uaelaw.ai

Privacy Policy

UAE PDPL-aligned. We collect the minimum we need and never sell personal data.

Last updated: 2026-04-28

1. Who we are

Avangate Hospitality Services FZE (the "Company," "we," "us"), operating uaelaw.ai (the "Service"), is the data controller for personal information processed through the Service.

Contact our Data Protection Officer at: dpo@uaelaw.ai.

2. What we collect

Information you provide

  • Account information: name, email, phone (Pro signup), password (hashed with Argon2 — never plaintext).
  • Profile information: emirate, language preference (optional).
  • Questions: the text of legal questions you ask.
  • Vault uploads (Pro): documents you upload to your encrypted Personal Vault.
  • Payment information: collected by Stripe; we do not see or store full card details.

Information collected automatically

  • Usage data: pages viewed, features used, click patterns.
  • Device data: IP address, browser type, operating system.
  • Cookies: see Cookie section below.

Information we do NOT collect

  • Sensitive personal data (race, religion, political views, health, biometrics) unless you voluntarily share it in a question.
  • Children's data (the Service is not for users under 18).
  • Bank account numbers, government IDs, or full credit card numbers (Stripe handles payment data).

3. Why we collect it (lawful bases under PDPL)

PurposeLawful basis
Providing the Service (answers, account management)Contract performance
Pro subscriptions and paymentsContract performance
Service improvement and securityLegitimate interest
Marketing emailsConsent (opt-in only)
Lead routing to SponsorsConsent (you initiate)
Legal and regulatory complianceLegal obligation
Anonymized analyticsLegitimate interest

4. Who we share it with

We share personal data with:

  • Sponsors (law firms) — only when you explicitly request a lawyer match, and only the information described in the Terms of Service.
  • Service providers acting on our instructions: Anthropic, Voyage AI, Supabase, Vercel, Stripe, Twilio, Sendy + AWS SES, Sentry, DataForSEO (anonymized only).
  • Authorities when legally required (court order, regulatory request) or to protect against fraud or harm.
  • Successor entity in case of merger, acquisition, or asset sale — with notice to users.

We do not sell personal data, do not use it for advertising targeting, and do not share question content except as described.

5. PII redaction

When you submit a question, our system automatically redacts personal information (names, phone numbers, ID numbers, addresses) before storing it for retrieval, generating an AI response, or logging for monitoring. The redacted version is what we process. The original remains accessible only to you in your account history (encrypted at rest, row-level-security protected).

6. International data transfers

Some service providers operate outside the UAE. By using the Service, you acknowledge that your data may be transferred to:

  • United States (Anthropic, Voyage AI, Stripe, Twilio, Sentry)
  • Various jurisdictions depending on Vercel and Supabase region (currently AWS Bahrain me-south-1)

We use providers that maintain industry-standard security and contractually commit to data protection obligations equivalent to UAE PDPL where possible.

7. How long we keep it

Data typeRetention period
Account dataWhile account is active + 30 days post-deletion
Questions and Q&A historyWhile account is active; anonymized after deletion
Vault uploadsWhile account is active; hard-deleted after deletion
Payment records7 years (UAE corporate records standard)
Notification logs90 days post-account-deletion
Audit logs (admin actions)7 years
Analytics (anonymized)Indefinite
Backups7-14 days rolling

8. Your rights under PDPL

You have the right to:

  • Access — receive a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion ("right to be forgotten").
  • Portability — receive your data in machine-readable format.
  • Restrict processing — limit how we use your data.
  • Object — opt out of processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent.
  • Lodge a complaint with the UAE Data Office or TDRA.

To exercise these rights, contact dpo@uaelaw.ai. We respond within 30 days as required by PDPL.

9. Security

We protect your data with:

  • TLS encryption in transit (HTTPS everywhere)
  • AES-256-GCM encryption at rest for Vault contents
  • Argon2 password hashing
  • Row-level security on all personal data tables
  • Multi-factor authentication for admin accounts
  • Quarterly security audits and penetration testing
  • 24/7 monitoring via Sentry and Cloudflare WAF

If a data breach affects your personal data, we will notify you within 72 hours of confirmed assessment, in compliance with PDPL.

10. Cookies

Strictly necessary (always on)

  • session — authentication and session management
  • csrf-token — cross-site request forgery protection
  • cookie-consent — records your cookie preferences

Functional (default on, can be disabled)

  • language, theme, recent-searches

Analytics (default off, opt-in)

  • Vercel Analytics, PostHog (logged-in users only)

We use no advertising or remarketing cookies. The Service respects the "Do Not Track" browser signal — when DNT is enabled, we disable analytics and product-tracking cookies.

11. Children's privacy

The Service is not directed at users under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data, contact dpo@uaelaw.ai for immediate deletion.

12. Changes to this Privacy Policy

We may update this Privacy Policy. Material changes will be communicated via email to registered users and via banner on the Service for 30 days before the effective date.

Disclaimer: uaelaw.ai provides legal information, not legal advice. Content is generated by AI and reviewed by independent lawyers — not a substitute for professional legal counsel. Always consult a UAE-licensed lawyer for advice on your specific situation. uaelaw.ai is operated by Avangate Hospitality Services FZE and is not a law firm.