Privacy Policy

Last updated: April 2026 · Compliant with UAE PDPL (Federal Decree-Law No. 45 of 2021)

1. Data We Collect

  • Account data: name, email address, company name, TRN (Tax Registration Number)
  • GHG data: emissions inputs, activity data, calculated figures, report outputs
  • Invoice data: buyer/seller details, line items, amounts, VAT figures
  • Usage data: page views, feature interactions (via PostHog, anonymized)
  • Technical data: IP address, browser type, session tokens

2. How We Use Your Data

  • Delivering the compliance reporting and e-invoicing services
  • Sending transactional emails (account, invoices, compliance reminders)
  • Improving the Platform through anonymized analytics
  • Complying with UAE legal obligations

3. Data Storage and Retention

Core application data is stored and authentication is handled by PocketBase hosted on Serverspace Dubai (UAE). We are committed to UAE data residency for all customer compliance data.

Invoice data is retained for a minimum of 5 years in accordance with UAE VAT Law (Federal Decree-Law No. 8 of 2017, Article 78) and Federal Tax Authority requirements. GHG records are retained for a minimum of 5 years in accordance with Article 14 of Federal Decree-Law No. 11 of 2024. Account data is retained for the duration of your subscription plus 12 months.

4. Your Rights (UAE PDPL)

Under UAE Federal Decree-Law No. 45 of 2021, you have the right to: access your personal data; request correction of inaccurate data; request deletion (subject to legal retention obligations); withdraw consent for non-essential processing.

Data portability: You can export a complete copy of all your personal data — including your profile, invoices, GHG reports, and audit logs — directly from your account settings page (Settings → Personal → Export Your Data). Exports are available once every 24 hours.

To exercise other PDPL rights, email privacy@smart-fenek.ae.

5. Third-Party Services and AI Processing

  • PocketBase on Serverspace Dubai (UAE) — authentication and core database. Core customer data stays in the UAE.
  • Stripe — payment processing and subscription management (United States). Stripe processes payment card data under PCI-DSS Level 1 compliance. No financial data is stored on SmartFenek servers.
  • Resend — transactional email delivery (United States)
  • PostHog — anonymized product analytics; no PII shared (EU/US)
  • Better Stack (Logtail) — error and uptime monitoring; no user content logged
  • Sentry — application error tracking; error context only, no user data
  • Vercel — application hosting and edge delivery (global CDN)
  • Anthropic Claude AI — When you use AI-assisted extraction (for GHG documents or invoice OCR), the uploaded document content is sent to Anthropic's Claude API for data extraction and validation. This processing occurs on Anthropic's servers in the United States. Anthropic's data handling is governed by their Privacy Policy. If you do not wish your documents to be processed by Anthropic, you may enter data manually — all manually entered data remains in the UAE.

We do not sell your data to any third party.

6. Cookies

We use essential session cookies for authentication and anonymized analytics cookies via PostHog. No advertising or tracking cookies are used.

7. Contact

Privacy enquiries: privacy@smart-fenek.ae

See also: Terms of Service