Privacy Policy
How Tristar Middle East collects, uses and protects your personal data when you visit this website or contact us.
Effective: 2026-06-04 · Last updated: 2026-06-04 · Version: 1.0
1. Who we are
This Privacy Policy explains how Tristar Middle East LLC ("Tristar", "we", "us", "our") collects and uses personal data when you visit tristar-me.com (the "Website") or contact us via the Website's enquiry form.
Data controller:
Tristar Middle East LLC
5 El Somal Street, El Korba
Heliopolis, Cairo — Egypt
Email: info@tristar-me.com
Phone: +2 (02) 26 90 91 80
Tristar provides training, consulting and supervisory services to corporate clients in the energy, industrial and corporate sectors across the MENA region. This Website is an informational marketing site with a lead-capture enquiry form. We do not sell training or accept online enrolment through this Website.
2. Scope of this Policy
This Policy covers personal data we collect through:
- The enquiry form on our Contact page
- Direct email or phone enquiries sent to addresses or numbers listed on the Website
- Automated website analytics (described in Section 5)
This Policy does not cover:
- Personal data we collect under a separate signed contract with a corporate client (governed by the client agreement)
- Third-party websites we link to (those sites have their own policies)
- Data processed inside a CIPS training cohort or accredited examination delivery (governed by the awarding body's own privacy terms; see Section 11)
3. What personal data we collect
3.1 Data you give us through the enquiry form
When you submit our enquiry form, we collect: first name, last name, work email (all required); and optionally — phone, organisation, role, interest area, team size, preferred timing, and any message you choose to share.
Please do not include sensitive personal data (e.g., health information, ID numbers, religious or political views, financial account numbers) in the free-text message field. We do not need it and would prefer you didn't send it.
3.2 Data you give us by email or phone
If you contact us by email or phone, we collect whatever personal data you choose to share with us in that communication (typically: name, email address, phone number, employer, and the content of your message).
3.3 Data we collect automatically (analytics)
When you visit the Website, our analytics provider may collect: IP address (truncated or hashed where supported), approximate geographic location (country / city), device type, operating system, browser, pages visited, time spent, referring URL, and date/time of visit.
We use a single privacy-respecting analytics provider — the active provider is named in Section 5. We do not use marketing or advertising cookies. We do not run remarketing campaigns.
4. Why we use your data, and our legal basis
Under GDPR Article 6, we rely on the following lawful bases:
- Performance of pre-contractual steps (Art. 6(1)(b)) — to reply to your enquiry, prepare and send a proposal
- Legitimate interest (Art. 6(1)(f)) — to keep a record of the conversation in our CRM / email; and for aggregated, non-identifying website analytics where used
- Consent (Art. 6(1)(a)) — for analytics cookies if our active analytics provider sets them
- Legal obligation (Art. 6(1)(c)) — to comply with tax, regulatory, and court-order obligations
For KSA PDPL purposes, we rely on contractual necessity (Art. 6(2)), legitimate interest (Art. 6(5)) and explicit consent (Art. 6(1)) as applicable to each processing activity.
5. Cookies and analytics
Strictly necessary cookies (always on, no consent required): a session cookie for basic site function (e.g., remembering whether you have dismissed any banner). Expires when you close your browser, or after a maximum of 30 days.
Analytics: The active analytics provider for this Website will be confirmed before public launch. Our preference is a cookie-less, privacy-first provider (e.g., Plausible Analytics) that requires no consent banner under EU ePrivacy rules. If a cookie-based provider is later adopted, we will display a cookie consent banner with Accept / Reject of equal prominence before any analytics cookies are set.
Marketing / advertising cookies: None. We do not run advertising or remarketing campaigns from this Website.
6. Who we share your data with
We share personal data only with the parties listed below, only for the purposes stated, and only under appropriate written agreements (data processing agreements / DPAs where required):
- Our website host (Hetzner Cloud) — hosting the Website and receiving enquiry submissions. Location: EU (Germany)
- Our analytics provider — aggregated traffic analytics only
- Our email / CRM provider — receiving and responding to enquiries
- Our form handler (if used, e.g., Formspree) — receiving form submissions and forwarding to our inbox
- Professional advisers (lawyers, auditors, accountants) — where reasonably necessary
- Government authorities — where required by law (e.g., tax authority, court order)
We do not sell your personal data. We do not share it with third-party advertisers or data brokers.
7. International data transfers
Tristar operates across MENA and serves visitors from the EU, GCC and beyond. Personal data may be transferred and stored outside your home country, including in Egypt (our HQ), the EU (hosting), and potentially the United States (only if a US-based provider is in use, under the EU-U.S. Data Privacy Framework and standard contractual clauses).
For data subjects in KSA, transfers comply with KSA PDPL Article 29 and implementing regulations. For data subjects in the UAE, transfers comply with UAE Federal Decree-Law No. 45 of 2021 (PDPL) and applicable free-zone rules.
8. How long we keep your data
- Enquiry submissions that do not convert — 24 months from the date of submission
- Enquiry submissions that do convert — duration of the engagement plus 7 years thereafter (Egyptian commercial / tax law)
- Email correspondence — 24 months for non-converting prospects; longer where related to a live or past client engagement
- Analytics data — varies by provider (Plausible: aggregated, indefinite; GA4: 14 months event-level then aggregated)
You can ask us to delete your data sooner — see Section 9.
9. Your rights
Depending on where you are located, you have rights over your personal data under one or more regimes:
9.1 Under GDPR (EU/EEA and UK visitors)
Access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent, and the right to lodge a complaint with your national supervisory authority.
9.2 Under KSA PDPL (Saudi Arabia visitors)
The right to be informed; the right of access; the right to a readable copy; the right to rectification; the right to destruction; and the right to lodge a complaint with the Saudi Data and AI Authority (SDAIA).
9.3 Under UAE PDPL (UAE visitors)
Information, access, data portability, rectification, erasure, restriction of processing, objection (including to automated decision-making, which we do not currently undertake), and the right to lodge a complaint with the UAE Data Office.
9.4 How to exercise your rights
Email info@tristar-me.com with the subject line "Data Request" and include: (1) which right you want to exercise, (2) your full name and the email address you used when contacting us, and (3) a copy of a government-issued ID, only if we cannot otherwise verify your identity (we will ask, not assume).
We will respond within 30 calendar days of receiving a verified request (extendable by a further 60 days for complex requests, where local law permits). There is no charge for the first request in any 12-month period.
10. Data Protection Officer
Under GDPR Article 37 we are not required to appoint a DPO because our core activities do not involve large-scale processing of special-category data or large-scale, regular and systematic monitoring of data subjects. Under KSA PDPL implementing regulations, our website processing does not meet the thresholds requiring a Personal Data Protection Officer.
Nevertheless, our designated contact point for all data protection matters is info@tristar-me.com (subject line: "Data Request" or "Privacy Question").
11. CIPS programmes and other accredited training
When you enrol in a CIPS programme (or another accredited programme we deliver), you also enter a relationship with the awarding body (e.g., the Chartered Institute of Procurement & Supply). The awarding body is an independent data controller for examination, certification and registration purposes, and has its own privacy policy. We will provide a link to the awarding body's privacy policy at the point of enrolment. This Website itself does not enrol you — enrolment is handled separately after you contact us.
12. Security
We protect personal data using appropriate technical and organisational measures, including HTTPS / TLS encryption for all Website traffic, encrypted storage on our hosting provider, access controls limiting who at Tristar can view enquiry submissions, staff confidentiality obligations, and regular review of third-party providers' security posture.
No system is 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR Art. 33) and, where the risk is high, notify affected individuals without undue delay.
13. Children
This Website is directed at corporate L&D and procurement professionals — not children. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please email info@tristar-me.com and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Material changes will be highlighted on the Website for a reasonable period after the change takes effect.
15. Contact us
For any privacy question, data request, or complaint:
Email: info@tristar-me.com
Post: Tristar Middle East LLC, 5 El Somal Street, El Korba, Heliopolis, Cairo — Egypt
Phone: +2 (02) 26 90 91 80