Privacy Policy

Who we are. This Privacy Policy (the "Policy") is issued by UNIQ LAB FZCO (the "Company", "we", "us", "our"), a free zone company incorporated under the laws of the United Arab Emirates, with its registered office at IFZA Business Park, DDP, PO Box 342001, Dubai, United Arab Emirates, License No. 52386, Registration No. DSO-FZCO-50056. The Company acts as the data controller in respect of personal data collected through the UNIQUNITS mobile application (the "Application"), the website www.uniqunits.com (the "Website") and any related services (collectively, the "Services").

Scope. This Policy applies to all natural persons who download, install or use the Application; visit the Website; register an account or create a partner account; purchase a Subscription or use the Trial period; or otherwise interact with the Company in connection with the Services.

Acknowledgement. By using the Services, you confirm that you have read and understood this Policy. Where required by applicable law, processing is carried out only on the basis of your separate consent, a contract, our legal obligations or a legitimate interest.

Applicable law. We process personal data in accordance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and its Executive Regulations; Regulation (EU) 2016/679 ("GDPR") and the UK GDPR, where applicable; the California Consumer Privacy Act ("CCPA / CPRA"), where applicable; and any other data-protection law applicable to a specific user based on their location.

Data you provide directly.
— Identity & contact data: full name, email address, billing region.
— Account data: username, password (stored as a hash), profile picture (optional), language preferences.
— Payment data: billing name, billing country, transaction reference, subscription status (full card data is processed exclusively by our payment providers).
— Educational data: progress in the educational module, test answers, score, certificate ID and issuance date.
— Communications: support requests, complaints, feedback, correspondence with us.
— KYC / Partner data (Partners only): identity documents, tax residency, payment account details, corporate documents.

Data collected automatically.
— Device & technical data: device model, operating system, unique device identifier, language, time zone, crash logs.
— Usage data: screens viewed, features used, session duration, frequency of use, in-app actions.
— Network data: IP address (truncated where possible), approximate location derived from IP, internet service provider.
— Cookies & SDKs: as described in our Cookie Policy.

Data from third parties. We may receive data from payment processors (transaction status, transaction ID, antifraud signals); app stores (install, update, uninstall, in-app purchase events); analytics and attribution providers; affiliate / referral partners (referral identifier, click ID); and identity-verification or anti-fraud providers (verification result, risk score).

Data we do not intentionally collect. Full payment-card numbers and CVV/CVC codes; biometric data; special categories of personal data under Art. 9 GDPR / Art. 15 UAE PDPL; personal data of children under 18; and trading data executed via third-party broker platforms. If special-category data is provided to us by mistake, we will delete it without undue delay.

Lawful bases. We process personal data only where one or more lawful bases applies (Art. 6(1) GDPR / Art. 4 UAE PDPL):
— Operating your account and providing the Application and educational module — performance of a contract.
— Processing payments and Subscriptions — contract; legal obligation (accounting, tax).
— Issuing and verifying Certificates — performance of a contract.
— Customer support and complaint handling — contract; legitimate interest.
— Security, fraud prevention and abuse detection — legitimate interest; legal obligation.
— Analytics and product improvement — legitimate interest; consent where required.
— Marketing and personalization — consent (soft opt-in for existing customers where permitted).
— AML, sanctions screening and KYC (mainly Partners) — legal obligation; legitimate interest.
— Compliance with legal requests and defence of claims — legal obligation; legitimate interest.
Where we rely on legitimate interests, we have carried out a balancing test and you may object.

Marketing and consent. We send marketing only with your prior consent where required, or on a soft opt-in basis for existing customers where permitted. You may withdraw consent or unsubscribe at any time via the "Unsubscribe" link, your notification settings, or by emailing info@uniqunits.com. Withdrawal does not affect prior lawful processing.

Hosting and cross-border transfers. Personal data may be hosted on servers in the UAE, the EU and other jurisdictions where our service providers operate. Where data is transferred outside your country, we ensure adequate protection through mechanisms such as adequacy decisions (Art. 45 GDPR / Art. 22 UAE PDPL), Standard Contractual Clauses, the UK IDTA, binding corporate rules, or your explicit consent. A copy of the relevant transfer mechanism may be requested at info@uniqunits.com.

Security measures. We implement appropriate technical and organizational measures, including TLS/SSL encryption in transit; encryption at rest for sensitive credentials and KYC documents; least-privilege access control with MFA for administrators; salted password hashing; network segmentation, firewalling and logging; regular security testing and patching; backups and disaster recovery; staff confidentiality and training; and incident response (including breach notification within 72 hours where required by GDPR Art. 33). No system is fully secure — if you believe your data has been compromised, contact us immediately at info@uniqunits.com.

Retention periods. We retain data only as long as necessary:
— Account data: while active and for 2 years after deletion.
— Subscription / payment / accounting data: 5 years from the transaction (up to 10 where local law requires).
— KYC / AML records (Partners): 5 years after the end of the relationship.
— Educational data and Certificates: while active and up to 3 years after deletion.
— Marketing data: until consent withdrawal; suppression list kept to honour unsubscribes.
— Server logs and security events: 12 months by default.
— Correspondence and complaints: 3 years from closure.
After expiry, data is deleted or irreversibly anonymized.

Recipients (processors). We share personal data only with carefully selected providers, bound by written data-processing agreements (GDPR Art. 28 / UAE PDPL Art. 26): cloud hosting and infrastructure; payment processors and gateways; analytics and attribution; email, push-notification and support; crash-reporting and performance monitoring; anti-fraud and identity verification; and professional advisers. A current list of sub-processors is available on request.

Disclosures required by law. We may disclose data to competent authorities, regulators, courts or law-enforcement where legally required; to protect our rights, property and safety; and in connection with the prevention or investigation of fraud, money laundering or other unlawful activity.

Corporate transactions. In a merger, acquisition, financing, reorganization, insolvency or sale, personal data may be transferred to the counterparty subject to confidentiality and the protection level of this Policy.

No sale of personal data. We do not sell personal data as defined under the CCPA/CPRA, and we do not engage in cross-context behavioral advertising.

Rights of data subjects. Subject to applicable law and identity verification, you may exercise the rights to: information and access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; object (including to legitimate-interest processing and direct marketing); not be subject to solely automated decisions with legal or similarly significant effects; withdraw consent at any time; and lodge a complaint with a supervisory authority (in the UAE, the UAE Data Office; in the EEA, your local DPA; in the UK, the ICO). California residents' CCPA/CPRA rights are honoured.

How to exercise your rights. Send a request to info@uniqunits.com with your full name, the email registered with the account, and the right(s) you wish to exercise. We respond within 30 days (extendable by up to 60 for complex requests). Requests are free unless manifestly unfounded or excessive.

Identity verification. To prevent unauthorized access, we may take reasonable steps to verify your identity, and we will not disclose data to anyone who cannot be reasonably identified as the data subject.

Our use of cookies, SDKs, pixels, local storage and similar technologies is described in our separate Cookie Policy, which forms an integral part of this Privacy Policy. Where required by law, non-essential cookies are set only after your prior, freely-given consent via our cookie consent banner.

The Services are intended exclusively for persons aged 18 or above. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18 without verifiable parental consent, we will delete it promptly. Parents or guardians may contact us at info@uniqunits.com.

We do not carry out fully automated decisions producing legal or similarly significant effects on users (Art. 22 GDPR). Where we use automated tools for fraud prevention or eligibility checks (e.g. AML screening of Partners), a human review is available on request.

We may update this Policy from time to time. For material changes, we will notify you via the Application and/or by email at least 14 calendar days before they take effect. The current version is always available within the Application and on the Website. Continued use after the effective date constitutes acceptance.

Data Controller: UNIQ LAB FZCO, IFZA Business Park, DDP, PO Box 342001, Dubai, United Arab Emirates.
License No. 52386 | Registration No. DSO-FZCO-50056.
Privacy contact: info@uniqunits.com (subject line "Privacy Request").
Website: www.uniqunits.com.

For users in the EU or UK, an EU/UK representative under Art. 27 GDPR may be appointed. This Privacy Policy forms an integral part of the UNIQUNITS Terms of Service.