Privacy Policy

Last updated: 15 June 2026

Sandstone respects your privacy and handles personal data with care. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, how we protect it, and what rights you have.

This Privacy Policy applies to the Sandstone website, contact forms, client communication, project communication, proposals, contracts, and the services we provide as a digital agency.

1. Who we are

Sandstone Project Management Services L.L.C. is a company registered in the United Arab Emirates, trading as Sandstone.

Sandstone provides digital agency services, including strategy, branding, design, technology, marketing, advertising, AI solutions, and digital growth systems.

For the purposes of applicable data protection laws, Sandstone Project Management Services L.L.C. is the data controller for the personal data we collect through our website, contact forms, client communication, and business relationships.

Company details

Legal name: Sandstone Project Management Services L.L.C.
Trading name: Sandstone
License No: 1275831
TRN: 104337349500003
Email: info@sandstone.cx
Website: sandstone.cx

For privacy related questions, you can contact us using the contact details above.

2. Personal data we collect

We only collect personal data that is necessary for our website, services, communication, administration, security, and business operations.

2.1 Data you provide to us

When you contact us, request a proposal, apply for a service, subscribe to updates, or become a client, we may collect:

Name
Business name
Job title
Business email address
Phone number
Website URL
Company details
Billing details
Payment related information, where applicable
Project information
Briefings, feedback, files, brand assets, and other client supplied content
Communication history
Information you provide through forms, email, calls, or meetings

If you contact us about advertising, Google Ads, cashback structures, media budgets, or campaign related services, we may also process:

Estimated advertising budget
Advertising account information
Campaign information
Website performance information
Eligibility information needed to assess your request

2.2 Project and client data

During a client relationship, we may collect and process project related information, such as:

Brand assets and brand guidelines
Design files
Website content
Product information
Marketing materials
Campaign data
Analytics data
Technical access information, where needed
Feedback and approval history
Client supplied documents and files
Commercial information related to the project

We use this information only to deliver the agreed services, manage the project, improve the work, and maintain the business relationship.

2.3 Data collected automatically

When you visit our website, we may automatically collect technical and usage data, such as:

IP address
Browser type and version
Device type
Operating system
Pages visited
Date and time of visit
Referring website
General website behaviour
Cookie preferences
Approximate location based on technical data

Where possible, we anonymise or aggregate this data.

3. How we use your personal data

We use personal data for the following purposes:

To respond to your message or request
To prepare proposals, quotes, and project scopes
To provide our agency services
To manage client projects and communication
To deliver strategy, design, development, marketing, advertising, and AI related work
To process contracts, invoices, payments, and administration
To assess eligibility for specific services, where applicable
To manage Google Ads related requests, where applicable
To improve our website, services, and user experience
To secure our website, systems, and business operations
To measure website performance
To send service related updates
To send marketing communication only where legally allowed or where you have given consent
To comply with legal, tax, accounting, and regulatory obligations
To establish, exercise, or defend legal claims

We do not use your personal data for purposes that are incompatible with the reasons for which it was collected.

4. Legal basis for processing

We process personal data based on one or more of the following legal bases.

4.1 Contract

We process personal data when this is necessary to provide our services, prepare a proposal, manage a project, deliver work, communicate with you, or fulfil an agreement with you.

4.2 Legitimate interest

We process personal data when this is necessary for our normal business operations, website security, service improvement, client communication, administration, fraud prevention, or the protection of our legal interests.

When we rely on legitimate interest, we consider your privacy rights and interests.

4.3 Consent

We process personal data based on consent where legally required, for example for certain cookies, newsletter subscriptions, or specific marketing communications.

You can withdraw your consent at any time.

4.4 Legal obligation

We process personal data when this is necessary to comply with legal, tax, accounting, or regulatory obligations.

5. Cookies and tracking technologies

Our website uses cookies and similar technologies.

We may use:

Essential cookies needed for the website to work
Analytics cookies to understand website performance
Preference cookies to remember user choices
Marketing cookies, only with consent where required

Where legally required, we ask for your consent before placing non essential cookies or tracking technologies.

You can change or withdraw your cookie preferences through the cookie settings on our website, if available, or through your browser settings.

If we use analytics tools, we aim to configure them in a privacy conscious way where possible.

6. Marketing communication

We only send marketing emails where this is legally allowed or where you have given consent.

You can unsubscribe from marketing emails at any time by using the unsubscribe link in the email or by contacting us directly.

Service related emails, such as project updates, contract communication, invoices, or administrative messages, may still be sent when necessary for our relationship with you.

7. Sharing personal data

We do not sell your personal data.

We only share personal data when this is necessary for our services, business operations, or legal obligations. This may include sharing data with:

Hosting providers
Website and security providers
Email and communication tools
CRM systems
Project management tools
Cloud storage providers
Analytics tools
Advertising platforms, where relevant
AI and automation tools, where relevant for service delivery
Payment and accounting providers
Legal, tax, or professional advisors
Government authorities, if legally required

When we use service providers that process personal data on our behalf, we take appropriate measures, such as data processing agreements where required.

8. Google and advertising services

Sandstone may provide services related to Google Ads, advertising platforms, analytics tools, campaign management, and performance marketing.

If you request these services, we may process information related to your website, campaigns, advertising accounts, budgets, performance data, and eligibility for specific advertising or cashback related structures.

We only access or process advertising related data where this is necessary to deliver the requested service, assess eligibility, manage communication, or comply with legal and contractual obligations.

Where access to third party platforms is required, access should be limited to what is necessary for the agreed work.

9. AI and automation

Sandstone may use AI, automation, or digital tools to support strategy, content, design, development, marketing, analysis, internal workflows, or service delivery.

When using these tools, we aim to limit the personal data shared with such tools to what is necessary. Where possible, we use anonymised, aggregated, or non personal data.

We do not intentionally use confidential client data or personal data in public AI tools unless this is necessary for the service, agreed with the client, or covered by appropriate safeguards.

10. Client data and processor role

In some cases, Sandstone acts as a data controller. This applies when we determine why and how personal data is processed, for example for website enquiries, client communication, proposals, contracts, invoicing, and our own business administration.

In other cases, Sandstone may act as a data processor. This applies when we process personal data on behalf of a client and according to the client’s documented instructions.

If required, we enter into a data processing agreement with the client.

11. International data transfers

Sandstone Project Management Services L.L.C. is registered in the United Arab Emirates.

If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data transfer requirements, your personal data may be transferred to and processed in the United Arab Emirates or other countries where our service providers operate.

When personal data is transferred internationally, we take appropriate safeguards where required by applicable data protection laws. This may include contractual safeguards, data processing agreements, standard contractual clauses, or other legally accepted transfer mechanisms.

12. Data retention

We do not keep personal data longer than necessary.

In general, we apply the following retention periods:

Website and contact form data: up to 24 months after the last contact
Proposal and sales communication: up to 24 months after the last contact, unless a client relationship starts
Client and project data: for the duration of the client relationship and up to 7 years after completion where needed for administration, legal, tax, or reference purposes
Financial and accounting records: as required by applicable law
Newsletter data: until you unsubscribe or withdraw consent
Cookie consent records: for as long as needed to manage or prove consent
Technical logs: for as long as necessary for security, troubleshooting, and website performance

We may retain certain data longer if this is required by law, necessary for legal claims, or needed to protect our legitimate business interests.

13. Security

We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration, and destruction.

These measures may include:

Secure hosting
SSL or TLS encryption
Access control
Password protection
Two factor authentication where appropriate
Regular software updates
Limited access for team members and suppliers
Confidentiality obligations
Backups and recovery measures
Security monitoring where appropriate

No system is completely secure. We therefore review and improve our security measures where needed.

14. Your rights

Depending on your location and the applicable data protection laws, you may have the following rights:

The right to access your personal data
The right to correct inaccurate or incomplete data
The right to request deletion of your data
The right to restrict processing
The right to object to processing
The right to data portability
The right to withdraw consent, where processing is based on consent
The right not to be subject to automated decision making with legal or similarly significant effects

You can submit a request by contacting us through the contact details in this Privacy Policy.

We may ask you to verify your identity before handling your request. We will respond within the timeframe required by applicable law.

15. Automated decision making

We do not use personal data for automated decision making that has legal or similarly significant effects on you.

16. Children’s privacy

Our website and services are intended for businesses and professionals.

We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us. We will delete the data where required.

17. Complaints

If you have a privacy concern, please contact us first so we can try to resolve it.

Depending on your location, you may also have the right to file a complaint with a competent data protection authority, such as the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, if you are located in the Netherlands or if GDPR applies.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website.

If we make significant changes, we will take reasonable steps to inform you where appropriate.

19. Contact

For questions about this Privacy Policy or the way we handle your personal data, please contact:

Sandstone Project Management Services L.L.C.
Trading as Sandstone
License No: 1275831
TRN: 104337349500003
Email: info@sandstone.cx
Website: sandstone.cx