

6.3 AI Service Providers

We use AI services provided by third parties, including, without limitation, OpenAI, Inc.; Anthropic, PBC; Google LLC; AssemblyAI, Inc.; and other AI providers as designated from time to time. Personal Data may be transmitted to these providers under contractual safeguards designed to limit further use, prohibit training on our customer data without authorisation (where supported by the provider’s terms), and ensure adequate security. The list of providers may change from time to time, and the Company will inform Members of material changes through this Privacy Policy or by direct notice.

6.4 Human Review and Article 22 Rights

AI outputs that materially affect you (for example, an automatic rejection following the Verification Provider’s automated KYC decision, or material recommendations affecting your Member experience) involve automated decision-making. You have the right under EU/UK GDPR Article 22 (and equivalent provisions in other jurisdictions) not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except: (a) where necessary for entering into or performing a contract with you (subject to safeguards including the right to obtain human intervention, to express your point of view, and to contest the decision); (b) where authorised by applicable law; or (c) based on your explicit consent. With respect to the Verification Provider’s automated decisions specifically, the Member acknowledges that the Verification Provider operates independent automated decision systems pursuant to its own published methodology. The Company nonetheless makes available a right to human review of adverse Verification Outcomes alleged to result from material factual or technical error, on the procedure and within the time limits set out in Section 3.3A of the Website Terms of Use.

6.5 Right to Manual Service

If you withdraw consent for AI-powered matching, you may continue to receive Services on a manual-only concierge basis, subject to the operational practicality of providing such service in your case.

7. Identity Verification, Biometrics and AML

7.1 KYC Process

To verify the identity, business standing, and financial eligibility of applicants, we operate a multi-step verification process administered by our independent third-party Verification Provider, Persona Identities, Inc. (“Persona”). Verification is mandatory and must be completed within fourteen (14) calendar days of payment, as set out in Section 3.4 of the Website Terms of Use. The process typically involves: (a) submission of an information form; (b) submission of a government-issued photographic identification document (passport or national ID); (c) capture of a live selfie with liveness and deepfake detection; (d) automated screening against sanctions, PEP, and adverse-media databases; (e) submission of business documents (such as trade licence, employment letter, fund registration); (f) submission of financial documents (such as bank statements or financial reports); and (g) automated decision and, where required, manual review.

7.2 Biometric Data

In the verification process, we collect biometric data (specifically, a biometric facial template derived from your live selfie and your identification-document photograph) for the sole purpose of confirming that you are the same person as the holder of the document. We process biometric data on the basis of your explicit consent, given as part of the pre-payment acknowledgement and reconfirmed during the verification flow. Biometric templates are processed by our Verification Provider on our behalf and are retained for the period set out in Section 9. You may decline to provide biometric data, but we will be unable to verify you and you will not be admitted to Membership.

7.3 Verification Service Providers

We engage Persona Identities, Inc. (“Persona”) as our Verification Provider, and may from time to time engage other identity-verification providers as the Company designates. The Verification Provider acts as our processor for verification purposes (and, where it performs sanctions screening using its own databases, as an independent controller for that limited purpose). The Verification Provider is bound by contractual obligations to process your data only for verification purposes, to apply appropriate technical and organisational security measures, and to delete or return data on instruction.

7.4 Sanctions and AML Screening

We screen all applicants and Members against UN, US (OFAC), EU, UK (HM Treasury OFSI), and other applicable sanctions lists, PEP databases, and global adverse-media sources. A confirmed sanctions match results in automatic rejection or termination. PEP or adverse-media flags are reviewed manually before any decision is made.

7.5 Adverse Verification Outcomes — No Refund

As described in the Website Terms of Use Section 3.3, the Verification Provider’s automated decisions are independent. Adverse outcomes (rejection on grounds of identity, sanctions, document authenticity, role qualification, or financial threshold) do not entitle the applicant to a refund of the Membership Fee, because the applicant confirmed eligibility under the published Eligibility Criteria prior to payment as part of the pre-payment acknowledgement (see Section 11).

8. How We Share Personal Data

We do not sell your Personal Data. We share Personal Data with the following categories of recipients, in each case under appropriate safeguards:

8.1 Service Providers (Processors)

We share Personal Data with third-party service providers acting as our processors (or, in limited cases, as independent controllers, as further described in their own terms). The categories of service providers we use evolve over time as our infrastructure and product evolve. As at the Effective Date, our principal categories of service providers and representative (non-exhaustive) examples include:

  • Payment, billing, and financial infrastructure — Stripe, Inc. and other payment service providers, fraud-screening tools, and tax-calculation services that the Company designates from time to time, including (in future) for B2B bank transfers and alternative payment methods.
  • Identity verification, KYC, AML, sanctions, PEP, and adverse-media screening — Persona Identities, Inc. and other identity, document-authenticity, biometric, liveness, deepfake-detection, and risk-screening providers as designated from time to time.
  • AI, machine-learning and language-model providers — OpenAI, Inc.; Anthropic, PBC; Google LLC; Mistral AI; Cohere; ElevenLabs; Deepgram; AssemblyAI, Inc.; and other AI infrastructure providers used for matchmaking, scoring, transcription, summarisation, embeddings, and related processing.
  • Cloud hosting, storage, computing, content-delivery and edge infrastructure — DigitalOcean LLC (with the principal automation server hosted in Frankfurt, Germany — within the European Union); Cloudflare, Inc.; AWS; Google Cloud; and similar.
  • Database, authentication, and session-management services — managed-database providers, single-sign-on providers, and authentication-as-a-service tools.
  • Email, SMS, and messaging infrastructure — Postmark; SendGrid; Mailgun; Brevo; Resend; Twilio; Vonage; and other transactional and marketing email and SMS providers.
  • Communication, video, and meeting platforms — Zoom Video Communications, Inc.; Telegram FZ-LLC; WhatsApp Business via WATI; Daily.co; Google Meet; Microsoft Teams; and similar.
  • Calendaring, event scheduling, and booking systems — Cal.com, Inc.; Calendly, LLC; and similar.
  • Workflow, CRM, sales-pipeline, marketing automation, and recording-management tools — Airtable, Inc.; Kommo, Inc.; HubSpot, Inc.; Notion Labs, Inc.; Pipedrive; Zapier; Make; n8n; Pipedream; Claap; and similar.
  • Meeting transcription, summarisation, and meeting-intelligence tools — AssemblyAI; Otter; Fireflies; Claap; and similar.
  • Customer support, helpdesk, and live-chat tools — Intercom; Crisp; Zendesk; and similar.
  • Vector databases, semantic search, and matching infrastructure — Pinecone; Weaviate; Qdrant; Algolia; Meilisearch; and similar.
  • Analytics, product telemetry, A/B testing, error monitoring, and observability — PostHog; Mixpanel; Amplitude; Google Analytics (with IP anonymisation); Sentry; Datadog; and similar.
  • Document signing and electronic signature platforms — DocuSign; Dropbox Sign (formerly HelloSign); and similar.
  • Survey, form, polling, and feedback tools — Typeform; Tally; and similar.
  • Image, video, media processing, hosting and delivery infrastructure;
  • Other infrastructure, software, and platform tools that the Company determines, in its sole discretion, to be useful or necessary to the operation, security, scalability, or improvement of the Services.

The Company will inform Members of material changes to its sub-processor stack through this Privacy Policy or by direct notice. We require all processors to be bound by written contracts that impose obligations consistent with applicable data protection laws, including the EU Standard Contractual Clauses where required for restricted transfers.

8.2 Other Members

In the course of facilitating introductions, we may share certain elements of your Member profile (such as your name, professional information, and capability description) with other Members, but only after both parties have consented to the introduction in accordance with our Blind Brokerage process. Communications you initiate with other Members are visible to those Members.

8.3 Event Co-Hosts and Partners

Where you attend an event we organise jointly with one or more partners, we may share your registration and attendance information with those partners as necessary to organise the event.

8.4 Professional Advisers

Our auditors, lawyers, accountants, insurers, and other professional advisers, in each case under duties of confidentiality.

8.5 Authorities and Legal Requirements

Government, regulatory, law-enforcement, judicial, or arbitral authorities where required by applicable law or where we reasonably believe disclosure is necessary to protect rights, property, or safety, to enforce our Terms, or to investigate suspected unlawful activity.

8.6 Corporate Transactions

In connection with any actual or proposed merger, acquisition, sale of assets, financing, restructuring, or similar transaction, we may share or transfer Personal Data to the counterparty and its advisers, subject to appropriate confidentiality undertakings.

8.7 With Your Direction

We may share your Personal Data with any other recipient at your express direction or with your consent.

9. Data Retention

We retain Personal Data for the periods set out below.

9.1 Account and Membership Data

Active Members: for the duration of Membership. Following termination or non-renewal: for a period of seven (7) years thereafter, to support legal-claim defence, regulatory inquiries, and the integrity of our Member network.

9.2 KYC and Identity Verification Data

For the duration of Membership plus ten (10) years thereafter, or such longer period as required by AML, counter-terrorism financing, sanctions, or tax-reporting legislation. This obligation survives termination regardless of cause.

9.3 Meeting Recordings and Event Films

Audio and video recordings: three (3) years from the date of recording. Recordings forming part of the evidence base for any pending or reasonably anticipated dispute, investigation, or regulatory inquiry: for the duration of such proceedings plus one (1) year.

9.4 Communications

Email, messaging, and chat content (including WhatsApp, Telegram, and Platform messages): typically up to seven (7) years for content directly related to Membership; shorter periods may apply for ephemeral communications. Backup copies are retained for one hundred and eighty (180) days, then automatically purged.

9.5 Financial Records

Records of transactions, invoices, and tax-relevant documentation: for the period required by applicable tax and accounting legislation, typically seven (7) to ten (10) years.

9.6 Marketing Data

Where you have opted in to marketing, your contact details are retained until you withdraw consent, after which we retain a record of your opt-out indefinitely (so we can respect it).

9.7 Anonymised, De-identified and Aggregated Data

Personal Data anonymised, de-identified, or aggregated such that you can no longer be identified (including, without limitation, vector embeddings, anonymised match scores, anonymised behavioural patterns, and AI-training datasets) is retained in perpetuity for AI training, calibration, statistical analysis, benchmarking, service improvement, and product development. Such data does not constitute Personal Data and is not subject to deletion requests.

9.8 Backups

Encrypted backup copies of operational data are retained for one hundred and eighty (180) days from the date of backup, then automatically purged.

9.9 Legal Hold

Notwithstanding the periods above, we may retain any Personal Data for such additional period as is necessary in connection with any pending or reasonably anticipated legal proceeding, arbitration, regulatory investigation, audit, or dispute.

10. International Data Transfers

10.1 Global Operations

We operate globally and our service providers, infrastructure, and personnel are located in multiple jurisdictions. Personal Data may be transferred to, and accessed from, locations outside your country of residence, including the United Arab Emirates, the European Union (notably Germany, where our principal automation server is hosted), the United Kingdom, the United States, and other locations from time to time.

10.2 Transfer Mechanisms

Where we transfer Personal Data from the EEA, UK, Switzerland, UAE, KSA, or other jurisdiction with cross-border-transfer restrictions, we use appropriate transfer mechanisms, including:

  • EU Standard Contractual Clauses (“SCCs”) (Commission Implementing Decision (EU) 2021/914), supplemented as necessary by the UK International Data Transfer Addendum or UK International Data Transfer Agreement;
  • Adequacy decisions — for example, the EU–US Data Privacy Framework where the recipient is certified;
  • Binding Corporate Rules, where applicable to the recipient;
  • Your explicit consent to a specific transfer, after being informed of the possible risks; or
  • Other valid mechanisms under applicable law, including derogations for specific situations.

We carry out transfer impact assessments where required and apply supplementary technical, contractual, and organisational measures (such as encryption, pseudonymisation, and contractual restrictions on government-access disclosures).

10.3 Data Residency

Our principal automation server is hosted in Frankfurt, Germany (within the European Union), satisfying EU data-residency expectations for the corresponding processing activities.

10.4 GCC Cross-Border Transfers

Members resident in the Kingdom of Saudi Arabia, Bahrain, or other GCC jurisdictions with cross-border data-transfer controls acknowledge that Personal Data may be transferred outside such jurisdictions for the purposes described herein, and the Company ensures appropriate contractual and technical safeguards in line with applicable national requirements.

10.5 Information About Transfer Mechanisms

You may request a copy of the relevant transfer mechanism (with confidential and commercially sensitive information redacted) by contacting us at admin@belegends.club.

11. Pre-Payment Acknowledgement and Layered Disclosure

To support the lawfulness, transparency, and informed-consent requirements of EU GDPR, UK GDPR, UAE PDPL, KSA PDPL, Bahrain PDPA, CCPA/CPRA, and other Applicable Data Protection Law, the Company operates a layered disclosure framework:

  • Public Eligibility Disclosure: the Eligibility Criteria, including the Founder, Senior Executive, and Investor categories and the Zone A/Zone B salary thresholds, are set out in Schedule A of the Website Terms of Use, which is publicly available on the Company’s website prior to any application or payment.
  • Pre-Payment Acknowledgement (Stripe checkout): the Member is required to tick a non-pre-checked acknowledgement box at checkout, the recommended text of which is set out in Schedule B to the Website Terms of Use. The acknowledgement covers eligibility self-certification, the verification process and deadlines, the strict no-refund consequences of an adverse Verification Outcome or deadline lapse, the recording and AI-analysis consents, and acceptance of these Terms.
  • Verification Flow (Persona): the Verification Provider re-presents disclosures and consents specific to the verification process (including biometric processing) at the start of the verification flow.
  • First-Login Re-Confirmation (Platform): on first login following a positive Verification Outcome, the Platform displays a banner re-presenting the Capability Audit deadline, the recording and AI-analysis consents, and the Codex of Honour standards.

This layered disclosure ensures that the Member is informed at multiple points and that consent is documented in a manner aligned with EDPB and UAE PDPL guidance on consent renewal and informed processing.

12. Your Rights

Subject to applicable law, you have the following rights with respect to your Personal Data.

12.1 Right of Access

You may request confirmation as to whether we process Personal Data about you and, if so, a copy together with information about how we process it.

12.2 Right to Rectification

You may request that we correct inaccurate or incomplete Personal Data.

12.3 Right to Erasure (“Right to Be Forgotten”)

You may request deletion, subject to exceptions where retention is required by law (for example, AML, tax, or sanctions retention obligations described in Section 9), where retention is necessary for the establishment, exercise, or defence of legal claims, where retention is necessary to protect another person’s rights, or where the data has been anonymised.

12.4 Right to Restriction of Processing

You may request that we restrict processing in certain circumstances.

12.5 Right to Data Portability

Where we process your Personal Data on the basis of consent or contractual necessity by automated means, you may request a copy in a structured, commonly used, machine-readable format.

12.6 Right to Object and Right to Withdraw Consent

You may object to processing based on legitimate interests on grounds relating to your particular situation. Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawal of consent for AI matching results in transfer to manual-only concierge service, where operationally practicable. Withdrawal of consent for verification or recording means we may be unable to continue providing Membership.

12.7 Rights in Relation to Automated Decision-Making

As described in Section 6.4, you have rights with respect to decisions based solely on automated processing.

12.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a competent supervisory authority. We would, however, appreciate the opportunity to address your concerns first; please contact us at admin@belegends.club.

12.9 California-Specific Rights (CCPA/CPRA)

If you are a California resident, you have additional rights, including: (a) the right to know categories and specific pieces of personal information collected, sources, business purpose, and categories of recipients; (b) the right to delete personal information, subject to legal exceptions; (c) the right to correct inaccurate personal information; (d) the right to opt out of the “sale” or “sharing” of personal information (we do not currently sell or share personal information for cross-context behavioural advertising); (e) the right to limit the use and disclosure of “sensitive personal information” to that which is necessary; and (f) the right not to be discriminated against for exercising your rights. We honour Global Privacy Control (“GPC”) browser signals as required.

12.10 Other Jurisdiction-Specific Rights

Residents of other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana and others), Brazil (LGPD), Canada (PIPEDA), Singapore (PDPA), Australia (Privacy Act), and other jurisdictions may have additional or analogous rights, which we will honour as required.

12.11 How to Exercise Your Rights

Send a written request to admin@belegends.club. Specify clearly the right you wish to exercise and provide sufficient information for us to verify your identity. We will respond within thirty (30) days, or within such shorter period as required. We may extend by sixty (60) days for complex requests. We may charge a reasonable fee or refuse manifestly unfounded, excessive, or repetitive requests.

12.12 Authorised Agents

You may designate an authorised agent to make a request on your behalf. We will require evidence of authorisation.

13. Children’s Personal Data

The Services are not directed at children under eighteen (18). We do not knowingly collect Personal Data from children. If you believe we may have inadvertently collected Personal Data from a child, please contact admin@belegends.club.

14. Cookies and Similar Technologies

This Section 14 describes how the Company uses cookies and similar tracking technologies on belegends.club. It is intended to satisfy the disclosure and consent requirements of the EU ePrivacy Directive (Directive 2002/58/EC, as amended), the UK Privacy and Electronic Communications Regulations (PECR), the German Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG), and equivalent provisions in other jurisdictions.

14.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work, to make them work more efficiently, and to provide information to website operators. Similar technologies include pixel tags, web beacons, local storage, session storage, and software development kits (SDKs).

14.2 Categories of Cookies We Use

Strictly Necessary cookies. Essential for the operation of the Services (authentication, session management, security, load balancing, fraud prevention). These are set without consent because the Services cannot function without them. Lawful basis: Article 6(1)(f) GDPR (legitimate interests) and Article 5(3) ePrivacy Directive (strictly necessary exemption).

Functional cookies. Enhance functionality and personalisation (language preference, region preference, accessibility settings). Set only with your consent.

Analytics cookies. Help us understand how visitors interact with the Services so we can improve performance, content, and user experience. Set only with your consent. Where technically feasible, we configure analytics tools with IP anonymisation enabled.

Marketing cookies. Used (where deployed) to deliver relevant content, measure campaign effectiveness, and limit the frequency with which you see advertisements. Set only with your consent. As at the Effective Date, the Company does not deploy third-party advertising or cross-context behavioural advertising tracking.

14.3 Consent and Preference Management

On your first visit to the Services, you will be presented with a cookie consent banner that allows you to accept all non-essential cookies, reject all non-essential cookies, or set granular preferences by category. You may change your preferences at any time through the cookie preferences link in the website footer or by contacting admin@belegends.club. Strictly necessary cookies are set without consent because they are essential for the Services to function. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

14.4 Third-Party Cookies

Certain features of the Services (for example, video playback embedded from third-party platforms, payment processing through Stripe, identity verification through Persona) may set cookies controlled by those third parties. The Company is not responsible for the operation or accuracy of third-party cookies. The third-party providers used in the Services are described in Sections 6.3, 7, and 8 above.

14.5 Browser Controls and Do-Not-Track Signals

Most web browsers allow you to view, manage, delete, and block cookies through their settings. Disabling strictly necessary cookies will impair or prevent your use of the Services. The Services honour Global Privacy Control (GPC) signals as required by applicable law (notably under the California Consumer Privacy Act, as amended by the California Privacy Rights Act). Browser-based Do-Not-Track signals are not currently subject to a uniform technical standard, and the Services do not respond to such signals other than as required by GPC.

14.6 Specific Cookies in Use

The cookies and similar technologies set on belegends.club, together with their respective providers, purposes, durations, and categories, are presented to the Member through the in-banner cookie preference centre on first visit and through the cookie preferences link in the website footer. The list may change from time to time as the Company adds, removes, or replaces tools.

14.7 Updates to This Section

This Section 14 may be updated from time to time to reflect changes in technology, applicable law, or the cookies and similar technologies we use. Material changes will be announced through the cookie banner and the Privacy Policy effective-date update.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The version, effective date, and a summary of material changes will be displayed at the top of the policy. Material changes will be notified at least fourteen (14) days prior to taking effect. The Company further reserves the right to require existing Members to re-acknowledge a materially updated Privacy Policy as a condition of continued access to the Services.

16. Contact and Complaints

If you have any questions, comments, complaints, or wish to exercise any data subject right, please contact us:

Legends Elite Events L.L.C
Office 333, M35, Al Muraqabat, Dubai, United Arab Emirates
Department of Economy and Tourism, Government of Dubai
Commercial Licence No. 1558637  |  Commercial Register No. 2716651
Email: admin@belegends.club
Website: belegends.club

16.1 EU Representative

Where required by Article 27 of Regulation (EU) 2016/679, the Company will appoint and publish details of a representative in the European Union. As at the Effective Date, the Company operates on an invitation-only basis, does not actively offer goods or services to data subjects in the European Union within the meaning of GDPR Article 3(2), and accordingly is not currently required to appoint such a representative. An EU representative will be appointed and published in this Privacy Policy and on the Company’s website prior to any active marketing into the European Union.

16.2 UK Representative

Where required by Article 27 of the United Kingdom General Data Protection Regulation, the Company will appoint and publish details of a representative in the United Kingdom on the same terms as set out in Section 16.1 above with respect to the European Union.

16.3 Privacy Contact

Our designated point of contact for all data protection matters is admin@belegends.club.

17. Jurisdiction-Specific Addenda

This Section provides additional disclosures required under specific jurisdictions, which apply in addition to (and prevail over, in case of conflict for that jurisdiction’s residents) the foregoing provisions.

17.1 European Union and EEA (EU GDPR)

Controller, legal bases, transfers, rights, and complaint procedures are described in Sections 1.1, 5, 10, 12. EU representative: as identified in Section 16.1.

17.2 United Kingdom (UK GDPR + DPA 2018)

This Privacy Policy applies in substantially the same form. The Information Commissioner’s Office (ICO) is the competent supervisory authority. UK representative: Section 16.2. We rely on the UK International Data Transfer Addendum or UK International Data Transfer Agreement for restricted UK-originated transfers.

17.3 United Arab Emirates (UAE PDPL + DIFC + ADGM)

This Privacy Policy is intended to comply with UAE Federal Decree-Law No. 45 of 2021, the DIFC Data Protection Law (DIFC Law No. 5 of 2020), and the ADGM Data Protection Regulations 2021, as applicable. The UAE Data Office, the DIFC Commissioner of Data Protection, and the ADGM Commissioner are the relevant authorities.

17.4 Kingdom of Saudi Arabia (KSA PDPL)

Processing of KSA residents’ Personal Data is conducted on the basis of consent or other lawful basis under the KSA Personal Data Protection Law (2023). The Saudi Data and Artificial Intelligence Authority (SDAIA) is the competent authority.

17.5 Bahrain (PDPA)

Processing is conducted in accordance with the Bahrain Personal Data Protection Law (Law No. 30 of 2018). The Personal Data Protection Authority is the competent authority.

17.6 California (CCPA/CPRA)

17.6.1 Categories of Personal Information Collected (Last 12 Months). Identifiers; customer records; characteristics of protected classifications (only where voluntarily provided); commercial information; internet/network activity; geolocation (approximate); audio/visual (meeting recordings, photographs); professional/employment information; inferences; and sensitive personal information (government identifiers, biometric data for KYC, account log-in credentials, contents of communications).

17.6.2 Sources, Purposes, and Disclosures. Sources: Section 3. Business and commercial purposes: Section 4. Categories of recipients: Section 8.

17.6.3 No Sale or Sharing for Cross-Context Behavioural Advertising. We do not sell Personal Information for monetary or other valuable consideration, nor share Personal Information for cross-context behavioural advertising as defined under the CPRA. We honour Global Privacy Control signals.

17.6.4 Sensitive Personal Information. We use sensitive personal information only as necessary and for the limited purposes permitted by CPRA Section 1798.121.

17.6.5 Notice at Collection. This Privacy Policy serves as our Notice at Collection.

17.7 Other US States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other US states with comprehensive privacy laws have rights substantially analogous to those described above.

BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY AND UNDERSTAND HOW WE COLLECT, USE, STORE, SHARE, AND PROTECT YOUR PERSONAL DATA, INCLUDING THE CONSENTS GRANTED AS PART OF THE PRE-PAYMENT ACKNOWLEDGEMENT AND THE COMPREHENSIVE RECORDING AND ANALYSIS CONSENTS IN SECTION 9.3 OF THE WEBSITE TERMS OF USE.