This Privacy Policy describes how Hibr AI ("we", "us", "HIBR ERP") collects, uses, stores, and protects personal data of customers, prospects, and visitors. We comply with UAE Federal Decree-Law 45/2021 on the Protection of Personal Data ("PDPL") and, where applicable, GDPR. Data is stored in AWS me-central-1 (Bahrain) — inside the GCC.
1. Data controller
The data controller is Hibr AI, registered in the United Arab Emirates. Contact: dpo@hibr.ai (Data Protection Officer).
2. What we collect
Account & identity data
- Name, work email, phone number, company name, trade license number, TRN
- Emirate, free-zone status, business type (sole / LLC / branch), employee count
- Billing address and payment method tokens (we do not store full card numbers — handled by Stripe)
Operational data (when you use HIBR ERP)
- Customer/vendor/employee records you create in the system
- Transactions: invoices, receipts, payments, payroll entries, inventory movements
- Documents you upload (receipts, trade licenses, contracts)
- VAT 201 and Corporate Tax return data submitted via our service to FTA EmaraTax
Usage & technical data
- IP address, browser type, device identifiers, pages visited, feature usage
- Audit logs of who did what, when (immutable, retained per UAE record-keeping rules)
Demo & lead-magnet inputs
- Questions and inputs to the AI demos (Tax Co-pilot, Audit Pack, ROI Calculator, etc.) and your business inputs for personalization
3. How we use it
- Provide and operate the HIBR ERP service
- Generate VAT 201 and Corporate Tax returns and submit them on your instruction
- Authenticate accounts and prevent fraud (AML/CFT screening per Cabinet Decision 74/2020)
- Send service-related notifications, invoices, and security alerts
- Improve the product through aggregated, de-identified analytics
- With your separate consent, send marketing communications (you may opt out anytime via the email footer)
4. Legal basis (PDPL Article 5)
We process personal data on the following lawful bases:
- Contract performance — to deliver the service you signed up for
- Legal obligation — to comply with UAE tax, AML, and record-keeping law
- Legitimate interest — to operate, secure, and improve the service
- Consent — for marketing communications and optional features
5. Sharing & processors
We do not sell personal data. We share data only with the sub-processors required to operate the service:
- AWS — hosting in me-central-1 (Bahrain)
- Stripe — payment processing (PCI DSS Level 1)
- Anthropic — AI model inference (no training on customer data; zero-retention API mode where supported)
- ClearTax UAE — accredited e-invoicing service provider (PEPPOL PINT-AE)
- FTA EmaraTax — only the data needed to submit your VAT 201 / CT-201 returns, on your instruction
- SendGrid / PHPMailer SMTP — transactional email delivery
All sub-processors are bound by data processing agreements that include PDPL/GDPR-equivalent obligations.
6. Data residency & cross-border transfers
Primary data storage is AWS me-central-1 (Bahrain) — within the GCC and aligned with UAE PDPL data-residency expectations. Backups remain within the same region. Some sub-processors (Stripe, Anthropic) may process data outside the GCC; we rely on Standard Contractual Clauses or adequacy decisions for any transfer.
7. Retention
- Financial records (invoices, returns, audit trails): 5 years minimum per Federal Decree-Law 8/2017 Article 78 (VAT) and the UAE Commercial Companies Law
- AML/CFT records: 5 years from end of relationship per Cabinet Decision 74/2020 Article 24
- Account data after account closure: archived for 30 days, then permanently deleted unless retention is required by law
- Demo and lead-magnet data: 18 months from collection, then anonymized
- Marketing email engagement: until opt-out, plus 90 days for compliance audit
8. Your rights (PDPL Articles 12–17)
As a UAE data subject, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion (subject to legal retention obligations)
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to marketing or to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
- Lodge a complaint — with the UAE Data Office (the national PDPL regulator)
To exercise any right, email dpo@hibr.ai. We respond within 30 days as required by PDPL Article 19.
9. Security
We implement administrative, technical, and physical safeguards including AES-256 encryption at rest, TLS 1.3 in transit, RBAC with MFA for staff access, immutable audit logs, and an ISO 27001 + SOC 2 Type II roadmap. See our Security & Compliance page for details.
10. Cookies
We use strictly necessary cookies (session authentication, CSRF protection), which do not require consent. Analytics and marketing cookies are loaded only after explicit consent via the cookie banner. You can withdraw consent at any time via the "Cookie preferences" link in the footer of any HIBR ERP page.
11. Changes to this policy
We may update this policy. Material changes will be announced by email to active customers and posted to this page with a new effective date. Historical versions remain available on request.