Privacy Policy
Last Updated: 2nd June 2026
This Privacy Policy (“Privacy Policy”) describes how Medsahra (“Platform”, “Company”, “we”, “our”, or “us”) collects, uses, stores, processes, transfers, discloses, and protects Personal Data when users access or use our website, mobile applications, communication systems, and related services.
The Platform operates solely as an online marketplace publication and communication service that allows users to publish listings and communicate with one another. The Platform does not own listed products or services, process payments, hold funds, participate in negotiations, guarantee transactions, or act as a party to agreements between users.
This Privacy Policy is intended to comply with applicable laws and regulations of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data (“UAE PDPL”), together with related regulations and applicable legal requirements.
By accessing or using the Platform, users acknowledge that they have read and understood this Privacy Policy.
1. Data Controller Information
The Platform is operated by:
- Company Name: SB Global Technologies L.LC-FZ
- Trade License Number: 2646361.01
- Registered Address: Maydan Grandstand 6th floor Maydan road, Nad Al Sheba Dubai UAE
- Jurisdiction: United Arab Emirates
- Contact Email: legal@medsahra.com
For purposes of applicable data protection laws, the Company acts as the controller of Personal Data processed through the Platform.
2. Scope of This Privacy Policy
This Privacy Policy applies to:
- Website visitors
- Registered users
- Users communicating through the Platform
- Individuals contacting us
- Users accessing our applications or related services
This Privacy Policy applies only to information processed by the Platform and does not apply to third-party websites, services, or platforms.
3. Definitions
For purposes of this Privacy Policy:
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, deletion, or retention.
- “User” means any individual or entity accessing or using the Platform.
- “Sensitive Personal Data” means data relating to health, biometrics, financial information, government identifiers, criminal records, or other specially protected information under applicable law.
4. Information We Collect
We collect and process only Personal Data reasonably necessary for the operation of the Platform and the purposes described in this Privacy Policy.
A. Information Provided by Users
We may collect information voluntarily submitted by users, including:
- Full name;
- Company or business name;
- Email address;
- Phone number;
- Usernames and account credentials;
- Profile information;
- Business information;
- Listing information, descriptions, images, and uploaded content;
- Communications sent through the Platform;
- Customer support requests;
- Marketing preferences;
- Any other information voluntarily provided;
- Corporate documents, trade licences, certificates of incorporation, shareholder documents, authorisation documents, compliance documents, and other company-related documentation voluntarily submitted by users.
B. Information Collected Automatically
We may automatically collect technical and usage-related information, including:
- IP address
- Browser type and version
- Device identifiers
- Operating system
- Language preferences
- Usage patterns and interactions
- Access dates and times
- Referring URLs
- Log files and system activity
C. Communications Data
We may collect and retain records of communications conducted through the Platform for moderation, security, fraud prevention, investigation, customer support, compliance, and enforcement purposes.
5. Legal Basis for Processing
Where required under applicable law, we process Personal Data based on one or more of the following legal grounds:
- User consent
- Performance of contractual obligations
- Compliance with legal obligations
- Legitimate business interests, including:
  - operating and improving the Platform
  - maintaining security
  - preventing fraud and abuse
  - enforcing policies and agreements
  - protecting users and the Platform
Users may withdraw consent at any time where processing is based on consent, subject to legal or operational limitations.
6. How We Use Personal Data
We may use Personal Data for the following purposes:
- Creating and managing accounts;
- Publishing and maintaining listings;
- Facilitating user communications;
- Operating and maintaining the Platform;
- Providing customer support;
- Monitoring Platform activity;
- Detecting fraud, abuse, spam, suspicious activity, or illegal conduct;
- Improving services and functionality;
- Enforcing agreements and policies;
- Sending service-related notifications;
- Sending marketing communications where permitted;
- Conducting analytics and performance monitoring;
- Complying with legal obligations;
- Protecting rights, security, and integrity of the Platform.
7. Marketplace Role and User Responsibility
The Platform acts solely as an intermediary publication and communication service.
The Platform:
- Does not own, manufacture, store, distribute, inspect, endorse, certify, or guarantee products or services listed on the Platform;
- Does not verify all users, listings, businesses, products, or services;
- Does not guarantee the accuracy, legality, quality, safety, availability, or authenticity of listings or users;
- Does not process payments or hold funds;
- Does not act as an agent, broker, reseller, escrow provider, distributor, or representative of users;
- Does not participate in negotiations between users;
- Is not a party to any transaction, contract, or agreement between users.
Users are solely responsible for:
- Conducting due diligence;
- Verifying counterparties;
- Evaluating listings;
- Negotiating transactions;
- Assessing risks associated with communications or transactions.
Users acknowledge that transactions and interactions with other users occur entirely at their own risk.
8. User Communications and Voluntary Disclosure
The Platform enables users to communicate directly with one another.
Users acknowledge and agree that:
- Communications with other users occur entirely at their own risk;
- Information voluntarily shared with other users may be copied, disclosed, recorded, distributed, or otherwise used by recipients;
- The Platform cannot control how users handle information shared with them;
- The Platform does not guarantee the identity, honesty, legitimacy, or conduct of users;
- Users should avoid sharing unnecessary sensitive, financial, confidential, or personal information.
Communications conducted through or outside the Platform may be monitored, filtered, reviewed, retained, or analyzed using automated or manual systems for:
- Security;
- Spam prevention;
- Fraud detection;
- Moderation;
- Legal compliance;
- Enforcement purposes.
The Platform is not responsible for:
- Off-platform communications
- User conduct
- Negotiations
- Transactions
- Disputes
- Misuse of information by users
We cannot guarantee the security or confidentiality of information shared directly between users.
9. Sensitive Personal Data
We do not intentionally collect or require Sensitive Personal Data unless legally necessary or specifically requested for legitimate operational purposes.
Users should not upload, publish, transmit, or share Sensitive Personal Data unless strictly necessary and legally permitted.
Sensitive Personal Data may include:
- Passport or visa information
- Banking or financial account information
- Credit or debit card information
- Medical or health information
- Biometric information
- Criminal record information
- Confidential business information
Users are solely responsible for information voluntarily disclosed through listings, profiles, communications, or interactions with other users.
10. Public Listings and Search Engine Visibility
Listings, profile information, business details, images, and other publicly shared content may become publicly accessible through the internet.
Public content may:
- Be indexed by search engines
- Appear in search results
- Be cached or archived by third parties
- Be copied or redistributed by users or external websites
Even after content is removed from the Platform, cached or archived copies may remain accessible for a period of time through third-party services or search engines.
Users should carefully evaluate what information they choose to publish publicly.
11. Cookies and Tracking Technologies
The Platform may use cookies and similar technologies to:
- Maintain functionality
- Analyze usage
- Improve user experience
- Store user preferences
- Enhance security and performance
Further details regarding cookies and tracking technologies are available in our separate Cookie Policy.
12. Sharing and Disclosure of Personal Data
We may share Personal Data with:
- Hosting and cloud infrastructure providers
- Security, analytics, and IT service providers
- Communication and support providers
- Professional advisors, auditors, insurers, and consultants
- Government authorities, regulators, courts, or law enforcement agencies where legally required
- Entities involved in mergers, acquisitions, restructuring, financing, or asset transfers
International transfers may occur through cloud hosting providers, infrastructure providers, analytics systems, communication systems, and operational support services located in multiple jurisdictions.
We do not sell Personal Data to third parties.
We do not share Personal Data for independent third-party marketing purposes without consent.
13. International Data Transfers
Personal Data may be processed, stored, or transferred outside the United Arab Emirates.
Where international transfers occur, we implement reasonable safeguards designed to protect Personal Data in accordance with applicable legal requirements, including contractual protections, security measures, and operational controls where appropriate.
By using the Platform, users acknowledge and consent to international transfers where necessary for operation of the Platform.
14. Data Retention
We retain Personal Data only for as long as reasonably necessary based on specific criteria and timeframes, rather than solely on the purposes described in this Privacy Policy.
Retention Periods by Data Category
- Active account information (e.g., name, email, phone number, profile details, listings) - Retained while your account remains active. Upon account closure, we retain this data for up to 60 days to allow for reinstatement, resolution of ongoing listings, or user reinstatement requests.
- User-generated content (e.g., product listings, descriptions, reviews, messages) - Retained for as long as your account is active. After account closure, reviews and historical listings may be anonymized and retained for platform integrity and dispute resolution, but no longer than 2 years.
- Communications between users (e.g., chat logs, inquiry messages) - Retained for 1 year from the date of the last message to support dispute resolution, moderation, and fraud prevention.
- Payment and transaction information - When you make or receive payments through our marketplace, we use Stripe as our third-party payment processor. We receive and retain limited transaction data from Stripe, including order amounts, payment status, transaction dates, and the last four digits of payment cards. This data is retained for 2 years from the transaction date for order fulfillment, dispute resolution, and fraud prevention purposes. Stripe independently retains transaction records in accordance with its own retention policies and legal obligations (typically 5 to 7 years for compliance with anti-money laundering and financial regulations).
- Google Analytics data - We use Google Analytics to understand how users interact with our marketplace. Google Analytics collects your IP address (which we have configured to anonymize before storage), browser type, device information, pages visited, time spent on the platform, and referral source. We have set our Google Analytics data retention period to 14 months from the date of collection. After this period, Google automatically deletes individual-level event data. Anonymized aggregated reports may be retained longer.
- AWS infrastructure logs and backups - Our marketplace is hosted on Amazon Web Services (AWS). AWS system logs, access logs, and database backups may retain Personal Data as part of routine technical operations. Backups are retained for 30 days for disaster recovery purposes, after which they are automatically deleted. Primary data stored on AWS is retained according to the specific data categories listed above.
- Security logs (e.g., IP addresses, login timestamps, device information) - Retained for 6 months for security monitoring, forensic investigations, and abuse prevention.
- Fraud prevention and trust and safety data - Retained for 2 years from the date of last activity or as otherwise required by UAE regulatory authorities.
- Identity verification documents (e.g., Emirates ID, trade license for sellers) - Retained for the duration of our contractual relationship plus 1 year for legal, audit, and trust and safety purposes.
- Marketing and cookie-based data - Retained until you withdraw your consent, or for 2 years from your last interaction, whichever occurs earlier.
Third-Party Data Processors
We engage the following third-party processors to help operate our marketplace. Each processor processes Personal Data only on our instructions and is contractually obligated to protect your data in accordance with UAE PDPL requirements.
- Stripe (payment processing) - We share your name, email address, transaction amounts, payment status, and the last four digits of payment cards with Stripe. Stripe processes this data to facilitate payments on our marketplace.
- Google Analytics (website analytics) - Google Analytics collects your IP address (anonymized), browser type, device information, pages visited, time on site, and referral source to help us understand how users interact with our platform.
- Amazon Web Services or AWS (cloud hosting and infrastructure) - All Personal Data you provide (including account information, listings, messages, and transaction records) is stored on AWS servers and processed through AWS infrastructure.
Data Processing Agreements with Third-Party Processors
We do not have separate, independently signed Data Processing Agreements (DPAs) with Stripe, Google Analytics, or AWS. Instead, each of these processors incorporates its DPA into its standard terms of service, which we have accepted by using their services. This is a standard industry practice and satisfies the written agreement requirement under UAE PDPL Article 5.
Specifically:
- Stripe - The Stripe Data Processing Agreement is incorporated into the Stripe Services Agreement by reference. You can review Stripe's DPA at https://stripe.com/legal/dpa.
- Google Analytics - Google's Data Processing Terms and Data Processing Addendum are incorporated into the Google Analytics Terms of Service. You can review Google's DPA at https://business.safety.google/dpa.
- AWS - The AWS Data Processing Addendum is incorporated into the AWS Customer Agreement. You can review AWS's DPA at https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf.
Each of these agreements contractually obligates the processor to protect your Personal Data, including processing data only on our instructions, implementing appropriate security measures, assisting with data subject requests and breach notifications, and deleting or returning data after processing ends.
Cross-Border Data Transfers
Your Personal Data may be transferred to, stored, and processed in countries outside the United Arab Emirates (UAE), including countries where Stripe, Google Analytics, and AWS operate.
- Stripe operates in the United States, Ireland, Singapore, and other jurisdictions.
- Google Analytics operates globally, primarily in the United States.
- AWS operates globally. We have configured our AWS environment to use servers located in Frankfurt, Germany, but AWS may transfer data within its global network for backup, disaster recovery, or technical operations.
Where such transfers occur, we ensure that appropriate safeguards are in place to protect your Personal Data in accordance with UAE Federal Decree-Law No. 45 of 2021 (PDPL). These safeguards include Standard Contractual Clauses (SCCs) approved by relevant data protection authorities, Binding Corporate Rules (BCRs) where applicable, or adequacy decisions where the recipient country has been recognized as providing an adequate level of data protection.
For transfers involving Stripe, we rely on Stripe's implementation of Standard Contractual Clauses. For Google Analytics, we rely on Google's compliance with Standard Contractual Clauses. For AWS, we rely on AWS's Data Processing Addendum and its adherence to global privacy frameworks.
By using our marketplace, you acknowledge that your Personal Data may be transferred to and processed in jurisdictions whose data protection laws may differ from those in the UAE. We will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy.
If you have questions about cross-border data transfers or wish to obtain details of the safeguards in place, please contact us at legal@medsahra.com.
General Retention Criteria
In addition to the specific periods above, we determine retention based on the following criteria:
- The duration of our contractual or service relationship with you;
- Legal or regulatory minimum retention periods applicable in the UAE (e.g., consumer protection laws, e-commerce regulations, and financial regulations applicable to payment processors);
- The existence of pending disputes, investigations, or legal claims between users of the marketplace;
- Technical or operational necessity (e.g., system backups or disaster recovery).
After Retention Period Expiry
When the applicable retention period ends, Personal Data will be permanently deleted, anonymized so it can no longer be linked to you, aggregated for analytical purposes, or securely destroyed.
Account Deletion Requests
You may request deletion of your account or Personal Data at any time. However, we may retain certain data where required under UAE law, for fraud prevention, trust and safety, dispute resolution between marketplace users, or enforcement of our terms of service.
Please note that transaction records shared with Stripe may be retained by Stripe independently for longer periods as required by financial regulations, and Stripe determines its own retention schedule for such data. Similarly, Google Analytics may retain anonymized aggregated data beyond the 14-month period, and AWS may retain backup data for up to 30 days as described above.
Where your Personal Data has been transferred outside the UAE (including to Stripe, Google Analytics, or AWS), any deletion request will be honored in accordance with this policy, subject to the independent retention obligations of third-party processors. We will communicate your deletion request to our processors, but we cannot compel them to delete data where they are independently required to retain it by applicable law. Any retained data will be isolated from active processing and used only for the limited permitted purpose.
Your Rights Regarding Cross-Border Data
Under UAE PDPL, you have the right to:
- Request information about any cross-border data transfers involving your Personal Data;
- Obtain details of the safeguards applied to such transfers;
- Object to a transfer under certain circumstances.
To exercise these rights, please contact us at legal@medsahra.com.
For questions about our data retention practices, to request deletion, or to obtain a copy of the relevant Standard Contractual Clauses (redacted as necessary for commercial confidentiality), please contact us at legal@medsahra.com.
15. Security Measures
We implement reasonable technical, organizational, and administrative safeguards designed to protect Personal Data, including measures such as:
- Access restrictions
- Authentication procedures
- Encryption where appropriate
- Monitoring and logging systems
- Internal security controls
- Secure hosting environments
While we implement reasonable safeguards, internet-based services and electronic communications cannot be guaranteed to be fully secure.
Accordingly, we cannot guarantee absolute security of Personal Data, communications, or Platform systems.
16. User Rights
Under UAE Federal Decree-Law No. 45 of 2021 (PDPL), you have the following rights regarding your Personal Data:
Right to Obtain Information (Article 13) - You have the right to request from us:
- The types of your Personal Data being processed;
- The purposes of processing;
- Decisions made based on automated processing, including profiling;
- The sectors or establishments (inside or outside the UAE) with whom your Personal Data has been or will be shared;
- The controls and standards for the retention period of your Personal Data;
- Procedures for correcting, erasing, limiting, or objecting to processing of your Personal Data;
- Protection measures for cross-border processing;
- Actions taken in the event of a breach or misuse of your Personal Data, particularly if such breach poses a direct and serious threat to your privacy;
- How to submit complaints to the UAE Data Office.
Right to Data Transferability (Article 14) - You have the right to receive a copy of your Personal Data in a structured, commonly used, and machine-readable format, and to request transfer of such data to another controller where technically feasible.
Right to Correction or Erasure (Article 15) - You have the right to request correction of inaccurate or incomplete Personal Data, and to request erasure of your Personal Data where the data is no longer necessary for the purposes for which it was collected or where you withdraw consent.
Right to Restrict Processing (Article 16) - You have the right to restrict the processing of your Personal Data in certain circumstances, including where you contest the accuracy of the data or where processing is unlawful.
Right to Stop Processing (Article 17) - You have the right to object to and request cessation of certain types of data processing.
Right to Object to Automated Processing (Article 18) - You have the right to object to automated processing of your Personal Data, including profiling, that produces legal effects concerning you or similarly significantly affects you.
Right to Withdraw Consent - Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Submitting a Request
To exercise any of these rights, submit your request to:
Email: legal@medsahra.com
Our Response Process
- Acknowledgment: We will acknowledge receipt of your request within 10 business days.
- Identity Verification: We will verify your identity before processing your request to protect your Personal Data from unauthorized access. This may require you to provide government-issued identification or confirm account-specific information.
- Response Timeline: We will respond to your request within a reasonable period, and in any case within 14 days of receipt as a matter of best practice. Please note that the UAE PDPL does not specify a statutory deadline for responding to data subject requests.
- Complex or Multiple Requests: If your request is complex or you have submitted multiple requests, we may extend the response period. We will notify you of any such extension and provide an estimated response date.
When We May Refuse, Limit, or Delay a Request
As permitted under Article 13(3) of the PDPL, we may refuse your request in the following circumstances:
- Your request is excessively repetitive or not related to the information described above;
- Your request conflicts with judicial procedures or investigations being conducted by competent UAE authorities;
- Your request would negatively affect our efforts to protect information security;
- Your request would affect the privacy and confidentiality of third parties' Personal Data;
- We are required to retain your data for legal compliance, fraud prevention, security purposes, or enforcement of our agreements.
If we refuse your request, we will provide you with a written explanation of the reasons for refusal.
Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UAE Data Office (also referred to as the "Bureau" in the PDPL). We will provide you with contact information for the Data Office upon request.
No Fee for Requests
You will not be charged any fee for submitting a data subject request under Article 13(1) of the PDPL.
17. Marketing Communications
Under UAE Personal Data Protection Law (PDPL) and Consumer Protection Law, we will only send you marketing communications where you have provided your explicit, prior opt-in consent. We do not rely on any alternative legal basis (such as legitimate interests) for marketing purposes.
You are not required to give consent for marketing as a condition of using our marketplace. Refusing marketing consent will not affect your access to core marketplace services.
Types of Marketing Communications
Where you have provided explicit consent, we may send you:
- Promotional offers and discount notifications;
- New product or service announcements;
- Marketplace updates and feature releases;
- Personalized recommendations based on your activity;
- Surveys and feedback requests.
Marketing Channels
Consent applies separately to each marketing channel. When you opt in, you will be informed of which channels are included:
- Email marketing – requires separate explicit consent;
- SMS / text message marketing – requires separate explicit consent;
- In-app notifications – may be managed through your device settings;
- Phone calls (telemarketing) – requires separate explicit consent under Cabinet Decision No. 56 of 2024;
- Social media messaging (e.g., WhatsApp) – requires separate explicit consent.
Operational and Service Communications
Notwithstanding any withdrawal of marketing consent, we may still send you operational or service-related communications where necessary for:
- Transaction confirmations and order updates;
- Account security alerts (e.g., password reset, login from new device);
- Changes to our Terms of Service or Privacy Policy;
- Responses to your customer support inquiries;
- Legal or regulatory communications required by UAE law.
You cannot opt out of operational communications as they are necessary for the functioning of your account and our legal obligations. These communications will not contain marketing content.
How We Obtain Consent
We obtain marketing consent through:
- A clear, unticked checkbox on our registration or account settings page;
- A separate consent form with plain language explaining what you are agreeing to;
- A double opt-in confirmation (where we send a follow-up to confirm your intent).
We retain records of your consent, including how and when it was obtained, for compliance and audit purposes.
How to Withdraw Consent
You may withdraw your consent for marketing communications at any time, using any of the following methods:
- Click the "unsubscribe" link at the bottom of any marketing email (instant effect);
- Reply "STOP" to any marketing SMS message;
- Adjust your notification preferences in your account settings;
- Contact us at legal@medsahra.com.
Withdrawal of consent is effective immediately upon your request. We will update our records within 48 hours of receiving your withdrawal request.
Effect of Withdrawal
Withdrawal of marketing consent does not affect:
- The lawfulness of processing based on consent before its withdrawal;
- Our ability to send you operational or service-related communications;
- Other legal bases for processing your Personal Data (e.g., contractual necessity, legal compliance).
Right to Object to Direct Marketing
Independent of your right to withdraw consent, you have an express right under PDPL Article 17 to object to the processing of your Personal Data for direct marketing purposes. Upon receiving such an objection, we will immediately stop all marketing processing activities relating to you.
Third-Party Marketing
We do not sell or share your Personal Data with third parties for their own marketing purposes. If we were to do so in the future, we would first obtain your explicit separate consent and update this Privacy Policy.
Where we engage third-party platforms (such as email service providers or SMS gateways) to send marketing communications on our behalf, we ensure they are bound by Data Processing Agreements that restrict their use of your data solely to our instructions.
Users Under 18
We do not knowingly send marketing communications to users under the age of 18 without verified parental consent, as required under UAE law.
Record-Keeping
We maintain records of:
- Your consent status, including date, time, and method of consent;
- Any withdrawal of consent, including date and method;
- Any objections to direct marketing.
These records are retained for as long as your account is active plus two years thereafter, or as required by UAE regulatory authorities.
Complaints
If you believe we have sent you marketing communications without valid consent or in violation of your rights, you may:
- Contact us directly at legal@medsahra.com;
- Lodge a complaint with the UAE Data Office.
18. Content Moderation and Enforcement
We reserve the right, at our sole discretion, to:
- Review, monitor, restrict, remove, edit, or disable content or listings;
- Suspend, restrict, or terminate user accounts;
- Investigate suspected violations;
- Preserve records and communications;
- Cooperate with law enforcement or regulators.
Such actions may occur where we reasonably believe conduct or content may violate laws, regulations, third-party rights, Platform policies, or security requirements.
19. Disclosure Required by Law
We may disclose Personal Data where necessary to:
- Comply with UAE laws and regulations;
- Respond to lawful requests;
- Cooperate with authorities;
- Investigate fraud, cybercrime, abuse, or illegal activity;
- Protect rights, safety, users, or Platform integrity;
- Enforce agreements and policies.
20. Data Breach Response
Security Incident Response and Notification
In the event of a personal data breach (as defined under UAE Federal Decree-Law No. 45 of 2021), we will take the following mandatory actions:
Detection and Internal Response
Upon becoming aware of any breach that compromises the confidentiality, integrity, or availability of Personal Data, we will immediately activate our internal incident response procedures. This includes containing the breach to prevent further unauthorized access, conducting an initial investigation to determine the scope and cause, and securing all affected systems and data.
Notification to UAE Data Office
Where the breach is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the UAE Data Office without undue delay and, in any event, within 72 hours of becoming aware of the breach, as required under Article 35 of the PDPL. Our notification will include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and Personal Data records concerned;
- The name and contact details of our data protection officer or other contact point for further information;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its potential adverse effects.
If we cannot provide all this information within 72 hours, we will provide it in phases without further undue delay.
Notification to Affected Users
Where the breach is likely to result in a high risk to your rights and freedoms (for example, financial loss, identity theft, discrimination, or reputational harm), we will notify you directly without undue delay. User notification will be provided in clear and plain language and will include:
- A description of the breach and the categories of Personal Data affected;
- The likely consequences of the breach for you;
- A description of the measures we have taken or will take to address the breach;
- Specific steps you can take to protect yourself, if applicable;
- Contact information for further questions.
We will notify you by email using the address associated with your account, or by prominent notice on our marketplace if we do not have a valid email address.
Circumstances Where User Notification May Be Delayed or Omitted
We may delay notifying you or the UAE Data Office only where such notification would impede a criminal investigation or where a competent UAE authority requests delay for national security or law enforcement purposes. Otherwise, we will never withhold notification.
We are not required to notify you where:
- We have implemented appropriate technical and organizational protections (such as encryption) that render the breached data unintelligible to any unauthorized person; or
- We have taken subsequent measures that ensure the high risk to your rights and freedoms is no longer likely to materialize.
In either of these cases, we will document our determination in writing, including the legal basis for not providing notification, and retain that documentation for review by the UAE Data Office upon request.
Record of Breaches
We maintain an internal record of all personal data breaches, regardless of whether notification was required. This record includes the facts surrounding the breach, its effects, and the remedial action taken. This record is retained for a minimum of five years or as otherwise required by UAE law and is available to the UAE Data Office for inspection upon request.
Your Responsibilities
You agree to notify us immediately upon becoming aware of any unauthorized access to or disclosure of your account credentials. Failure to provide timely notification may limit our ability to mitigate harm and may affect your rights in any subsequent dispute. You remain responsible for maintaining the security of your own devices and login credentials.
Limitation of Liability
We will comply with all mandatory breach notification obligations under UAE law. However, we are not liable for any damages arising from a breach that occurs despite our compliance with industry-standard security measures, including but not limited to zero-day attacks, advanced persistent threats, or unauthorized access resulting from your own failure to protect your account credentials.
21. Children’s Privacy
The Platform is intended only for users aged 18 years or older.
We do not knowingly collect Personal Data from minors.
If we become aware that a minor has provided Personal Data in violation of this Privacy Policy, we may suspend or terminate the associated account and remove related information.
22. Third-Party Services and Links
The Platform may contain links to third-party websites, services, or applications.
We are not responsible for:
- Third-party privacy practices
- Third-party content
- Security of third-party services
- Conduct of third parties
Users access third-party services entirely at their own risk.
23. Relationship with Terms of Use
Use of the Platform is also governed by our Terms of Use and related policies, which should be read together with this Privacy Policy.
24. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect operational, technical, legal, regulatory, or business changes.
Updated versions will be published on the Platform together with the revised effective date.
Where appropriate, we may provide notice of material changes through email notifications, account notices, or publication on the Platform.
Continued use of the Platform after updates become effective constitutes acceptance of the revised Privacy Policy.
25. Governing Law
This Privacy Policy shall be governed by and interpreted in accordance with the laws of the United Arab Emirates.
In the event an Arabic-language version of this Privacy Policy is published, the Arabic-language version may prevail to the extent required by applicable law.
26. Contact Information
For privacy-related requests, complaints, or inquiries, contact:
- Company Name: SB Global Technologies L.LC-FZ
- Address: Maydan Grandstand 6th floor Maydan road, Nad Al Sheba Dubai UAE
- Contact Email: legal@medsahra.com
