Legal · Privacy
Privacy Policy
This policy explains how Planets IX Technology Consulting FZCO collects, uses, stores, transfers, and protects personal and business information across all its platforms, websites, and services, in accordance with the law applicable to your use of the Service.
Governing law: UAE Federal Law (IFZA) · Contact: care@planets9.com
Section 01
Definitions
In this policy the following terms have the meanings set out below.
- Personal Data
- Any information relating to an identified or identifiable natural person, including name, email address, device identifiers, and any data that can — alone or in combination — identify an individual.
- Processing
- Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction.
- Controller
- The entity that determines the purposes and means of processing Personal Data. Planets IX acts as Controller (or local equivalent — Data Fiduciary, Business, Operator — as defined under applicable law) for data collected directly through the Service.
- Processor
- An entity that processes Personal Data on behalf of a Controller. Planets IX acts as Processor for Personal Data submitted by enterprise clients about their employees or candidates, under a Data Processing Agreement.
- Service
- All platforms, applications, websites, and services operated by Planets IX Technology Consulting FZCO — including PlanetsHR™, PlanetsClients™, PlanetsVendor™, PlanetsWellness™, PlanetsCapital™, planets9.com, planetshr.com, and associated subdomains — whether current or introduced in future.
- Intelligence Output
- Any report, profile, assessment, analysis, or other structured output generated by the Service from data submitted by or about a user or individual.
- Sensitive Data
- Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or medical information, biometric data, genetic data, sexual orientation, or criminal record, as defined under applicable law.
- Sub-processor
- A third-party processor engaged by Planets IX to assist in delivering the Service.
Section 02
Who We Are
Planets IX Technology Consulting FZCO is a human intelligence technology company registered with the International Free Zone Authority (IFZA), Dubai, UAE. We operate a suite of intelligence platforms under the Planets IX brand, accessible via planets9.com and associated platform domains.
| Legal Entity | Planets IX Technology Consulting FZCO |
| Registration | IFZA — International Free Zone Authority, Dubai, UAE |
| Address | IFZA Business Park, DSO, Dubai, United Arab Emirates |
| Master Website | https://planets9.com |
| Platform Domains | planetshr.com · aly9.planetshr.com · and associated subdomains |
| Privacy Contact | care@planets9.com |
| Grievance Officer | Privacy & Grievance Officer — care@planets9.com |
| DPO | To be designated where required under applicable law prior to operations in the relevant jurisdiction. Contact care@planets9.com for current status. |
Planets IX acts as Controller (or local equivalent) for Personal Data collected directly through the Service. Where an enterprise client engages Planets IX to process data about its employees or candidates, Planets IX acts as Processor, and a separate Data Processing Agreement (DPA) governs that relationship. This single Privacy Policy governs all Planets IX platforms and domains, current and future.
Data Protection Principles
Planets IX processes Personal Data in accordance with the following principles, applied globally:
- Lawfulness, fairness, and transparency — processing on a lawful basis with clear disclosure to individuals
- Purpose limitation — data collected for specified, explicit purposes and not processed incompatibly
- Data minimisation — only information reasonably necessary for the stated purposes is collected
- Accuracy — reasonable steps are taken to keep data accurate and up to date
- Storage limitation — data retained only as long as necessary or required by law
- Security — appropriate technical and organisational measures protect data against unauthorised access, loss, or destruction
- Accountability — records of processing activities are maintained and compliance with applicable law is demonstrable
Section 03
The Information We Collect
We collect only what is necessary for the purposes described in this policy.
3.1 Business and Statutory Information
- Legal business name, trading name, and company registration number
- Certificate of Incorporation and equivalent formation documents
- Tax identification numbers — GST/GSTIN, VAT, EIN, UEN, TRN, and equivalents across applicable jurisdictions
- Registered and principal operating addresses
- Details of directors, partners, beneficial owners, and authorised signatories
- Other documents submitted for verification, onboarding, or compliance purposes
Statutory documents are collected solely to verify your business, fulfil compliance obligations, and deliver the Service. We do not sell, lease, or trade these documents and do not use them for marketing.
3.2 Personal Information
- Full name, job title, and role within the organisation
- Business email address, telephone number, and other contact details
- Login credentials — passwords are stored in hashed, non-readable form and are never retained in plaintext
- Date of birth or other reference parameters, where voluntarily provided for generating an Intelligence Output
- Any Personal Data contained within documents you upload to the Service
3.3 Payment and Transaction Information
Payment is processed by authorised, PCI-DSS compliant third-party payment service providers. Planets IX does not store full card numbers, CVV codes, or sensitive authentication data. We retain only:
- Transaction reference number and payment status
- Amount, currency, and date of transaction
- Masked card or payment method identifier (e.g. last four digits) as provided by the payment processor
- Billing name and billing address
- Information required for dispute resolution, fraud prevention, and regulatory compliance
3.4 Intelligence Data
The Service generates Intelligence Outputs from data you or your organisation submits. These outputs are treated with the same protection as the underlying Personal Data from which they are derived. They do not constitute medical diagnoses, psychological evaluations, financial assessments, or predictions of future conduct. See Section 9 for full disclosure on automated processing.
3.5 Automatically Collected Information
- IP address, device type, operating system, and browser information
- Usage data — pages visited, features accessed, session duration, and session identifiers
- Cookies and similar tracking technologies (see Section 10)
We do not collect Sensitive Data except where strictly necessary for a disclosed purpose and with an appropriate lawful basis. Where Sensitive Data is collected, explicit consent is obtained.
3.6 AI Infrastructure Disclosure
Where Planets IX uses third-party AI infrastructure providers to assist in generating Intelligence Outputs, such providers operate solely under our contractual instructions, are bound by data protection obligations, and are listed in our sub-processor register available on request from care@planets9.com. We do not use your submitted data to train or improve any third-party AI model without your separate, explicit consent.
Section 04
Why We Collect Your Information — Lawful Basis
We process Personal Data for specific, disclosed purposes only. Where UAE law applies, processing is conducted on one or more grounds recognised under Federal Decree-Law No. 45 of 2021 on Personal Data Protection — including consent, contractual necessity, legal obligation, or other grounds permitted by applicable law. Where the laws of another jurisdiction apply, we rely on the equivalent lawful ground under that law.
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| Account & contact details | Create and manage accounts; deliver the Service | Contract |
| Statutory business documents | Verify business identity; fulfil compliance obligations | Legal obligation; legitimate interest in fraud prevention |
| Payment and transaction data | Process payments; maintain transaction records | Contract; legal obligation (financial record-keeping) |
| Reference parameters submitted for analysis | Generate Intelligence Outputs | Contract; explicit consent where outputs engage Sensitive Data |
| Transaction and account activity data | Fraud prevention, AML monitoring, chargeback defence | Legal obligation; legitimate interest in platform security |
| Contact details | Communicate about your account and the Service | Contract |
| Usage and device data | Improve, secure, and maintain the Service | Legitimate interest |
| Contact details, preferences | Marketing communications | Consent — withdrawable at any time without affecting prior processing |
| Account, payment, and statutory records | Comply with legal, regulatory, and tax obligations | Legal obligation |
| Account and transaction data | Respond to law enforcement and regulatory requests | Legal obligation; legitimate interest |
| Relevant case data | Defend or pursue legal claims | Legitimate interest; legal obligation |
Where multiple lawful bases apply simultaneously, we rely on each independently. We do not use Personal Data for purposes incompatible with those disclosed here without prior consent or a new lawful basis.
Legitimate Interest Assessments
Where we rely on legitimate interest as a lawful basis, we conduct an internal assessment to confirm that our interest in the processing is not overridden by the interests, rights, or freedoms of the individuals concerned. This assessment considers the nature of the data, the reasonable expectations of the individual, and the availability of less intrusive means of achieving the same purpose.
Data Protection Impact Assessments
Where processing is likely to present a high risk to the rights and freedoms of individuals — including certain profiling and automated processing activities described in Section 9 — Planets IX conducts a Data Protection Impact Assessment (DPIA) before that processing begins, in accordance with applicable law.
Records of Processing
Planets IX maintains records of its processing activities as required under applicable data protection law, including UAE PDPL and, where applicable, UK GDPR and equivalent frameworks. These records are available to the relevant supervisory authority on request and, in summary form, to enterprise clients conducting due diligence.
Section 05
How We Share Your Information
We do not sell, lease, rent, or trade Personal Data. We share it only in the following limited circumstances and only to the extent strictly necessary.
| Payment Processors | PCI-DSS compliant payment service providers and payment orchestration platforms. Bound by contract to use data only for transaction processing, fraud prevention, and regulatory compliance. |
| Service Providers | Cloud hosting, identity verification, analytics, communications, and security providers. All bound by written contract to protect data and act only on our instructions. |
| AI Infrastructure | Where used, third-party AI infrastructure providers operating solely under our contractual instructions. Listed in our sub-processor register, available on request. |
| Enterprise Clients | Where a client has engaged the Service to generate Intelligence Outputs about individuals within their organisation, outputs are shared with the client under a DPA. Individuals are informed of this at or before the point of data collection. |
| Legal Authorities | Where required by applicable law, court order, or regulatory directive, or to protect our legal rights, safety, or platform security. All requests are reviewed for legal validity before disclosure. |
| Fraud and AML Bodies | Where required by applicable anti-money laundering, counter-fraud, or payment compliance obligations. |
| Business Transfers | In a merger, acquisition, or restructuring, your information may transfer to the successor entity subject to equivalent privacy protections. You will be notified in advance. |
A current sub-processor register is available on request from care@planets9.com.
Section 06
International Data Transfers
Planets IX is headquartered in Dubai, UAE. Because the Service is accessed globally, Personal Data may be transferred to, stored in, and processed in countries other than the one from which it was submitted.
Data residency. Our primary data residency is in the UAE. Data may additionally be stored within cloud infrastructure operated by contracted infrastructure providers in other regions. We do not promise UAE-only localisation; we promise that wherever data is stored, it is subject to contractual protections equivalent to those required under UAE PDPL and, where applicable, other relevant data protection frameworks. Contact care@planets9.com for current infrastructure details.
Transfer mechanisms. Where we transfer Personal Data to a country not recognised as providing adequate protection under the laws of the originating country, we rely on one or more of the following, as applicable: Standard Contractual Clauses (SCCs); the UK International Data Transfer Addendum or UK IDTA; Binding Corporate Rules; an applicable adequacy decision; explicit consent obtained at collection; or other transfer mechanisms recognised under applicable law.
Subprocessor notification. Enterprise customers will be notified of material new subprocessors at least 30 days before appointment and may raise an objection during that period through the channel specified in their Data Processing Agreement. A current subprocessor register is available on request from care@planets9.com.
EEA / UK Representative. Planets IX does not currently target the European Economic Area or the United Kingdom as a primary market. Where our operations expand such that an EU or UK Representative is required under applicable law, we will appoint one and publish their contact details here.
Transfer impact assessments. We maintain transfer impact assessments for material data transfer corridors. These are available to regulators and, on request, to enterprise clients conducting due diligence. Contact care@planets9.com.
Section 07
How Long We Retain Your Information
We retain Personal Data only for as long as necessary for the purposes set out in this policy, or as required by applicable law.
| Account & Profile | Active account duration plus 3 years after closure or last active use, unless a longer statutory period applies. |
| Statutory Documents | 8 years from receipt, consistent with UAE commercial law and equivalent statutory minimums across operating jurisdictions. |
| Payment Records | 7 years from the transaction date, required for tax, audit, and dispute resolution obligations across operating jurisdictions. |
| Intelligence Outputs | Duration of client engagement plus 3 years. Enterprise clients may specify periods in the DPA, subject to legal minimums. |
| Usage Logs | Identifiable logs: 12 months. Aggregated or irreversibly anonymised analytics: no fixed limit. |
| Marketing Data | Until consent is withdrawn or you unsubscribe, after which contact details are suppressed unless you request erasure. |
| Legal Claims Data | Where data is relevant to an ongoing or anticipated legal claim, retained for the duration of that claim plus any applicable limitation period, notwithstanding deletion requests. |
When data is no longer required and no retention obligation applies, we securely delete or irreversibly anonymise it across live systems and routine backups within a reasonable operational cycle. Deletion requests are processed within 30 days, subject to retention obligations that may defer or limit deletion. Where deletion is deferred — including where data is subject to a legal hold for anticipated or ongoing litigation, investigation, or regulatory proceeding — we will inform you of the reason and, where determinable, the expected deletion date.
Jurisdiction hierarchy. Where the law of the jurisdiction from which you access the Service grants you privacy rights stronger than, or in addition to, those described in this policy, those local rights prevail and apply to you in full.
Section 08
How We Protect Your Information
- AES-256 encryption for data and documents at rest, including backups; TLS 1.2 or higher for all data in transit
- Passwords stored in hashed, non-readable form — never in plaintext
- Role-based access controls enforced at the infrastructure layer on a need-to-know basis
- User-permissioned data model — Intelligence Outputs accessible only to parties you or your organisation authorise
- Multi-factor authentication (MFA) for platform administrative access
- Continuous monitoring, intrusion detection, and access logging
- Periodic security audits and vulnerability assessments by internal and external reviewers
- PCI-DSS compliant payment infrastructure — payment credentials never touch our servers
- Employee confidentiality obligations covering all Personal Data processed
- Vendor security due diligence and contractual review before and during engagement of any sub-processor
- Formal incident response programme including post-incident review and remediation
- Privacy and security considerations incorporated into product design and development from the earliest stages
Planets IX may maintain or pursue industry-recognised security certifications and frameworks as the platform matures. Enterprise customers may request our current security posture, standard Data Processing Agreement, and subprocessor register from care@planets9.com.
Suspected security incidents affecting your data may be reported immediately to care@planets9.com. In the event of a Personal Data breach posing material risk to affected individuals, we will notify the relevant supervisory authority within legally required timeframes under applicable law in the affected jurisdiction, and notify affected individuals without undue delay. Notification will describe the nature of the breach, data affected, steps taken, and recommended protective action.
Section 09
Automated Processing and Profiling
The Service uses automated processing to generate Intelligence Outputs from data you or your organisation submits.
What it does. Our proprietary analytical framework processes reference parameters — including dates, role information, and structured business data you submit — to produce structured behavioural profiles, role-fit assessments, and compatibility analyses. The framework applies Planets IX's proprietary methodology consistently. These outputs are interpretive decision-support tools, not statements of fact. They do not constitute medical, psychological, financial, legal, or investment advice.
What it does not do. Our framework is non-predictive by design. It does not produce predictions of future behaviour, health outcomes, financial performance, or legal status. It does not make legally or materially significant decisions about individuals autonomously. No employment, promotion, compensation, termination, credit, or clinical decision is made by the Service without human involvement.
Processing on documented instructions. Where Planets IX processes employee, contractor, or candidate information on behalf of an enterprise client, that processing is performed solely under the client's documented written instructions and the applicable Data Processing Agreement. Planets IX does not independently determine the purposes of that processing.
Solely automated decisions. Planets IX is not intended to make solely automated decisions producing legal or similarly significant effects on individuals. Enterprise clients and individual users must ensure meaningful human review before any employment, investment, compensation, promotion, or comparable decision is made on the basis of an Intelligence Output.
Human judgment requirement. All Intelligence Outputs are intended to supplement, not replace, professional human judgment. Individuals and enterprise clients are responsible for verifying the accuracy, completeness, and suitability of any output before relying upon it for any significant decision.
Your rights. Where applicable law confers rights in relation to automated processing — including the right to contest a decision, express your point of view, object to the processing, and request human review — we fulfil those rights in full. On request, we provide meaningful information about the significance and likely consequences of the output for the individual concerned, without disclosing Planets IX's proprietary analytical methodology.
Human review workflow. Requests for human review are handled by a member of the Planets IX team with relevant subject-matter familiarity, independent of the original output. We acknowledge within 5 business days and respond substantively within 30 days. Possible outcomes include confirmation, correction, supplementary clarification, or withdrawal of the output.
Fairness review. We periodically evaluate our analytical methodology for consistency and unintended bias as part of our ongoing product governance. No analytical methodology can eliminate all potential bias, and Enterprise Clients and individual users remain responsible for ensuring outputs are used fairly and lawfully.
Output accuracy. Like any analytical or computational system, Intelligence Outputs may occasionally contain inaccuracies, omissions, or interpretations that require human verification before reliance.
Section 10
Cookies and Similar Technologies
| Essential | Required for the Service to function — session management, authentication, security. Typically expire at end of session or within 30 days. Cannot be disabled without impairing functionality. No consent required. |
| Analytics | Aggregate platform usage understanding (e.g. usage analytics, performance monitoring tools). Typically persist up to 24 months. Used in anonymised or pseudonymised form. Subject to prior consent where required by applicable law. |
| Preference | Store your settings and personalisation choices between sessions. Typically persist up to 12 months. Subject to consent where required. |
| Marketing | Used only with your explicit prior consent (e.g. campaign attribution and retargeting tools). Typically persist up to 12 months. Withdrawable at any time. |
The specific third-party providers used for analytics, marketing, payment, and support cookies may change over time as our vendor relationships evolve. A current list of active cookie providers is available through the Cookie Preference Centre.
You may withdraw or modify cookie consent at any time through the Cookie Preference Centre, accessible from the footer of all platform pages, or reject all non-essential cookies at any time. Withdrawing consent does not affect the lawfulness of prior processing. Where required by applicable law, a consent banner is displayed on first visit and consent is recorded before any non-essential cookies are set.
We honour recognised browser-based privacy signals, including the Global Privacy Control (GPC), as an opt-out of non-essential tracking where technically supported and legally required. We do not currently respond differently to the Do Not Track (DNT) browser signal, as no common industry standard for its interpretation has been adopted.
Section 11
Your Rights
You have rights in relation to your Personal Data under the law of the jurisdiction from which you access the Service. We honour the rights available to you under applicable law without requiring you to justify your request. Rights include, where available under applicable law:
- Access — obtain confirmation of whether we process your Personal Data and receive a copy
- Rectification — correct inaccurate or incomplete Personal Data
- Erasure — request deletion of Personal Data, subject to legal retention obligations
- Portability — receive Personal Data in a structured, machine-readable format where technically feasible
- Object or opt out — object to processing based on legitimate interest, or opt out of the sale or sharing of your data, or opt out of profiling used for decisions with legal or similarly significant effects, where applicable
- Restrict processing — request that processing be limited to storage only in certain circumstances
- Withdraw consent — withdraw consent at any time without affecting prior lawful processing
- Appeal — where a rights request is refused, appeal that refusal within the timeframe specified in our refusal notice; we will explain the reason and the appeal process
- Nominate a representative or authorised agent — in certain jurisdictions, nominate another individual or a verified authorised agent to exercise your rights on your behalf, including in the event of death or incapacity
- Lodge a complaint — complain to the relevant supervisory authority in your jurisdiction
We do not sell Personal Data, and we do not share Personal Information for cross-context behavioural advertising. Where applicable US state law distinguishes "sale" from "sharing," both statements apply.
To exercise any right, contact care@planets9.com. We will acknowledge within 5 business days and respond substantively within 30 days (or such other timeframe required under applicable law in your jurisdiction), extendable by a further 30 days for complex requests with notice to you. Before processing a request, we may take reasonable steps to verify your identity, to ensure Personal Data is not disclosed to the wrong person. Where you act through a verified authorised agent, we may require evidence of the agent's authority and may verify your identity directly before processing the request. We will not charge a fee for reasonable requests; manifestly unfounded, repetitive, or excessive requests may be refused or subject to a reasonable administrative fee, with our reasoning explained to you.
Grievance Redressal
| Officer | Privacy & Grievance Officer, Planets IX Technology Consulting FZCO |
| care@planets9.com | |
| Address | IFZA Business Park, DSO, Dubai, United Arab Emirates |
| Response | Acknowledged within 5 business days; resolved within 30 days |
If you are not satisfied with our response, you may appeal in writing to care@planets9.com with "Appeal" in the subject line; appeals are reviewed by a member of the team not involved in the original decision and decided within 30 days. If still unresolved, you may escalate to the relevant supervisory or consumer authority in your jurisdiction — including, where applicable, the UK Information Commissioner's Office, Singapore's Personal Data Protection Commission, or the relevant UAE data protection authority. We will provide the appropriate authority contact upon request.
Section 12
Children's Privacy
The Service is directed exclusively at businesses and professionals. We do not knowingly collect Personal Data from individuals under 18 without verifiable parental or guardian consent. Where a jurisdiction defines a child at a lower age threshold, that threshold applies additionally. If we discover Personal Data has been collected from a child without appropriate consent, we will delete it promptly. Contact care@planets9.com immediately if you believe we hold information from a minor in error.
Section 13
Law Enforcement, Regulatory Requests, and Fraud Monitoring
We may disclose Personal Data to law enforcement, regulatory authorities, or courts where legally required. All such requests are reviewed for legal validity, jurisdiction, and proportionality before any disclosure is made. We do not disclose more data than required to fulfil the specific lawful request. Where legally permitted, we notify you of a request for your data.
We conduct fraud monitoring, anti-money laundering screening, and payment abuse detection as required by applicable law and by our obligations to payment processors and acquiring banks. Transaction data may be shared with fraud prevention bodies and payment processors for these purposes.
Section 14
Data Accuracy and Output Disclaimer
The quality and relevance of Intelligence Outputs depends materially on the accuracy and completeness of the data submitted. You are responsible for ensuring that all information you provide is accurate, current, and submitted with proper authority.
Individuals and enterprise clients remain responsible for verifying the accuracy, completeness, and suitability of any Intelligence Output before relying upon it for employment, commercial, regulatory, investment, or other significant decisions. Planets IX provides decision-support tools and does not replace professional judgment, legal advice, medical evaluation, or any other form of regulated professional opinion. Intelligence Outputs are interpretive and analytical in nature and should not be treated as statements of fact.
Section 15
Links to Third-Party Websites
The Service may contain links to third-party websites, integrations, or services not operated by Planets IX. We are not responsible for the privacy practices, content, or security of those third parties. We encourage you to review the privacy policy of any external website before providing Personal Data.
Section 16
Changes to This Policy
We may revise this policy at any time. Material changes will be communicated by updating the effective date and notifying registered users via email or in-platform notice at least 14 days before changes take effect. We will seek fresh consent where applicable law requires it. Non-material changes take effect immediately. Prior versions are available on request from care@planets9.com.
Section 17
Contact Us
| Entity | Planets IX Technology Consulting FZCO |
| Address | IFZA Business Park, DSO, Dubai, United Arab Emirates |
| care@planets9.com | |
| Website | https://planets9.com |