Sanadi Privacy Policy

Version: 2025-12-24 • Effective date: 24 Dec 2025 • Last updated: 24 Dec 2025

1) Who we are (Data Controller)

Sanadi is operated by Sanadi Innovations Ltd. (DIFC) (the "Company", "we", "us"). For privacy requests: privacy@sanadi.app. For support: support@sanadi.app.

2) Scope

This Privacy Policy applies to personal data processed when you use our website and web app at sanadi.app and related services linking to this policy.

3) What Sanadi does (and does not do)

Sanadi is a coordination and record-keeping platform for rotating savings circles. Payments happen off-platform directly between circle members.

• Sanadi does not hold or custody money.
• Sanadi does not process payments or provide escrow.
• Sanadi does not verify real-world transactions.

4) Personal data we collect

A) Account & profile data

• Name
• Email address
• Password hash (not plaintext)
• Account preferences (e.g., language)
• Authentication and security settings (e.g., 2FA flags if enabled)

B) Circle & schedule data

• Circle name, contribution amount, frequency, duration
• Start date, due dates/turns, status history
• Invite code and membership links

C) Proof data (only if you submit it)

• Proof URL you provide, and/or proof files you upload (image/PDF), plus basic file metadata (filename, size, upload time)

Please avoid uploading unnecessary sensitive information. Redact where possible.

D) Technical, security, and usage data

• IP address (for security and abuse prevention)
• Device/browser indicators (limited)
• Login timestamps and failed login attempts
• Session cookies required for authentication and security

5) What we do not collect

• Bank login credentials
• Payment card numbers
• Wallet balances or stored value

6) How we use your data

• To create and secure accounts (authentication, access control, fraud prevention)
• To generate and display circle timelines and due dates
• To store proof references you choose to attach for record-keeping
• To send important service communications (security/account notices; reminders if enabled)
• To maintain safety and integrity (detect abuse and suspicious activity)
• To improve reliability (debugging, performance, error diagnostics)

7) Legal basis

We process personal data based on: (i) the performance of our agreement with you to provide the Sanadi service; (ii) our legitimate interests in operating a secure platform; (iii) compliance with applicable legal obligations under DIFC Data Protection Law No. 5 of 2020, UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, and other applicable laws; and/or (iv) your consent for optional features.

8) Identity verification (optional)

If identity verification is enabled, you may be redirected to a third-party verification provider. Sanadi does not store your identity documents. We typically store only verification status (unverified/pending/verified/failed), provider name, provider reference ID, and timestamps.

9) How we share data

We do not sell personal data. We may share limited data with service providers strictly to run the platform (hosting, email delivery, and optional identity verification), with professional advisors under confidentiality, and with authorities if required by law or to protect users and the platform.

10) International transfers

Your data may be processed in countries where our service providers operate. Where personal data is transferred outside the DIFC or UAE, we apply appropriate safeguards consistent with DIFC Data Protection Law requirements and UAE Personal Data Protection Law, including contractual protections with service providers.

11) Data retention

We retain personal data while your account is active and as needed for security logs, abuse prevention, dispute traceability, and legal compliance. You may request account deletion; some minimal records may be retained where legally required or necessary to protect platform integrity.

12) Security

• Passwords are hashed; we never store plaintext passwords.
• Secure sessions and CSRF protections are used.
• Access controls and least-privilege practices.
• Reasonable monitoring and rate limiting to protect against abuse.

13) Your rights

Under DIFC Data Protection Law and UAE Personal Data Protection Law, you may have the right to: access your personal data; correct inaccurate data; request deletion (subject to legal retention requirements); restrict or object to certain processing; withdraw consent where processing is based on consent; and request data portability. To exercise any rights, contact privacy@sanadi.app. We may verify your identity before processing requests. If you believe your rights have been infringed, you may lodge a complaint with the DIFC Commissioner of Data Protection or relevant UAE authority.

14) Cookies

We use session cookies essential for authentication and security. We do not use cookies to sell personal data or build third-party advertising profiles.

15) Children's privacy

Sanadi is not intended for children. If you believe a child has provided personal data, contact us and we will take appropriate action.

16) Changes to this policy

We may update this policy from time to time. We will revise the "Last updated" date and, where appropriate, provide additional notice in the app.

17) Governing law

This Privacy Policy is governed by and construed in accordance with the laws of the Dubai International Financial Centre (DIFC), including DIFC Data Protection Law No. 5 of 2020, without prejudice to applicable provisions of UAE federal law. Disputes shall be subject to the exclusive jurisdiction of the DIFC Courts.

18) Contact

Sanadi Innovations Ltd.
Dubai International Financial Centre (DIFC)
Dubai, United Arab Emirates

Privacy inquiries: privacy@sanadi.app
General support: support@sanadi.app