Privacy Policy
1. Introduction and Identity of the Data Controller
This Privacy Policy (the “Policy”) is issued by Iyara Labs LLC, a limited liability company incorporated in the Sharjah Media City Free Zone, United Arab Emirates, under Trade Licence No. 2646487.01, whose registered address is Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, United Arab Emirates (referred to in this Policy as “Iyara Labs”, “we”, “us”, or “our”).
This Policy sets out the basis on which any personal data we collect from visitors to iyaralabs.com(the “Site”), or that visitors provide to us, will be processed by us. It applies to all personal data processed through the Site, whether submitted voluntarily by visitors or collected automatically through the technical operation of the Site.
We are committed to processing personal data fairly, lawfully, and transparently, in accordance with applicable data protection legislation, including:
(a) Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”), as operative in the United Arab Emirates;
(b) EU Regulation 2016/679 (the “GDPR”), to the extent applicable to the processing of personal data of individuals in the European Economic Area; and
(c) the California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020 (together, “CCPA/CPRA”), to the extent applicable to California residents.
Please read this Policy carefully before using the Site. By using the Site, you acknowledge that you have read and understood its terms.
2. Personal Data We Collect and the Basis on Which We Process It
2.1 Contact form submissions
When you submit the contact form on the Site, we collect the following categories of personal data:
(a) your name;
(b) your email address;
(c) your company name, where provided; and
(d) the content of your message.
Purpose. We process this data solely for the purpose of responding to your enquiry and evaluating a potential commercial engagement. We do not add contact form submissions to any mailing list, nor do we use this data for direct marketing, without your separate and express consent.
Legal basis:
(a) GDPR: Consent (Article 6(1)(a)). You may withdraw your consent at any time by contacting us at legal@iyaralabs.com. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.
(b) UAE PDPL: Consent, on the same basis. The same withdrawal rights apply.
(c) CCPA/CPRA: This data is collected for business purposes only, as defined under the CCPA/CPRA. We do not sell or share this data.
2.2 Analytics data
We use Vercel Analytics to understand aggregate patterns of use of the Site. Vercel Analytics is cookieless by design. It does not set cookies, does not track individual users across sessions or devices, and does not collect data capable of identifying any individual person. The data collected comprises page views, referral sources, device type, browser type, and country-level location, in aggregated and anonymised form only.
Purpose. To understand how visitors use the Site in order to improve its content and performance.
Legal basis:
(a) GDPR: Legitimate interests (Article 6(1)(f)). Our legitimate interest is in understanding aggregate patterns of Site usage. Given the anonymised and aggregated nature of the data collected, we do not consider this processing to carry a material risk to individual privacy rights. You have the right to object to this processing; see clause 6.1 below.
(b) UAE PDPL: Legitimate interests, on the same basis.
(c) CCPA/CPRA: This data does not constitute “personal information” as defined under the CCPA/CPRA, as it is anonymised and cannot be linked to any identifiable individual. No CCPA/CPRA obligations attach to it.
2.3 Data we do not collect
We do not collect, process, or retain:
(a) special categories of personal data, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, genetic data, or biometric data;
(b) financial or payment data. The Site does not offer e-commerce or payment functionality of any kind;
(c) precise geolocation data;
(d) personal data of children under the age of 13, under any circumstances; or
(e) personal data of individuals under the age of 18, as this Site is not directed at minors.
3. Third-Party Processors
We engage the following third-party data processors in connection with the operation of the Site:
| Provider | Jurisdiction | Role | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | United States | Website hosting, edge network delivery, and cookieless analytics | Standard Contractual Clauses (EU Commission Decision 2021/914); Vercel Data Processing Addendum |
We have entered into data processing agreements with each processor that impose obligations on them materially consistent with applicable data protection law. We do not authorise any processor to use personal data for their own independent purposes.
We do not sell, rent, lease, or otherwise transfer personal data to any third party for marketing, commercial, or any other purpose not described in this Policy.
4. International Data Transfers
Iyara Labs LLC is based in the United Arab Emirates. Our hosting and analytics provider, Vercel Inc., is based in the United States.
Where personal data is transferred from the European Economic Area to the United States, we rely on the Standard Contractual Clauses adopted by the European Commission pursuant to Decision 2021/914 as the applicable transfer mechanism, supplemented by such additional safeguards as the circumstances require.
Where personal data is transferred from the UAE to the United States, we ensure that appropriate contractual protections are in place, consistent with the requirements of the PDPL in relation to cross-border transfers. The United States has not been the subject of an adequacy determination by the UAE Data Office. Accordingly, transfers to Vercel are made subject to the contractual safeguards described above.
5. Data Retention
We retain personal data only for as long as is necessary for the purposes set out in this Policy or as required by applicable law. Once the applicable retention period has expired, personal data will be securely deleted or irreversibly anonymised in accordance with our internal data management procedures.
| Category | Retention period |
|---|---|
| Contact form submissions | Up to 24 months from the date of submission, or until you request deletion, whichever is the earlier |
| Vercel Analytics data | Aggregated and anonymised. No personal data retention period applies |
6. Your Rights
Subject to the conditions and limitations set out in applicable law, you have the rights described below in relation to your personal data. To exercise any of these rights, please submit a written request to legal@iyaralabs.com. We may require reasonable verification of your identity before processing a request. We will not charge a fee for processing a rights request unless it is manifestly unfounded or excessive.
6.1 GDPR (EU/EEA Residents)
Pursuant to the GDPR, you have the following rights:
(a) Access (Article 15): to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with supplementary information about how it is processed.
(b) Rectification (Article 16): to have inaccurate or incomplete personal data corrected without undue delay.
(c) Erasure (Article 17): to have your personal data erased where no lawful basis for its continued retention exists, subject to any applicable exemptions.
(d) Restriction (Article 18): to restrict the processing of your personal data in certain circumstances, including where you contest its accuracy or object to its processing.
(e) Portability (Article 20): to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where technically feasible and where processing is carried out by automated means.
(f) Objection (Article 21): to object to processing carried out on the basis of legitimate interests. We shall cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or that the processing is necessary for the establishment, exercise, or defence of legal claims.
(g) Withdrawal of consent: where processing is based on consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Response time. We will respond within 30 days of receipt of a verified request. In cases of complexity or volume, we may extend this period by a further two months, with written notice provided within the initial 30-day period.
Supervisory authority. You have the right to lodge a complaint with the data protection supervisory authority in your country of residence or place of work. A list of EU/EEA supervisory authorities is available at edpb.europa.eu.
6.2 CCPA/CPRA (California Residents)
Pursuant to the CCPA/CPRA, you have the following rights:
(a) Right to Know: to request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for which it is used, and the categories of third parties to whom it has been disclosed.
(b) Right to Delete: to request deletion of personal information we hold about you, subject to certain statutory exceptions.
(c) Right to Correct: to request correction of inaccurate personal information we hold about you.
(d) Right to Opt-Out of Sale or Sharing: we do not sell personal information and we do not share personal information for cross-context behavioural advertising. No opt-out mechanism is required or available.
(e) Right to Limit Use of Sensitive Personal Information: we do not collect sensitive personal information as defined under the CPRA.
(f) Right to Non-Discrimination: we will not discriminate against you for exercising any right under the CCPA/CPRA.
Response time. We will respond within 45 days of receipt of a verified request. Where reasonably necessary, we may extend this period by a further 45 days, with written notice provided within the initial 45-day period.
Authorised agents. Requests submitted on your behalf by an authorised agent must be accompanied by written authorisation signed by you or a valid power of attorney.
6.3 UAE PDPL (UAE Residents)
Pursuant to Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”), we process your personal data on the following lawful bases:
(a) Contact form data: on the basis of your consent, which you provide by voluntarily submitting the contact form. You may withdraw consent at any time by contacting legal@iyaralabs.com, without affecting the lawfulness of any processing carried out prior to withdrawal.
(b) Analytics data: on the basis of our legitimate interests, as described in clause 2.2 above.
You have the following rights under the PDPL:
(a) Access: to request confirmation of whether we process your personal data and to obtain a copy of it.
(b) Rectification: to request correction of inaccurate or outdated personal data.
(c) Erasure: to request deletion of your personal data where there is no longer a lawful basis for its retention.
(d) Restriction: to request that we restrict processing of your personal data in certain circumstances.
(e) Objection: to object to processing of your personal data in certain circumstances.
(f) Portability: to receive your personal data in a structured, machine-readable format, where technically feasible.
Response time. We will respond within 30 days of receipt of a verified request.
Complaints. If you consider that we have processed your personal data in breach of the PDPL, you have the right to submit a complaint to the UAE Data Office, the federal authority responsible for oversight of data protection in the United Arab Emirates, at uaedataoffice.gov.ae.
Regulatory note. The PDPL is operative and enforceable. Full enforcement capacity is being developed by the UAE Data Office with a compliance deadline of 1 January 2027. We will update this Policy as Executive Regulations and further regulatory guidance are published.
7. Automated Decision-Making and Profiling
We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on any individual. No decisions concerning you are made solely by automated means.
8. Cookies and Tracking Technologies
This Site does not use non-essential cookies or tracking technologies of any kind. Vercel Analytics is cookieless by design and sets no cookies at any point during your visit to the Site. We do not use pixels, browser fingerprinting, or cross-site tracking mechanisms.
No cookie consent banner is presented or required in connection with your use of the Site.
9. Children
This Site is directed exclusively at businesses and professionals. It is not intended for use by individuals under the age of 18.
In accordance with Federal Decree-Law No. 26 of 2025 on Child Digital Safety (the “CDS Law”), which came into force on 1 January 2026, we do not knowingly collect, process, publish, or share the personal data of children under the age of 13 under any circumstances. We implement no registration, account creation, or interactive functionality that could be used by minors.
Under the CCPA/CPRA, we do not sell or share the personal information of consumers under the age of 16.
If you have reason to believe that a person under the age of 13 has submitted personal data through this Site, please notify us promptly at legal@iyaralabs.com. We will take reasonable steps to delete such data without undue delay upon becoming aware of it.
10. Security
We implement reasonable and appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. All data transmitted through the Site is encrypted in transit using HTTPS. Our hosting infrastructure is managed by Vercel Inc., which maintains industry-standard security controls and certifications.
No method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of personal data transmitted to or stored by us. Subject to the requirements of applicable law, we shall not be liable for any unauthorised access to, or disclosure of, personal data that results from circumstances beyond our reasonable control.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority and, where required by applicable law, affected individuals, without undue delay and in accordance with applicable legal requirements.
11. Changes to This Policy
We reserve the right to amend this Policy at any time. Where we do so, we will update the “Last updated” date at the top of this page. Material changes, including changes to the purposes for which we process personal data or to the categories of data we collect, will be communicated by means of a prominent notice posted on the Site for a reasonable period prior to the change taking effect. Where required by applicable law, including under the GDPR, we will seek fresh consent before relying on amended terms as a basis for processing.
Your continued use of the Site following the posting of a non-material amendment shall constitute your acceptance of the amended Policy. We encourage you to review this Policy periodically.
12. Contact
All enquiries, rights requests, or complaints relating to this Policy or our data practices should be directed to:
Iyara Labs LLC
Trade Licence No. 2646487.01
Shams Business Center, Sharjah Media City Free Zone
Al Messaned, Sharjah, United Arab Emirates
legal@iyaralabs.com
We aim to acknowledge all enquiries within five working days of receipt.