
Privacy Policy

Last updated: 03 May 2026 · Aligned with UAE Federal Decree-Law 45/2021 (PDPL) · Proplr FZ-LLC, Dubai, UAE · KHDA Permit #633441

This Policy explains what personal data We collect, why, and what You can do about it. If You are a Parent / Guardian of a Minor Student, sections 4 (Parental Authority basis), 7 (Verification retention), and 10 (Children's Privacy) are particularly relevant to You.

1. Controller and Contact

Proplr FZ-LLC ("Proplr", "we", "us", "our") is the controller of personal data processed via the proplr.ae platform and our delivered Programmes. We operate under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL").

Registered office: Dubai, United Arab Emirates.
KHDA Permit: #633441.
Data protection contact: privacy@proplr.ae

If You consider that We are processing Your data unlawfully, You may complain to the UAE Data Office (the federal authority responsible for the PDPL) via tdra.gov.ae.

2. Categories of Personal Data We Collect

(a) Identity data — full name, date of birth, profile photo (if uploaded), preferred pronouns.
(b) Contact data — email address, mobile telephone number (incl. WhatsApp where opted in).
(c) Educational data — school name, current grade level, academic interests, programme enrolment, attendance records, assessment results, certificates issued, portfolio uploads.
(d) Parent / Guardian data — for Minor Students: full name, email, telephone, plus the timestamp, IP address, and user-agent recorded at the moment of parental verification (the legal record of consent).
(e) Payment data — handled exclusively by Stripe Payments Europe, Limited and Stripe, Inc. We never receive, store, or process Your full card number, CVV, or expiry. We retain only the Stripe customer ID, the Stripe checkout session ID, the amount paid, the currency, and a payment-status timestamp.
(f) Verification data — for the parental-verification flow and for any account-recovery flow: cryptographically random one-time tokens, the timestamp the token was minted, the timestamp it was clicked, the IP address from which it was clicked, the email address that received it, and the registration row it relates to.
(g) Usage and device data — pages visited, features used, login times, browser type, operating system, IP address, session identifiers, device identifiers (where applicable to the mobile experience).
(h) Communications — messages sent through Platform messaging, support ticket history, complaints, and refund requests.
(i) Cookies and similar — see Section 9.
(j) Health and dietary data (Summer Labs only) — allergies and dietary needs voluntarily provided to ensure safe meal service. Treated as sensitive special-category data and processed with extra safeguards.

3. Sources

We collect personal data:
• Directly from You via registration forms, dashboard inputs, and uploads;
• From Your Parent / Guardian where applicable (verification confirmation);
• Automatically from Your device (cookies, server logs);
• From third-party authentication providers if You sign in via SSO;
• From Stripe (payment outcome metadata) and Resend (email delivery telemetry);
• From schools or partner organisations who refer You to a Programme, with prior notice.

4. Purposes and Lawful Bases

Each processing activity is tied to a specific lawful basis under PDPL Article 4:
(a) Performance of a contract — to deliver the Programmes You enrolled in, to issue certificates, to send necessary operational notices.
(b) Legal obligation — to comply with KHDA reporting, tax records, anti-money-laundering, and consumer protection rules.
(c) Consent — for marketing communications, optional analytics cookies, optional features (community feed visibility, profile photo display); withdrawable at any time without affecting prior processing.
(d) Vital interests — to address medical or safety incidents during in-person Summer Labs sessions, including dietary safety.
(e) Legitimate interests — fraud prevention, security monitoring, abuse detection, audit logs, anonymous analytics for product improvement, defending legal claims; balanced against Your rights and interests.
(f) Parental authority — for Minor Students, the Parent / Guardian's documented consent (verified email link click) is the operative basis for all enrolment-related processing.

5. Recipients and Sub-Processors

We share personal data only with the following categories of recipients, each bound by contractual data-protection obligations:
• KHDA (Knowledge and Human Development Authority, Dubai) — minimum necessary data for certificate attestation and regulatory reporting.
• Stripe (payment processing) — Stripe Payments Europe, Limited (Ireland) and Stripe, Inc. (USA). Subject to Stripe's PCI DSS Level 1 certification and standard contractual clauses for international transfer.
• Supabase (database and authentication) — Supabase Inc., infrastructure in EU-West regions for production data.
• Resend (transactional email delivery) — Resend, Inc. for verification emails, receipts, and operational notices.
• Anthropic (AI feature provider) — for AI-assisted features. Submissions to AI features may be sent to Anthropic; we do not allow Anthropic to use Your data to train base models.
• Vercel (web hosting) — Vercel, Inc. for serving the Platform.
• Your school's nominated Proplr coordinator — programme-relevant attendance and progress data only.
• Your Parent / Guardian — progress reports, attendance summaries, certificates, and incident notifications relating to Minor Students.
• Law enforcement, regulators, or courts — only where We are legally compelled or where there is a clear lawful basis to do so.

We do NOT sell Your personal data. We do NOT share Your data with advertising networks. We do NOT use Your portfolio uploads to train any third-party model.

6. International Transfers

Where personal data is transferred outside the UAE (e.g. Stripe USA, Vercel USA, Supabase EU, Anthropic USA), We rely on:
(a) Adequacy decisions issued by the UAE government, where applicable;
(b) Standard Contractual Clauses (or equivalent contractual safeguards) with each recipient;
(c) Where applicable, Your explicit consent following clear notice of the transfer and its risks.

A summary of current transfer mechanisms is available on request from privacy@proplr.ae.

7. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, plus the minimum periods required by law:
• Active accounts and operational data — for the duration of enrolment plus 24 months from the last activity.
• Certificates and academic completion records — 7 years (KHDA regulatory minimum).
• Financial and tax records — 5 years from the relevant tax year (UAE Federal Tax Authority requirement).
• Parental verification records (token, IP, timestamp, user-agent) — 5 years from the verification date, as the legal record of parental consent.
• Audit logs (security, access, admin actions) — 24 months.
• Marketing consent and opt-outs — until consent is withdrawn plus 12 months for evidentiary purposes.
• Deleted-account data — pseudonymised within 30 days of a verified deletion request; payment records retained per the 5-year tax minimum above; certificates retained per the 7-year KHDA minimum but disassociated from contact details.

Backup snapshots may persist for up to 90 days after primary deletion before being purged from cold storage.

8. Your Rights

Under PDPL, You have the right to:
• Access — obtain confirmation that We process Your data and a copy of it.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion (subject to legal retention obligations above).
• Restriction — limit processing in specified circumstances.
• Portability — receive Your data in a structured, commonly used, machine-readable format.
• Object — object to processing based on legitimate interests, including profiling.
• Withdraw consent — at any time, without affecting the lawfulness of prior processing.
• Lodge a complaint with the UAE Data Office.

To exercise any right, email privacy@proplr.ae from the email address associated with Your Account. We will verify Your identity and respond within 30 calendar days. Where a request is manifestly unfounded or excessive, We may charge a reasonable fee or refuse the request, with reasons.

9. Cookies and Similar Technologies

We use:
• Essential cookies — required for authentication, session management, CSRF protection, and load balancing. These cannot be disabled.
• Analytics cookies — Google Analytics 4 with IP anonymisation, used to understand aggregate usage. Loaded only after consent via our cookie banner.
• Functional cookies — to remember preferences (theme, language, dismissed banners). Loaded only after consent.

We do not use advertising cookies. You can manage cookie consent at any time from the cookie settings in the footer.

10. Children's Privacy

Our Programmes are designed for Students aged 13 and above. We do not knowingly collect personal data from children under 13. For Students aged 13–17 (Minors), We require verifiable Parent / Guardian consent via the verification email flow described in our Terms (Section 4) before processing any payment or providing access to community features.

Parent / Guardian rights specific to Minor Students:
• Access to all data We hold about the Student.
• Correction of inaccurate data.
• Suspension or deletion of the Student's Account at any time.
• Withdrawal of consent for specific optional features (community visibility, profile photo, marketing).
• Receipt of progress reports, attendance records, and incident notices.

To exercise any of these rights, email privacy@proplr.ae from the verified Parent / Guardian email on file. We may require additional identity verification.

11. Security

We implement technical and organisational measures appropriate to the risk, including:
• TLS 1.2+ encryption for all data in transit;
• AES-256 encryption at rest in our database provider;
• Row-level security policies and least-privilege access controls;
• Secrets management via cloud provider key management services;
• Cryptographically random tokens (32-byte) for all verification flows;
• Single-use, time-bounded tokens with TTL of 7 days for parental verification;
• Audit logging of administrative actions on personal data;
• Mandatory MFA for staff with admin access;
• Regular dependency vulnerability scanning;
• Periodic penetration testing.

No security control is perfect. If You believe Your Account has been compromised, contact security@proplr.ae immediately.

12. Data Breach Notification

In the event of a personal data breach likely to result in a high risk to Your rights and freedoms, We will notify You and, where applicable, the UAE Data Office without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with PDPL Article 9.

13. Automated Decision-Making and AI

Some features use automated processing, including AI-assisted recommendations (career suggestions, mentor matching, content recommendations). These do not produce legally binding effects on You and You may at any time request human review of any output that materially affects Your Programme experience by emailing privacy@proplr.ae. We do not use Your personal data to train any third-party AI model. AI features that send Your inputs to model providers (e.g. Anthropic) operate under contractual guarantees prohibiting training use.

14. Changes to This Policy

We may update this Policy from time to time. Material changes — including changes to the categories of data collected, recipients, or international transfer mechanisms — will be notified to You by email and via a Platform notice at least 14 days before they take effect. Continued use of the Platform after the effective date constitutes acknowledgement of the updated Policy.

15. Contact

Privacy questions and data subject requests: privacy@proplr.ae
Security incidents: security@proplr.ae
General contact: hello@proplr.ae

Proplr FZ-LLC, Dubai, United Arab Emirates
KHDA Permit: #633441