Pre-launch draft. Edah AI is preparing for commercial launch. This document is published in good faith as a draft of the terms that will apply to the service. Final, binding versions will be issued before the service is made available for paid use. Items shown in square brackets, such as [Effective Date] or [Legal Entity Name], will be completed prior to launch.

Last updated: [Effective Date]

Edah AI ("Edah AI", "we", "us", or "our") provides a multi-tenant conversational voice AI platform operated under the brand Edah AI at edah.ai. This Privacy Policy explains how we collect, use, share, retain, and protect personal data when you visit our website, sign up for an account, or use the Edah AI service (the "Service").

This policy is written to align with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and applicable international data protection frameworks. By using the Service, you agree to the processing described below.

1. Who we are

The data controller for personal data processed about visitors to edah.ai and account administrators is [Legal Entity Name], a company incorporated in the United Arab Emirates with its registered office at [Registered Office Address] (Trade Licence No. [Trade Licence Number]).

For personal data of end users of our customers (callers, contacts, or other data subjects whose data is uploaded to the Service by a customer), we act as a processor on behalf of the customer, who is the controller. The customer Data Processing Agreement governs that relationship.

2. Information we collect

Account information. When you create an Edah AI account, we collect your name, work email, organisation name, role, and a hashed password. If you sign up via single sign-on, we receive the equivalent information from your identity provider.

Usage data. We automatically collect information about your use of the Service, including IP address, device and browser metadata, dashboard actions, feature usage, and timestamps. This data helps us operate the Service and detect abuse.

Voice and conversation data. Where you operate Edah AI to handle inbound or outbound calls, we process audio, transcripts, derived metadata, and tool-call payloads. This data is processed on the instructions of the customer who initiated the call. Personal data identifiable to callers is redacted by default and stored in a tamper-evident audit chain.

Connected sources. When you connect a customer relationship management system, calendar, knowledge base, or other business application, we access the records you authorise solely to enable the Service to act on your instructions.

Payment information. Once paid plans are available, billing details (such as company name, tax identification, and card-on-file references held by our payment processor) will be collected. Card numbers are never stored on Edah AI infrastructure.

Communications. If you contact us by email or chat, we keep a record of the conversation and any attachments.

3. How we use information

• Provide, operate, and maintain the Service.

• Authenticate users and enforce access controls.

• Generate, deliver, and audit voice agent conversations on customer instructions.

• Comply with regulatory obligations under PDPL and the Telecommunications and Digital Government Regulatory Authority (TDRA) rules applicable to outbound calling.

• Detect and prevent fraud, abuse, and security incidents.

• Process billing and manage commercial relationships.

• Respond to support requests and provide operational updates.

• Improve the Service through aggregated, anonymised usage analytics.

4. Legal basis for processing

We rely on the following lawful bases under the PDPL:

• Performance of a contract for processing necessary to deliver the Service to you or to a customer.

• Compliance with a legal obligation for processing required by PDPL, TDRA, anti-money-laundering, tax, or court orders.

• Legitimate interests in operating, securing, and improving the Service, balanced against your interests and rights.

• Consent, where consent is the appropriate basis (for example, recording of customer-end calls or marketing communications).

5. Sharing and disclosure

We do not sell personal data. We disclose personal data only as described below:

• Authorised sub-processors. We rely on a curated list of sub-processors to operate the Service. See our Subprocessors page for the current list.

• Customers. For end-user data we process as a processor, the customer who initiated the call or upload is the data controller and receives the data we generate on their instructions.

• Legal obligations. We disclose personal data to competent authorities where required by law, court order, or binding regulatory request.

• Corporate transactions. In the event of a merger, acquisition, or asset transfer, personal data may be transferred as part of that transaction, subject to confidentiality and continued protection.

6. Data residency

All customer voice data (audio, transcripts, embeddings, derived PII, and audit records) is stored and processed inside the United Arab Emirates on infrastructure approved for PDPL workloads. Data does not leave the country in the course of normal Service operation.

A limited set of operational data (account metadata, billing records, support correspondence) may be processed by sub-processors outside the UAE under appropriate safeguards described in the Subprocessors page.

7. Data retention

We retain personal data for the period required to provide the Service and to comply with legal obligations. Default retention windows are:

• Account information: for the life of the account, then 90 days after closure unless extended retention is required by law.

• Voice recordings and transcripts: 30 days by default, configurable per tenant under the customer Data Processing Agreement.

• Audit chain records (consent, dial, tool calls, system events): up to 7 years, as required to satisfy regulatory and forensic requirements.

• Usage logs: 12 months in identifiable form, then aggregated.

• Billing records: 5 years, as required by UAE tax and commercial law, or longer where mandated for specific categories such as real estate or capital asset transactions.

8. Security

We apply administrative, technical, and physical safeguards designed to protect personal data:

• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).

• Role-based access control and row-level data isolation between tenants.

• PII redaction applied by default to stored transcripts and audit records.

• Tamper-evident hash-chained audit log for compliance-relevant events.

• Periodic third-party security assessments and a documented incident response procedure.

9. Your rights

Under the PDPL, subject to applicable conditions and exceptions, you have the right to:

• Access the personal data we hold about you.

• Request correction of inaccurate or incomplete data.

• Request deletion of your personal data.

• Restrict or object to certain processing activities.

• Receive your personal data in a portable format.

• Withdraw consent where processing is based on consent.

• Lodge a complaint with the UAE Data Office.

To exercise any of these rights, contact privacy@edah.ai. We will respond within the timeframe required by applicable law (and no later than 30 days where no specific period is mandated).

10. International transfers

Where any limited operational data is processed outside the UAE, we rely on a mechanism recognised under the PDPL, including adequacy determinations issued by the UAE Cabinet, contractual safeguards approved or accepted by the UAE Data Office, binding corporate rules, or other measures permitted by the law. Sub-processors located outside the UAE are listed on the Subprocessors page along with the mechanism that applies to each.

11. Children

The Service is not directed to individuals under 18 years of age. We do not knowingly process personal data of minors. If you believe a minor has provided personal data to Edah AI, contact privacy@edah.ai and we will delete the data promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified at least 30 days in advance by email to account administrators or through a banner on the Service. The "Last updated" date at the top of the policy will be revised.

13. Contact

For privacy questions or to exercise your rights, please reach us at the addresses below.

Privacy and data protection: privacy@edah.ai

Security disclosures: security@edah.ai

Legal and commercial: legal@edah.ai

Website: edah.ai