Privacy Policy

Issued by: AI Digidot Limited

Registered at the Dubai International Financial Centre

License No. CL10599

Trading as: Aisfy

1. Introduction

This Privacy Policy explains how AI Digidot Limited (“we”, “our”, or “Aisfy”) collects, uses, stores, and protects personal data when users access the Aisfy platform. This policy aligns with:

  • UAE Federal Personal Data Protection Law (PDPL) – Law No. 45 of 2021
  • DIFC Data Protection Law – Law No. 5 of 2020
  • ADGM Data Protection Regulations 2021
  • Core principles of GDPR, where applicable

Aisfy is committed to protecting the rights of data subjects and maintaining full transparency with respect to data processing activities. We adhere to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.

2. Scope

This policy applies to all personal data collected and processed through the Aisfy platform, including through:

  • User accounts and registrations
  • Uploaded business documents, prompts, and AI workflows
  • Content publishing integrations (e.g. Meta, WhatsApp)
  • Third-party AI services used within the platform

3. Types of Data Collected

Aisfy may process the following types of personal and operational data:

  • User Profile Data: Name, email address, business name, role, login timestamps, and platform settings
  • Uploaded Content: Contracts, memos, reports, strategy documents, prompts, internal business data
  • System Activity Logs: AI interactions, task lists, campaigns, approvals, user actions
  • Technical Metadata: IP address, device information, browser type, usage region
  • Platform Integrations: CRM tokens, social media scheduling, email and WhatsApp publishing metadata

Note: Aisfy does not intentionally collect sensitive personal data (e.g. health, biometrics, national IDs), and users are advised not to upload such data unless explicitly agreed in writing.

Aisfy acts as a processor for user-uploaded content on behalf of enterprise clients, and will never use such content for training or analysis without explicit authorization.

Aisfy applies data minimization principles and collects only data necessary for the performance of services or as required by applicable law.

4. Legal Basis for Processing

Personal data is processed on one or more of the following legal bases:

  • Contractual Necessity – To provide access to Aisfy platform features
  • Legitimate Interest – Platform security, analytics, feature optimization
  • Legal Obligation – Compliance with UAE or DIFC laws
  • Consent – For publishing content via Meta or WhatsApp, or when connecting third-party tools

Users may withdraw consent for integrations or optional features at any time by accessing their account settings or contacting the DPO. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.

5. Data Residency & International Transfers

Aisfy stores and processes data in secure data centers located in the UAE and the United States. For international data transfers outside the DIFC or UAE, the following safeguards are in place:

  • Standard Contractual Clauses (SCCs)
  • Cross-border transfer risk assessments
  • Data Processing Agreements (DPAs) with sub-processors
  • Access controls, encryption, and audit logging

Aisfy clients are notified if data processing is required in new jurisdictions. Wherever possible, UAE residency is prioritized for regulated entities. For transfers to non-adequate jurisdictions (e.g. USA), Aisfy relies on Standard Contractual Clauses under Article 27(2)(c) of DIFC Data Protection Law No. 5 of 2020.

6. Security Measures

Aisfy implements enterprise-grade security protocols:

  • Encryption at Rest: AES-256
  • Encryption in Transit: TLS 1.2+
  • Role-Based Access Control (RBAC)
  • Multi-Factor Authentication (MFA)
  • WAFs, firewalls, and rate limiting
  • Internal and external penetration testing
  • Automated patch management and vulnerability scans
  • Endpoint Device Controls: Access is restricted via device fingerprinting and activity-based session control.
  • Third-Party Risk Reviews: All processors are vetted for ISO 27001 or equivalent compliance.

7. Data Subject Rights

Under DIFC, PDPL, and applicable international laws, users have the right to:

  • Access their personal data
  • Correct inaccurate or outdated data
  • Request data erasure (right to be forgotten)
  • Restrict or object to certain types of processing
  • Request data portability (where technically feasible)

Requests must be sent to: 📧 compliance@aisfy.ai

Aisfy may require verification of identity before acting on a request.

We respond to all verified requests within 15 business days, unless lawfully extended. Data subjects also have the right to lodge a complaint with the DIFC Commissioner of Data Protection if they believe their rights have been violated.

8. Sub-Processors & Third-Party APIs

Aisfy uses carefully selected sub-processors with strict contractual safeguards. These include:

Provider | Purpose | Retention | Region
Amazon Web Services | Hosting infrastructure | Configurable | UAE / US
OpenAI API | Language model processing | Stateless | US
Meta (Facebook/Instagram Graph API) | Content publishing | OAuth-based only | Global
Google Cloud APIs | Image generation & rendering | Transient prompts | UAE / US

Aisfy does not resell or share user data with any third party unless required by law or explicitly authorized by the client. All publishing or external integrations require user consent.

9. Retention & Deletion Policy

  • All personal and uploaded data is retained only for the duration of the client agreement or as required by law.
  • Upon contract termination or user request, Aisfy permanently deletes data within 30 days.
  • System logs and audit metadata may be retained longer for security and regulatory compliance, as contractually agreed.

Where required by law or pending legal/regulatory matters, data may be retained beyond the standard retention window in a secure, access-restricted archive.

10. Breach Notification & Incident Response

Aisfy maintains a structured breach response policy:

  • Affected clients and regulators will be notified within 24 hours of confirmed data breach incidents.
  • A detailed incident report will be provided within 3 business days.
  • All actions are documented and available for client audit under NDA.

All breach notifications follow the 72-hour reporting window required under DIFC Law, unless a longer period is justified by forensic investigation protocols.

11. AI Workflow, Agent-Based Processing & System Notice (Final Compliant Version)

Aisfy incorporates AI-powered modules and custom agents to assist users in automating marketing, compliance, and operational workflows. These agents are activated based on user input and role-based access permissions, and operate within defined platform boundaries.

Use Cases

AI agents may support:

  • Parsing and analyzing uploaded client documents
  • Generating content, strategy plans, regulatory reports, or SOPs
  • Suggesting workflows or actions based on user-defined goals
  • Executing tasks across departments (e.g., marketing, HR, compliance)

All actions taken by AI agents are initiated or reviewed by the user and are bound by account-level permissions.

AI System Notice

“This feature is powered by AI. Outputs are generated based on your inputs and system context. Please review and approve all content before publishing or acting. No fully automated decisions with legal or significant effects are made without human review.”

This notice appears in the platform UI wherever AI-driven features are used.

Human Oversight & Explainability

  • Aisfy does not rely on fully automated decision-making that produces legal or similarly significant effects on individuals (per Article 35 of DIFC Law No. 5 of 2020).
  • All AI actions are subject to human review and user approval before publication or execution.
  • Users can access summary explanations of how AI outputs were generated, including input parameters and logic applied.
  • Platform administrators may override or deactivate AI outputs where necessary.

Transparency & Audit Logging

  • All AI modules are version-controlled.
  • AI actions are logged with timestamp, user ID, action type, and agent version.
  • Audit trails are accessible by enterprise admins under NDA or regulatory review.
  • Data subjects may request a summary of AI-based processing involving their data.

Data Categories Processed

  • AI agents operate primarily on business content and metadata provided by the user (e.g., campaign brief, uploaded content, industry settings).
  • No sensitive personal data (e.g., health, religion, biometrics) is used in AI models unless explicitly agreed and legally permitted.
  • Profiling and segmentation may be used to generate content or workflows, but never for legal scoring, biometric prediction, or behavioral inference.

Opt-Out & Customization

  • Enterprise clients can disable or limit specific AI agents within their organization.
  • Individual users may opt out of non-essential AI features where alternatives exist.
  • Configuration settings allow admins to define which users or roles may access AI agents or automated workflows.

Model Governance & Third Parties

  • Aisfy uses third-party models such as OpenAI, Falcon, and SDXL under strict contractual safeguards.
  • Prompt and response data is not used to train models unless anonymized and contractually agreed.
  • No user content is shared with external model providers for fine-tuning unless explicitly authorized.

12. Children’s Privacy

Aisfy is not designed for individuals under the age of 18. If it becomes known that personal data has been submitted by a minor, the data will be deleted immediately.

13. Contact

Data Protection Officer: Kanwal Shahzad

AI Digidot Limited (DIFC License No. CL10599)

📍 DIFC AI Campus, Dubai, UAE

📧 compliance@aisfy.ai

14. Changes to This Policy

This policy may be updated from time to time to reflect platform changes or regulatory developments.

All updates will be posted on our website and, where applicable, notified to clients via email or in-app notification.