UAE PDPL Compliant · Federal Decree-Law 45/2021

Privacy Policy

Last updated: June 3, 2026 · Version 1.0

We respect your privacy and are committed to protecting your personal data under the UAE Personal Data Protection Law. This policy explains what data we collect, why, how we protect it, and your rights.

1. Introduction and Scope

Dynamic Web Lab FZE LLC ("PausePOS", "we", "us", or "our") is committed to protecting your privacy and complying with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use the PausePOS platform, websites, and related services (the "Service").

This Policy applies to all personal data we process as a Data Controller (for our own customers and staff) and as a Data Processor (for the customer data our Customers upload to the Service).

2. Data Controller and Data Processor

We act as a Data Controller for personal data you provide directly to us (e.g., your account contact information). When you use the Service to process personal data of your own customers or staff, we act as a Data Processor on your behalf, and our Data Processing Agreement (DPA) governs that processing.

3. Personal Data We Collect

We collect the following categories of personal data:

  • Identity Data: Name, nationality, Emirates ID number (for KYC), passport number, trade license number, Tax Registration Number (TRN).
  • Contact Data: Business address, email address, phone number, WhatsApp number.
  • Transaction Data: Sales records, payment references, invoices, refund records, customer names, and amounts.
  • Technical Data: IP address, browser type, device type (e.g., Sunmi, Android, Windows, iOS), operating system, session duration, page views.
  • End-customer Data: Names, phone numbers, email addresses, and purchase history of your customers that you load into the Service.
  • Communications: Support requests, emails, chat messages, and feedback you send to us.

4. How We Use Personal Data (PDPL Article 5-6)

We use personal data only for specified, explicit, and legitimate purposes, including:

  • Providing, operating, and maintaining the Service.
  • Processing payments and managing your subscription.
  • Generating FTA-compliant electronic invoices (PINT-AE) and submitting them to your chosen Accredited Service Provider.
  • Verifying your identity and conducting KYC checks as required by UAE law.
  • Responding to your support requests and providing customer service.
  • Detecting, preventing, and addressing fraud, security incidents, and abuse.
  • Complying with UAE legal, regulatory, and tax obligations.
  • Sending you service-related notices (security alerts, billing, policy changes) — these are not marketing.
  • With your consent, sending marketing communications about new features, plans, and offers (you can withdraw consent at any time).

5. Legal Basis for Processing (PDPL Article 5-6)

We process personal data on the following legal bases under the PDPL:

  • Consent: For marketing communications, optional cookies, and non-essential features.
  • Contract performance: To provide the Service you have subscribed to.
  • Legal obligation: To comply with UAE tax law, anti-money-laundering regulations, and court orders.
  • Legitimate interest: To secure the Service, prevent fraud, and improve functionality, where this does not override your fundamental rights.

6. Data Residency and Storage

All Customer Data is stored in the European Union (Frankfurt, Germany) on enterprise-grade infrastructure provided by Hetzner Online GmbH. By default, Customer Data does not leave the EU. Enterprise customers may opt in to UAE-only data residency at additional cost; please contact [email protected].

Some ancillary data (CDN logs, error monitoring, payment processing) may transit through or be processed in other jurisdictions by our sub-processors as listed in Section 7. No personal data is stored in the United States.

7. Sub-Processors

We use the following sub-processors to provide the Service. Each is bound by a data processing agreement that meets PDPL Article 14 requirements:

  • Hetzner (Germany): Hosting and database
  • Cloudflare (Global): CDN, DNS, DDoS protection
  • Stripe (US / Ireland): Payment processing
  • Sentry (US): Error monitoring (anonymized, no PII sent)
  • OpenAI (US): Optional AI features (only the data you submit)
  • Twilio / Meta (US): Optional WhatsApp receipts
  • ClearTax / Flick (UAE): PINT-AE e-invoicing submission

8. International Data Transfers

By default, Customer Data stays in the European Union. Where sub-processors outside the EU process personal data (e.g., Stripe for payments, Sentry for error monitoring), we ensure appropriate safeguards are in place, including: (a) Standard Contractual Clauses approved by the European Commission; (b) data processing agreements with PDPL-compliant obligations; (c) data minimization and pseudonymization where possible; and (d) regular transfer impact assessments.

9. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We share personal data only with: (a) sub-processors listed in Section 7 to provide the Service; (b) UAE government authorities, the Federal Tax Authority, or law enforcement where required by UAE law or valid court order; (c) banks and payment processors to process your subscription payments; (d) auditors, legal counsel, and professional advisors under confidentiality obligations; and (e) a successor entity in the event of a merger, acquisition, or sale of PausePOS, with notice to you.

10. Data Retention

We retain personal data for as long as necessary to provide the Service and comply with UAE legal obligations. Specific retention periods:

  • Account and billing data: For the duration of the subscription plus 7 years (UAE tax law requires 5 years; we retain 7 for safety).
  • Transaction and invoice data: 7 years from the date of transaction (UAE tax law requirement).
  • Audit logs: 10 years (PDPL Article 14 — Records of Processing).
  • Support communications: 3 years from last interaction.
  • Marketing consent records: Until consent is withdrawn, plus 3 years.
  • Backups: 30 days rolling, then permanently deleted.

11. Data Security (PDPL Article 22)

We implement industry-standard technical and organizational measures to protect personal data, including: AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access control with least privilege, multi-factor authentication for staff, network segmentation, daily encrypted backups, 24/7 security monitoring, regular penetration testing, and mandatory annual staff data protection training.

12. Your Rights under the PDPL

As a data subject, you have the following rights. To exercise any of these rights, email [email protected] and we will respond within 30 days:

  • Right of access (PDPL Art. 14): Request a copy of all personal data we hold about you.
  • Right to correction (PDPL Art. 15): Request correction of inaccurate or incomplete data.
  • Right to erasure (PDPL Art. 16): Request deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing (PDPL Art. 17): Request that we limit how we process your data.
  • Right to data portability (PDPL Art. 18): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (PDPL Art. 19): Object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent (PDPL Art. 10): Withdraw any consent you previously gave, at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (PDPL Art. 20): Lodge a complaint with the UAE Data Office (www.digitalgov.ae).

13. Cookies and Tracking

We use essential cookies that are strictly necessary for the Service to function (authentication, session management, security). We also use optional analytics cookies (privacy-friendly, no third-party sharing) that you can disable. We do not use advertising cookies or cross-site tracking. You can manage cookie preferences via the cookie banner on our website.

14. Marketing Communications

We may send you marketing emails about new features, plans, and offers only if you have given consent (via the signup form, an opt-in checkbox, or by requesting a demo). You can withdraw consent at any time by clicking "unsubscribe" in any marketing email or by emailing [email protected]. Withdrawal of marketing consent does not affect the lawfulness of processing for the Service itself.

15. Children's Data

The Service is intended for use by businesses and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child in error, please contact [email protected] and we will delete it within 7 days.

16. Automated Decision-Making

We do not use your personal data for automated decision-making that produces legal or similarly significant effects. Optional AI features (e.g., smart product categorization, demand forecasting) are suggestions only and require human review before any business action is taken.

17. Changes to this Policy and Contact

We may update this Privacy Policy from time to time. Material changes will be notified by email and in-app notification at least 30 days before they take effect. The latest version is always available at pausepos.com/privacy.

For all privacy questions, data subject requests, or complaints, please contact our Data Protection Officer:

Data Protection Officer
Dynamic Web Lab FZE LLC
Office 2703, Platinum Tower, Jumeirah Lake Towers, Dubai, UAE
[email protected]
+971 4 123 4567

Exercise your data protection rights

Email our Data Protection Officer. We respond to all requests within 30 days.

[email protected]