IMPORTANT NOTICE

Privacy Policy

This Privacy Policy explains how Oliva DB Properties Co. L.L.C S.O.C collects, uses, stores, protects, and shares your personal data. By engaging our services, accessing our Platform, or providing personal data to us, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy should be read in conjunction with our Terms and Conditions, which contain important provisions regarding limitation of liability that apply to data processing activities.

Updated December 11, 2025

DATA CONTROLLER AND REGULATORY STATUS

1. Data Controller

1.1 Oliva DB Properties Co. L.L.C S.O.C ("Oliva," "Company," "we," "us," or "our") is the data controller responsible for your personal data under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL"). As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring such processing complies with applicable data protection laws.

1.2 Our regulatory credentials and contact details are:

Legal Entity Name: Oliva DB Properties Co. L.L.C S.O.C
Trade License Number: 1573501
RERA Broker Registration (BRN): 1573501
Registered Address: Ontario Tower - C1801-06, Business Bay, Dubai
Data Protection Contact: [email protected]
General Phone: +971 50 852 1658

1.3 This Privacy Policy applies to all personal data we collect when you:

  1. access or use our website, mobile application, or platform (collectively, the "Platform");
  2. register an account or complete our onboarding process;
  3. engage our brokerage services for property transactions;
  4. communicate with us via email, telephone, WhatsApp, or other channels;
  5. sign RERA-mandated documentation (Form A, Form B, or Form F); or
  6. interact with us in any other manner in connection with Dubai residential property transactions.

2. Regulatory Status — Important Clarifications

2.1 Oliva is a real estate brokerage licensed by the Dubai Land Department ("DLD") and registered with the Real Estate Regulatory Agency ("RERA") under Bylaw 85 of 2006. We are subject to RERA's regulatory oversight for our brokerage activities.

2.2 We are also a Designated Non-Financial Business and Profession ("DNFBP") under Federal Decree-Law No. 20 of 2018 concerning Anti-Money Laundering and Combating the Financing of Terrorism, which imposes specific data collection and retention obligations upon us.

2.3 What We Are NOT: We are NOT regulated by the Securities and Commodities Authority (SCA), Dubai Financial Services Authority (DFSA), or Central Bank of UAE (CBUAE). We do not provide financial, investment, legal, or tax advice, and we do not hold or manage client funds for investment purposes.

DEFINITIONS AND INTERPRETATION

3. Definitions

3.1 In this Privacy Policy, unless the context otherwise requires, the following expressions shall have the following meanings:

"AML" means anti-money laundering, as governed by Federal Decree-Law No. 20 of 2018 and its implementing regulations.

"Biometric Data" means personal data resulting from specific technical processing relating to physical, physiological, or behavioral characteristics of a natural person, including facial images captured during identity verification.

"CDD" means Customer Due Diligence as required under UAE AML regulations.

"Consent" means any freely given, specific, informed, and unambiguous indication of your wishes by which you, by a clear affirmative action, signify agreement to the processing of your personal data.

"Data Subject" means an identified or identifiable natural person whose personal data is processed; in this Privacy Policy, this refers to "you."

"EDD" means Enhanced Due Diligence required for higher-risk customers under UAE AML regulations.

"FIU" means the UAE Financial Intelligence Unit established under Federal Decree-Law No. 20 of 2018.

"goAML" means the UAE's online reporting portal for suspicious transaction reports and other AML-related filings.

"KYC" means Know Your Customer verification procedures conducted pursuant to UAE AML regulations.

"PDPL" means Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and any implementing regulations or amendments thereto.

"PEP" means a Politically Exposed Person as defined under Cabinet Decision No. 10 of 2019 and subsequent amendments.

"Personal Data" means any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

"Platform" means the Oliva website (joinoliva.com) and any associated digital services.

"Processing" means any operation or set of operations performed on personal data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means a natural or legal person who processes personal data on behalf of and under the instructions of the data controller.

"Sensitive Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning a person's sex life or sexual orientation.

"STR" means Suspicious Transaction Report filed with the FIU through the goAML portal.

"UAE Data Office" means the regulatory authority established under PDPL responsible for data protection oversight in the UAE.

"UBO" means Ultimate Beneficial Owner as defined under Cabinet Resolution No. 58 of 2020 and subsequent amendments.

3.2 Terms defined in our Terms and Conditions have the same meaning in this Privacy Policy unless otherwise specified. In the event of any conflict between this Privacy Policy and our Terms and Conditions, the Terms and Conditions shall prevail to the extent of the inconsistency.

PERSONAL DATA WE COLLECT

4. Categories of Personal Data

4.1 We collect and process the following categories of personal data. The specific data collected depends on how you interact with us and which services you use.

4.1.1 Identity Data

  1. Full legal name (as appearing on official documents)
  2. Nationality and country of citizenship
  3. Date of birth and place of birth
  4. Passport number, issue date, expiry date, and full passport copy
  5. Emirates ID number and copy (for UAE residents)
  6. Visa status and visa copy (for UAE residents)
  7. Photographs (passport photograph and live verification images)
  8. Biometric identifiers (facial geometry captured during KYC verification)
  9. Gender
  10. Signature

4.1.2 Contact Data

  1. Email address (personal and/or business)
  2. Mobile telephone number (with country code)
  3. Landline telephone number (if provided)
  4. WhatsApp number (if different from mobile)
  5. Residential address (current and previous if recent)
  6. Mailing address (if different from residential)
  7. Country of residence and tax residency
  8. Proof of address documentation

4.1.3 Financial Data

  1. Source of funds documentation and declarations
  2. Source of wealth information
  3. Bank statements (typically 6 months)
  4. Bank account details for transaction purposes
  5. Employment details (employer name, position, tenure)
  6. Salary certificates and income verification
  7. Investment budget and financial capacity
  8. Payment history and commission payment records
  9. Credit card information (processed by third-party payment processors, not stored by Oliva)

4.1.4 Transaction Data

  1. Property search preferences and requirements
  2. Property viewing history
  3. Offers made and negotiation history
  4. Signed RERA documentation (Form A, Form B, Form F)
  5. Sales and Purchase Agreements (SPAs)
  6. Property portfolio information
  7. Transaction completion records
  8. DLD registration information
  9. Oqood registration details (for off-plan purchases)

4.1.5 Technical Data

  1. IP address
  2. Browser type, version, and settings
  3. Device type, operating system, and unique device identifiers
  4. Approximate location data (derived from IP address)
  5. Website and Platform usage data
  6. Pages visited and time spent
  7. Referral source
  8. Cookie data and tracking identifiers

4.1.6 Communication Data

  1. Email correspondence (content and metadata)
  2. WhatsApp messages and communications
  3. Telephone call records and, where disclosed and consented to, call recordings
  4. Video call records
  5. Survey responses and feedback
  6. Marketing preferences and consent records
  7. Complaint records

4.1.7 Corporate Data (for Corporate Clients)

  1. Company name and legal form
  2. Trade license and registration details
  3. Memorandum and Articles of Association
  4. Shareholder register and ownership structure
  5. Ultimate Beneficial Owner (UBO) information
  6. Board resolutions and corporate authorizations
  7. Authorized signatory details and powers of attorney
  8. Financial statements

5. Sensitive Personal Data

5.1 We may process the following categories of Sensitive Personal Data:

  1. Biometric Data: Facial geometry and images captured during KYC verification through our processor iDenfy. This is processed solely for identity verification purposes as required by AML regulations.
  2. Nationality and Ethnic Origin: Collected as part of identity verification and may be required for transaction reporting to DLD and RERA.
  3. Political Exposure: We screen for PEP status as required by AML regulations, which may reveal political affiliations or positions.

5.2 We process Sensitive Personal Data only where:

  1. processing is necessary for compliance with UAE AML/KYC legal obligations;
  2. processing is necessary for the establishment, exercise, or defense of legal claims; or
  3. you have given explicit consent to such processing for specified purposes.

6. How We Collect Personal Data

6.1 Directly from You: We collect personal data that you provide directly, including when you register an account, complete our investor questionnaire, submit KYC documentation, make offers on properties, sign RERA forms, communicate with your advisor, or contact our support team.

6.2 Automatically: When you use our Platform, we automatically collect Technical Data through cookies, server logs, and similar technologies. See Part 12 for details on cookies.

6.3 From Third Parties: We may receive personal data from:

  1. iDenfy: KYC verification results, including identity confirmation, document authenticity assessment, sanctions screening results, and PEP screening results.
  2. Property Developers: Transaction-related information for off-plan purchases.
  3. DLD and RERA: Property registration information and regulatory records.
  4. Referral Sources: Basic contact information where you have been referred to us by an existing client or partner.
  5. Publicly Available Sources: Information from public registers, news sources, and sanctions lists for compliance screening.

LEGAL BASES FOR PROCESSING

7. Legal Bases Under PDPL

7.1 Under PDPL, consent is the default requirement for processing personal data. However, PDPL permits processing without consent in specific circumstances. We process your personal data under the following legal bases:

7.1.1 Contractual Necessity (PDPL Article 4)

Processing necessary to perform our brokerage services agreement with you or to take steps at your request before entering into such agreement. This includes:

  1. creating and managing your account;
  2. matching you with suitable properties based on your requirements;
  3. arranging property viewings;
  4. facilitating negotiations between you and sellers/developers;
  5. preparing and processing RERA-mandated documentation;
  6. coordinating transactions with DLD;
  7. processing commission payments; and
  8. providing post-transaction support.

7.1.2 Legal Compliance (PDPL Article 4)

Processing necessary to comply with UAE legal obligations to which we are subject. This includes:

  1. AML/KYC Obligations: Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019, and Cabinet Decision No. 24 of 2022 require us to verify customer identity, conduct customer due diligence, screen against sanctions and PEP lists, document source of funds, identify beneficial owners, and retain records for prescribed periods.
  2. RERA Record-Keeping: Bylaw 85 of 2006 requires us to maintain private records of all transactions with supporting documentation.
  3. DLD Transaction Reporting: We must submit transaction information to DLD as part of the property registration process.
  4. FIU Reporting: Where we identify suspicious activity, we are legally required to file reports with the FIU through the goAML portal. We cannot inform you if such a report is filed.
  5. Tax Reporting: Compliance with applicable tax regulations, including VAT reporting.

7.1.3 Explicit Consent (PDPL Article 6)

For processing that is not covered by contractual necessity or legal compliance, we obtain your explicit, informed consent. Consent-based processing includes:

  1. sending marketing communications about new developments and investment opportunities;
  2. sharing your contact information with mortgage broker referral partners;
  3. sharing your information with property management referral partners;
  4. sharing your information with inspection and snagging referral partners;
  5. processing optional data not required for our core services; and
  6. international transfers to jurisdictions without adequate protection (where not covered by other safeguards).

7.2 Withdrawing Consent: Where we process your personal data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent, contact us at [email protected]. Note that withdrawal of consent for certain processing may affect our ability to provide services to you.

7.1.4 Legal Claims (PDPL Article 4)

Processing necessary for the establishment, exercise, or defense of legal claims, including:

  1. maintaining records to defend against potential claims;
  2. sharing data with legal advisors in connection with actual or threatened litigation; and
  3. pursuing or defending claims in courts, arbitration, or regulatory proceedings.

HOW WE USE YOUR PERSONAL DATA

8. Processing Purposes

8.1 We use your personal data for the following purposes:

8.1.1 Service Delivery

  1. Creating and managing your Oliva account
  2. Assigning you a dedicated real estate advisor
  3. Matching you with suitable properties based on your stated requirements, budget, and preferences
  4. Providing personalized weekly property recommendations
  5. Arranging property viewings (in-person or virtual)
  6. Facilitating negotiations between you and sellers or developers
  7. Preparing, processing, and registering RERA-mandated documentation
  8. Coordinating with DLD for transaction registration
  9. Processing Oqood registration for off-plan purchases
  10. Processing commission and fee payments
  11. Providing post-transaction support and documentation

8.1.2 Legal and Regulatory Compliance

  1. Conducting KYC verification through our processor iDenfy
  2. Performing CDD and, where required, EDD
  3. Screening against international sanctions lists
  4. Screening for PEP status
  5. Verifying and documenting source of funds
  6. Identifying and verifying Ultimate Beneficial Owners
  7. Maintaining transaction records as required by RERA and DLD
  8. Filing reports with the FIU where legally required
  9. Responding to regulatory enquiries, audits, and investigations
  10. Complying with court orders and legal process

8.1.3 Communication

  1. Sending transaction updates and documentation
  2. Providing customer support and responding to inquiries
  3. Sending service-related notifications
  4. With your consent, sending marketing communications about new developments and investment opportunities
  5. Conducting customer satisfaction surveys

8.1.4 Business Operations and Improvement

  1. Analyzing service usage to improve our offerings
  2. Developing and enhancing our Platform
  3. Training staff on customer service and compliance
  4. Quality assurance and performance monitoring
  5. Internal reporting and analytics

8.1.5 Security and Fraud Prevention

  1. Protecting against unauthorized access to accounts
  2. Detecting and preventing fraud and financial crime
  3. Monitoring for suspicious activity
  4. Ensuring Platform security and integrity
  5. Investigating potential breaches or violations

8.1.6 Legal Claims and Dispute Resolution

  1. Establishing, exercising, or defending legal claims
  2. Responding to complaints and disputes
  3. Cooperating with RERA dispute resolution processes
  4. Maintaining records for litigation support

DATA SHARING AND DISCLOSURE

9. Categories of Recipients

9.1 We share your personal data with the following categories of recipients. We require all recipients to respect the security of your personal data and to treat it in accordance with applicable law.

9.1.1 Service Providers (Processors)

These parties process personal data on our behalf and under our instructions:

  1. iDenfy (Lithuania, EU): KYC/AML identity verification, document authentication, sanctions screening, and PEP screening. iDenfy processes biometric data for identity verification purposes.
  2. Hostinger: Secure storage and hosting of Platform data.
  3. Stripe: Processing of commission and fee payments. We do not store full credit card details.
  4. CRM and Communication Platforms: Customer relationship management and communication facilitation.
  5. Analytics Providers: Website and Platform analytics (see Part 12 on Cookies).

9.2 We have entered into Data Processing Agreements with all processors requiring them to:

  1. process personal data only on our documented instructions;
  2. ensure that personnel are bound by confidentiality obligations;
  3. implement appropriate technical and organizational security measures;
  4. assist us with data subject rights requests;
  5. notify us of any data breaches;
  6. delete or return personal data upon termination; and
  7. not engage sub-processors without our authorization.

9.1.2 Regulatory Authorities (Independent Controllers)

These parties receive personal data under their own legal authority and process it as independent controllers:

  1. Dubai Land Department (DLD): Transaction registration, title deed issuance, and Oqood registration.
  2. Real Estate Regulatory Agency (RERA): Regulatory compliance, broker supervision, and dispute resolution.
  3. Financial Intelligence Unit (FIU): Receipt of STRs and SARs where legally required. We cannot inform you if a report is filed.
  4. UAE Data Office: Data protection regulatory oversight (once operational).
  5. Tax Authorities: VAT reporting and compliance.
  6. Courts and Law Enforcement: Where required by court order, legal process, or applicable law.

9.1.3 Transaction Parties (Independent Controllers)

To facilitate property transactions, we share relevant personal data with:

  1. Property Developers: For off-plan purchases, we share your identity, contact, and transaction data with the developer to facilitate the SPA and registration.
  2. Property Sellers and Their Representatives: For resale transactions, we share necessary information to facilitate negotiations and complete the transaction.
  3. Escrow Account Trustees: Off-plan payment verification and processing.
  4. Cooperating Brokers: Where other RERA-licensed brokers are involved in a transaction under Form I arrangements.

9.1.4 Third-Party Referrals (With Your Consent)

Where you request referrals to third-party service providers, we may share your contact information with:

  1. Mortgage Brokers and Banks: To facilitate financing arrangements.
  2. Property Management Companies: To facilitate property management services.
  3. Inspection and Snagging Services: To facilitate property inspections.

9.3 Important: When we refer you to third-party service providers, those providers become independent data controllers and process your data under their own privacy policies. We are not responsible for their data processing practices.

9.1.5 Professional Advisors

We may share personal data with our professional advisors including:

  1. Legal advisors (in connection with legal claims or advice)
  2. Auditors (for statutory audit purposes)
  3. Accountants (for tax and financial reporting)
  4. Consultants (for compliance and operational purposes)

10. We Do NOT Sell Your Data

10.1 We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

10.2 We do NOT share your personal data with third parties for purposes unrelated to our services or legal obligations without your explicit consent.

INTERNATIONAL DATA TRANSFERS

11. Transfers Outside the UAE

11.1 Given our global investor base and use of international service providers, your personal data may be transferred to and processed in countries outside the United Arab Emirates.

11.1.1 Transfers to the European Union

We use iDenfy, an EU-based identity verification provider headquartered in Lithuania, to conduct KYC/AML verification. Personal data transferred to iDenfy includes identity documents, biometric data (facial images), and screening information. These transfers are protected by:

  1. A comprehensive Data Processing Agreement requiring PDPL-equivalent protections;
  2. The EU General Data Protection Regulation (GDPR), which provides robust data protection standards; and
  3. Technical and organizational security measures implemented by iDenfy.

11.1.2 Transfers to Other Jurisdictions

Where we transfer personal data to countries that have not received an adequacy determination from the UAE Data Office (noting that no adequacy list has been published as of the date of this Policy), we implement appropriate safeguards including:

  1. Binding contractual clauses requiring the recipient to comply with PDPL-equivalent standards;
  2. Technical security measures including encryption of data in transit and at rest;
  3. Assessment of the legal framework and data protection standards in the destination country; and
  4. Where required by PDPL, obtaining your explicit consent for such transfers.

11.2 By using our services, you acknowledge that your personal data may be transferred internationally as described in this Part 7. You may request information about the specific safeguards we have implemented for any particular transfer by contacting us at [email protected].

DATA RETENTION

12. Retention Periods

12.1 We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

12.2 The following retention periods apply:

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| KYC/AML Records | Minimum 5 years from termination of business relationship or transaction completion | Federal Decree-Law No. 20/2018 |
| Transaction Records | Minimum 5 years from transaction completion | AML Law + RERA Bylaw 85 |
| RERA Forms (A, B, F) | 5 years from transaction completion | RERA Bylaw 85 of 2006 |
| Communication Records | 5 years from last communication | RERA record-keeping + limitation period |
| Marketing Consent Records | Until withdrawal plus 3 years | Limitation period for claims |
| Website Analytics | 24 months | Business purposes |
| Account Data (no transaction) | 3 years from last activity | Business purposes |

12.3 After the applicable retention period expires, personal data is either:

  1. securely deleted using industry-standard deletion methods; or
  2. anonymized so that it can no longer be associated with you.

12.4 Exceptions: We may retain personal data for longer periods where:

  1. required by applicable law or regulation;
  2. necessary for ongoing or anticipated legal proceedings;
  3. necessary to establish, exercise, or defend legal claims; or
  4. required by a regulatory authority or court order.

YOUR DATA SUBJECT RIGHTS

13. Rights Under PDPL

13.1 Under PDPL, you have the following rights in relation to your personal data:

13.1.1 Right to Access (Article 13)

You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data free of charge. Information provided includes: categories of data processed, purposes of processing, recipients or categories of recipients, retention periods, your rights, information about data sources (where not collected from you), and details of any automated decision-making.

13.1.2 Right to Rectification (Article 15)

You have the right to request correction of inaccurate personal data and completion of incomplete data. We will notify relevant third parties of corrections where practicable.

13.1.3 Right to Erasure (Article 15)

You have the right to request deletion of your personal data where:

  1. the data is no longer necessary for the purposes for which it was collected;
  2. you withdraw consent (where consent is the legal basis) and there is no other legal basis;
  3. the processing violates PDPL; or
  4. erasure is required to comply with UAE law.

Exception: We cannot delete data where retention is required by AML law (minimum 5 years), for ongoing or anticipated legal proceedings, or to comply with other legal obligations.

13.1.4 Right to Data Portability (Article 14)

Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller. We will facilitate such transfer where technically feasible.

13.1.5 Right to Restrict Processing (Article 16)

You have the right to request restriction of processing where:

  1. you contest the accuracy of the data (restriction applies while we verify accuracy);
  2. processing is unlawful but you prefer restriction over erasure;
  3. we no longer need the data but you require it for legal claims; or
  4. you have objected to processing pending verification of our grounds.

13.1.6 Right to Object (Article 17)

You have the right to object to processing for direct marketing purposes at any time. Upon objection, we will cease processing for marketing purposes without delay.

13.1.7 Right Regarding Automated Decision-Making (Article 18)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant effects concerning you. See Part 14 for details on our automated processing.

14. Exercising Your Rights

14.1 How to Submit Requests: Submit data subject requests to [email protected]. Please provide sufficient information to identify yourself (full name, email address, account details) and clearly describe your request.

14.2 Identity Verification: To protect your privacy, we may verify your identity before processing requests. We may request additional information if we cannot verify your identity from the information provided.

14.3 Response Time: We will respond to valid requests within one (1) calendar month. This period may be extended by two (2) additional months for complex requests or where we receive multiple requests from the same individual. We will inform you of any extension within the first month.

14.4 Fees: We do not charge fees for processing data subject requests unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act on the request.

14.5 Right to Complain: If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office (once operational). See Part 16 for complaint procedures.

DATA SECURITY

15. Security Measures

15.1 We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or damage. These measures include:

15.1.1 Technical Measures

  1. Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security).
  2. Encryption at Rest: Personal data stored on our systems is encrypted using AES-256 encryption.
  3. Access Controls: Role-based access controls limiting data access to authorized personnel with a legitimate business need.
  4. Multi-Factor Authentication: Required for all system access by our personnel.
  5. Network Security: Firewalls, intrusion detection systems, and monitoring tools.
  6. Secure Development: Security-focused development practices for our Platform.

15.1.2 Organizational Measures

  1. Confidentiality Obligations: All personnel are bound by confidentiality obligations.
  2. Staff Training: Regular training on data protection, security awareness, and compliance.
  3. Vendor Management: Due diligence on third-party processors and contractual security requirements.
  4. Physical Security: Security measures at our offices including access controls and visitor management.
  5. Incident Response: Documented procedures for responding to potential security incidents and data breaches.
  6. Regular Assessments: Periodic security assessments and testing.

15.2 Security Disclaimer: While we implement robust security measures consistent with industry standards, no method of data transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your personal data. You acknowledge that you provide personal data at your own risk.

15.3 Your Responsibility: You are responsible for maintaining the confidentiality of your account credentials and for all activities under your account. Please notify us immediately at [email protected] if you suspect unauthorized access to your account.


DATA BREACH NOTIFICATION

16. Breach Response

16.1 In the event of a personal data breach that would prejudice the privacy, confidentiality, or security of your personal data, we will:

  1. Regulatory Notification: Immediately notify the UAE Data Office (once operational) of the breach and provide the nature, form, and reasons for the breach; approximate number of affected records; the breached records; contact details for our data protection contact; and investigation results and remedial measures taken.
  2. Data Subject Notification: Where the breach poses a direct and serious threat to your privacy, we will notify you of the breach, its scope, potential consequences, and measures we have taken or recommend you take.
  3. Documentation: Document the breach and our response in accordance with PDPL Article 9.

16.2 We maintain incident response procedures to ensure timely detection, assessment, and response to potential breaches.

COOKIES AND TRACKING TECHNOLOGIES

17. Cookies Overview

17.1 Our Platform uses cookies and similar tracking technologies to improve user experience, analyze usage, and deliver relevant content. A cookie is a small text file stored on your device when you visit a website.

18. Types of Cookies We Use

18.1 Strictly Necessary Cookies: Essential for Platform operation. These cookies enable core functionality such as security, account access, and session management. They cannot be disabled.

18.2 Functional Cookies: Remember your preferences and settings to enhance your experience. Examples include language preferences and display settings.

18.3 Analytics Cookies: Help us understand how visitors interact with our Platform by collecting information anonymously. We use this data to improve our services.

18.4 Marketing Cookies: Track visitors across websites to display relevant advertisements. We only use marketing cookies with your consent.

19. Managing Cookies

19.1 When you first visit our Platform, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time through our cookie settings.

19.2 You can also control cookies through your browser settings. Note that disabling certain cookies may affect Platform functionality.

19.3 For detailed information on cookies we use, see Schedule 3: Cookie Policy.

CHILDREN'S DATA

20. Age Restrictions

20.1 Our services are not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal data from children under 18.

20.2 If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us immediately at [email protected]. We will take steps to delete such data from our systems.

AUTOMATED DECISION-MAKING

21. Automated Processing

21.1 We may use automated processing in the following areas:

  1. KYC Verification: Automated document verification and facial recognition through iDenfy. Results are subject to human review before final decisions.
  2. Sanctions and PEP Screening: Automated screening against international sanctions lists and PEP databases. Matches are subject to human review.
  3. Property Matching: Algorithm-assisted matching of properties to your stated preferences. Final recommendations are curated by your advisor.
  4. Fraud Detection: Automated monitoring for suspicious activity patterns.

21.2 Human Review: We do not make solely automated decisions with significant legal effects without human oversight. All significant decisions affecting your ability to use our services involve human review.

21.3 Your Rights: You have the right to request human intervention in automated decisions, to express your point of view, and to contest decisions. Contact [email protected].

LIMITATION OF LIABILITY FOR DATA PROCESSING

IMPORTANT — PLEASE READ THIS SECTION CAREFULLY — This section contains important limitations on our liability for data processing activities. These limitations are subject to and should be read in conjunction with Part 9 (Limitation of Liability) of our Terms and Conditions.

22. Liability Limitations

22.1 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND WITHOUT PREJUDICE TO YOUR RIGHTS UNDER PDPL:

22.2 Liability Cap: Our total aggregate liability for any claims arising from or relating to our processing of your personal data, whether in contract, tort (including negligence), statutory duty, or otherwise, shall not exceed the lower of: (a) the total fees actually paid by you to us in the twelve (12) months preceding the claim; or (b) FIFTY THOUSAND DIRHAMS (AED 50,000).

22.3 Excluded Losses: We shall not be liable for any:

  1. indirect, incidental, consequential, special, or punitive damages;
  2. loss of profits, revenue, business, or anticipated savings;
  3. loss of goodwill or reputation;
  4. losses arising from third-party processor actions beyond our reasonable control;
  5. losses arising from your failure to maintain account security; or
  6. losses arising from circumstances beyond our reasonable control,

regardless of whether we were advised of, or should have been aware of, the possibility of such losses.

22.4 Non-Excludable Liability: Nothing in this Privacy Policy excludes or limits our liability for:

  1. fraud or fraudulent misrepresentation;
  2. gross negligence or willful misconduct;
  3. any liability that cannot be lawfully excluded under UAE law or PDPL; or
  4. penalties imposed directly on us by the UAE Data Office for our own regulatory violations.

22.5 Security Disclaimer: You acknowledge that: (a) no data transmission or storage method is completely secure; (b) you provide personal data at your own risk; and (c) the security measures we implement are consistent with industry standards but do not guarantee absolute protection.

22.6 Third-Party Processors: While we require our processors to implement appropriate security measures and comply with contractual data protection obligations, we cannot guarantee their performance. Our liability for processor actions is limited to the extent we have failed to exercise appropriate due diligence or oversight.

COMPLAINTS AND DISPUTE RESOLUTION

23. Complaint Procedure

23.1 Step 1 — Contact Us: If you have concerns about our data processing practices or wish to make a complaint, please contact us first at:

Email: [email protected]

Address: Ontario Tower - C1801-06, Business Bay, Dubai

Please provide: your full name and contact details, a clear description of your concern, any relevant documentation, and your desired resolution.

23.2 Our Response: We will acknowledge your complaint within two (2) business days and aim to provide a substantive response within fourteen (14) days. Complex complaints may require additional time, in which case we will keep you informed of progress.

23.3 Step 2 — Escalation: If you are not satisfied with our initial response, you may request escalation to senior management by emailing [email protected].

23.4 Step 3 — Regulatory Complaint: If you remain unsatisfied, you have the right to lodge a complaint with the UAE Data Office. Contact details will be published when the UAE Data Office becomes operational. In the interim, you may also contact RERA through the Real Estate Violation System (RVS) at rvs.dubailand.gov.ae for complaints related to our brokerage services.

23.5 Step 4 — Legal Proceedings: Nothing in this Privacy Policy limits your right to pursue legal remedies in accordance with the dispute resolution provisions of our Terms and Conditions.

CHANGES TO THIS PRIVACY POLICY

24. Policy Updates

24.1 We may update this Privacy Policy periodically to reflect changes in our data processing practices, regulatory requirements, or business operations.

24.2 Material Changes: For material changes that significantly affect how we process your personal data, we will notify you via email at least fourteen (14) days before the changes take effect. Material changes include: new categories of personal data collected, new processing purposes, significant changes to data sharing arrangements, and changes to your rights.

24.3 Non-Material Changes: For non-material changes (clarifications, formatting, corrections), we may update the Policy without prior notice. The "Last Updated" date at the top of this Policy indicates the most recent revision.

24.4 Continued Use: Your continued use of our services after changes take effect constitutes acceptance of the updated Privacy Policy. If you disagree with any changes, you should discontinue use of our services and may exercise your data subject rights including erasure (subject to legal retention requirements).

GOVERNING LAW AND JURISDICTION

25. Governing Law

25.1 This Privacy Policy is governed by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and, to the extent not addressed by PDPL, the laws of the United Arab Emirates and the Emirate of Dubai.

26. Jurisdiction

26.1 Subject to the dispute resolution provisions in our Terms and Conditions (including arbitration provisions for claims exceeding AED 500,000), the courts of Dubai shall have exclusive jurisdiction to settle any disputes arising from or in connection with this Privacy Policy.

27. Language

27.1 This Privacy Policy is provided in English and may be translated into Arabic for regulatory compliance purposes.

27.2 In the event of any conflict between the English and Arabic versions:

  1. the Arabic version shall prevail in proceedings before UAE Courts; and
  2. the English version shall prevail in DIAC arbitration where English is selected as the language.

CONTACT INFORMATION

28. How to Contact Us

Department | Contact
General Inquiries | [email protected]
Legal and Compliance | [email protected]
Complaints | [email protected]
Data Protection | [email protected]
Office Hours | Monday - Saturday, 9:00 AM - 9:00 PM GST
Trade License Number | 1573501
RERA Broker Registration (BRN) | 1573501
Registered Address | Ontario Tower - C1801-06, Business Bay, Dubai
General Phone | +971 50 852 1658

SCHEDULE 1: DATA PROCESSING DETAILS

The following table provides a detailed overview of our data processing activities:

Processing Activity | Data Categories | Legal Basis | Retention
Account registration | Identity, Contact | Contract | Duration of relationship + 5 years
KYC verification | Identity, Biometric, Financial | Legal compliance | 5 years minimum
Property matching | Transaction, Preferences | Contract | Duration of relationship
Transaction facilitation | Identity, Contact, Financial, Transaction | Contract + Legal compliance | 5 years minimum
Marketing | Contact, Preferences | Consent | Until consent withdrawal + 3 years
Website analytics | Technical | Consent | 24 months

SCHEDULE 2: THIRD-PARTY PROCESSORS

The following third-party processors may process your personal data on our behalf:

Processor | Purpose | Location | Safeguards
iDenfy | KYC/AML verification | Lithuania, EU | GDPR + DPA
Hostinger | Platform infrastructure | India | DPA + contractual safeguards
Stripe | Payment processing | International | PCI-DSS + DPA
Postmark Twilio Sender | Customer management | International | DPA + contractual safeguards
Google Analytics Google Tag Manager Hotjar Facebook LinkedIn | Website analytics | International | DPA + anonymization

Note: Specific processor names may change. Contact [email protected] for current processor details.

SCHEDULE 3: COOKIE POLICY

What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They serve various purposes including remembering your preferences, enabling functionality, and providing analytics.

Cookies We Use

Category | Purpose | Duration | Consent Required
Strictly Necessary | Essential for Platform operation (security, authentication, session management) | Session or up to 24 hours | No (always active)
Functional | Remember preferences (language, display settings) | Up to 12 months | Yes
Analytics | Understand how visitors use the Platform | Up to 24 months | Yes
Marketing | Deliver relevant advertisements | Up to 24 months | Yes

Managing Your Cookie Preferences

You can manage cookie preferences through:

  • Cookie Banner: When you first visit our Platform, use the cookie consent banner to accept or reject non-essential cookies.
  • Cookie Settings: Access our cookie settings page at any time to update your preferences.
  • Browser Settings: Configure your browser to block or delete cookies. Note that this may affect Platform functionality.

Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages. We do not control these cookies. Please refer to the respective third-party privacy policies for more information.
