
Privacy Policy

UAE Personal Data Protection Law (PDPL) Compliance

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data

Last updated: March 2026

1. Data Sovereignty and Residency

1.1 Infrastructure Location

All Personal Data and Corporate Financial Data processed by ComplianceOS is hosted on Microsoft Azure infrastructure within the UAE North region (Dubai/Abu Dhabi data centers). Yenova Labs guarantees that primary data storage, AI processing, and backup operations remain within the territorial boundaries of the United Arab Emirates.

1.2 No Cross-Border Transfer

Yenova Labs does not transfer Personal Data outside the UAE unless: (a) the User has provided explicit, informed consent; (b) the transfer is necessary for the performance of the Service and adequate safeguards are in place; or (c) the transfer is required by applicable law or regulation. Any permitted cross-border transfer shall comply with the requirements of the PDPL and any implementing regulations issued by the UAE Data Office.

1.3 Sub-Processors

Yenova Labs engages sub-processors for the delivery of the Service. A current list of sub-processors is available upon request.

2. Data We Collect and Process

2.1 Account Data

When you register for ComplianceOS, we collect: your name, email address, company name, Trade License Number (TLN), Tax Registration Number (TRN), and billing information. This data is necessary for the performance of the subscription agreement.

2.2 Financial Transaction Data

When you connect a third-party accounting system, ComplianceOS ingests transaction data including: invoices, bills, payments, journal entries, chart of accounts, customer/vendor names, and associated metadata. This data is processed solely for the purpose of compliance analysis and report generation.

2.3 Usage Data

We collect technical usage data including: login timestamps, feature usage patterns, AI Credit consumption, and system performance metrics. This data is used to improve the Service and for billing purposes.

2.4 Evidence Vault Data

Documents and records stored in the Evidence Vault are cryptographically hashed and archived. The content of Vaulted Data is encrypted at rest using AES-256 encryption and is accessible only to the User and their authorized team members.

3. Legal Basis for Processing

We process your data on the following legal bases under the PDPL:

  • Performance of Contract: Processing necessary to deliver the ComplianceOS service as described in the Terms of Service.
  • Legitimate Interest: Processing necessary for product improvement, security monitoring, and fraud prevention.
  • Legal Obligation: Processing required to comply with UAE tax procedure laws, including statutory data retention requirements.
  • Consent: Processing based on your explicit consent, such as marketing communications (which you may withdraw at any time).

4. Data Usage Restrictions

Yenova Labs commits to the following data usage restrictions:

  • Financial transaction data is processed in ephemeral compute sessions and is not retained by the AI provider (Anthropic) after processing is complete.
  • Tenant data is logically isolated using PostgreSQL Row-Level Security (RLS), ensuring that no tenant can access another tenant's data.
  • Aggregate, anonymized usage statistics may be compiled for internal product improvement, but no individual or company-identifiable information is included in such statistics.
  • Yenova Labs will not share User data with any government authority unless compelled by a valid legal order, court order, or regulatory requirement, and will notify the User of such request to the extent permitted by law.

5. Data Subject Rights

In compliance with UAE Federal Decree-Law No. 45 of 2021 (PDPL), you have the following rights regarding your personal data:

  • Right of Access: You may request a copy of all personal data we hold about you, including financial transaction data and usage logs.
  • Right of Rectification: You may request correction of any inaccurate or incomplete personal data.
  • Right of Erasure: You may request deletion of your personal data, subject to our legal obligation to retain Evidence Vault data for the statutory seven (7) year period.
  • Right of Portability: You may request your data in a structured, machine-readable format (JSON/CSV) for transfer to another service provider.
  • Right to Restrict Processing: You may request that we limit processing of your data to storage only, pending resolution of a dispute.
  • Right to Object: You may object to processing based on legitimate interest, and we shall cease such processing unless we demonstrate compelling legitimate grounds.

All rights requests may be submitted through the platform dashboard or by emailing privacy@complianceos.ae. Requests will be processed within thirty (30) days. Yenova Labs reserves the right to verify the identity of the requester before fulfilling any data subject request.

6. Data Security Measures

Yenova Labs implements the following technical and organizational measures to protect your data:

  • Encryption at rest: AES-256 encryption for all stored data, including Evidence Vault contents.
  • Encryption in transit: TLS 1.3 for all data transmissions between the User, the Service, and third-party connectors.
  • Access controls: Role-based access control (RBAC) with multi-factor authentication (MFA) for all administrative access.
  • Audit logging: All access to financial data and Evidence Vault contents is logged with user identity, timestamp, and action performed.
  • Vulnerability management: Regular penetration testing and vulnerability scanning of the platform infrastructure.
  • Incident response: Documented incident response procedures with notification to affected Users within seventy-two (72) hours of a confirmed data breach, as required by the PDPL.

7. Data Retention Schedule

We retain different categories of data for different periods:

  • Evidence Vault data: Minimum 7 years from the relevant tax period, as required by UAE Federal Decree-Law No. 28 of 2022.
  • Account data: Duration of subscription plus 2 years for legal and audit purposes.
  • Usage data: 12 months from collection for active analytics; anonymized and aggregated thereafter.
  • Audit logs: 7 years, aligned with Evidence Vault retention.

8. Cookies and Tracking

ComplianceOS uses strictly necessary cookies for session management and authentication. We do not use third-party advertising cookies or tracking pixels. Analytics cookies (if used) are first-party only and do not track Users across other websites.

9. Children's Data

ComplianceOS is a business-to-business service and is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from minors.

10. Changes to This Policy

Yenova Labs may update this Privacy Policy from time to time to reflect changes in our data practices or applicable law. Material changes will be communicated to Users via email and/or an in-app notification at least thirty (30) days before the changes take effect. Continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

11. Contact Information

For questions, complaints, or data subject requests regarding this Privacy Policy, please contact:

Data Protection Officer
Yenova Labs FZ-LLC
Meydan Free Zone, Dubai, UAE
Email: privacy@complianceos.ae

