Dembri

Privacy Policy

Last updated: May 13, 2026  ·  UAE Federal Decree-Law No. 45 of 2021 (PDPL)

Policy basis

This page explains how the product handles account, document, and messaging data. When the text mentions legal obligations, verify them against the governing law and your own counsel.

Scope: Account and compliance data

Storage: Supabase in Frankfurt

Review rule: Legal text is informational

1. Who We Are

Dembri is a UAE compliance SaaS that helps businesses track trade license renewals, compliance deadlines, and government document expiries. The service is operated by Dembri Technologies Ltd, a company incorporated in the Dubai International Financial Centre (DIFC), registered number 13580.

We handle your data carefully because we know how sensitive compliance information is. This policy explains exactly what we collect, why we collect it, who we share it with, and what rights you have over your data.

For any data-related questions, email: privacy@dembri.com

2. What Data We Collect

We only collect data that is necessary to run the service.

| Data | Why We Collect It |
| --- | --- |
| Full name | To identify you as a user and personalise your account |
| Email address | To send account notifications, renewal alerts, and login links. Also used as your login identifier. |
| Company name | To associate your compliance records with your business entity |
| WhatsApp number | To send renewal reminders and compliance alerts via WhatsApp |
| Emirates ID numbers | To track identity document expiries so you don't miss renewal deadlines |
| Trade license numbers | To track license renewal dates and send timely reminders |
| Document expiry dates | Core function of the service — we store the expiry dates you enter or extract from uploaded documents |
| Uploaded document files | You may upload PDFs or images of trade licenses, visas, Emirates IDs, and other compliance documents |

We do NOT collect: payment card numbers (Stripe handles all payment processing), biometric data, location data, browsing history or analytics beyond basic page views, or any data not listed above.

3. How We Collect Your Data

  1. You give it to us directly — when you sign up, fill in your profile, upload documents, or enter compliance data
  2. We extract it from documents you upload — our OCR feature reads expiry dates from uploaded documents so you don't have to type them manually
  3. Service usage data — basic information about how you interact with the dashboard to improve the product

4. How Long We Keep Your Data

| Data Type | Retention Period |
| --- | --- |
| Account information (name, email, company, WhatsApp number) | Until you delete your account |
| Compliance data (license numbers, Emirates IDs, expiry dates) | Until you delete your account |
| Uploaded documents | Until you delete them or delete your account |
| Payment records | 5 years (UAE tax law requirement) — stored by Stripe, not by us |
| Usage analytics | 12 months, then anonymised |

When you delete your account, all your personal data and uploaded documents are permanently deleted within 30 days. Backup copies are purged within 60 days.

4b. WhatsApp Communications — Opt-In and Opt-Out

We use the Meta WhatsApp Business Cloud API to send renewal reminders and (for Group-tier customers) two-way compliance chat. WhatsApp messaging requires explicit, per-recipient consent under both Meta's platform policy and UAE PDPL.

How we capture your consent. You opt in to WhatsApp messages from Dembri in one of two ways:

  • Toggling "Receive WhatsApp reminders from Dembri" on in your vault settings
  • Sending us a WhatsApp message yourself — your inbound message is recorded as opt-in for the phone number it came from

How we record your consent. For every opt-in, we store the phone number (in E.164 format), the timestamp, and the method (settings toggle or first inbound message). This record is retained for the lifetime of your account, plus 3 years after account deletion, as evidence of lawful processing under PDPL Article 4 and Meta's opt-in policy.

How to opt out. Two equivalent options:

  • Toggle "Receive WhatsApp reminders from Dembri" off in your vault settings
  • Reply STOP, UNSUBSCRIBE, CANCEL, END, QUIT, or OPT OUT to any WhatsApp message we send

Opt-out is immediate. We send a one-line confirmation and never message that number again from Dembri's WhatsApp Business Account until you opt back in via the settings toggle.

If you change your WhatsApp number. Opt-in is bound to a specific number. If you update the number in your settings, your previous opt-in record stays bound to the old number; you'll need to opt in again for the new one. This is intentional — it ensures consent always matches the number we send to.

For Group-tier customers using two-way chat. Messages you send to us and our AI agent's replies are stored in your chat history and used to improve your service experience. They are not used to train any AI model.

No marketing or promotional content is sent via WhatsApp. Messages are strictly transactional — renewal reminders, account alerts, and (for Group tier) your own compliance questions.

5. Where Your Data Is Stored

Your data is stored on Supabase, hosted in Frankfurt, Germany (EU region).

Data residency: your data resides in Frankfurt, Germany. It does not leave the EU economic area except when processed by our third-party tools listed in Section 6, which may process data in other regions.

6. Third-Party Processors (Who We Share Data With)

We use the following services to run Dembri. Each one has its own privacy and security measures. By creating an account you explicitly consent to these transfers under Article 22 of the UAE PDPL.

| Service | What It Does | Where |
| --- | --- | --- |
| Supabase | Stores all your data (database + file storage) | Frankfurt, Germany |
| Resend | Sends email notifications (renewal reminders, account emails) | US / EU |
| Meta WhatsApp Cloud API | Sends WhatsApp renewal reminders (when this channel is enabled on your account) | US / EU / Ireland |
| Stripe | Processes subscription payments | US / EU |
| Anthropic (Claude) | Powers AI features (document analysis, smart reminders) | United States |
| Perplexity (Sonar API) | Powers live government-policy research — only when you explicitly click the "Look up live →" button in chat (see Section 6b) | United States |

We do NOT sell your data to anyone. We do not share your compliance data with any third party except as necessary to provide the service through the processors listed above.

6a. AI Agent — What Leaves Dembri

When you chat with Dembri's AI agent about your own documents, compliance status, or UAE regulatory questions, the conversation is processed by Anthropic (USA) under our zero-retention Data Processing Addendum.

What is sent. Your question text, with personal identifiers (Emirates ID, UAE and international phone numbers, email addresses, passport numbers, visa file numbers, payment card numbers) automatically scrubbed before transmission. A summary of the documents relevant to answering — document name, type, issuing authority, status, and expiry date — is included as context. We do not send document numbers, file contents, scanned images, payment information, or your account profile.

Where it goes. Anthropic (USA), our AI sub-processor under PDPL Article 21(3)(c). Anthropic processes the text transiently under a zero-retention policy: your data is not used to train any model, is not retained beyond the response, and is not combined with data from any other source.

How to opt out. Don't use the chat feature. All other Dembri functionality — document vault, expiry calendar, reminders, playbooks — works without the AI agent.

6b. Live Government-Policy Research — What Leaves Dembri

When you ask the AI agent a question about UAE government policy (for example, “What does MOHRE require for X?” or “Cabinet Decision 106/2025 — does this still apply?”), the agent may offer a “Research this live” button. Clicking this button is the only way that any part of your question is sent to a research provider outside Dembri.

What is sent. Only the text of the specific question, with personal data (Emirates ID, passport, visa numbers, phone, email) automatically removed before transmission. We do not send your account information, document contents, license records, reminder schedules, or chat history.

Where it goes. Perplexity (USA), our research sub-processor under PDPL Article 21(3)(c). Perplexity uses its Sonar API. Our signed Data Processing Addendum with Perplexity (Section 5) expressly prohibits Perplexity from using your data to train its AI models and from retaining or combining it with data from any other source. Personal data is deleted within thirty days of the end of our service relationship with Perplexity.

How to opt out. Don't click the “Research this live” button. The default answer path never sends anything to Perplexity. Live search is strictly user-triggered, per-question, and rate-limited.

This is the only outbound transfer of your question content to a third-party research provider beyond the processors listed in Section 6. If we add another such provider in future, we will update this section and email account holders before activation.

7. Your Rights Under UAE PDPL

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) gives you the following rights:

Right to Know

Ask us what data we hold about you at any time. We'll send a full copy within 5 business days.

Right to Access

Log into your dashboard to see all your data directly. For a machine-readable export (JSON/CSV), email us.

Right to Correct

Edit most of your data directly in the dashboard. For anything stuck, email us and we'll fix it within 2 business days.

Right to Delete

Delete your account from dashboard settings. This permanently removes your profile, all compliance data, all uploaded documents, and all expiry tracking records.

Right to Restrict Processing

If you believe your data is incorrect or being processed unlawfully, ask us to pause processing while we investigate.

Right to Data Portability

Request a copy of your data in CSV or JSON format within 5 business days.

Right to Object

If we're processing your data for a purpose you didn't agree to, you can object and we'll stop.

To exercise any right: privacy@dembri.com — we respond within 5 business days and may ask you to verify your identity.

8. How We Protect Your Data

| Measure | What It Means |
| --- | --- |
| Encryption in transit | All data sent between your browser and our servers is encrypted with TLS 1.3 |
| Encryption at rest | Your data is encrypted on Supabase's servers |
| Access controls | Only you and authorised team members can access your data, with role-based permissions |
| Regular backups | Your data is backed up daily. Backups are encrypted and stored separately. |
| No third-party tracking | We don't use analytics scripts from Google, Facebook, or other ad networks |

9. Cookies

We use only essential cookies:

  • Session cookie: keeps you logged in while you use the dashboard
  • CSRF token: prevents cross-site request forgery

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Blocking all cookies will prevent you from logging in.

10. Changes to This Policy

If we change this privacy policy, we will:

  1. Update the “Last updated” date at the top
  2. Email you at the address on your account
  3. Show a notice in the dashboard the next time you log in

Significant changes (new data collection, new third-party processors) will require your explicit consent. Minor changes take effect immediately.

11. Complaints

  1. First step: email privacy@dembri.com — we investigate within 5 business days
  2. Second step: if you're not satisfied, you can file a complaint with the UAE Data Office (the PDPL supervisory authority)

12. Legal Basis for Processing (PDPL Article 4)

| Processing Activity | Legal Basis |
| --- | --- |
| Account creation and management | Your consent (you signed up and agreed to this policy) |
| Renewal reminders | Contractual necessity (this is the core service you signed up for) |
| AI document analysis | Your consent (you choose which documents to analyse) |
| Payment processing | Contractual necessity (we can't provide the service without payment) |
| Legal compliance (tax records) | Legal obligation (UAE tax law requires us to retain certain records) |

13. Children's Privacy

Dembri is a business-to-business service. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, email privacy@dembri.com and we'll delete it immediately.

14. International Data Transfers

Your data is stored in Frankfurt, Germany (Supabase EU region). Some third-party processors (Anthropic, Resend, Stripe, Meta WhatsApp Cloud API, Perplexity) may process data in other countries, including the United States.

Where these countries have data protection laws that differ from UAE PDPL, we rely on:

  • Standard Contractual Clauses (SCCs) — for transfers to the US (Anthropic, Resend, Stripe, Meta, Perplexity). Each provider has signed a Data Processing Addendum incorporating EU SCCs Module 2/3, which we rely on by analogy for UAE PDPL Article 22 cross-border transfers pending publication of the PDPL Executive Regulations.
  • Adequacy decisions — for transfers within the EU (Supabase)
  • Your explicit consent — where applicable, including each click of the “Research this live” button (Section 6b)

15. Data Protection Officer

In line with UAE PDPL Article 10, Dembri has appointed a Data Protection Officer (DPO) responsible for monitoring our PDPL compliance, advising on data protection impact, acting as the contact point for the UAE Data Office, and handling all data-subject requests.

DPO: Asif Nagarkatti, Founder & Security Officer

Email: dpo@dembri.com

Response time: Within 5 business days for general queries; within 72 hours for suspected data breaches.

Language: English or Arabic

If you believe your personal data has been mishandled or breached, contact the DPO immediately. We're also happy to explain anything in this policy in simpler terms — just ask.

16. PRO Firms — Controller / Processor Split

Pending formal legal review. This section sets out a baseline controller/processor framework. Regulated Firms (banks, healthcare, government suppliers) and Firms whose own customers contractually require a counter-signed DPA should request the standalone DPA below before onboarding. Click-through acceptance of this Privacy Policy is the default contract for SME engagements only.

When a PRO firm or business setup consultant (each, a "Firm") uses Dembri to manage compliance for their own end-clients (each, a "Managed Client"), the roles under UAE PDPL are:

  • The Firm is the data controller for any personal data of its Managed Clients that the Firm uploads or imports into Dembri.
  • Dembri is the data processor, processing that data only on the Firm's documented instructions. Documented instructions are: (a) actions the Firm takes through the platform's UI (uploading, editing, sharing, deleting Managed-Client data), and (b) any explicit written instructions the Firm sends to the DPO at dpo@dembri.com.

Firm responsibilities (controller obligations):

  • Have a lawful basis under PDPL Article 4 to share each Managed Client's personal data with Dembri (typically: explicit consent from the Managed Client, contract with the Managed Client, or a legitimate interest assessment the Firm has documented).
  • Inform Managed Clients that their data is processed by Dembri as a sub-processor and provide them with this Privacy Policy on request.
  • Handle Managed-Client data-subject requests directly. Dembri will assist the Firm to fulfil such requests within 30 days. The PDPL primary law does not currently codify a DSR response window — that will land in the Executive Regulations (pending). The 30-day commitment is GDPR-aligned best practice in the interim. PDPL Article 19 (“Methods of Communicating with the Controller”) is independently satisfied by the DPO email below and the in-product contact channels.
  • Notify Dembri of any change in lawful basis or any withdrawal of consent that affects data already in Dembri.

Dembri responsibilities (processor obligations):

  • Process Managed-Client data only to provide the contracted service to the Firm — no secondary use, no profiling, no monetisation.
  • Apply the same security controls described in Section 8 (AES-256 at rest, TLS 1.3 in transit, role-based access, audit logs) to Managed-Client data.
  • Use only the sub-processors listed in Section 6. Any change in sub-processors will be notified to the Firm with at least 30 days' advance notice and the right to object; if the objection cannot be resolved, the Firm may terminate without penalty.
  • Return or delete all Managed-Client data on the Firm's instruction, or within 90 days of contract termination, whichever is sooner.
  • Notify the Firm without undue delay (and within 72 hours) of any personal-data breach affecting Managed-Client data.

Data Processing Agreement. The Firm's acceptance of this Privacy Policy at signup, together with the order documentation for the Firm's subscription tier, constitutes a Data Processing Agreement between the Firm (controller) and Dembri (processor) for the purposes of UAE PDPL. A standalone signed DPA is available on request for Firms that require it.
