Privacy Policy
Last updated: March 2026 · Compliant with UAE Federal Decree-Law No. 45 of 2021 (PDPL)
1. Data Controller
tenancycontract.com is the data controller responsible for your personal data processed through this Platform. For privacy enquiries: privacy@tenancycontract.com
2. What Personal Data We Collect
| Category | Data Collected | Source |
|---|---|---|
| Identity & Contact | Name, email address, phone number | Entered by user in contract form |
| Contract Data | Property details, rental terms, Emirates ID numbers (if uploaded) | Entered by user or AI-extracted from uploaded documents |
| Signature Data | Electronic signature image (base64) | Drawn by user on signing page |
| Usage Data | IP address, browser type, device, pages visited, referrer | Automatically via server logs |
| Payment Data | Transaction ID, last 4 digits of card (no full card data stored) | Processed by Stripe — we do not store card details |
We do not collect sensitive personal data such as biometric data, health information, or political opinions.
3. Legal Basis for Processing
We process your personal data on the following legal bases under UAE PDPL:
- Contractual necessity — to provide the document generation and signing service you requested
- Legitimate interests — to maintain platform security, prevent fraud, and improve our services
- Legal obligation — to comply with applicable UAE laws and regulations
- Consent — where you have explicitly provided consent (e.g., marketing communications)
4. How We Use Your Data
- To generate and populate the DLD Unified Tenancy Contract with your details
- To create and send digital signing links to landlord and tenant
- To deliver the signed contract via email upon completion
- To process payments securely via Stripe
- To send transactional emails (contract generation, signing invitations, signed contract delivery)
- To maintain platform security, detect fraud, and prevent abuse
- To comply with legal and regulatory obligations under UAE law
- To improve Platform functionality based on anonymised usage analytics
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
5. Data Sharing with Third Parties
| Recipient | Purpose | Location |
|---|---|---|
| Brevo (Sendinblue) | Transactional email delivery | EU (GDPR compliant) |
| Stripe | Payment processing | USA/EU (PCI-DSS compliant) |
| Railway | Cloud hosting and database | USA |
| Vercel | Frontend hosting | USA |
| Anthropic (Claude AI) | Document data extraction from uploads | USA |
| Infobip | WhatsApp message delivery (optional) | EU |
All third-party processors are bound by data processing agreements and industry-standard security measures.
6. Data Retention
- Contract form data and generated PDFs: retained for 90 days, then permanently deleted
- Signing sessions and signature images: retained for 48 hours post-signing, then deleted
- Transaction records: retained for 7 years as required by UAE commercial law
- Server logs (IP, usage): retained for 30 days
- Uploaded documents (Emirates ID, passport, title deed): processed in-session only — not stored on our servers
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS/TLS encryption for all data in transit
- Encrypted database storage for sensitive fields
- Access controls limiting data access to authorised personnel only
- Regular security reviews and penetration testing
- Secure deletion of data upon expiry of retention periods
Despite these measures, no internet transmission is 100% secure. You transmit data to us at your own risk.
8. Your Rights Under UAE PDPL
You have the following rights regarding your personal data:
- Right to access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data (subject to legal retention obligations)
- Right to restriction — request that we limit processing of your data
- Right to data portability — request your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@tenancycontract.com. We will respond within 30 days. You also have the right to lodge a complaint with the UAE Data Office at uaedataoffice.ae.
9. Cookies
We use cookies and similar technologies. For full details, please refer to our Cookies Policy.
10. Children's Privacy
The Platform is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us immediately at privacy@tenancycontract.com and we will delete it promptly.
11. International Data Transfers
Your data may be processed by our third-party service providers outside the UAE (see Section 5). Where data is transferred internationally, we ensure appropriate safeguards are in place, including contractual protections and processor agreements compliant with UAE PDPL requirements.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date above. Your continued use of the Platform after changes are posted constitutes acceptance of the revised Policy.
13. Contact
Data Controller: tenancycontract.com
Email: privacy@tenancycontract.com
Dubai, United Arab Emirates