Privacy Policy

How we collect, use, and protect your personal information

Last updated: 30/03/2026

Personal Data We Collect

"Personal Data" means information about an individual from which that person is either directly identified or can be identified. It does not include anonymised data where your identity has been permanently removed.

Category	What This Means
Identity Data	Name, username, profile picture, age/date of birth (if provided). Birth dates are collected solely for Age Verification and regulatory compliance, and are not used for marketing or profiling.
Contact Data	Email address, telephone number(s).
Location Data	Approximate location if you enable this feature via your device settings.
Listings Data	Details about your listings, listings you viewed, favorites, and offers you made.
Marketing Data	Your preferences for receiving marketing communications.
Chat Data	Messages you exchange with other users through our chat feature.
Behavioural Data	Inferred information about your behaviour and interests based on Platform activity, often grouped into segments.
Technical Data	IP address (anonymized), browser type, device information, operating system.

Aggregated Data

We also collect and use "aggregated data" (statistical or demographic data). Aggregated data may be derived from your Personal Data but does not directly identify you. For example, we may calculate the percentage of users in Dubai vs Abu Dhabi. If we combine aggregated data with Personal Data that could identify you, we treat it as Personal Data under this policy.

What Happens If You Refuse to Provide Personal Data?

You do not have to provide Personal Data to us. However, where we need to process your Personal Data to grant you access to the Platform or comply with law, failure to provide it means we may not be able to provide services.

For example: We need your email address to create your account. Without it, you cannot register.

📥

Personal Data We Collect from Other Sources

In addition to data you provide directly, we collect certain Personal Data from third-party sources:

Third Party Source	Categories of Personal Data
Social Media Platforms	Identity Data (name, profile photo), Contact Data (email)
Analytics Providers	Behavioural Data, Technical Data (with consent only)
Advertisers	Behavioural Data, Technical Data (with consent only)

📋

Category-Specific Data Addendums

Additional privacy information for specific listing types

The Master Privacy Policy above applies to all users. However, certain listing categories require us to collect additional sensitive data for regulatory compliance. Click below to learn how we handle data specific to your listing type.

🏠

Real Estate Verification Addendum

If you list a property for sale or rent, click here to see how we handle your verification documents.

This addendum covers:

• Title Deeds & Property Documents
• RERA Broker ID & Trade License
• Trakheesi & Madmoun Permits

Read Full Addendum→

🚗

Motor Vehicle Addendum

If you list a car or vehicle, click here to see how we handle VINs and registration documents.

This addendum covers:

• Vehicle Identification Numbers (VIN)
• Mulkiya (Registration Card)
• Vehicle History & Service Records

Read Full Addendum→

🛡️

Compliance & Verification Addendum

REQUIRED

Learn how we process government documents and share data with UAE authorities for regulatory compliance.

Categories covered:

🏠 Real Estate🚗 Vehicles💎 Jewelry💼 Jobs & Business✈️ Drones🐾 Pets

Read Full Addendum→

💡 Note: These addendums are supplements to (not replacements for) the Master Privacy Policy. All general data protection rights described above apply equally to category-specific data.

How We Use Your Information

To provide and maintain our service;

To communicate with you about your account and our services;

To personalize your experience and improve our platform;

To detect and prevent fraud and abuse;

To comply with legal obligations;

To send you marketing communications (with your consent).

⚖️

Legal Basis for Processing Your Personal Data

Under UAE data protection laws, we must have a valid "legal basis" for processing your Personal Data. We rely on the following legal bases:

📋Contractual Necessity

Processing necessary to provide you access to the Platform and fulfill our obligations to you.

⚖️Compliance with Law

Processing required to comply with legal or regulatory obligations under UAE law.

✋Consent

Processing based on your explicit, informed, and freely-given consent (e.g., marketing emails, analytics cookies).

Purpose	Categories of Data	Legal Basis
Account Creation	Identity Data, Contact Data	Contractual Necessity
Platform Operation	All Data Categories	Contractual Necessity
Marketing Communications	Contact Data, Marketing Data	Consent
Analytics & Tracking	Behavioural Data, Technical Data	Consent
Fraud Prevention	Identity Data, Technical Data	Compliance with Law
Account Verification	Identity Data, Contact Data	Contractual Necessity

Information Sharing

🔒We do not sell your personal information

to third parties for marketing purposes.

We may share your information with service providers who help us operate our platform, or when required by law.

Your Rights Under PDPL

You have the right to access, correct, or delete your personal information.

We ensure that your data is processed in a secure European Union (EU) cloud region with GDPR-compliant data protection standards, or in countries with adequate data protection levels.

We have appointed a Data Protection Officer to oversee compliance.

Data Security

We implement appropriate security measures to protect your personal information against unauthorized access, alteration, or disclosure.

Your Legal Rights

Under UAE PDPL, you have the following explicit rights regarding your personal data:

✓Right to Access: Request a copy of the personal data we hold about you.
✓Right to Rectification: Correction of inaccurate or incomplete data.
✓Right to Erasure (Right to be Forgotten): Request deletion of your data when it is no longer necessary.
✓Right to Withdraw Consent: You may withdraw consent at any time where we rely on consent to process your data.

To exercise any of these rights, please contact us at [email protected] or use the 'Delete My Account' tool in your Settings.

📢

Filing Complaints & Concerns

If you have concerns about how we handle your Personal Data or wish to make a complaint, we want to hear from you:

Step 1: Contact Us Directly

First, please contact our Data Protection Officer at [email protected]. We will investigate and respond to your complaint as quickly as possible, typically within 30 days.

When contacting us, please include:

• Your full name and contact information
• Details of your complaint or concern
• Any relevant documentation or evidence
• Your preferred resolution

Step 2: File with UAE Data Office (If Unsatisfied)

If you are not satisfied with our response, you have the right to file a complaint with the UAE Data Office, the supervisory authority for data protection in the United Arab Emirates.

UAE Data Office Contact:

Website: u.ae/en/about-the-uae/digital-uae/data
Authority: UAE Ministry of Human Resources and Emiratisation (MOHRE)
Jurisdiction: Federal Decree-Law No. 45 of 2021 (UAE PDPL)

Our Commitment

We take all complaints seriously and are committed to resolving them promptly and fairly. Your feedback helps us improve our data protection practices and better serve our users.

⚖️

Legal Basis for Data Processing (UAE PDPL)

Under Federal Decree-Law No. 45 of 2021 (UAE PDPL), we process your personal data based on the following legal grounds:

✓Consent:

You provide explicit consent when creating an account, subscribing to services, or using social login. You can withdraw consent at any time through your account settings.

✓Contractual Necessity:

Processing is necessary to provide our marketplace services, manage your account, facilitate transactions, and fulfill our obligations to you.

✓Legal Obligation:

We process data to comply with UAE laws, including tax requirements, anti-money laundering regulations, and responding to lawful requests from authorities.

✓Legitimate Interest:

We process data for fraud prevention, platform security, service improvement, and business analytics, balanced against your privacy rights.

Sensitive Personal Data:

We do NOT knowingly collect sensitive personal data (health information, biometric data, genetic data, religious beliefs, political opinions, sexual orientation, trade union membership, or criminal records) unless explicitly required by law and with your explicit consent. If you inadvertently provide such information, please contact us immediately for removal.

🌍

Data Storage & International Transfers

🇪🇺

Data Storage & European Hosting

To provide secure, high-performance services—including our AI search features and marketplace verification—BuyOrSell24 processes and stores your core user data on secure infrastructure located in the European Union (EU).

What's stored in the EU:

• User accounts & authentication data
• Job applications, CVs, and professional profiles
• Listing information & images
• Messages & communications
• Transaction records & contact form submissions

While your primary data is hosted securely in the EU, we may still utilize global edge networks (like Cloudflare) to deliver content quickly to you in the UAE.

While your core data remains in the EU, some third-party services we use for analytics and authentication may process limited data outside the EU. When we transfer data internationally, we ensure appropriate safeguards are in place as required by UAE PDPL:

Third-Party Services with International Processing:

•Cloudflare (Bahrain/UAE): Web traffic proxy, CDN, and security services. Traffic is processed through Cloudflare's Bahrain edge servers (closest to UAE). Cache keys and TLS metadata may be processed in Bahrain and other global points of presence. (Standard Contractual Clauses + DPA + ISO-27001, SOC 2, DESC CSP certified)
•Google Services (US): Analytics (with consent only), OAuth authentication for social login (Standard Contractual Clauses + DPA)
•Facebook/Meta (US): Social login, advertising tracking (with consent only) (Standard Contractual Clauses + DPA)

Safeguards We Use:

✓ Primary data storage in EU (AWS Frankfurt region)
✓ Standard Contractual Clauses (SCCs)
✓ Data Processing Agreements (DPAs)
✓ End-to-end encryption in transit and at rest
✓ Consent-based cookie controls
✓ IP anonymization for analytics

Your Rights:

✓ Control cookie consent (analytics & marketing)
✓ Request information about data location
✓ Obtain copies of DPAs/SCCs
✓ Withdraw consent for third-party services
✓ File complaints with UAE Data Office

🔐

Cross-Border Data Transfer Compliance

We are committed to protecting your data regardless of where it is stored. Under Article 23 of the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), cross-border data transfers are permitted to jurisdictions that possess adequate data protection legislation.

The European Union is recognized as an adequate jurisdiction due to its strict General Data Protection Regulation (GDPR) frameworks. By creating an account, applying for jobs, or using our services, you explicitly consent to this cross-border transfer. To further protect your data, all international transfers to our third-party infrastructure providers are governed by strict Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) to ensure your data receives a level of protection equivalent to UAE standards.

📋

UAE Data Office Notification:

As required by UAE PDPL Article 23, we have notified the UAE Data Office of our data processing activities and international transfers. For details, contact: [email protected]

✋

Consent Management & Withdrawal

Under UAE PDPL, your consent must be freely given, specific, informed, and unambiguous. You have the right to withdraw consent at any time:

📧

Marketing Emails

Unsubscribe via link in any email or update preferences in account settings

Effect: Immediate

🔐

Social Login

Revoke access via Facebook/Google account settings or disconnect in profile

Effect: Immediate

🍪

Cookies

Manage via cookie banner or browser settings for analytics and advertising cookies

Effect: Immediate

Complete Account Deletion:

To delete your account and all associated data, go to Account Settings → Delete Account, or email [email protected]. Upon deletion:

• 30-day grace period for account recovery
• Permanent deletion of personal data within 90 days
• Anonymization of transaction records for legal compliance (7 years)
• Removal from marketing lists (immediate)
• Notification to third-party processors to delete data

Important: Withdrawing consent or deleting your account may limit your ability to use BuyOrSell24 services. Some data must be retained for legal obligations (e.g., transaction records for tax purposes).

🤖

Automated Decision-Making & Profiling

Do We Use Automated Decision-Making?

BuyOrSell24 uses limited automated processing for the following purposes:

🔍

Fraud Detection: Automated systems analyze transactions for suspicious patterns to protect users from fraud. Human review is always involved in final decisions.

📊

Content Recommendations: Algorithms suggest listings based on your browsing history and preferences. You can disable personalized recommendations in settings.

🚫

Content Moderation: Automated filters detect prohibited content (spam, illegal items). Flagged content is reviewed by human moderators before action.

Your Rights Regarding Automated Processing:

✓Right to human intervention in decisions affecting you
✓Right to contest automated decisions
✓Right to explanation of the logic involved
✓Right to opt-out of profiling for marketing

No Purely Automated Decisions: We do not make decisions solely based on automated processing that produce legal effects or significantly affect you without human oversight.

🔐

Social Login & Data Collection

When you choose to use Facebook Login or Google Login, we collect and process certain information from your social account to provide you with seamless authentication and an enhanced user experience.

📥Data We Collect from Social Accounts:

•Name: To personalize your profile
•Email: For account management and notifications
•Profile Picture: To display on your account (optional)
•User ID: For authentication purposes only

🔒How We Use This Data:

•Create and manage your BuyOrSell24 account
•Authenticate you securely on our platform
•Communicate important account updates
•Improve and personalize your experience

Your Data Rights with Social Login:

Control Your Data: You have complete control over what data your social provider (Facebook or Google) shares with us. You can review and modify these permissions in your account settings at any time.

Revoke Access: You can disconnect BuyOrSell24 from your social account through your provider's App Settings (Facebook App Settings or Google Account Permissions). This will not delete your BuyOrSell24 account but will prevent future data sharing.

Delete Your Data: If you delete your BuyOrSell24 account, we will remove all data obtained from your social accounts within 30 days, except where required by law.

Important Information:

•No Password Storage: We do not store your social account passwords. Authentication is handled securely by the respective providers (Facebook or Google).
•Limited Access: We only request the minimum permissions necessary (public_profile and email).
•No Posting: We never post to your social accounts on your behalf without explicit permission.
•Provider Privacy Policies: Your use of social login is also governed by the respective provider's Privacy Policy and Terms of Service (Facebook, Google).
•Alternative Options: You can always choose traditional email registration if you prefer not to use social login.

🔐

Security Note:

BuyOrSell24 follows Facebook Platform Policy and Google API Services User Data Policy. We use secure OAuth 2.0 protocol for all social login integrations and employ industry-standard security measures to protect data obtained through social authentication.

If you have questions about how we handle social login data or want to exercise your data rights, please contact us at [email protected]. For more information about provider data practices, visit Facebook's Privacy Policy or Google's Privacy Policy.

🍪

Cookies

We use cookies to enhance your experience and analyze site usage.

👶

Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect personal information from children.

•We strictly prohibit behavioral tracking, profiling, or targeted advertising using personal data (including age) for any user under 18.
•Safety by Default: Privacy settings for any permitted minor accounts (ages 13–17) are set to 'High Privacy' (contact info hidden) by default.

📢

Transparency and Compliance

✓Verification: We reserve the right to request proof of a UAE Trade License or Media Council Advertiser Permit for users posting commercial or high-frequency advertisements.
✓Third-Party Sharing: Payment data is processed securely via Stripe. We do not store full credit card details on our servers.

📝

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page.

🛡️

Data Protection Officer

For privacy-related inquiries, data subject rights requests, or concerns about how we handle your personal data, please contact our Data Protection Officer:

Company: Dynamic Web Lab FZE LLC (Formation Number: 4426361)

Email: [email protected]

Address: Dubai, UAE

🔗

Third-Party Services & Data Processors

We use the following third-party services to provide and improve our platform. Each service processes data in accordance with their privacy policies and our data processing agreements:

🌐Infrastructure & Storage (EU-Based)

•AWS Europe (Frankfurt) Region: Primary cloud hosting and data storage. All core user data stored in the EU. Privacy Policy
•Primary Database: Securely hosted on AWS RDS (PostgreSQL/Aurora) with multi-AZ redundancy.
•File Storage: User-uploaded images and files stored on AWS S3 in EU region.

Analytics & Tracking (Consent-Based)

•Google Analytics 4: Website analytics, user behavior tracking (only loads with consent). IP addresses anonymized. Data retention: 14 months. Privacy Policy
•Facebook Pixel: Advertising tracking, conversion measurement (only loads with consent). Privacy Policy

Authentication Services

•Google OAuth: Social login authentication (optional feature). Collects name, email, profile picture with consent. Privacy Policy
•Facebook Login: Social login authentication (optional feature). Collects name, email, profile picture with consent. Privacy Policy

Email Services

•Cloudflare Email Routing – user-initiated messages (contact forms, security reports, privacy requests) are forwarded to Gmail (Google Workspace).
•Data path: UAE visitor → Cloudflare edge (Bahrain) → Gmail (U.S. & EU).
•Safeguard: Cloudflare PDPA + Google Workspace PDPA + 2021 SCC.
•No message content stored at rest on our servers; Gmail retention follows Google's default 30-day Trash purge.
•Azure Communication Services – Email – application-initiated transactional e-mails (verification, password reset, ad-approved, etc.).
•Data location: United States (until ACS Email launches in UAE).
•Safeguard: Microsoft PDPL Data-Processing-Addendum + Standard Contractual Clauses.
•Logs retained ≤ 30 days; message bodies ≤ 24 h.

💳

Payment & Financial Privacy (Stripe)

Stripe as Data Controller

For processing payments and preventing fraud, Stripe, LLC acts as an independent Data Controller of your personal data. This allows Stripe to monitor for fraudulent transactions, mitigate financial loss, and comply with international anti-money laundering (AML) and know-your-customer (KYC) obligations.

Transaction Data Collected

•Direct Identifiers: Name, email address, and billing address.
•Payment Information: Credit or debit card numbers (processed securely via Stripe), bank account details, and payment card images.
•Order Details: Amount, date/time of purchase, and description of the service (e.g., 'Premium Listing').
•Technical Data: IP address, device ID, and geographic location.

Financial Data Localization (UAE 2026)

Personal and payment data related to our operations is stored and maintained with GDPR-compliant protections in the European Union. Customer and transaction data will be retained for a minimum of five (5) years to meet applicable financial record-keeping laws.

Cross-Border Data Transfers

Since Stripe is a global entity, your data may be transferred outside the UAE. These transfers are protected by Stripe’s Data Processing Agreement (DPA) and international frameworks, ensuring your data receives a level of protection equivalent to UAE standards.

✅

EU-Based Secure Hosting:

Your core personal data (accounts, listings, messages, contact forms, transactions) is stored exclusively on secure AWS servers located in the European Union (EU). All data transfers and processing comply with both UAE PDPL and EU GDPR standards, ensuring the highest level of protection through Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs).

⚠️

Data Breach Notification

We take data security seriously and have implemented measures to prevent unauthorized access to your personal data.

In Case of a Breach:

Notification to Authorities: We will notify the UAE Office of Data Protection within 72 hours of becoming aware of the breach.
Notification to You: We will inform affected users without undue delay via email, in-app notification, and website notice.
Information Provided: Nature of breach, data affected, consequences, mitigation measures, and contact point.
Your Rights: Request details, additional security measures, or exercise right to erasure.

If you suspect unauthorized access to account, contact us immediately at [email protected] and change your password.

⏱️

Data Retention & Storage Limitation

We strictly adhere to Storage Limitation. Personal data (e.g., birth dates) is deleted immediately once the purpose is exhausted. Financial/Transaction records are retained for 5 years as required by UAE financial regulations. All other data is erased upon account deletion.

Back to Home