Privacy Policy

Effective Date: 1 March 2026  ·  Last Revised: 26 March 2026

1. Preamble & Scope of Application

NeoLayer Technologies (“the Company,” “we,” “our,” or “us”) hereby promulgates this Privacy Policy (hereinafter “the Policy”) to delineate, with requisite transparency and unambiguous particularity, the modalities by which personally identifiable information and ancillary non-personal data are collected, processed, retained, and, where legally permissible or obligatorily required, disclosed in connection with the utilisation of our digital platforms, software-as-a-service offerings, application programming interfaces, and any contiguous or derivative services (collectively, “the Services”).

This Policy applies universally to all natural persons and legal entities that access, interact with, or otherwise avail themselves of any component of the Services, irrespective of jurisdictional domicile, nationality, or the technological medium employed to effectuate such access. By continuing to utilise the Services subsequent to the Effective Date, the Data Subject unequivocally acknowledges having read, comprehended, and irrevocably consented to the provisions contained herein.

2. Categories of Personal Data Collected

The Company may, in the ordinary and necessary course of operating the Services, collect and process the following categories of personal data:

  • Identification & Contact Data: Full legal name, electronic mail address, telephone number, and any other identifying particulars voluntarily furnished upon registration or subsequent account modification.
  • Authentication Credentials: Encrypted password hashes, multi-factor authentication tokens, and session identifiers generated for the purpose of verifying the identity of the Data Subject.
  • Transactional & Billing Data: Invoicing details, subscription tier, payment method metadata (excluding full card numbers, which are processed exclusively by PCI-DSS-compliant third-party processors), and transaction history.
  • Conversational & Operational Data: Textual and structured data traversing automated communication pipelines (e.g., WhatsApp Business API integrations), processed ephemerally for the sole purpose of generating intelligent responses and delivering the contracted functionality.
  • Technical & Device Telemetry: Internet Protocol addresses, browser user-agent strings, operating system identifiers, session duration metrics, click-stream data, and device fingerprinting attributes collected via standard server logs and analytics instrumentation.
  • Preference & Configuration Data: User-defined settings, language preferences, notification configurations, and customisation parameters stored to personalise and optimise the Service experience.

3. Legal Basis & Purposes of Processing

All processing operations conducted by the Company are grounded upon one or more of the following legally recognised bases:

  • Contractual Necessity: Processing is indispensably required to perform the agreement entered into between the Company and the Data Subject, including provisioning, maintaining, and supporting the Services.
  • Legitimate Interests: Processing is conducted to advance the Company's legitimate operational interests — including fraud prevention, network security, service improvement, and business analytics — provided such interests are not overridden by the fundamental rights of the Data Subject.
  • Legal Obligation: Processing is necessitated by applicable statutory, regulatory, or judicial requirements to which the Company is subject, including anti-money-laundering obligations and tax compliance mandates.
  • Consent: Where no other lawful basis is applicable, the Company shall solicit the explicit, informed, and freely given consent of the Data Subject prior to processing, which may be withdrawn at any time without prejudice to the lawfulness of prior processing.

4. Disclosure & Third-Party Transfers

The Company does not sell, rent, or commercially exploit personal data. Disclosure to third parties may occur solely in the following circumscribed circumstances:

  • Authorised Sub-processors: Carefully vetted service providers engaged under binding Data Processing Agreements who furnish infrastructure, analytics, communication delivery, or payment processing functions strictly on behalf of and under the instruction of the Company.
  • Regulatory & Law Enforcement Authorities: Where compelled by a valid court order, statutory obligation, governmental directive, or bona fide law enforcement request, the Company may disclose the minimum data necessary to satisfy such mandatory requirement.
  • Corporate Restructuring: In the event of a merger, acquisition, asset transfer, or analogous corporate transaction, personal data may be transferred to the successor entity, subject to equivalent privacy protections.
  • Protection of Rights: Where disclosure is reasonably necessary to prevent imminent harm, enforce contractual obligations, or defend against legal claims.

5. Data Retention & Erasure

Personal data shall not be retained beyond the period strictly necessary to fulfil the purposes for which it was collected or to discharge applicable legal retention obligations. Upon expiration of the applicable retention period, data shall be irreversibly anonymised or securely destroyed in accordance with industry-standard data sanitisation protocols.

  • Account data is retained for the duration of the contractual relationship and for a period of up to five (5) years thereafter for audit and legal compliance purposes.
  • Conversational data processed through automated pipelines is retained for no longer than ninety (90) days unless the Data Subject explicitly requests earlier deletion.
  • Anonymised and aggregated analytical data, which cannot reasonably be used to re-identify any individual, may be retained indefinitely for statistical and product improvement purposes.

6. Security & Organisational Safeguards

The Company employs a multi-layered, defence-in-depth security architecture encompassing administrative, technical, and physical controls commensurate with the sensitivity of the data processed and the prevailing state of the art. Implemented measures include, without limitation:

  • Transport Layer Security (TLS 1.2+) encryption for all data in transit between the Data Subject's device and Company infrastructure.
  • AES-256 encryption at rest for all personally identifiable data stored within Company-controlled systems.
  • Role-based access controls (RBAC) and the principle of least privilege governing internal access to personal data repositories.
  • Continuous monitoring, anomaly detection, and periodic penetration testing to identify and remediate potential vulnerabilities.
  • Mandatory data protection training for personnel whose functions involve the processing of personal data.

Notwithstanding the foregoing, no system of security controls is absolutely impregnable, and the Company cannot guarantee the absolute inviolability of data transmitted over public networks.

7. Rights of the Data Subject

Subject to applicable law, Data Subjects are vested with the following rights, exercisable without undue restriction:

  • Right of Access: To obtain confirmation as to whether personal data is being processed and, if so, to receive a structured copy thereof.
  • Right to Rectification: To request the correction of inaccurate or incomplete personal data without undue delay.
  • Right to Erasure: To request the deletion of personal data where it is no longer necessary for the purposes for which it was collected, subject to overriding legal obligations.
  • Right to Restriction: To request the temporary suspension of processing pending the resolution of a contested accuracy or legitimate interest objection.
  • Right to Data Portability: To receive personal data in a structured, commonly used, machine-readable format and to transmit such data to another controller.
  • Right to Object: To object at any time to processing grounded on legitimate interests or conducted for direct marketing purposes.

8. Cookies & Tracking Technologies

The Company utilises cookies, web beacons, pixel tags, and analogous persistent and session-based tracking technologies to facilitate authentication, preserve user preferences, and compile aggregated statistical analyses of Service utilisation patterns. Granular control over non-essential cookies may be exercised via the Cookie Preference Centre accessible within the platform interface or through the Data Subject's browser configuration settings. Withdrawal of consent for non-essential cookies shall not impair access to core Service functionality.

9. International Data Transfers

The Company's infrastructure is predominantly domiciled within the United Arab Emirates and the European Economic Area. Where personal data is transferred to jurisdictions that do not afford an equivalent level of data protection, such transfers shall be effectuated exclusively pursuant to legally recognised transfer mechanisms, including but not limited to Standard Contractual Clauses, binding corporate rules, or adequacy decisions issued by competent regulatory authorities.

10. Amendments to this Policy

The Company reserves the unilateral right to amend, supplement, or replace any provision of this Policy at any time, subject to the provision of reasonable prior notice to Data Subjects through the Services interface or via electronic communication. Continued utilisation of the Services following the promulgation of such amendments shall constitute irrevocable acceptance of the revised Policy. Data Subjects are encouraged to review this Policy periodically to remain apprised of any modifications.

11. Contact & Supervisory Authority

All enquiries, requests to exercise data subject rights, or complaints pertaining to this Policy or the Company's data processing activities shall be addressed in writing to:

NeoLayer Technologies

Data Privacy Office

Dubai, United Arab Emirates 🇦🇪

Email: hello@neolayer.ai

Data Subjects domiciled within the European Economic Area retain the right to lodge a complaint with the competent national supervisory authority should they consider that the processing of their personal data contravenes applicable data protection legislation.

This Privacy Policy shall be governed by and construed in accordance with the laws of the United Arab Emirates. Any dispute arising in connection herewith shall be subject to the exclusive jurisdiction of the competent courts of Dubai, UAE.