Shaffra AI Privacy Notice

Effective: November 4th, 2025

Introduction & Terms

Shaffra Technology Labs Ltd and/or its affiliates and entities (collectively “Shaffra”, “we” or “us”) value your security and privacy. Shaffra is required to comply with the DIFC Authority’s Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law”), and, where processing of personal data takes place in or relates to the Kingdom of Saudi Arabia, with the Kingdom’s Personal Data Protection Law - Royal Decree No. M/19 of 9/2/1443H and amended by Royal Decree No. (M/148) dated 5/9/1444 AH (PDPL). For certain types of personal data processing, Shaffra may also be subject to laws from other jurisdictions.

As such, Shaffra's policy is to respect the privacy of its website services users. In accordance with DIFC DP Law and, as applicable, our Terms of Use, Shaffra collects information about you when you use or access our websites, use Shaffra email addresses for contact purposes, or avail of other web-based products, information or services (collectively, the “website services”).

This online data protection notice (the “Notice”) sets out the basis on which any information, including any personal data we collect from you, or you provide to us, will be processed by Shaffra. Each time you access or use the website services or provide us with information, you acknowledge the practices described in this Policy. For use of Shaffra’s web-based services, as well as for the usage of website cookies, you may be asked to opt-in to our use of the information you submit there. Your rights described herein apply in these instances as well.

1. Scope and Application

This Policy applies to persons anywhere in the world who access or use Shaffra’s website services (“Users”).

2. Collection of Information

Information you give us

This is personal data you give us by providing information on any Shaffra-owned Website Service or by corresponding with us (for example, by telephone, e-mail or any other digital or electronic form). This includes, for example, the information you provide when you contact us, register for newsletters or other subscription services, or any of our web-based products & website services.

If you contact us, we will keep at least an electronic record of such correspondence, including personal information shared at that time, to reply to or process it as per your request. The personal information you give us may include your name, address, e-mail address and phone number, specific device information, username, password, residential building, work address, photograph, and other information you choose to provide (“Personal Information” or “Personal Data”).

Our website services and web-based products collect and process Personal Data in accordance with the DP Law and applicable laws, including for specific, lawful purposes explained herein or at the time of collection, or for the performance of tasks carried out in your interests or the legitimate interests of Shaffra.

The website services or web-based products are not targeted, intended, or expected to be of use to children. Apart from providing information for specific services or purposes, as directed by Shaffra processes, User-provided content contributions or contact information regarding or about children are expressly prohibited.

Information we collect about you and your device

Each time you use our website services or web-based products, we may and often will automatically collect the following information:

  • technical information, including the type of mobile device you use, a unique device identifier for example, mobile network information, your mobile operating system, the type of mobile browser you use, device token, device type, time zone setting (“Device Information”);
  • details of your use of our website services or web-based products including, but not limited to, traffic data, weblogs and other communication data, and the resources that you access (“Log Information”).

If you do not wish to share certain data with us or do not want us to use/share it for certain purposes (to the extent possible, in accordance with applicable laws and information in this notice), you can alter your preferences at any time. Where applicable, please check with your device provider's instructions for further details on how to do this.

Other Information We May Collect Through Your Use of the website services

When you use any website services or web-based products, we may collect Personal Data, including demographic information, for example, information that you submit or that we collect, which may include, but is not limited to, postcode, age/birth date, current residence, hometown, gender, username, mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting, device location, IP address, SMS data, transaction information, business activities and services/distribution locations.

3. Use of Personal Data

Shaffra processes your personal data based on one or more of the following legal bases, as permitted by the DIFC Data Protection Law:

  • Consent: Where you have explicitly consented to the processing of your personal data for specific purposes, such as receiving marketing communications or using optional features of our services.
  • Performance of a Contract: Where processing is necessary to perform a contract to which you are a party, such as providing the services or products you request.
  • Compliance with Legal Obligations: Where processing is required to comply with a legal obligation, such as record-keeping or responding to requests from regulatory authorities.
  • Legitimate Interests: Where processing is necessary for the purposes of Shaffra's legitimate interests, such as improving our website services, ensuring security, or fraud prevention, provided that these interests do not override your rights and freedoms.

We may use Personal Data which you provide to us, or we collect from you to:

  • Provide, maintain, and improve our web-based products and website services, including, for example, facilitating payments, sending receipts, providing products and services you request (and sending related information about them), developing new features that will enhance your user experience and our efficiency, provide customer support to Users, authenticate users, and send administrative messages, whether information-only or required by applicable law;
  • Perform internal regulatory, administrative and operational requirements, including, for example, preventing fraud or abuse of our website services; troubleshooting software bugs and operational problems; conducting permitted data analysis, testing, and research; ensuring you and Shaffra are complying with internal or external legal requirements, including those that necessitate the use of digital systems; and monitoring usage and activity trends;
  • Send you communications we think will be of interest to you based on your previous interactions with us, including information about products, services, promotions, news, and Shaffra events, where permissible under DIFC Laws and guidance and according to any other applicable laws; and to process contest, sweepstake, or other promotion entries and fulfil any related awards;
  • Notify you about changes to this Policy or our web-based products and website services;
  • Allow you to participate in any interactive features of our web-based products or website services;
  • Keep our web-based products and website services safe and secure; or
  • Personalise and improve the website services, including providing or recommending features, content, social connections, referrals, and advertisements, in accordance with your preferences, to the extent permissible by law.

4. Processing, Storage and Transfer of Personal Data

We will take all steps reasonably necessary to ensure your Personal Data is processed fairly and lawfully, in accordance with the DP Law, other applicable laws and this Policy. By submitting your Personal Data (including Log, Device and/or Demographic Information), we expect you to understand that such transfer, storing or processing for Shaffra to perform its general administrative functions is necessary and will be done in a proportionate, lawful manner, including but not limited to responding to enquiries you raise via website services, oversight of the business entities registered in DIFC’s jurisdiction and maintaining contacts for future informational or promotional activities. Unless otherwise notified, Shaffra does not ordinarily rely solely on automated decision-making when processing your Personal Data.

If we engage in automated decision-making, we will provide meaningful information about the logic involved, as well as the significance and potential consequences of such processing. You have the right to request human intervention, express your point of view, and contest the decision.

In order to conduct our operations or fulfil regulatory obligations, we must transfer the Personal Data described in this Policy to and from, and process and store it on AWS cloud in Bahrain and (where applicable or required) with processors in other countries, some of which may have less protective privacy laws than those where you reside. In all such cases, and generally for any processing operations, we take appropriate security measures to protect your Personal Data in accordance with this Policy. We ensure that any international transfers of personal data comply with applicable legal requirements, including the use of standard contractual clauses approved by the DIFC Commissioner.

To preserve the integrity of our databases and to carry out ongoing website services on behalf of all Users for research, analytics and statistics purposes and to ensure compliance with applicable laws and regulations, we retain Personal Data submitted by Users for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the type of data and the purpose of processing.

Shaffra is not responsible for the accuracy of the information you provide and will modify or update your Personal Data in our databases when you provide updated information or ad hoc upon your request, as further outlined below. We will erase or put beyond active use your Personal Data upon request unless we are required to retain it in accordance with DIFC or other applicable laws or to perform agreed services, in which case we align with applicable principles such as purpose specification and data minimisation.

If it is not disproportionate or prejudicial and required beyond this policy’s notices, we will contact you to let you know we are processing your personal information.

By accessing or using our website services to which this Policy applies, we can reasonably expect that you understand that all information submitted by you through the website services or otherwise to Shaffra may be used by Shaffra to support these processing operations, in accordance with applicable laws and its policies.

4.1 Cross-border data transfers from the Kingdom of Saudi Arabia

Where Shaffra processes or stores Personal Data that originates in, or relates to, individuals within the Kingdom of Saudi Arabia, the transfer or disclosure of such Personal Data outside the Kingdom will only occur in accordance with the Kingdom’s Personal Data Protection Law (PDPL) and its Implementing Regulations.

Shaffra will not transfer or disclose Personal Data outside the Kingdom unless:

  • the transfer is required to perform an obligation under an agreement to which the data subject is a party, or to which the Kingdom is a party;
  • the transfer serves a clear interest of the Kingdom; or
  • such transfer otherwise complies with the purposes and conditions permitted by the PDPL and its Regulations.

Any cross-border transfer permitted under the PDPL will also comply with the following safeguards:

  • the transfer will not prejudice national security or the Kingdom’s vital interests;
  • the destination country or recipient will provide a level of protection for Personal Data that is at least equivalent to that provided under the PDPL, as assessed or approved by the competent Saudi authority; and
  • the transfer will be limited to the minimum amount of Personal Data necessary to achieve the legitimate and defined purpose.

In cases of urgent necessity—such as to protect a data subject’s life or prevent or treat a disease—Shaffra may transfer Personal Data as permitted under the PDPL, applying appropriate security measures and notifying the competent authority as required.

5. Sharing of Personal Data

We may share Personal Data which we collect about you as described in this Policy or as described at the time of collection or sharing, including as follows:

Through Our website services or the web-based products

We may share your Personal Data:

  • With third parties to provide you a service that you requested through a partnership or promotional offering made by a third party or us; or
  • With third parties with whom you choose to let us share your Personal Data, for example, other apps or websites that integrate with our API or website services, or those with an API or Service with which we integrate.

Other Types of Data Sharing

We will only share your Personal Data in a manner that is directly connected to, and necessary for, fulfilling the purposes for which it was originally collected, or as required by applicable law.

Any sharing of Personal Data will:

  • Be limited to the minimum data required to achieve the intended purpose;
  • Occur only where consistent with your consent, contractual necessity, or a legal obligation; and
  • Be subject to appropriate technical, legal, and organisational safeguards ensuring confidentiality, integrity, and compliance with both the DIFC Data Protection Law and the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL).

We do not disclose or transfer Personal Data to any third party for their own independent use unless you have provided explicit consent or such disclosure is legally required.

Where Shaffra shares Personal Data with third-party service providers or affiliated entities, these parties are contractually bound to use the data only for the agreed purpose and to provide equivalent levels of data protection and security.

We may share your Personal Data:

  • With Shaffra subsidiaries and affiliated entities, to the extent permissible by law;
  • With vendors, consultants, marketing and advertising partners, and other service providers who need access to such Personal Data to carry out work on our behalf or to perform a contract we enter into with them;
  • If we otherwise notify you and you provide your affirmative opt-in to share your data, where needed;
  • In response to a request for information by a competent authority or government entities if we determine that such disclosure is in accordance with, or is otherwise required by any applicable law, regulation, or legal process;
  • With law enforcement officials, government entities or authorities, or other third parties as required by applicable law;
  • With third parties in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company; or
  • With third parties in an aggregated and/or anonymised or pseudonymised form that cannot reasonably be used to identify you.

Government Data Sharing

In some circumstances, we are legally obliged to share information with public authorities or law enforcement. For example, we may be required to provide information related to a court order or where we must cooperate with supervisory authorities in handling complaints or investigations. In any scenario, we’ll attempt to satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.

We may also share information in the event of non-payment, including of a monetary penalty or court-ordered costs. If the debt remains outstanding after the specified timeframe for payment, no payment plan is in place, or an agreed payment plan is not being adhered to, we may initiate formal proceedings to recover the full amount of the unpaid penalty.

As a result, Shaffra will share Personal Data with the litigation and recovery specialists it instructs in order for them to identify assets and undertake recovery action through the courts.

6. Your Rights and Choices

You have the following rights regarding your personal data:

  1. Right to Access: You have the right to request confirmation as to whether we process your personal data and to access such data, along with additional information about our processing activities.
  2. Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data about you. However, some third parties and third-party sites may continue to process inaccurate data about you until their databases and display of data are refreshed in accordance with their update schedules or until you contact them personally to ensure the correction is made in their own files.
  3. Right to Erasure (“Right to be Forgotten”): You may request the deletion of your personal data if you withdraw consent or object to processing (where applicable), subject to any legal obligations requiring retention.
  4. Right to Restrict Processing: You have the right to request that Shaffra cease or limit the processing of your Personal Data, or to request its deletion, where:
    • You have withdrawn consent to processing, and there is no other lawful basis for retention; or
    • Processing is unlawful under applicable law.

    Upon receiving such a valid request, Shaffra will take reasonable steps to cease further processing and to erase or put the data beyond active use, unless continued retention is required by applicable law or to establish or defend legal claims.

    Shaffra will ensure that any processors acting on its behalf also comply with this requirement.

  5. Right to Object: You have the right to object to the processing of your personal data, including for direct marketing purposes or where processing is based on our legitimate interests.
  6. Right to Data Portability: You can request a copy of your personal data in a structured, commonly used, and machine-readable format. You may also request that we transmit this data directly to another data controller where technically feasible.
  7. Right to Withdraw Consent: Where we rely on your consent for processing, you can withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
  8. Right to Complain: You have the right to lodge a complaint with the DIFC Commissioner of Data Protection if you believe your rights under the law have been violated.

To exercise any of these rights, please contact us at dpo@shaffra.com or through the contact form provided on our website. We may request proof of identity to ensure that your request is legitimate. We will respond to your request within one month, as required by law, unless an extension is necessary, in which case we will inform you.

As set out in Article 39 of the DP Law, we may not discriminate against you for exercising your rights by denying services or changing prices or quality of service unless reasonable to do so in general, as objectively determined, and applicable to all individuals offered or receiving such benefits.

Marketing and Preferences

Shaffra supports Users’ legal rights to opt-in or subsequently opt-out of receiving communications from us and our partners. You can ask us not to process your Personal Data for marketing purposes and to remove it from our database, not to receive future communications, or not to receive our website services.

You may change your preferences at any time.

Please note that we may continue to send you transactional or service-related e-mails despite your desire not to receive promotional or marketing e-mail messages. Additionally, please note that if you elect to opt out of or unsubscribe from receiving promotional or other similar e-mails or messaging from one of our website services or the web-based products, you may continue to receive promotional emails from our other websites, providers, or other, non-affiliated marketers whose services you may have accessed via Shaffra website services.

7. Security Precautions

Shaffra makes every effort to ensure your personal data is secure in its system. Shaffra has staff dedicated to maintaining our data protection and security policies, periodically reviewing them and ensuring that Shaffra employees know our data protection and security practices. Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. As a result, Shaffra cannot warrant or guarantee the security of any Personal Data you transmit to us, and you do so at your own risk.

Shaffra has implemented technical and organisational measures to protect your Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  1. Encryption: We use encryption protocols to protect personal data in transit (e.g., SSL/TLS encryption for data transmitted via our websites) and at rest, where applicable.
  2. Access Controls: Access to personal data is restricted to authorised personnel only, based on role and necessity. Multi-factor authentication (MFA) is used for accessing sensitive systems.
  3. Regular Security Testing: We conduct regular penetration testing, vulnerability assessments, and security audits to identify and address potential risks proactively.
  4. Employee Training: All employees handling personal data undergo regular training on data protection and security practices to ensure compliance with Shaffra’s policies and applicable laws.
  5. Incident Response: We have established procedures to detect, investigate, and respond to potential data breaches. If a breach occurs, we will notify affected individuals and the DIFC Commissioner of Data Protection, as required under Article 41 of the DIFC DP Law.
  6. Third-Party Assessments: We ensure that all third-party service providers with access to personal data comply with relevant data protection laws and maintain robust security measures.

If you have any further questions about our security and processing activities, please contact the Shaffra team. To the extent permitted by applicable law, Shaffra expressly disclaims any liability that may arise should any other third parties obtain the Personal Data you submit through fraud or otherwise where it is no fault of Shaffra.

8. Cookies

A cookie is a small text file unique to the web browser on your computer or mobile device. It is used to retain user preferences and enhance browsing experience (“Cookie”). Shaffra uses Cookies to track overall site usage and provide a better user experience. We do not use Cookies to “see” other data on your computer or determine your email address.

Shaffra complies with the DIFC Data Protection Law by using cookies in a transparent and user-friendly manner. We categorise cookies as follows:

Essential - These cookies are necessary for the website to function properly. They include login authentication cookies and session management cookies. As these are essential, they do not require your consent.

Non-Essential - These include cookies used for site analytics, performance monitoring, and targeted advertising. Non-essential cookies will only be activated if you provide explicit opt-in consent.

You have the right to manage your cookie preferences at any time. When you first visit our website, a cookie banner will appear, requesting your consent for non-essential cookies. You can choose to:

  • Accept all cookies
  • Reject non-essential cookies
  • Customise your cookie preferences

Most browsers accept and maintain Cookies by default. The DIFC Data Protection Law requires that Shaffra entities set such collection methods to collect the bare minimum necessary cookies to operate the relevant website or web-based products. Check the ‘Help’ or ‘Settings’ menu of your browser to learn how to change your Cookie preferences. You can choose to alter Cookies settings related to the use of our website services, but this may limit your ability to access certain areas of the Website.

Alternatively, you may visit an independent source of information, www.aboutcookies.org, which contains comprehensive information on how to alter settings or delete Cookies from your computer, as well as more general information about Cookies. For information on how to do this on your browser, you will need to refer to your handset manual or network operator for advice.

10. Buildings Security and Contents

Building security records containing sign-in and sign-out information collected at the time of visiting and departing Shaffra offices will be maintained in accordance with the applicable building management policy.

To the extent permitted by applicable law, Shaffra is not responsible for any contents, whether or not they contain Personal data or other business information, that remain in our premises after you leave Shaffra offices.

11. Changes to this Policy

Shaffra may change this Policy from time to time and without notice. If we make significant changes in the way we treat your Personal Data or to the Policy, we will endeavour to provide you notice through our website services or by some other means, such as email. Your continued use of our website services after such notice constitutes your understanding of the changes. We encourage you to periodically review this Policy for the latest information on our privacy practices. We provide links to it through:

  • The website services
  • Referencing it in our EULA
  • Incorporating it into our contracts, agreements, and other documents as necessary or appropriate

Contact Us

If you have any questions, comments and requests related to this Policy, or if you have any complaints related to how Shaffra processes your personal data, please contact:

dpo@shaffra.com

You may also contact the DIFC Commissioner of Data Protection’s Office at:

Dubai International Financial Centre Authority

Level 14, The Gate Building

+971 4 362 2222

commissioner@dp.difc.ae

If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with the DIFC Commissioner of Data Protection via the contact details provided above.

Shaffra has appointed a Data Protection Officer in accordance with Article 16 of the DP Law.
