
Privacy Policy

What personal data we collect, how we use it, who we share it with, and your rights under the UAE Personal Data Protection Law.

Legal · v1.0 · Last updated 2026-05-21
Draft: Pending legal review. Use as guidance only; binding terms ship with v2.0.

  • Controller: Maktab FZ-LLC
  • Data law: UAE PDPL · Decree-Law 45/2021
  • Data export: Self-serve
  • Marketing cookies: None · zero third-party ad

01 Who we are

Watin is operated by Maktab FZ-LLC (we, us), a free-zone limited liability company registered in Dubai, United Arab Emirates. We are the data controller for personal data we collect from prospective and signed-in customers. For Customer Data uploaded into a workspace, the customer organization is the controller and we act as processor — see the Data Processing Addendum for those obligations.

02 What personal data we collect

  • Account data — name, email, role, password hash, MFA factor enrollment status.
  • Workspace metadata — organization name, TRN, emirate, license number, fiscal year.
  • Customer Data — invoices, transactions, clients, documents, deadlines, audit-log entries. Processed on your behalf; see DPA.
  • Usage telemetry — pages visited, features used, performance metrics, error reports.
  • Billing data — card last-4, billing address, plan, payment history. Card numbers themselves are stored only by our payment processor (Stripe).
  • Support communications — emails, in-product messages, ticket history.

03 How we use it

  • To provide, operate, and improve the Service.
  • To authenticate you, secure your account, and prevent abuse.
  • To bill you and to handle plan changes.
  • To respond to your support requests.
  • To comply with our own legal obligations (e.g. UAE tax record retention, anti-money-laundering checks).
  • To send transactional emails about your workspace (deadline reminders, FTA-cleared notifications, etc.).
  • With your consent, to send product update emails. You can unsubscribe at any time.

04 Lawful basis (UAE PDPL)

We rely on the following lawful bases under UAE Federal Decree-Law No. 45 of 2021: contract (delivering the Service you signed up for), legal obligation (tax record retention, financial crime reporting), legitimate interest (security, abuse prevention, product improvement, only where balanced against your rights), and consent (marketing emails, optional analytics).

05 Who we share with

We do not sell your data. We share with the following categories of processors, each bound by a written processing agreement:

  • Cloud infrastructure (Supabase, Vercel) — hosting + storage of your workspace data.
  • Payment processing (Stripe) — billing, card data tokenization.
  • Email delivery (Resend) — transactional and consented marketing emails.
  • Error monitoring (Sentry) — crash reports, performance traces (no Customer Data).
  • FTA submissions — invoice and return data when you authorize EmaraTax e-invoicing clearance.
  • Professional advisors (auditors, legal counsel) — only on a need-to-know basis.

The current sub-processor list is published and versioned in the Data Processing Addendum.

06 How long we keep it

  • Account data — for the life of the account plus thirty (30) days after closure.
  • FTA-relevant Customer Data (invoices, credit notes, VAT returns, audit trail) — minimum seven (7) years from the relevant tax period, regardless of subscription status.
  • Other Customer Data — deletable on request after subscription end.
  • Backups — rolling 30-day retention with delete-on-restore semantics.

07 Security

We protect your data with encryption in transit and at rest, role-based access controls, multi-factor authentication, append-only audit logging, tenant-isolated database row-level security, and continuous security monitoring. We are pursuing SOC 2 Type II attestation; status is published on /security. No system is perfectly secure; you remain responsible for your password and for promptly reporting any suspected compromise to security@watin.app.

08 Your rights

UAE PDPL Articles 13 through 19 grant you the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account data (subject to retention obligations above).
  • Object to processing for direct marketing.
  • Restrict processing in specific circumstances.
  • Receive your data in a portable format.
  • Withdraw consent at any time where consent is the lawful basis.

To exercise any of these rights, email privacy@watin.app from the address associated with your account. We respond within thirty (30) days.

09 International transfers

Some of our processors are headquartered outside the UAE. Where data is transferred internationally we rely on the safeguards permitted under PDPL Article 22, including processor agreements requiring equivalent protection and, where applicable, recognized adequacy decisions.

10 Cookies & similar technologies

We use cookies for authentication, security, preferences, and (with your consent) analytics. The full cookie inventory, categorization, and opt-out controls are documented in the Cookies section of the DPA.

11 Children

The Service is not directed at children under 18 and is intended for use by UAE-registered legal entities. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

12 Changes to this policy

Material changes will be notified at least thirty (30) days before they take effect, by email to the workspace owner and an in-product banner. The version history at the bottom of this page records every revision.

13 Contact

Data protection inquiries: privacy@watin.app. Postal: Maktab FZ-LLC, Dubai, United Arab Emirates.

Version history

Version | Effective | Summary
v1.0 | 2026-05-21 | Initial publication. Aligned to UAE PDPL (Federal Decree-Law No. 45 of 2021). Pending external review.