Privacy Policy.

Effective: 19 May 2026 · Last updated: 19 May 2026 · Version 2.0

This Policy sets out, in detail, how Moore Law collects, uses, shares, retains, and protects personal information; the lawful bases on which we process it; the specific rights you hold in respect of that information; and the procedures for exercising them.

Moore Law is a group of independent professional firms practising under separate licences and regulators. This Policy applies to personal information processed in connection with the mooremichel.com website and the firm's professional engagements. Where a specific entity within the group is the controller for a particular processing activity, that entity is identified in §1 below.

§1 — Who We Are

The Moore Law group comprises three separate legal entities:

Moore Law (CVR 43 57 76 70) — a Danish law firm with registered office at Peder Skrams Gade 27, 1. tv, 1054 Copenhagen K, Denmark. Authorised to practise law in Denmark. Acts as the primary controller of personal information collected through the website and of personal information processed in connection with Danish legal-services engagements.

Moore Law Firm FZ-LLC (Trade Licence 2309392, Meydan Freezone, Dubai, United Arab Emirates) — a UAE-licensed corporate-services and structural-advisory firm. Acts as controller of personal information processed in connection with corporate-services engagements based in the United Arab Emirates.

Moore Law Firm Real Estate LLC (Trade Licence 998333, RERA Office No. 35776, Dubai, United Arab Emirates) — a UAE-licensed real-estate brokerage and advisory firm. Acts as controller of personal information processed in connection with UAE real-estate engagements.

The three entities operate under common branding but as separate controllers under applicable data protection law. Information shared between them in the routine course is governed by intra-group arrangements consistent with applicable cross-border transfer rules.

Where this Policy uses "we", "us", or "the firm", the term refers to the relevant controller for the processing activity in question, identified in context.

§2 — Information We Collect

We collect personal information in the following categories and circumstances:

Enquiry information. Information you provide when contacting the firm — typically your name, the entity you represent (if any), contact details, the jurisdiction and nature of your matter in general terms, and any further information you choose to provide. Submitted through the website, by email to [email protected], or through other professional channels.

Conflict-check information. When evaluating whether the firm can accept an enquiry, we conduct a conflict check against our existing and historical matter database. This may involve recording the names of relevant parties, entities, and the matter type. Conflict-check records are retained whether or not the firm proceeds to engagement.

Client identification and AML information. Where the firm proceeds to engagement, we are required by applicable anti-money-laundering law — including the Danish AML Act (hvidvaskloven) — to obtain identification documentation, beneficial-ownership information, source-of-funds documentation, and politically-exposed-person screening data. We process this information solely to comply with our legal obligations.

Engagement information. Information processed in connection with a professional engagement — typically including identification, contact details, financial information, transactional and corporate documentation, and any further information necessary to provide the engaged services. The scope and nature of this information varies by engagement and is documented in the engagement letter.

Communications. Correspondence, meeting records, call notes, and other communications associated with an enquiry or engagement.

Website usage information. Limited technical information collected through the website — including IP address, browser type, pages visited, and referrer information — as described in our Cookie Policy.

Information about third parties. In the course of engagements, the firm receives personal information about parties other than the direct client — counterparties, beneficial owners, family members, advisors, witnesses, and others. We process such information for the engagement's purposes and apply this Policy to it.

Special category data. Legal matters routinely involve information of a sensitive nature, including (depending on the matter): information about criminal proceedings or convictions; health information; information revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sexual life, or sexual orientation; biometric or genetic information; and information about minors. We process such information only where necessary for the legal matter, under the conditions set out in §6 below.

§3 — How We Use Your Information

We use personal information to:

• Respond to enquiries submitted through the website, by email, or through other channels;
• Conduct conflict checks and engagement-acceptance assessments;
• Comply with anti-money-laundering, counter-terrorist-financing, and sanctions-screening obligations;
• Provide and administer professional services under engagement letters;
• Communicate with you about your engagement, including matter status, scheduling, deliverables, billing, and routine practice administration;
• Discharge the firm's professional duties under applicable rules and statutes;
• Operate, maintain, secure, and improve the website;
• Detect, investigate, and prevent fraud, abuse, or unauthorised access;
• Comply with legal, regulatory, professional-conduct, and contractual obligations;
• Establish, exercise, or defend legal claims;
• Any other purpose disclosed at the time of collection or to which you have consented.

§4 — Legal Bases for Processing

We process personal information under the legal bases provided by applicable data protection law, principally the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK General Data Protection Regulation, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), and where applicable the DIFC Data Protection Law No. 5 of 2020 (DIFC DPL). The specific bases on which we rely include:

Performance of a contract — where processing is necessary to perform an engagement letter with you or your organisation, or to take pre-engagement steps at your request.

Legitimate interests — where processing is necessary for the legitimate interests of the firm, balanced against your rights and freedoms. We rely on legitimate interests, among other things, for conflict checks, prospective-client evaluation, website operation, security, professional record-keeping, and the routine administration of the firm.

Legal obligation — where processing is necessary to comply with legal or regulatory obligations applicable to the firm, including obligations under anti-money-laundering, tax, bookkeeping, and professional-conduct law.

Consent — where you have given specific consent for a defined purpose, such as the use of optional cookies, subscription to communications, or processing of special category data where consent is the appropriate condition.

Establishment, exercise, or defence of legal claims — both for the firm's own claims and for those of clients in matters where we represent them.

Vital interests, public-interest tasks, or other bases — in the limited circumstances in which they apply.

§5 — Professional Confidentiality

Information disclosed to the firm by a client or prospective client in the course of a professional engagement (or in the course of evaluating an engagement) is treated as confidential. The firm maintains professional confidentiality as a matter of internal commitment and as a contractual obligation under engagement letters with clients. This commitment applies from the point of first contact, regardless of whether the firm proceeds to formal engagement.

These confidentiality commitments operate alongside, and reinforce, the requirements of applicable data protection law set out in this Policy.

§6 — Special Category Data

Legal matters routinely involve information of a particularly sensitive nature. Where the firm processes special category personal data — including data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sexual life or sexual orientation, biometric or genetic information, health information, or information about criminal proceedings or convictions — we rely on the conditions provided in Article 9 GDPR and equivalent provisions of other applicable data protection laws. These include:

• The establishment, exercise, or defence of legal claims condition, applicable to most processing carried out in the course of engagements;
• Explicit consent, where appropriate and obtained;
• Substantial public interest under applicable national law, where applicable;
• The other Article 9 conditions where they apply.

§7 — Internal Use of AI Tools

The firm uses AI-based tools internally to support certain functions of its practice, including document review, translation between the firm's working languages, legal-research summarisation, and routine administrative tasks. The following commitments apply:

• Identifiable client information is not submitted to public consumer AI services without the client's specific instruction or consent.
• Where AI-based tools are used in connection with a client matter, the firm retains professional responsibility for the output and verifies all material produced before it is acted upon or communicated externally.
• The firm does not engage in any form of automated decision-making (within the meaning of Article 22 GDPR) that produces legal or similarly significant effects on data subjects.
• AI tools used in connection with client matters are evaluated for their data-handling practices, and processing arrangements (including, where appropriate, data processing agreements) are put in place with the relevant providers.

§8 — Sharing Your Information

We may share personal information:

• Within the Moore Law group — between Moore Law (Denmark), Moore Law Firm FZ-LLC, and Moore Law Firm Real Estate LLC, in circumstances where a matter spans more than one entity's scope and shared processing is necessary for the engagement;
• With service providers processing personal information on behalf of the firm under written data-processing agreements requiring confidentiality and data-protection compliance (including, for example, IT-infrastructure providers, document-management providers, secure-communications providers, and AI-tool providers);
• With locally-licensed specialist counsel acting in coordination with the firm on matters requiring their licensure in a particular jurisdiction;
• With counterparties, courts, regulators, tribunals, and other parties to the extent necessary in the course of representing or advising a client;
• Where required by law, court order, professional-conduct rules, or regulatory authority — including disclosure to financial-intelligence units in respect of anti-money-laundering reporting obligations;
• In connection with the establishment, exercise, or defence of legal claims;
• In connection with potential corporate transactions affecting the firm (merger, acquisition, restructuring) — in which case appropriate confidentiality protections are imposed;
• With your consent — where consent is the basis of the sharing.

The firm does not sell personal information to third parties, does not share personal information for cross-context behavioural advertising, and does not operate any advertising-based business model that depends on data sharing.

§9 — International Transfers

The Moore Law group operates across Denmark and the United Arab Emirates and routinely serves clients located internationally. Personal information collected through the website or in connection with an engagement may be transferred between the firm's entities and to or from other jurisdictions where necessary for the engagement.

Where personal information is transferred from the European Economic Area or the United Kingdom to a third country (including the UAE), we implement appropriate safeguards consistent with Chapter V of the GDPR / UK GDPR. These include:

• The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, where applicable;
• Reliance on European Commission adequacy decisions where they have been issued;
• Supplementary measures, where appropriate, in light of the destination jurisdiction;
• The derogations provided by Article 49 GDPR / UK GDPR, where applicable — including, importantly, the derogation for transfers necessary for the establishment, exercise, or defence of legal claims, which frequently applies in the firm's practice.

Transfers within the UAE between the firm's UAE-licensed entities, and transfers from the UAE to other jurisdictions, are conducted in accordance with the cross-border transfer rules of the UAE PDPL and (where applicable) the DIFC DPL.

§10 — Cookies and Tracking Technologies

The website uses cookies and similar technologies on a limited basis — essential cookies for the operation of the website and optional analytics cookies subject to consent. We do not run advertising cookies or social-media-tracking cookies on the website. Full detail is in our Cookie Policy.

§11 — Data Security

We maintain technical and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of personal information in transit using current Transport Layer Security standards;
• Encryption of sensitive personal information at rest, where applicable;
• Access controls limiting personal information to authorised personnel on a need-to-know basis;
• Secure document-management infrastructure for client matter files;
• Regular review of security practices, providers, and infrastructure;
• Documented incident-response procedures;
• Professional confidentiality and data-protection obligations binding all personnel, contractors, and consultants of the firm.

No system can guarantee complete security. The firm will notify affected individuals and relevant supervisory authorities of any personal information breach in accordance with applicable law and professional-conduct rules.

§12 — Data Retention

We retain personal information only for as long as necessary for the purposes for which it is processed, having regard to applicable legal, regulatory, professional-conduct, and contractual requirements.

Enquiry information (where no engagement follows) — typically 24 months from the date of last meaningful contact, after which it is securely deleted or anonymised.

Conflict-check records — retained for the duration necessary to discharge the firm's ongoing conflict-checking obligations, which may extend beyond the closure of any individual matter.

Client identification and AML information — retained for at least five (5) years from the end of the business relationship, in accordance with Section 30 of the Danish AML Act (hvidvaskloven) and equivalent obligations under other applicable AML regimes. May be retained for longer where required by law or where necessary for the establishment, exercise, or defence of legal claims.

Engagement matter files — typically ten (10) years from the conclusion of the engagement, consistent with the limitation periods applicable to professional liability and the firm's professional record-keeping standards. Longer retention may apply where the underlying matter has a longer limitation period, where ongoing professional obligations require it, or where the engagement letter provides for it.

Bookkeeping and accounting records — retained in accordance with applicable bookkeeping law (typically five years in Denmark under the Bogføringsloven).

Website analytics information — as specified in our Cookie Policy.

Information processed under a client data processing agreement — in accordance with that agreement, and not beyond.

On expiry of the applicable retention period, personal information is securely deleted, destroyed, or anonymised in accordance with the firm's data-retention procedures, subject to any continuing legal hold.

§13 — Your Rights

Subject to applicable law and to the firm's professional-confidentiality obligations to clients, you may have the following rights in respect of personal information that we hold about you:

• Access to your personal information and to information about how it is processed;
• Correction of inaccurate or incomplete information;
• Deletion of personal information, subject to the legal, regulatory, and professional limitations that apply (including the firm's retention obligations);
• Restriction of processing in defined circumstances;
• Portability of personal information you have provided to us, in a structured, commonly-used, machine-readable format, subject to applicable conditions;
• Objection to processing based on legitimate interests, including direct marketing;
• Withdraw consent at any time where processing is consent-based, without affecting the lawfulness of processing prior to withdrawal;
• Not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (which, in any event, the firm does not undertake);
• Lodge a complaint with a competent supervisory authority (see §15 below).

Certain rights may be limited where the firm's professional-confidentiality obligations to a client require limitation — for example, where exercising a right would require disclosure of confidential information about another data subject. Where a right is limited, we will tell you and explain the basis.

To exercise these rights, please contact us at [email protected] with the reference "Privacy request". We will respond within the timeframes required by applicable law (one month under the GDPR / UK GDPR, with possible extension for complex requests).

§14 — Specific Regional Rights

European Union / European Economic Area (GDPR): Data subjects in the EU/EEA hold the rights described in §13 and may lodge complaints with the supervisory authority of the EU/EEA Member State of their habitual residence, place of work, or place of the alleged infringement.

United Kingdom (UK GDPR and Data Protection Act 2018): Data subjects in the UK hold the rights described in §13 and may lodge complaints with the Information Commissioner's Office (ICO).

Denmark (Danish Data Protection Act): Data subjects in Denmark may lodge complaints with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.

United Arab Emirates (UAE Federal Decree-Law No. 45 of 2021): Data subjects in the UAE hold rights including access, correction, deletion, restriction, objection to automated decision-making, and the right to lodge complaints with the UAE Data Office.

DIFC (Data Protection Law No. 5 of 2020): Where personal information is processed in connection with a DIFC-based engagement, data subjects hold additional rights including against automated decision-making and the right to lodge complaints with the DIFC Commissioner of Data Protection.

§15 — Complaints

You have the right to complain to a competent supervisory authority. The relevant data-protection authorities include:

• Datatilsynet (Danish Data Protection Agency) — primary supervisory authority for the Danish-controlled processing operations;
• The Information Commissioner's Office (ICO) — for UK-resident data subjects;
• The supervisory authority of the data subject's Member State of habitual residence within the EU/EEA;
• The UAE Data Office — for processing operations subject to UAE PDPL;
• The DIFC Commissioner of Data Protection — for processing operations subject to DIFC DPL.

For complaints concerning the firm's professional services (distinct from data-protection complaints), please contact the firm in the first instance. Civil remedies are available through the courts of competent jurisdiction identified in our Terms of Use.

We encourage you to contact the firm first so that we may address your concerns directly.

§16 — Children's Privacy

The website is not directed at children. The firm does not knowingly collect personal information from individuals under the age of eighteen through the website. Where personal information about a minor is processed in connection with a professional engagement (for example, in family matters or where the minor is a beneficiary of a structure), it is processed under the engagement's specific framework, with appropriate parental or guardian authorisation where applicable, and in accordance with applicable law.

§17 — Third-Party Links

The website may contain links to third-party websites. We are not responsible for the privacy practices or content of any third-party website. Please review the privacy policy of any third-party website you visit.

§18 — Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. When we update this Policy, we will revise the "Last Updated" date at the top. Where the changes are material, we will provide additional notice by appropriate means.

§19 — Contact

Questions, comments, or requests in connection with this Privacy Policy or the firm's data-protection practices may be directed to: