Privacy Policy
Last updated: May 2026
1. Introduction
NAIWA ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SME Certification Platform.
This policy has regard to Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and related UAE data-protection principles. NAIWA aims to handle personal data consistently with these principles and continues to develop its data-protection practices; this policy is not a representation of certified or audited compliance. Where a specific legal requirement applies to your data, that requirement prevails over any general statement here.
By using our services, you consent to the collection and use of information in accordance with this policy and the PDPL.
2. Information We Collect
Personal Information
- Name and contact information (email, phone number, address)
- Business information (company name, trade license details)
- Identity documents (Emirates ID, passport copies)
- Financial documents submitted for certification
- Account credentials and authentication data
Automatically Collected Information
- Device information and browser type
- IP address and location data
- Usage patterns and interaction with our platform
- Cookies and similar tracking technologies
3. How We Use Your Information
We use the information we collect to:
- Process certification applications and assessments
- Verify submitted documentation and evidence
- Maintain the public certification registry
- Communicate with you about your application status
- Improve our services and user experience
- Comply with legal and regulatory requirements
- Prevent fraud and ensure platform security
4. Data Sharing and Disclosure
We may share your information with:
- Public Registry: Certification status and basic enterprise information are published in our verification registry
- Service Providers: Third-party vendors who assist in operating our platform
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with any merger, acquisition, or sale of assets
We do not sell your personal information to third parties for marketing purposes.
5. Data Security
We implement appropriate technical and organizational security measures to protect your information, including:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and audits
- Employee training on data protection
While we strive to protect your information, no method of transmission over the Internet is 100% secure.
6. Data Retention
We retain your information for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law. Certification and verification records may be retained on a long-term basis to support the integrity of the public register, subject to the retention principles described below and applicable legal requirements.
7. Your Rights Under the PDPL
Under Federal Decree-Law No. 45 of 2021 (PDPL), you have the following rights with respect to your personal data:
- Right of Access: Request a copy of the personal data we hold about you and information on how it is processed.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal obligations and legitimate interests (including certification record-keeping).
- Right to Restriction: Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability: Request that we transfer your data to another controller in a structured, commonly used format where technically feasible.
- Right to Object: Object to processing based on our legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, submit a written request to privacy@naiwa.ae. We will respond within 30 days. For certification records, certain data may be retained as required by applicable UAE commercial and regulatory law.
8. Cookies and Tracking
We use cookies and similar technologies to enhance your experience, analyze usage patterns, and improve our services. You can control cookie preferences through your browser settings.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page with an updated "Last Updated" date.
10. Additional Data-Processing Disclosures
Categories of data we process
Depending on your role and use of the Services, we may process: account and contact data; SME profile and business data; uploaded SME documents; KYC/KYB and identity documents; financial documents and figures; certification and registry information; investor interest and introduction data; marketplace listing data; AI-assisted assessment outputs and AI processing logs; support messages and attachments; and payment-related metadata (such as payment status, references, and amounts) processed by our third-party payment processor. We do not store full payment-card numbers.
Reasons for processing
We process data to provide and operate the Services; to perform assessments and issue, maintain, suspend, or revoke certification; to operate the verification registry, marketplace, and introduction features; to maintain audit, evidence, and security records; to comply with legal obligations; to detect and prevent fraud and misuse; and for legitimate business administration. Where required, we rely on your consent, the performance of a contract with you, a legal obligation, or our legitimate interests as the basis for processing.
Marketplace visibility and investor disclosure
If you publish a marketplace listing or make your profile visible, information you choose to disclose may be visible to other users, including investors. You control what is published. Expressing or receiving interest creates a communication record visible to the relevant parties and to NAIWA for audit purposes. NAIWA does not sell personal data and does not share contact details beyond what is necessary to operate the introduction workflow you initiate or accept.
AI processing notice
Some features use AI to assist with assessment, summarization, and discovery. AI outputs are advisory only, are subject to human review, and do not finalize any decision. AI processing may involve third-party AI service providers acting as processors. AI summaries do not overwrite or replace your source documents or submitted evidence, which are preserved as the authoritative record.
Source evidence preservation
We preserve submitted source documents and evidence, together with related audit records, to support the integrity of assessments and certification. These records may be retained after account closure for legitimate legal, audit, and dispute-resolution purposes.
Service providers (processors)
We use third-party service providers to host infrastructure, send email, process payments, and provide AI capabilities. These providers process data on our instructions for the purposes described in this policy. Each provider operates under its own terms and security arrangements.
Cross-border transfers
Some service providers may process data outside the United Arab Emirates. Where data is transferred across borders, we take steps intended to ensure an appropriate level of protection consistent with applicable law. By using the Services, you acknowledge that such transfers may occur.
Retention by category
Retention periods vary by category. In general: account data is retained while your account is active and for a reasonable period afterward; certification, registry, audit, and evidence records are retained for longer periods to preserve the integrity and verifiability of past assessments and to meet legal and dispute-resolution needs; payment metadata is retained as required for financial record-keeping; AI logs are retained for a limited operational period. Specific periods may change and are applied in light of legal requirements.
Registry retention caveat
The public verification registry may continue to reflect that a certificate existed, expired, was suspended, or was revoked, even after certification ends, so that third parties can verify historical status. Removal from the registry is at NAIWA's discretion and subject to the integrity and audit purposes described above.
No sale of personal data
NAIWA does not sell personal data.
Security and breach
We apply administrative, technical, and organizational measures intended to protect personal data. No system is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that requires notification, we will act in accordance with applicable law. To report a security concern, contact privacy@naiwa.ae.
Exercising your rights
Subject to applicable law, you may request access to, correction of, or deletion of your personal data, and may object to or restrict certain processing. To make a request, contact privacy@naiwa.ae. We may need to verify your identity and may retain certain records where we have a legal basis or obligation to do so. Some certification, registry, audit, and evidence records may be retained even after a deletion request to preserve the integrity of past assessments and to meet legal requirements.
Contact Us
For questions about this Privacy Policy or your personal data, please contact us at privacy@naiwa.ae.