1. Scope and Application
This Policy applies to persons anywhere in the world who access or use DealsFlow (“Users”), including but not limited to:
- Individual real estate agents who use DealsFlow as their workspace
- Real estate agency administrators, managers, and team members
- Contacts and clients whose personal data is managed through DealsFlow
- Leads and prospective clients whose inquiry data is processed through DealsFlow
- Property owners and landlords whose listing data is managed through DealsFlow
2. Collection of Information
2.1 Information You Give Us
This is personal data you provide when registering for an account, creating listings, managing deals, adding contacts, or corresponding with us. The categories include:
Identity and Contact Data
Full name, email address, phone number, and postal address.
Professional Data
RERA Broker Registration Number (BRN), DREI permit numbers, brokerage affiliation, license details, and professional credentials.
Deal and Transaction Data
Deal pipeline stages, transaction values, commission amounts and splits, payment records, closing dates, and associated correspondence.
Listing and Property Data
Property details, unit information, listing descriptions, media (photos and documents), pricing, and portal publishing records.
Contact and Lead Data
Client and lead names, email addresses, phone numbers, property interests, budget, timeline preferences, source of inquiry, and follow-up records.
2.2 Information We Collect Automatically
Each time you use DealsFlow, we may automatically collect:
- Technical Information: device type, unique device identifier, operating system, browser type and version, time zone, and language preferences
- Log Information: access logs, API call records, and resources accessed
- Location Information: IP address and general geographic location derived from IP address
2.3 Information from Third Parties
We may receive personal data from third-party services that integrate with DealsFlow, including property portals (Bayut, PropertyFinder, Dubizzle) for lead inquiry data and listing syndication.
3. Special Categories of Personal Data
DealsFlow does not process special categories of personal data as defined in Article 9 of the DP Law. We do not process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health, or data concerning a person's sex life or sexual orientation.
Children's Data: DealsFlow is not targeted at, intended for, or expected to be of use to children under the age of 18. We do not knowingly collect personal data from children.
4. B2B2C Data Processing Model
DealsFlow operates in two modes:
- Individual agents who subscribe directly and manage their own contacts, deals, and listings.
- Teams and agencies (B2B2C) where the subscribing organization's agents input client, tenant, and lead data.
When an agent or agency inputs contact data, the lawful basis is primarily contract performance (Article 10(1)(b)) — the processing is necessary for the real estate transaction or management agreement. Agents and agencies are responsible for ensuring they have the appropriate lawful basis for collecting personal data from their clients.
5. Use of Personal Data
5.1 Service Delivery and Contract Performance
Article 10(1)(b) of the DP Law
- Provide, maintain, and improve DealsFlow, including deal pipeline management, listing creation, commission tracking, and RERA compliance tools
- Facilitate publishing of listings to property portals (PropertyFinder, Bayut)
- Authenticate users, manage accounts and permissions, and provide customer support
- Send transactional communications (e.g., deal updates, commission reminders, license expiry notifications)
5.2 Legal Obligations
Article 10(1)(c) of the DP Law
- Comply with RERA regulations and Dubai Land Department requirements
- Maintain audit logs for a minimum of 7 years as required by DIFC regulations
- Respond to lawful requests from regulatory authorities
- Maintain records of processing activities as required by Article 15 of the DP Law
5.3 Legitimate Interests
Article 10(1)(f) of the DP Law
- Perform internal administrative and operational functions
- Prevent fraud, abuse, and unauthorized access
- Conduct data analysis, testing, and research to improve DealsFlow
- Monitor usage and activity trends for service improvement
- Ensure network and information security
5.4 Consent
Article 10(1)(a) of the DP Law
The following processing activities are conducted only with your explicit consent, which you may withdraw at any time:
- Marketing and promotional communications
- Analytics cookies and tracking technologies
- Sharing data with third parties for marketing purposes
6. Processing, Storage, and Transfers
6.1 Data Storage Location
Your personal data is primarily stored in the AWS Middle East (UAE) region (me-central-1), which is the local AWS region in the UAE. This includes our databases (AWS RDS PostgreSQL), file storage (AWS S3), and application hosting (AWS ECS Fargate).
6.2 International Transfers
In order to conduct our operations, we transfer personal data to processors outside the DIFC:
| Processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | UAE (me-central-1) primary | Infrastructure, database, storage, email | AWS DPA with SCCs |
We rely on Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreements with each processor, as permitted under Article 27(1) of the DP Law.
6.3 Automated Decision-Making
DealsFlow does not rely solely on automated decision-making when processing your personal data. All consequential decisions are made or reviewed by human operators.
8. Data Retention
We retain personal data for the following periods:
| Data Category | Retention | Basis |
|---|---|---|
| Audit logs | 7 years minimum | DIFC regulatory requirement |
| Consent records | 7 years | DIFC accountability (Article 14) |
| Deal and transaction data | Subscription + 7 years | Legal obligation and audit retention |
| Contact and lead data | Subscription + 30 days | Contractual necessity |
| User accounts | Subscription + 30 days | Contractual necessity |
| Listing and property data | Subscription + 7 years | RERA and audit requirement |
After the applicable retention period, personal data is either securely deleted or anonymized so that no individual can be identified from the remaining data.
9. Your Rights and Choices
9.1 Your Data Protection Rights
Under the DP Law, you have the following rights:
| Right | Description | DP Law |
|---|---|---|
| Access | Obtain confirmation of whether we process your data and receive a copy | Art. 32 |
| Rectification | Have inaccurate data corrected or incomplete data completed | Art. 33 |
| Erasure | Have your personal data deleted in certain circumstances | Art. 34 |
| Restriction | Restrict processing of your personal data in certain circumstances | Art. 35 |
| Data Portability | Receive your data in a structured, machine-readable format | Art. 36 |
| Object | Object to processing based on legitimate interests or for direct marketing | Art. 37 |
| Withdraw Consent | Withdraw consent at any time where processing is based on consent | Art. 10 |
9.2 How to Exercise Your Rights
Self-Service: Navigate to Settings > Privacy in your DealsFlow dashboard to manage consent preferences, request data exports, or submit deletion requests.
Contact Us: Email privacy@keyflowae.com or write to us at the address in Section 14. We will respond within 30 days.
9.3 Non-Discrimination
As set out in Article 39 of the DP Law, we will not discriminate against you for exercising your rights by denying services or changing prices or quality of service.
10. Security Precautions
Keyflow implements appropriate technical and organizational measures to protect your personal data:
Technical Measures
- Encryption at rest (AWS RDS with KMS) and in transit (TLS/HTTPS)
- AWS Web Application Firewall (WAF) protection
- Multi-tenant architecture with strict data isolation
- Role-based access controls
- Password hashing using bcrypt
- Automated security scanning in the development pipeline
Organizational Measures
- Access restricted on a need-to-know basis
- Audit logging of all access and modifications with 7-year retention
- Regular security review and assessment
- Incident response procedures for data breaches
12. External Links
DealsFlow may contain links to other websites, including property portals and regulatory services. These links are provided as a convenience, and Keyflow does not accept liability for the content or privacy practices of external sites.
13. Changes to This Policy
Keyflow may change this Policy from time to time. If we make significant changes, we will provide you notice through DealsFlow or by other means, such as email. Material changes to the purposes for which we process your data may require us to request your re-consent. Your continued use of DealsFlow after such notice constitutes your acknowledgment of the changes.
14. Contact Us
If you have any questions, comments, or requests related to this Policy, please contact us:
Email: privacy@keyflowae.com
Post: Data Protection Officer, Keyflow Technology Ltd, Unit GA-00-SZ-01-FX-07, Level 1, Gate Avenue — South, DIFC, Dubai, UAE
Phone: +971 56 754 0655
15. Complaints to the Commissioner
If you are not satisfied with our response or believe our processing does not comply with the DP Law, you have the right to lodge a complaint with the DIFC Commissioner of Data Protection:
DIFC Commissioner of Data Protection
Dubai International Financial Centre Authority
Level 14, The Gate Building, Dubai, UAE
Phone: +971 4 362 2222
Email: commissioner@dp.difc.ae
16. Data Protection Officer
Keyflow has appointed a Data Protection Officer in accordance with Article 16 of the DP Law. The DPO may be contacted via privacy@keyflowae.com.
The DPO is responsible for monitoring compliance with the DP Law and this Policy, advising on Data Protection Impact Assessments, cooperating with the Commissioner of Data Protection, and handling data subject requests and complaints.