Privacy policy
Last updated draft — not yet published
This is a working draft, prepared to reflect how AE Compliance’s systems are actually built as of this writing. It has not been reviewed by legal counsel and is not yet a final, enforceable policy. It is written with an eye toward the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), but nothing here should be treated as a compliance determination until counsel has reviewed it.
1. Who this covers
AE Compliance is business-to-business middleware. Our direct customers (“tenants”) are companies, not individual consumers. This policy covers two categories of personal data we handle: (a) data about people at our tenants and prospective tenants — names, work emails, and similar contact details submitted through this site or provided during onboarding; and (b) personal data that may appear inside invoice payloads our tenants submit to us for processing (for example, a named contact on an invoice line).
2. What we collect directly
- Early-access and contact form submissions: name, company, work email, role, source system, and any message you provide.
- API and account activity:requests made with a tenant’s API key, for security, debugging, and the audit trail described in our platform documentation.
- Standard web server logs: IP address, user agent, and request timestamps for the pages on this site.
3. Data submitted through the compliance API
When a tenant submits an invoice for validation or transmission, the payload may contain personal data about the parties to that invoice. We process this data as a processor acting on the tenant’s instructions, not as the party who decided to collect it. It is persisted to a tenant-isolated ledger protected by Postgres Row-Level Security, and to an append-only audit log, for as long as is necessary to provide the service and meet the tenant’s own regulatory retention obligations. We do not sell this data, and we do not use it to build profiles for any purpose unrelated to providing the service.
4. How we use personal data
- To respond to early-access and contact requests.
- To provision, operate, and secure tenant accounts and API access.
- To validate, route, and maintain an audit trail for invoices submitted through the API, on the tenant’s behalf.
- To investigate and respond to security incidents.
5. Where data is stored
Our infrastructure is deployed in the UAE region (AWS me-central-1); this deployment is in progress and not yet fully live in production. ASP credentials are encrypted with AES-256-GCM envelope encryption before storage, with the key-encryption key held outside the database.
6. Your rights
Subject to applicable law, individuals whose personal data we hold may have rights to access, correct, or request deletion of that data. Because most personal data we process arrives inside a tenant’s invoice submissions, requests concerning that data should generally go to the relevant tenant first, as they control what is submitted. For data we hold directly (contact form submissions, account data), reach out through the early-access page.
7. Changes to this policy
This is a pre-launch draft. It will be reviewed by legal counsel, revised, and re-published with a real effective date before general availability.