WAYFARER CAFE DIFC
DATA PROTECTION, PRIVACY, COOKIE, AND MARKETING CONSENT POLICY
(Conforming to DIFC Data Protection Law No. 5 of 2020 and Associated Regulations)
Effective Date: 25.05.2025
Trade License No.: CL7180
Registered Entity: Dubai International Financial Centre (DIFC), United Arab Emirates

1. LEGAL BASIS, JURISDICTION, AND PURPOSE OF THIS POLICY
This Privacy and Data Protection Policy (the "Policy") is adopted by Wayfarer Cafe DIFC, a legal entity duly incorporated and operating under the jurisdiction of the Dubai International Financial Centre (DIFC), pursuant to the regulatory oversight of the DIFC Commissioner of Data Protection and subject to relevant obligations under the DIFC Data Protection Law No. 5 of 2020 ("DIFC DP Law").
This Policy sets forth the internal and public-facing standards governing the collection, processing, transfer, retention, storage, and destruction of Personal Data by Wayfarer Cafe DIFC, in its capacity as Data Controller, and, where relevant, as Joint Controller or Processor.
Where applicable, and to the extent processing occurs outside the DIFC, this Policy is aligned with the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), as well as global best practices derived from the EU General Data Protection Regulation (GDPR) for adequacy-based processing and international transfers.

2. POLICY APPLICABILITY AND SCOPE
This Policy applies to:
  • Any data subject whose Personal Data is processed by Wayfarer Cafe DIFC, including but not limited to: customers, website visitors, marketing recipients, loyalty program members, job applicants, and vendors;
  • All forms of Personal Data collected via online interfaces (including websites, forms, QR-code campaigns, and mobile applications), in-person communications, physical records, or telephonic interactions;
  • All employees, contractors, processors, and sub-processors engaged in data handling on behalf of Wayfarer Cafe DIFC.

3. CONTROLLER IDENTIFICATION
Data Controller: Wayfarer Cafe DIFC
Trade License Number: CL7180
Jurisdiction: DIFC, Dubai, United Arab Emirates
Registered Address: Limestone House
Privacy Contact Point: welcome@wayfarer.ae

4. DEFINITIONS AND INTERPRETATION
The terms used in this Policy shall have the meaning ascribed to them under Article 2 of the DIFC DP Law. For clarity:
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing" refers to any operation performed on Personal Data including collection, recording, structuring, storage, adaptation, use, disclosure, alignment, restriction, or erasure.
  • "Consent" means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they signify agreement to the processing.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means any party that processes Personal Data on behalf of the Controller.
  • "Commissioner" means the DIFC Commissioner of Data Protection.

5. PRINCIPLES OF DATA PROCESSING
All Personal Data processed by Wayfarer Cafe DIFC is handled in accordance with the following principles (Article 9, DIFC DP Law):
  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
  • Accountability
The lawful bases for processing Personal Data include:
  • Explicit consent (Art. 10(1)(a))
  • Necessary for the performance of a contract (Art. 10(1)(b))
  • Compliance with legal obligations (Art. 10(1)(c))
  • Legitimate interests, balanced against the rights and freedoms of the Data Subject (Art. 10(1)(f))

6. CATEGORIES OF PERSONAL DATA AND PROCESSING PURPOSES6.1 Personal Data Categories
  • Identity Information: full name, date of birth, nationality (optional)
  • Contact Details: phone number, email address, physical address
  • Preference and Interaction Data: order history, dietary preferences, marketing engagement
  • Location and Device Data: IP address, device ID, geolocation
  • Social Identifiers: social media handles, WhatsApp ID (if voluntarily submitted)
  • Consent Records: timestamped logs and audit trails of opt-ins and withdrawals

6.2 Purposes of Processing
  • Processing reservations and responding to customer inquiries
  • Sending marketing materials and promotional campaigns
  • Administering loyalty or invitation-only experiences
  • Enabling website functionality and user analytics
  • Complying with regulatory obligations under DIFC law
  • Internal reporting, risk management, and legal defense

7. COOKIE POLICY7.1 Purpose and Scope of Cookie Use
Wayfarer Cafe DIFC (“Wayfarer”) utilizes cookies and related tracking technologies on its websites and digital services to ensure optimal user experience, provide necessary site functionality, conduct analytical research, enable security protocols, and support direct and behavioural marketing initiatives.

7.2 Legal Basis for Cookie Deployment
Pursuant to Articles 10 and 13 of the DIFC DP Law, cookies that are not strictly necessary are deployed only upon obtaining informed, specific, freely given, and affirmative consent of the data subject, evidenced through a positive act (e.g., clicking “Accept” on a cookie banner).

7.3 Types of Cookies
Wayfarer may deploy the following types of cookies:
  • Strictly Necessary Cookies: These are essential to enable navigation and core functionality (e.g., reservation submission, language settings). Consent is not required.
  • Performance Cookies: These gather anonymised statistical data on how users interact with the website, to improve site structure, navigation, and functionality.
  • Functionality Cookies: These remember choices made by users to personalise site experience (e.g., saving user preferences, account history).
  • Targeting and Advertising Cookies: These track browsing habits across websites to build user profiles for interest-based advertising campaigns.

7.4 Duration and Retention of Cookies
Cookies may be:
  • Session-based: Automatically deleted upon browser closure.
  • Persistent: Stored for a predefined period, typically no longer than 12 months, unless renewed by user interaction.

7.5 Third-Party Cookies
Cookies placed by third-party platforms (e.g., Google Analytics, Facebook Pixel, Meta Business Tools) may be used for performance monitoring or behavioural targeting. Wayfarer discloses such use in its banner and obtains consent.

7.6 Consent Management Platform (CMP)
Wayfarer maintains a Consent Management Platform, allowing users to:
  • Provide granular consent to categories of cookies;
  • Withdraw or modify consent at any time;
  • Access a log of prior consent activity (where technically feasible).

8. RIGHTS OF DATA SUBJECTS UNDER DIFC LAW
Pursuant to Articles 32–38 of the DIFC DP Law, all natural persons whose Personal Data is processed by Wayfarer Cafe DIFC are entitled to exercise the following legally protected rights:
8.1 Right of Access
You may request confirmation as to whether we are processing your Personal Data, and where that is the case, access to the data and additional details regarding processing purposes, categories, recipients, and safeguards in place for international transfers.
8.2 Right to Rectification
You may request the correction or update of inaccurate or incomplete Personal Data we maintain.
8.3 Right to Erasure (“Right to Be Forgotten”)
You may request deletion of Personal Data where:
  • The data is no longer necessary for the purposes for which it was collected;
  • You have withdrawn your consent and no other legal ground exists;
  • The processing was unlawful;
  • Erasure is required under DIFC law.
8.4 Right to Restriction of Processing
You may request limitation of processing where:
  • The accuracy of the data is contested;
  • Processing is unlawful and you oppose erasure;
  • You require data for legal claims while we no longer need it.
8.5 Right to Object
You may object to processing based on legitimate interests or for direct marketing, including profiling related to such purposes.
8.6 Right to Data Portability
You may request to receive your data in a structured, commonly used, and machine-readable format, or request its direct transmission to another controller.
8.7 Right to Lodge a Complaint
You may submit a complaint to the DIFC Commissioner of Data Protection regarding any alleged breach of your data protection rights.

9. MARKETING COMMUNICATIONS AND CONSENT FRAMEWORK
Wayfarer shall not use any Personal Data for direct electronic marketing (including via email, SMS, WhatsApp, or push notifications) unless the Data Subject has provided prior, informed, and unambiguous opt-in consent in accordance with Article 10(2)(b) of the DIFC DP Law.
9.1 Consent Parameters
  • Consent must be obtained through affirmative action (e.g., checkbox, form submission).
  • Pre-ticked boxes or inactivity shall not constitute valid consent.
  • Records of consent shall be retained in accordance with Section 11 of this Policy.
9.2 Scope of Marketing Communications
Marketing content may include:
  • Promotions, discounts, and offers;
  • Invitations to events and seasonal menus;
  • Announcements regarding loyalty programs or affiliate experiences.
9.3 Consent Withdrawal
Data Subjects may withdraw consent at any time by:
  • Clicking the “unsubscribe” link provided in electronic communications;
  • Replying “STOP” to an SMS or WhatsApp message;
  • Emailing a request to: [Insert Email Address].
Such withdrawal shall be honoured without undue delay, and the Data Subject shall be added to a suppression list to prevent further contact unless reconsented.