Privacy Policy

This comprehensive privacy policy outlines how Outperform W.L.L. collects, processes, shares, and protects personal data in compliance with Bahrain's Personal Data Protection Law (PDPL) and the European Union's General Data Protection Regulation (GDPR).

 

  1. Introduction

1.1. Company Overview

Outperform W.L.L. is a management consulting and recruitment firm based in Bahrain, providing professional services to clients both locally and internationally. We offer comprehensive consultancy and talent acquisition services, which necessitate the processing of personal data from various stakeholders including clients, candidates, employees, and business partners.

1.2. Purpose of Privacy Policy

This Privacy Policy aims to transparently inform you about how we collect, use, share, and protect your personal information in compliance with applicable data protection laws, particularly Bahrain's Personal Data Protection Law (Law No. 30/2018) and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679).

1.3. Scope of Application

This Privacy Policy applies to all personal data processed by us through our:

  • Services of Management Consultancy, Computer Consultancy and Computer Facilities Management, and Attraction and Nomination for Senior Executive Positions (Talent Acquisition)
  • Office locations and premises
  • Communications and marketing activities

1.4. Definitions of Key Terms

For the purposes of this Privacy Policy, the following terms shall have the meanings defined below:

“Personal Data”: Any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or physical, physiological, intellectual, cultural or economic characteristics or social identity.

“Data Subject”: The individual to whom personal data relates.

“Data Controller”: The entity that determines the purposes and means of processing personal data.

“Data Processor”: An entity that processes personal data on behalf of the Data Controller.

“Processing”: Any operation carried out on personal data such as collecting, recording, organizing, storing, modifying, retrieving, using, transmitting, blocking, or deleting.

“Sensitive Personal Data”: Personal data that reveals racial or ethnic origin, political or philosophical views, religious beliefs, union affiliation, criminal record, or data related to health and physical behaviour.

1.5. Data Controller Information

Outperform W.L.L. acts as a Data Controller for the personal data we collect and process. Our contact details are:

  • Outperform W.L.L. Bahrain FinTech Bay, Office no 302, Arcapita Building, Building 551, Road 4612, Block 346, Manama Water Bay, Kingdom of Bahrain
  • Email: privacy@outperform-digital.com
  • Commercial Registration Number CR182911-1

1.6. Data Protection Officer/Guardian Contact Details

We have appointed a Data Protection Guardian (DPG) in accordance with Bahrain's PDPL and EU GDPR requirements. Our DPG can be contacted at:

  • Andrew Sims, Director
  • E-mail: andrew.sims@outperform-digital.com

 

  2. Personal Data Collection

2.1. Categories of Personal Data Collected

Depending on your relationship with us, we may collect and process the following categories of personal data:

  • For Candidates and Job Applicants:
    • Contact information (name, address, email, phone number)
    • Professional details (CV/resume, work history, qualifications, skills)
    • Educational background
    • Professional references
    • Assessment results and interview notes
    • Immigration status and right to work information
    • Compensation expectations
    • Where permitted, demographic information for diversity monitoring
  • For Clients and Business Contacts:
    • Contact information (name, job title, company, email, phone number)
    • Professional details and preferences
    • Service history and interactions with our company
    • Financial information for billing purposes
    • Contractual details and service requirements
  • For Website Visitors:
    • Device information and IP addresses
    • Browsing behaviour and preferences
    • Login credentials (where applicable)
    • Information provided through forms or surveys

2.2. Sources of Personal Data

We collect personal data through:

  • Direct submission by data subjects (applications, forms, emails)
  • Professional networks and platforms (LinkedIn, industry websites)
  • Referrals from other individuals or organizations
  • Public sources and directories
  • Client organizations (when providing consulting services)
  • Cookies and similar technologies on our website
  • Third-party service providers (with appropriate permissions)

2.3. Special Categories of Personal Data

In certain circumstances, we may collect and process special categories of personal data (sensitive personal data) as defined by the PDPL and GDPR. This includes data revealing racial or ethnic origin, political opinions, religious beliefs, health information, or data concerning criminal convictions. We process sensitive data only when:

  • You have provided explicit written consent
  • Processing is necessary to protect your vital interests or those of another person
  • Processing is necessary for the establishment, exercise, or defence of legal claims
  • The data has been manifestly made public by you
  • Processing is necessary for employment-related legal obligations
  • Processing is specifically authorized by applicable data protection authorities

Pre-employment medical information will only be collected after a job offer has been made, unless such information is necessary to assess an intrinsic requirement of the job that cannot be accommodated with reasonable adjustments.

2.4. Purposes for Data Collection

We collect personal data for specific, explicit, and legitimate purposes, including:

  • For Recruitment Services:
    • Evaluating suitability for specific roles and positions
    • Matching candidates with appropriate job opportunities
    • Conducting pre-employment screening and verification
    • Managing the recruitment and placement process
    • Maintaining a talent pool for future opportunities
    • Providing career advice and guidance to candidates
    • Meeting legal and regulatory obligations in recruitment
  • For Consulting Services:
    • Providing management consulting services to clients
    • Managing client relationships and contracts
    • Delivering professional advice and solutions
    • Conducting industry and market analysis
    • Improving and developing our services
    • Maintaining business records and documentation
  • For Administrative and Business Operations:
    • Managing our relationship with you
    • Processing payments and financial transactions
    • Ensuring security of our information and premises
    • Analysing and improving our business operations
    • Complying with legal and regulatory obligations
    • Resolving disputes and enforcing our agreements

2.5. Legal Basis for Processing

We process personal data only when we have a valid legal basis to do so. Depending on the specific processing activity, our legal bases include:

  • Consent: When you have given clear consent for us to process your personal data for a specific purpose.
  • Contractual Necessity: When processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract.
  • Legal Obligation: When processing is necessary for compliance with a legal obligation to which we are subject under Bahrain law or other applicable legislation.
  • Legitimate Interests: When processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by your fundamental rights and freedoms.
  • Vital Interests: When processing is necessary to protect the vital interests of the data subject or another natural person.

For sensitive personal data, we rely on specific provisions under the PDPL and GDPR that permit such processing, including explicit written consent, employment law obligations, and the establishment or defence of legal claims.

2.6. Consent Management

Where we rely on consent as the legal basis for processing, we ensure that:

  • Consent is freely given, specific, informed, and unambiguous
  • Consent is provided through a clear affirmative action
  • For PDPL compliance, consent is obtained in writing where required
  • For GDPR compliance, any valid form of explicit consent is acceptable
  • Consent for children under the age of legal capacity is obtained from parents or legal guardians

You can withdraw consent at any time through accessible mechanisms.

When we request your consent, we will clearly explain:

  • What personal data we will process
  • The purposes for which the data will be used
  • Any third parties who will have access to the data
  • Your rights regarding the data, including the right to withdraw consent

  3. Use and Processing of Personal Data

3.1. Consulting Services Data Processing

When providing management consulting services, we process personal data to:

  • Deliver agreed consulting services to clients
  • Analyse business challenges and develop strategic solutions
  • Provide expert advice and recommendations
  • Implement business improvement initiatives
  • Measure and report on project outcomes
  • Maintain records of consulting engagements and deliverables

We implement strict confidentiality measures to protect client information, including:

  • Categorizing information as strictly confidential, internally shareable, or externally communicable
  • Ensuring consultants understand client confidentiality requirements
  • Maintaining separation between competing client engagements
  • Implementing need-to-know access controls for sensitive client data
  • Conducting regular training on confidentiality obligations

3.2. Recruitment Services Data Processing

For recruitment services, we process candidate data to:

  • Evaluate qualifications and suitability for specific positions
  • Match candidates with appropriate job opportunities
  • Communicate with candidates about positions and status
  • Conduct pre-employment screening with explicit consent
  • Coordinate interviews and assessments with potential employers
  • Maintain a database of qualified candidates for future opportunities
  • Comply with employment and immigration laws

We act as a data controller when sourcing candidates independently, maintaining our candidate database, or providing temp workers. We may act as a data processor when managing client-owned databases or recruitment systems.

3.3. Marketing and Communication Processing

We process personal data for marketing and communications purposes, including:

  • Providing information about our services and offerings
  • Sending newsletters, updates, and invitations to events
  • Conducting surveys and market research
  • Analysing interactions with our marketing communications
  • Improving our marketing effectiveness and relevance

We will inform you when your personal data will be used for direct marketing and provide clear options to opt-out or object to such processing. All marketing communications will include simple mechanisms to unsubscribe or manage preferences.

3.4. Automated Decision Making and Profiling

We may use certain automated processes to streamline our recruitment and consulting services. However, we do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect data subjects without:

  • Your explicit consent
  • Contractual necessity
  • Authorization under applicable law

Where automated processes are used, we implement suitable safeguards, including:

  • Human oversight and verification of outcomes
  • Regular testing and quality assurance of algorithms
  • Procedures to challenge automated decisions
  • Clear information about the logic involved and potential consequences

For recruitment, any automated pre-screening tools are used as a supplement to, not a replacement for, human decision-making.

3.5. Data Minimization Principles

We adhere to data minimization principles by:

  • Collecting only personal data that is adequate, relevant, and limited to what is necessary
  • Regularly reviewing data collection practices to eliminate unnecessary data points
  • Anonymizing or pseudonymizing data where possible for analytics and reporting
  • Implementing appropriate retention periods and deletion procedures
  • Training staff on data minimization requirements
  • Regularly auditing our data holdings to ensure compliance

3.6. Controller vs. Processor Relationships

Our company may act in different data protection roles depending on the services provided:

  • As a Data Controller:
    • When collecting and maintaining our own database of candidates
    • When processing employee and contractor data
    • When sourcing candidates independently for multiple clients
    • When providing temporary staffing services where we employ the workers
    • When processing personal data for our own business operations
  • As a Data Processor:
    • When managing a client's talent pool in their systems
    • When processing data strictly according to client instructions
    • When handling candidate information solely on behalf of a client
  • Independent Controller Relationships:
    • When sharing candidate information with clients for their hiring decisions, both parties act as independent controllers for their respective processing activities

Where we act as a processor, we will execute appropriate data processing agreements as required by law.

 

  4. Data Sharing and Disclosure

4.1. Categories of Recipients

We may share personal data with the following categories of recipients:

  • For Recruitment Services:
    • Potential employers and hiring clients
    • Reference providers and former employers (with consent)
    • Background screening providers
    • Skills assessment platforms
    • Immigration and work authorization authorities (when required)
  • For Consulting Services:
    • Client team members and stakeholders
    • Subcontractors and specialist consultants
    • Professional advisors (legal, accounting, etc.)
    • Industry experts and partners (as agreed with clients)
  • For Business Operations:
    • IT and system service providers
    • Professional advisors and auditors
    • Insurance providers
    • Administrative service providers
    • Regulatory and governmental authorities (when legally required)

4.2. Third-Party Service Providers

When we engage third-party service providers who process personal data on our behalf, we:

  • Conduct appropriate due diligence on their data protection practices
  • Enter into data processing agreements that include confidentiality obligations
  • Ensure they provide sufficient guarantees to implement appropriate technical and organizational measures
  • Regularly monitor and audit their compliance
  • Require prompt notification of any data breaches or security incidents
  • Ensure they only process data according to our documented instructions

4.3. Legal Requirements for Disclosure

We may disclose personal data to comply with legal obligations, including:

  • Court orders and judicial proceedings
  • Regulatory investigations and compliance requirements
  • Law enforcement requests in accordance with applicable law
  • Protection of our legal rights and interests
  • Prevention of fraud or other illegal activities
  • Protection of vital interests of any individual

Any such disclosures will be made in accordance with applicable data protection laws and with appropriate safeguards where possible.

4.4. International Data Transfers

As a company operating internationally, we may transfer personal data across national borders, including to countries outside Bahrain or the European Economic Area (EEA).

  • Under the PDPL, we will not transfer personal data outside Bahrain unless:
    • The recipient country provides an adequate level of protection
    • You have provided explicit consent to the specific transfer
    • The transfer is necessary for the performance of a contract with you
    • The transfer is necessary for important reasons of public interest
    • The transfer is necessary to establish, exercise, or defend legal claims
  • Under GDPR, we implement appropriate safeguards for international transfers, which may include:
    • Adequacy decisions from the European Commission
    • Standard Contractual Clauses (SCCs)
    • Binding Corporate Rules
    • Explicit consent for specific transfers
    • Necessary transfers for important reasons of public interest
    • Transfers necessary for the performance of a contract

4.5. Safeguards for Cross-Border Transfers

For all international data transfers, we implement appropriate safeguards, including:

  • Comprehensive data transfer agreements with recipients
  • Technical measures such as encryption and pseudonymization
  • Contractual commitments regarding data protection standards
  • Regular assessment of recipient country legal frameworks
  • Additional protections for sensitive personal data
  • Data minimization principles to limit transfer risks

4.6. Data Processing Agreements

We ensure that appropriate contractual provisions are in place when sharing data with third parties, including:

  • Clear definition of responsibilities and processing activities
  • Confidentiality commitments from all data recipients
  • Security requirements aligned with industry standards
  • Sub-processor management and oversight provisions
  • Breach notification procedures and timelines
  • Audit rights and compliance verification mechanisms
  • Data return or deletion procedures at contract termination
  • Indemnification and liability provisions for data protection violations

 

  5. Data Subject Rights

5.1. Right to Access Personal Data

You have the right to obtain confirmation about whether we process your personal data and to access that data. Upon request, we will provide:

  • Confirmation of processing activities
  • A copy of your personal data in our possession
  • Information about the purposes of processing
  • Categories of personal data concerned
  • Recipients or categories of recipients of your data
  • Retention periods or criteria for determining them
  • Information about the source of the data (if not collected directly from you)
  • Information about automated decision-making, if applicable

5.2. Right to Rectification

You have the right to request correction of inaccurate personal data or completion of incomplete personal data in our systems. We will respond promptly to such requests and notify relevant third parties of corrections where appropriate and feasible.

For candidates, maintaining accurate information is particularly important to ensure effective matching with suitable positions and proper assessment of qualifications.

5.3. Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances, including when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal ground for processing
  • You object to processing and there are no overriding legitimate grounds
  • The personal data has been unlawfully processed
  • Erasure is required for compliance with a legal obligation
  • The data was collected in relation to the offer of information society services to a child

We will carefully assess each erasure request and respond within the timeframes required by applicable law. Where we are obligated to retain certain information for legal or regulatory purposes, we will inform you accordingly.

5.4. Right to Restriction of Processing

You can request restriction of processing of your personal data when:

  • You contest the accuracy of the data, during the verification period
  • The processing is unlawful, but you oppose erasure
  • We no longer need the data, but you require it for legal claims
  • You have objected to processing, pending verification of legitimate grounds

When processing is restricted, we will store the data but not process it further without your consent, except for legal claims, protection of another person’s rights, or important public interest reasons.

5.5. Right to Data Portability

Where processing is based on consent or contractual necessity and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit this data to another controller without hindrance.

Where technically feasible, you may request that we transmit the data directly to another controller.

5.6. Right to Object to Processing

You have the right to object to:

  • Processing based on legitimate interests or public interest
  • Direct marketing (including profiling for marketing)
  • Processing for scientific, historical research, or statistical purposes

For legitimate interests or public interest processing, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.

For direct marketing, we will cease processing your data for these purposes when you object.

5.7. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you, unless:

  • It is necessary for a contract with you
  • It is authorized by law
  • It is based on your explicit consent

Where such decisions are made, we implement measures to safeguard your rights, including:

  • Human intervention capability
  • Expression of your point of view
  • Contestation of the decision

5.8. Procedure for Exercising Rights

To exercise any of your rights, you may submit a request:

  • By email to our Data Protection Guardian at sims@outperform-digital.com
  • By mail to our office address: Outperform W.L.L. Bahrain FinTech Bay, Office no 302, Arcapita Building, Building 551, Road 4612, Block 346, Manama Water Bay, Kingdom of Bahrain

To protect your privacy and security, we may need to verify your identity before processing your request. Please provide:

  • Your full name
  • Contact information
  • Relationship with our company
  • Specific right(s) you wish to exercise
  • Any additional information to help us locate your data

5.9. Timeframes for Responding to Requests

We will acknowledge receipt of your request within business days and provide a substantive response within:

  • 30 days from receipt of your request under GDPR
  • 15 days from receipt of your request under Bahrain PDPL

If we need additional time due to complexity or the number of requests, we will inform you of any extension within the initial response period, explaining the reasons for the delay. Any extension will not exceed an additional 60 days.

If we decide not to take action on your request, we will inform you of the reasons and your right to lodge a complaint with the supervisory authority and to seek judicial remedy.

 

  6. Data Retention and Deletion

6.1. Retention Periods for Different Data Categories

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, or protect our legitimate interests. Our retention periods vary by data category:

  • Recruitment Data:
    • Successful candidates' data: Throughout the employment relationship plus 2 years after termination
    • Unsuccessful candidates' data: 1-2 years from the date of application or last contact
    • Candidate consent for future consideration: Valid for 2 years unless renewed
  • Client and Business Contact Data:
    • Active clients: Duration of the business relationship plus 5 years
    • Prospective clients: 2 years from last meaningful interaction
    • Project documentation: 7 years following project completion
  • Website User Data:
    • Account information: Until account closure plus 1 year
    • Usage data: 1 year from collection
    • Cookies and similar technologies: Varies by purpose (see Cookies section)
  • Financial and Legal Records:
    • Transaction records: 7 years as required by financial regulations
    • Contracts and agreements: Duration of agreement plus 7 years

6.2. Criteria for Determining Retention Periods

We consider the following factors when setting retention periods:

  • Legal and regulatory requirements applicable in Bahrain and other jurisdictions
  • Statutes of limitations for potential legal claims
  • Business operational needs and administrative purposes
  • Industry best practices and standards
  • Risks associated with different types of data
  • Legitimate interests in maintaining records for reference and quality improvement
  • Data subject expectations and preferences

6.3. Specific Retention for Recruitment Data

For recruitment data, we apply specific retention principles:

  • CV/resume data from non-hired candidates will be retained for a maximum of 2 years
  • If you consent to remain in our talent pool for future opportunities, we will retain your data for that purpose until you withdraw consent or for a maximum of 2 years
  • If we'd like to retain your data beyond 2 years, we will contact you to refresh your consent
  • Background check information is retained for no longer than 1 year from hiring decision
  • Interview notes and assessments are retained for 1 year from hiring decision
  • If a candidate is hired, relevant recruitment data becomes part of the employment record

6.4. Data Deletion and Anonymization Procedures

At the end of the applicable retention period, personal data will be:

  • Securely deleted from all systems
  • Physically destroyed (for paper records)
  • Anonymized so that it no longer identifies individuals
  • Aggregated for statistical purposes with all identifiers removed

Our deletion procedures include:

  • Regular automated deletion of expired data
  • Quarterly manual reviews of data requiring deletion
  • Secure destruction methods for all media containing personal data
  • Verification processes to confirm complete deletion
  • Documentation of deletion activities for compliance purposes

6.5. Exceptions to Standard Retention Periods

In certain circumstances, we may retain data beyond standard retention periods:

  • When required by applicable law or regulation
  • To comply with a legal hold or preservation order
  • To resolve pending disputes or ongoing investigations
  • When necessary to protect our legal rights or those of others
  • Where retention is required by contract with clients
  • Where alternative retention periods have been specifically agreed with data subjects

In such cases, we will implement additional security measures and access restrictions to protect the data during the extended retention period.

 

  7. Data Security Measures

7.1. Technical Security Measures

We implement appropriate technical measures to protect personal data, including:

  • Encryption of personal data at rest and in transit
  • Strong authentication mechanisms and access controls
  • Regular security updates and patch management
  • Firewalls and intrusion detection/prevention systems
  • Secure network architecture and segmentation
  • Regular vulnerability scanning and penetration testing
  • Data loss prevention technologies
  • Secure backup systems and disaster recovery procedures
  • Anti-malware and anti-virus protection
  • Technical measures as specified in Executive Order No. 43 of 2022

7.2. Organizational Security Measures

Our organizational security measures include:

  • Role-based access controls following least privilege principles
  • Regular security awareness training for all staff
  • Background checks for employees handling sensitive data
  • Confidentiality agreements with employees and contractors
  • Clear desk and clear screen policies
  • Physical security controls for premises and equipment
  • Visitor management procedures
  • Incident response and management processes

7.3. Employee Training and Awareness

We ensure our employees are educated about data protection through:

  • Comprehensive initial privacy training upon joining
  • Regular refresher training on data protection principles
  • Specific training on handling sensitive personal data
  • Awareness of breach notification procedures
  • Education on recognizing and reporting security incidents
  • Training on secure remote working practices
  • Documentation of all training activities
  • Regular assessment of privacy knowledge

7.4. Data Breach Detection and Response

We maintain robust procedures to detect, investigate, and respond to data breaches:

  • Automated monitoring systems to detect unusual activities
  • Clear protocols for reporting suspected incidents
  • Dedicated response team for breach investigation
  • Documentation requirements for all incidents
  • Impact assessment procedures to evaluate risks to data subjects
  • Containment measures to limit breach impact
  • Remediation processes to address vulnerabilities
  • Post-incident review to prevent recurrence

7.5. Notification Procedures

In the event of a personal data breach that could affect the rights of data subjects, we will:

  • Notify the Personal Data Protection Authority within 72 hours of discovering the breach, as required by the PDPL
  • Provide information on the nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken or proposed
  • Communicate with affected data subjects without undue delay when the breach poses a high risk to their rights and freedoms
  • Document all breaches, including facts, effects, and remedial actions taken
  • Cooperate fully with regulatory authorities during their investigations

7.6. Security Risk Assessment Process

We conduct regular security risk assessments to identify and mitigate risks to personal data:

  • Annual risk assessments of all data processing activities
  • Assessments prior to implementing new systems or processes
  • Evaluation of third-party service providers before engagement
  • Identification of high-risk processing requiring additional safeguards
  • Documentation of risks, mitigation measures, and residual risks
  • Review and approval by senior management
  • Regular reassessment of previously identified risks
  • Implementation of recommended security enhancements

  8. Cookies and Tracking Technologies

8.1. Types of Cookies Used

Our website uses various types of cookies and similar technologies:

  • Essential cookies: Required for website functionality and security
  • Preference cookies: Remember your settings and preferences
  • Analytics cookies: Help us understand how visitors interact with our website
  • Marketing cookies: Used to deliver relevant advertisements and track marketing effectiveness
  • Social media cookies: Enable integration with social networks

8.2. Purposes of Cookies

We use cookies and similar technologies for the following purposes:

  • To ensure proper functioning of our website and services
  • To enhance and personalize your browsing experience
  • To remember your preferences and settings
  • To analyse website traffic and user behaviour (anonymized where possible)
  • To improve our website design and content
  • To measure the effectiveness of our marketing campaigns
  • To enable certain interactive features and integrations

8.3. Third-Party Cookies

Our website may contain cookies from third parties, including:

  • Analytics providers (such as HubSpot and Google Analytics)
  • Advertising networks and platforms
  • Social media platforms
  • Content delivery networks
  • Functionality providers (chat services, video players, etc.)

These third parties may collect information about your online activities over time and across different websites. We have limited control over third-party cookies and recommend reviewing the privacy policies of these third parties.

8.4. Cookie Management and Opt-Out Options

You can manage cookies and similar technologies through:

  • Our cookie consent banner when you first visit our website
  • Your browser settings (to block or delete cookies)
  • Third-party opt-out mechanisms (for analytics and advertising)

Most web browsers allow control of cookies through settings. Please note that blocking certain cookies may impact website functionality.

8.5. Other Tracking Technologies

In addition to cookies, we may use other tracking technologies:

  • Web beacons and pixel tags
  • Local storage objects
  • Device fingerprinting
  • Log files and server data
  • Mobile identifiers for app users

These technologies help us deliver and measure our services, understand user behaviour, and provide relevant content and features.

 

  9. Children's Privacy

9.1. Age Restrictions

Our services are not directed to children under the age of 18. We do not knowingly collect personal data from individuals under 18 years of age. For recruitment services, we only process data of individuals who have reached the legal working age in their jurisdiction.

9.2. Parental Consent Requirements

If we discover that we have collected personal data from a child under 18 without parental consent, we will promptly:

  • Delete the data from our records
  • Implement measures to prevent further collection
  • Notify the appropriate supervisory authority if required by law

In cases where we may legitimately need to process data of individuals under 18 (such as for specific educational recruitment programs), we will obtain verifiable parental consent before collecting or using such information.

9.3. Processing of Children's Data

In the limited circumstances where we may process personal data of individuals under 18 with proper parental consent:

  • We will collect only the minimum data necessary
  • We will implement enhanced security measures
  • We will not use the data for marketing or profiling purposes
  • We will provide clear, age-appropriate privacy information
  • We will respect the rights of both the child and parent/guardian
  • We will delete the data when no longer necessary or when requested

 

  10. Policy Updates and Changes

10.1. Process for Policy Updates

We regularly review and update this Privacy Policy to reflect:

  • Changes in our data processing activities
  • New legal and regulatory requirements
  • Evolving best practices in data protection
  • Feedback from data subjects and regulatory authorities
  • Updates to our services and business operations

Our update process includes:

  • Review by legal and privacy professionals
  • Approval by senior management
  • Documentation of all changes and justifications
  • Archiving of previous versions for reference

10.2. Notification of Material Changes

When we make material changes to this Privacy Policy, we will notify affected data subjects through:

  • Notices on our website
  • Email notifications to registered users
  • Updates to our mobile applications
  • Direct communication for significant changes affecting client data

We will provide reasonable advance notice before implementing material changes and, where required by law, seek refreshed consent for new processing activities.

10.3. Version History

This Privacy Policy was last updated on 23rd March 2025.

Previous versions of our Privacy Policy are available upon request by contacting our Data Protection Guardian at andrew.sims@outperfrm-digital.com

Key changes in this version include:

  • The version published on 23rd March 2025 is the first version of the privacy policy.

 

  11. Complaints and Contact Information

11.1. Internal Complaint Procedure

If you have concerns about our data processing activities, we encourage you to contact us first to resolve the issue:

  • Submit the details of your concern via email to privacy@outperform-digital.
  • Include your contact information, details of your concern, and any supporting documentation
  • We will acknowledge receipt within 3 business days
  • We will investigate your complaint and provide a substantive response within 15 days
  • If more time is needed, we will notify you and provide an estimated timeline

11.2. Regulatory Authority Complaints

You have the right to lodge a complaint with the relevant supervisory authority:

In Bahrain:

  • Personal Data Protection Authority, Ministry of Justice, Islamic Affairs and Endowments

In the European Union:

  • For GDPR-related matters, you may contact the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

11.3. Contact Details for Privacy Inquiries

For general privacy inquiries or to exercise your data subject rights:

Data Protection Guardian

  • Outperform W.L.L. Bahrain FinTech Bay, Office no 302, Arcapita Building, Building 551, Road 4612, Block 346, Manama Water Bay, Kingdom of Bahrain
  • Email: sims@outperform-digital.com

 

  12. Governing Law and Jurisdiction

12.1. Applicable Law

This Privacy Policy is governed by the laws of the Kingdom of Bahrain, primarily Law No. 30/2018 with respect to Personal Data Protection. Where applicable, and for processing activities within its scope, the EU General Data Protection Regulation (GDPR) may also apply.

12.2. Dispute Resolution

Any disputes arising from or relating to this Privacy Policy or our data processing activities will be resolved:

  • First, through our internal complaint procedure
  • Second, through alternative dispute resolution mechanisms where available
  • Finally, through the competent courts of the Kingdom of Bahrain, or where required by mandatory law, the relevant EU member state

12.3. Relationship with Other Agreements

This Privacy Policy may be supplemented by:

  • Service-specific privacy terms
  • Data processing agreements with clients and service providers
  • Confidentiality agreements for consulting engagements
  • Candidate consent forms for recruitment services
  • Website terms of use and cookie policies

In case of any inconsistency between this Privacy Policy and service-specific terms, the more specific terms will prevail to the extent of the inconsistency.