1. Who We Are & Scope
Aqari ("we", "us", "our") operates an AI-first sales and operations platform for GCC real-estate developers (the "Service"). This Privacy Policy describes what personal data we collect, how we use it, with whom we share it, and your rights under applicable law.
This Policy applies to: (a) Customers and their team members who use the Aqari dashboard; and (b) End Users who interact with an Aqari-powered chat widget embedded on a Customer's website.
If you are a Customer, you are also a data controller for the personal data of your leads and buyers. You are responsible for providing your own privacy notice to those individuals.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person.
- Customer — the organisation or individual operating an Aqari workspace.
- End User — a website visitor who interacts with a Customer's Aqari chat widget.
- Sub-processor — a third-party service provider that processes Personal Data on our behalf.
3. Data We Collect
Account & registration data — name, email address, password (hashed), company name, job title, and billing details provided during sign-up or account management.
Usage & technical data — IP address, browser type and version, operating system, device identifiers, pages visited, features used, click-stream data, request timestamps, and error logs.
Customer Data / content — documents, project specifications, lead profiles, deal information, installment records, KYC files, widget chat transcripts, and any other content you upload or generate within your workspace.
AI interaction data — messages sent to and received from the AI chat widget and admin assistant, including inferred intent, language preference, and topic classification (used solely to operate and improve AI quality within your workspace).
Cookie & session data — authentication tokens stored in HTTP-only cookies; visitor identifiers (visitorId) stored in localStorage by the embeddable widget; and first-party analytics events if Google Tag Manager (GTM) is configured.
Third-party integration data — data received from Stripe (payment status, card metadata), WhatsApp (message delivery receipts), and other connected services, subject to their respective privacy notices.
4. Sources of Data
- Directly from you — when you register, configure your workspace, upload documents, or contact us.
- Via your widget deployment — End Users who interact with your embedded widget (data processed as Customer Data under your instruction).
- From third-party integrations — data shared with us when you connect an external service (Stripe, WhatsApp, etc.).
- Automatically — through cookies, server logs, and analytics instrumentation when you or your End Users use the Service.
5. How We Use Data
| Purpose | Legal basis |
|---|---|
| Provide and operate the Service | Performance of contract |
| Authenticate users and maintain session security | Performance of contract / Legitimate interest |
| Process Customer Data to power AI features | Performance of contract |
| Send transactional emails (verification, invitations, alerts) | Performance of contract |
| Send service updates and product announcements | Legitimate interest (opt-out available) |
| Detect, prevent, and investigate fraud or abuse | Legitimate interest / Legal obligation |
| Comply with applicable legal obligations | Legal obligation |
| Improve Service quality and AI accuracy (using anonymised or aggregated data only) | Legitimate interest |
6. Legal Basis
We process Personal Data on the following legal bases under UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL) and, where applicable for residents of the EU/EEA, the General Data Protection Regulation (GDPR):
- Performance of contract — processing necessary to deliver the Service you have contracted for.
- Legitimate interests — processing that is necessary for our legitimate business interests and is not overridden by your rights and interests.
- Legal obligation — processing required to comply with UAE law, DIFC law, or other applicable regulations.
- Consent — where we rely on consent (e.g. marketing emails), you may withdraw it at any time.
7. Sharing & Sub-processors
We do not sell Personal Data. We share data only with the following categories of recipients:
| Sub-processor | Location | Purpose |
|---|---|---|
| OpenAI | United States | AI inference (LLM API calls for chat, embeddings, assistant) |
| Stripe | EU / United States | Payment processing and fraud prevention |
| Resend | United States | Transactional email delivery |
| Spider / Spider Cloud | United States | Website crawling and content extraction |
| Tavily | United States | Real-time web search for AI responses |
| Cloudflare | Global (edge) | CDN, DDoS protection, DNS, WAF |
| Vercel | United States / EU | Frontend hosting and edge functions |
| Render | United States | Backend API hosting |
| PostgreSQL hosting (Neon / Supabase) | United States / EU | Primary relational database |
We may also share data with: (a) professional advisers (lawyers, auditors) under confidentiality; (b) law enforcement or regulators when legally compelled; or (c) a successor entity in the event of a merger, acquisition, or asset sale, subject to equivalent protections.
8. International Transfers
Our sub-processors (OpenAI, Resend, Vercel, Render) are primarily located in the United States. Stripe maintains infrastructure in both the EU and US. Where we transfer Personal Data of EU/EEA residents outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For UAE residents, we apply measures consistent with the UAE PDPL's transfer requirements.
9. Data Retention
| Category | Retention period |
|---|---|
| Account data | Active workspace lifetime + 30 days after deletion |
| Audit logs and security events | 24 months |
| Conversation and chat transcripts | 12 months from creation (configurable per workspace) |
| Payment records | 7 years (tax/regulatory requirement) |
| KYC documents | Per Customer instruction; default 5 years |
| Deleted records | Purged from production within 30 days; from backups within a further 30 days |
10. Security
We implement and maintain the following controls:
- Encryption in transit — TLS 1.2 minimum on all connections between clients, APIs, and databases.
- Encryption at rest — database-level and storage-level encryption for all Customer Data.
- Row-Level Security (RLS) — every database query is scoped to the authenticated tenant; cross-tenant data access is architecturally prevented.
- Least-privilege roles — database roles are granted only the permissions required for each service component.
- Short-lived access tokens — JWT access tokens expire in 15 minutes; refresh tokens in 30 days.
- Audit logging — all administrative and data-modification events are recorded with user, timestamp, and IP address.
- Dependency scanning and security updates — applied on a regular cadence.
No system is perfectly secure. We encourage you to use a strong, unique password and to enable team member access controls within your workspace.
11. AI Training
We do not train the underlying large language models (LLMs) on your Customer Data. API calls to OpenAI are made with the user parameter set and with data-retention opt-out flags enabled, consistent with OpenAI's API data usage policy. Chat transcripts and document embeddings remain within your tenant's namespace and are not used to improve models for other customers.
12. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your Personal Data:
- Access — request a copy of the Personal Data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your Personal Data, subject to our legal retention obligations.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdrawal of consent — where we rely on consent, withdraw it at any time without affecting prior lawful processing.
- Restriction — request that we restrict processing in certain circumstances.
To exercise any of these rights, email privacy@tryaqari.ai. We will respond within 30 days (or the period required by applicable law).
13. Cookies & Analytics
- Authentication cookies — HTTP-only,
SameSite=Strictcookies used to maintain your logged-in session. These are strictly necessary and cannot be opted out. - GTM / analytics — Google Tag Manager may load first-party analytics scripts on the marketing website. No cross-site tracking cookies are set on the dashboard.
- Widget
visitorId— a random identifier stored inlocalStorageon the End User's browser to maintain conversation continuity across page loads. It contains no personally identifiable information and is scoped to the Customer's domain.
We do not use third-party advertising cookies or sell cookie data.
14. Children
The Service is not directed at persons under the age of 18. We do not knowingly collect Personal Data from minors. If you believe a minor has provided us with Personal Data, please contact privacy@tryaqari.ai and we will delete it.
15. Changes
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice by email to the primary account address. The "Last updated" date at the top of the Policy reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Contact
For privacy-related enquiries, requests, or complaints:
privacy@tryaqari.ai · Aqari FZ-LLC · Dubai, United Arab Emirates