Privacy Policy

This Privacy Policy explains how DocuBay Services Provision Brokerage Via Electronic Media L.L.C ("DocuBay", "we", "us") collects, uses, stores, shares, and protects information when you access or use our website(s), web application(s), portals, mobile experiences, and related services (collectively, the "Platform").

Where relevant, this Privacy Policy also explains how personal data may be processed in connection with services provided by third-party service providers ("Vendors") that are listed on, routed through, or coordinated via the Platform, including legal services provided by New Age Legal Consultancy FZE (and/or other legal service providers engaged as Vendors).

This Privacy Policy is intended to align with applicable UAE data protection requirements, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) ("UAE PDPL"), as applicable.

1. Who We Are (Controller / Platform Operator)

Platform Operator. The Platform is operated by DocuBay Services Provision Brokerage Via Electronic Media L.L.C.

Service Delivery Model. Depending on the service:

• DocuBay may deliver certain corporate/government-related services directly (where covered by DocuBay's licensing scope).
• Many services are delivered by independent, third-party Vendors (e.g., audit/tax, legal translation, attestations, banking facilitation, insurance-related services, specialist legal services), who act within their own licensing and professional obligations.

Legal Services. Where legal services are offered through the Platform, such legal services may be delivered by New Age Legal Consultancy FZE (Trade License No. 441697401) and/or other licensed legal service Vendors (as applicable).

2. Scope of This Privacy Policy

This Privacy Policy applies to:

• Visitors of our websites (e.g., marketing website pages),
• Users of hub.docubay.ae (or any successor portals),
• Customers subscribing to DocuBay plans (e.g., Compliance Core/Pro),
• Individuals acting on behalf of a customer business (owners, directors, employees, authorised representatives),
• Individuals whose documents are uploaded to the Platform (e.g., employee passport/Emirates ID where relevant).

If you are a Vendor or applying to become a Vendor, your information may also be processed under this Privacy Policy and/or additional vendor onboarding terms.

3. Definitions

For this Privacy Policy:

• "Personal Data" means information relating to an identified or identifiable person (e.g., name, email, phone number, Emirates ID, passport details).
• "Sensitive Personal Data" (where applicable) includes higher-risk data types (e.g., identification documents, biometrics, certain financial data) as defined under applicable law.
• "Client" means a business customer and/or its authorised users using the Platform.
• "Vendor" means a third-party service provider listed on or providing services through the Platform.

4. What Information We Collect

We collect information in three main ways: (a) you provide it, (b) it is generated through your use, or (c) it is provided by third parties.

4.1 Information You Provide Directly

This may include:

• Account & profile data: name, email, mobile number, job title, company name, login credentials (or token-based login), user role/authorisation details.
• Business onboarding data: trade license details, company registry information, shareholder/manager information, UBO-related information (where relevant), authorised signatory details.
• Service request data: information you submit for an application or request (e.g., service category selected, notes, instructions, jurisdiction, deadlines).
• Document uploads (Document Vault): passports, Emirates IDs, visas, trade licenses, establishment cards, certificates, contracts, and other documents uploaded by you or on your behalf.
• Communications: emails, WhatsApp messages, call notes, support tickets, meeting booking details, and feedback.

4.2 Identity / Access Information (e.g., UAE PASS or OTP where used)

If the Platform supports UAE PASS or similar identity flows, we may receive confirmation attributes (e.g., verified name and identifiers) and technical tokens required to authenticate you, subject to the relevant identity provider's process and your consent where required.

4.3 Payments & Subscription Information

If you purchase subscriptions or pay fees through the Platform, we may process:

• subscription plan details,
• invoice and payment status,
• transaction references, timestamps, and receipts.

We do not store, process, or transmit cardholder data (credit/debit card numbers, CVV codes, or card expiration dates). All payment card processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Your card details are entered directly into Stripe's secure payment forms and never pass through DocuBay servers. For more information about Stripe's security practices, visit stripe.com/docs/security.

4.4 Usage, Device, and Log Data

When you use the Platform, we may collect:

• IP address, browser type, device identifiers, operating system,
• login timestamps and session security logs,
• feature usage, clicks, pages visited, and error logs (for stability/security).

4.5 Cookies and Similar Technologies

We may use cookies and similar technologies for:

• essential site functionality,
• analytics and performance measurement,
• security and fraud prevention,
• (where enabled) marketing/retargeting.

You can control cookies via your browser settings and, where available, our cookie preferences tool.

4.6 Information From Third Parties

Depending on your selected services and integrations, we may receive information from:

• Vendors (e.g., status updates, required documents, outcomes),
• government portals/authorities (where lawful and via authorised access),
• identity providers (e.g., verification attributes),
• payment providers (e.g., payment confirmation),
• analytics providers (for performance measurement).

5. Why We Use Your Information (Purposes)

We use Personal Data for the following purposes:

5.1 To Operate the Platform

Including creating accounts, managing access, enabling secure login, maintaining session logs, and providing core functionality.

5.2 To Provide Services and Coordinate Vendor Delivery

DocuBay's Platform helps route requests and coordinate delivery. This can include:

• organising and validating submissions,
• tracking service requests and statuses,
• coordinating between you and the relevant Vendor,
• facilitating document handling and secure sharing (where required).

5.3 To Provide DocuBay-Delivered Services (Where Applicable)

For service categories delivered directly by DocuBay (within its licensing scope), we use Personal Data to process those requests, coordinate submissions, and manage service completion.

5.4 To Manage Subscriptions, Billing, and Accounting

Including invoicing, receipts, collections, refunds (where applicable), and financial reconciliation.

5.5 To Maintain Security, Prevent Fraud, and Enforce Policies

Including access control, audit logs, monitoring suspicious activity, investigating misuse, and enforcing Platform rules.

5.6 To Communicate With You

Including onboarding messages, service updates, appointment coordination, document expiry reminders, and support responses.

5.7 To Improve and Develop the Platform

Including analytics, troubleshooting, internal reporting, and product improvements.

5.8 Marketing (Where Permitted)

If you opt in (or where lawful), we may contact you with updates about Platform features, service categories, and offers. You can opt out at any time.

6. Legal Basis for Processing

6.1 Standard Personal Data

We process standard personal data (name, email, phone, company details) on one or more of the following bases:

• Performance of a contract — to provide the Platform and coordinate requested services.
• Legitimate interests — security, fraud prevention, and improving services.
• Compliance with legal obligations — recordkeeping, tax, and regulatory requirements.
• Consent — optional marketing and certain identity flows.

6.2 Sensitive Personal Data

We process sensitive personal data (identity documents, passport copies, Emirates ID copies, visa copies, biometric verification data) only with your explicit consent, which is obtained through the Platform at the point of collection (e.g., document upload screens, identity verification flows).

You may withdraw consent for sensitive data processing at any time by contacting privacy@docubay.ae. Withdrawal does not affect the lawfulness of processing performed before withdrawal, but may limit our ability to provide certain services.

7. Sharing of Information (Who We Share With)

We share Personal Data only as needed, including:

7.1 Vendors (Third-Party Service Providers)

When you request a service, we may share relevant information and documents with the assigned Vendor so they can deliver the service. Vendors process such data under their own obligations and may be independent data controllers for their part of the processing.

7.2 Legal Services Provider (New Age Legal Consultancy FZE) and Other Legal Vendors

Where you request legal services, relevant information may be shared with the applicable licensed legal service provider(s) so they can deliver the requested service.

7.3 Payment Providers

We share necessary transaction information with payment processors to process payments securely.

7.4 Technology and Infrastructure Providers

Hosting, storage, email delivery, customer support tools, analytics, and security providers—only to the extent required to operate the Platform.

7.5 Government Authorities / Regulators (When Required)

Where services require submissions to authorities or where we are legally required to disclose information (e.g., lawful requests), we may share information as required by applicable law.

8. Cross-Border Transfers

Your data is primarily processed and stored in the United Arab Emirates. Depending on our service providers, your data may be transferred to and processed in countries outside the UAE, including the United States and the European Economic Area.

Where cross-border transfers occur, we rely on one or more of the following safeguards as required by applicable law, including the UAE Personal Data Protection Law:

1. Transfers to countries recognised as providing an adequate level of data protection by the UAE Data Office;
2. Standard contractual clauses or equivalent data transfer agreements approved by the relevant authority;
3. Where neither (a) nor (b) is available, your explicit consent to the transfer, provided after being informed of the potential risks; or
4. Other legally recognised transfer mechanisms under applicable law.

A list of our subprocessors and their locations is available upon request (see Section 14) or through our legal page.

9. Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes described in this policy, after which it is securely deleted or de-identified. The following table provides general retention periods. Specific periods may vary based on legal obligations, active disputes, or regulatory requirements.

Upon account closure, we may retain certain data as required by law (e.g., tax records, audit trails). Where data is retained beyond the active account period, access is restricted to authorised personnel for compliance purposes only. You may request deletion of your data at any time (see Section 11), subject to our legal retention obligations.

10. Data Security

We maintain reasonable administrative, technical, and organisational safeguards designed to protect Personal Data, including:

• Access controls and role-based permissions
• Encryption in transit (TLS) and at rest
• Security event logging and monitoring
• Regular security assessments
• Documented incident response procedures with defined roles, escalation paths, and communication protocols

In the event of a security incident, our incident response process includes identification, containment, eradication, recovery, and post-incident review. For data breach notification procedures, see Section 10A below.

No system is perfectly secure; however, we work to prevent unauthorised access, loss, misuse, or disclosure.

10A. Data Breach Notification

In the event of a confirmed personal data breach that poses a risk to your rights and freedoms, DocuBay will:

1. Notify the relevant supervisory authority (UAE Data Office) without undue delay, and where feasible within 72 hours of becoming aware of the breach, where required by applicable law.
2. Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
3. Provide the following information in breach notifications: the nature of the breach and categories of data affected; the approximate number of individuals affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate harm.
4. Maintain an internal register of all personal data breaches, including facts, effects, and remedial actions taken, regardless of whether notification to the authority or individuals is required.

Where a breach involves data processed by a Vendor or Service Provider on our behalf, the relevant Vendor is contractually required to notify DocuBay without undue delay upon becoming aware of a breach.

11. Your Rights and Choices

Subject to applicable law, including the UAE Personal Data Protection Law, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your data where it is no longer necessary for the purposes for which it was collected, subject to legal retention obligations.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format, and (where technically feasible) request that we transmit such data directly to another controller.
• Objection: Object to processing based on legitimate interests.
• Consent Withdrawal: Withdraw consent at any time where processing is based on consent.
• Marketing Opt-Out: Unsubscribe from marketing emails using the link in any marketing email, or by contacting us.

How to Submit a Request

Submit requests to: privacy@docubay.ae. Include your full name, registered email address, and a description of your request. We may verify your identity before processing.

Response Timeline

We will acknowledge your request within 5 business days and provide a substantive response within 30 calendar days. If we require additional time (up to 30 additional days for complex requests), we will inform you of the reason for the extension.

How to Withdraw Consent

• Marketing emails: Click "Unsubscribe" in any marketing email, or update your communication preferences in your account settings.
• Cookie preferences: Click the cookie preferences link in the website footer to update your cookie settings at any time.
• Sensitive data processing: Email privacy@docubay.ae to withdraw consent for processing of identity documents or biometric data. Note that withdrawal may affect our ability to provide certain services.

Limitations

We may decline requests where: (a) we are required by law to retain the data; (b) the request is manifestly unfounded or excessive; or (c) fulfilling the request would adversely affect the rights of others. We will explain the reason for any refusal.

Complaints

If you are unsatisfied with our response, you may lodge a complaint with the UAE Data Office or the relevant supervisory authority.

11A. Automated Decision-Making

Certain Platform features may involve automated processing, including:

• Identity verification: Automated document checks and biometric matching through third-party providers to verify identity during onboarding or KYC processes.
• AML/compliance screening: Automated screening against sanctions lists, PEP databases, and adverse media sources.
• Fraud detection: Automated monitoring of login patterns and session activity to detect potentially unauthorised access.

These automated processes may produce recommendations or risk scores. However, no decision with legal or similarly significant effects on you is made solely on the basis of automated processing without human review. You have the right to request human intervention, express your point of view, and contest any decision that was significantly influenced by automated processing. Contact privacy@docubay.ae to exercise this right.

12. Third-Party Sites and Vendor Processes

The Platform may link to third-party sites or involve Vendor-operated processes. This Privacy Policy does not control third-party privacy practices. We recommend reviewing the relevant Vendor's privacy notices where applicable.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on the Platform and update the "Last Updated" date. If changes are material, we may provide additional notice through the Platform or by email.

14. Contact Us

For general privacy inquiries: privacy@docubay.ae

Data Protection Contact:
Email: privacy@docubay.ae
Response time: We aim to respond to all data protection inquiries within 14 business days.