Oosal Privacy Policy
Understand how we handle provider data responsibly under the UAE Personal Data Protection Law (PDPL).
- Version
- 1.1
- Effective Date
- 24 December 2025
- Last Updated
- 24 December 2025
PDPL Commitment
Oosal Portal LLC processes personal data in accordance with Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data in the UAE. Data subject rights requests are prioritized and handled within 30 calendar days.
1. Introduction
Oosal Portal L.L.C ("Oosal", "we", "our", "us") is committed to protecting personal data and respecting privacy. This Privacy Policy explains how we collect, use, share, store, and protect personal data when you use the Oosal platform.
This policy is designed to align with the UAE Federal Decree-Law No. 45 of 2021 (PDPL) and related regulations and guidance.
2. Key Definitions
Provider: The business that uses Oosal to create websites, invoices, bookings (if enabled), and related tools.
Client: The end-customer of the Provider.
Personal Data: Any information that identifies a person directly or indirectly.
Subprocessor: A third party that processes personal data on behalf of Oosal to help deliver the platform.
3. Data Processing Roles
3.1 Provider Personal Data (Provider owners and staff)
For personal data of Provider users (owners, employees, authorized staff), Oosal acts as a Data Controller.
3.2 Client Personal Data (Provider's end-customers)
For personal data included in invoices, bookings, and messages for Provider Clients, the Provider is the Data Controller, and Oosal acts as a Data Processor, processing this data to deliver the Services and based on the Provider's instructions.
4. Personal Data We Collect
We collect only what is necessary to provide the platform.
4.1 Provider and Business Data
- Business name, business address
- Trade license details and uploaded trade license file
- TRN (if provided)
- Business contact details (email, phone, WhatsApp, website)
- Names and contact details of Provider account users
4.2 Client Data Entered by Providers
- Client name, email, phone number, address
- Invoice, booking, and notes data as entered by the Provider
4.3 Payment and Transaction Data (Stripe)
We use Stripe for payment processing and verification.
- Oosal may display payment status (for example Paid/Unpaid), invoice totals, and references needed for reconciliation.
- Oosal does not store full card numbers or sensitive payment credentials.
- Payment credentials are handled by Stripe.
4.4 Technical and Usage Data
- IP address, device and browser info
- Log data and usage analytics for security, performance, and debugging
- Cookie identifiers (see Cookies section)
5. How We Use Personal Data
We process personal data based on lawful bases under PDPL, including contractual necessity, legal obligations, legitimate interests (where applicable), and consent (where applicable).
We use data to:
- Create and manage Provider accounts
- Verify eligibility, including trade license checks
- Generate and host websites and invoices
- Enable payment links and payment status updates via Stripe
- Provide customer support and communications
- Secure the platform, prevent fraud, and maintain logs
- Improve performance and user experience
7. Cross-Border Transfers
Oosal may process or store personal data outside the UAE because some subprocessors operate global cloud systems.
7.1 Legal basis
We rely on PDPL lawful bases and exceptions where applicable, including:
- Contractual necessity, where transfer is required to provide the Services
- Other PDPL bases or exceptions that apply in specific cases
7.2 Safeguards
Where required, we implement safeguards such as:
- Contractual data protection obligations with subprocessors (for example DPAs and contractual clauses)
- Access controls and security restrictions
- Encryption in transit and operational security measures
- Documented assessments where appropriate
By using Oosal, the Provider acknowledges that cross-border processing may occur as part of service delivery.
8. Processor Commitments (Client Data)
For Client personal data where Oosal acts as a processor, we commit to:
- Process Client data to provide the platform services and according to Provider instructions
- Keep Client data confidential and restrict access
- Apply appropriate security measures
- Use subprocessors only with appropriate contractual protections
- Notify the Provider without undue delay if we become aware of a personal data breach affecting Client data, after reasonable investigation and verification
- Assist Providers reasonably with data subject requests where applicable and technically feasible
A Data Processing Addendum (DPA) is available upon request by emailing support@oosal.app with subject "DPA Request."
9. Data Retention
We keep personal data only as long as needed for the purposes described, unless longer retention is required by law or legitimate operational needs (for example security logs).
9.1 Active accounts
We retain data while the Provider account is active to deliver services.
9.2 After account termination
Unless legal or security reasons require longer retention:
- Account data is typically deleted or anonymized within 90 days after termination
- Invoice and Client data is typically deleted or anonymized within 90 days after termination
9.3 Provider responsibility for tax records
Providers are responsible for meeting UAE tax and audit retention obligations. Oosal provides storage as a convenience, but Oosal is not the Provider's primary tax archive. Providers should export and store their own copies for audits and record keeping.
10. Security
We use reasonable administrative, technical, and organizational measures to protect personal data, including:
- Encryption in transit (TLS/SSL)
- Access controls and role-based permissions
- Monitoring and logging
- Security reviews and abuse prevention measures
No system is guaranteed 100% secure, but we work to reduce risk and respond quickly.
11. Your Rights Under PDPL
Depending on PDPL and applicable rules, you may have rights including:
- Access
- Correction
- Deletion (subject to lawful retention)
- Portability (where applicable)
- Restriction (where applicable)
- Objection (where applicable)
- Withdrawal of consent (where consent is used)
Important note for Client data
If you are a Client of a Provider, the Provider is the controller for your invoice and booking data. Requests should be directed to the Provider. Oosal will assist the Provider as processor where applicable.
To exercise rights related to Provider account data, contact: support@oosal.app
We aim to respond within 30 calendar days for valid requests.
You may also have the right to file a complaint with the UAE competent authority responsible for data protection.
13. Updates to This Policy
We may update this policy to reflect legal, operational, or technical changes. The "Last Updated" date shows the latest revision. Continued use after updates means you accept the updated policy.