Privacy Policy
1. Introduction
ISOVIA FZCO ("ISOVIA," "we," "us," or "our"), a company incorporated and registered in the International Free Zone Authority (IFZA), Dubai, United Arab Emirates, with its registered office at IFZA Business Park, DDP, PO Box 342001, Dubai, UAE, operates the AEGIS platform ("Platform"), accessible at aegi.technology and daraa.ai.
This Privacy Policy describes how we collect, use, store, share, and protect your personal data when you access or use the AEGIS Platform, our website, or any related services. We are committed to protecting your privacy and handling your data in a transparent and lawful manner.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Platform.
2. Regulatory Framework and Compliance
ISOVIA is committed to compliance with applicable data protection laws and regulations, including:
- UAE Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its implementing regulations.
- The General Data Protection Regulation (EU) 2016/679 (GDPR), to the extent that it applies to the processing of personal data of individuals located in the European Economic Area.
- The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), in relation to the governance and transparency of AI systems managed through the Platform.
- Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020, where applicable.
Where there is a conflict between the requirements of different applicable laws, we will apply the standard that provides the highest level of protection for your personal data.
3. Data Controller
ISOVIA FZCO is the data controller responsible for the processing of your personal data collected through the AEGIS Platform. For any questions or requests regarding your personal data, you may contact us at:
ISOVIA FZCO
IFZA Business Park, DDP
PO Box 342001, Dubai, UAE
Email: [email protected]
Phone: +971 4228 52 85
Mobile: +971 50 991 7369
4. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
4.1 Account Information
When you register for an account on the Platform, we collect your full name, email address, company name, job title, and industry sector. If you register using a password, we store a securely hashed version of your password. We never store passwords in plain text.
4.2 Organizational Data
To provide governance and compliance services, we collect information about your organization, including organization name, size, industry classification, and regulatory jurisdiction. This data is provided voluntarily by you during assessments and onboarding.
4.3 AI System and Governance Data
The Platform processes information about your AI systems, including system names, descriptions, risk classifications, compliance statuses, governance policies, and assessment results. This data is entered by you or generated by the Platform's analytical tools to support your governance objectives.
4.4 Usage and Technical Data
We automatically collect certain technical information when you use the Platform, including your IP address, browser type and version, device information, pages visited, session duration, and interaction patterns. This data is collected through server logs and analytics services to improve Platform performance and security.
4.5 Payment Data
When you subscribe to a paid plan, payment processing is handled by Stripe, Inc. ("Stripe"), our third-party payment processor. We do not collect, store, or have access to your full credit card numbers, CVV codes, or card expiration dates. We retain only the Stripe customer identifier and subscription identifier necessary to manage your subscription.
4.6 Communication Data
When you contact us through the Platform's contact form, email, or other communication channels, we collect the content of your communications, your email address, and any other information you choose to provide.
4.7 Cookie and Session Data
We use session cookies to authenticate your access and maintain your login state. We also use a sidebar preference cookie for user interface personalization. Details about our cookie usage are provided in Section 10 of this Policy.
5. Purpose and Legal Basis for Processing
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing and maintaining the Platform, including account management, authentication, and subscription services | Performance of contract |
| Processing AI governance assessments, risk classifications, and compliance monitoring | Performance of contract |
| Generating governance reports, policy documents, and compliance certificates | Performance of contract |
| Processing payments and managing subscriptions through Stripe | Performance of contract |
| AI-powered analysis, including gap analysis, policy generation, and governance recommendations | Performance of contract; Legitimate interest |
| Improving Platform functionality, performance, and user experience | Legitimate interest |
| Ensuring Platform security, preventing fraud, and detecting unauthorized access | Legitimate interest; Legal obligation |
| Responding to your inquiries and providing customer support | Legitimate interest; Performance of contract |
6. AI and Automated Data Processing
The AEGIS Platform utilizes artificial intelligence and large language models (LLMs) to deliver governance, compliance, and analytical services. This section provides transparency about how AI processes your data within the Platform.
6.1 AI-Powered Features
The Platform uses AI to perform risk classification of AI systems under the EU AI Act framework, generate gap analysis reports comparing your governance posture against regulatory requirements, produce and review governance policy documents, provide compliance recommendations through the AEGIS Agent conversational interface, and generate board-level governance reports and benchmarking analyses.
6.2 Data Handling by AI Systems
When AI features process your data, the information you provide (such as AI system descriptions, organizational context, and governance documents) is transmitted to our AI service providers for processing. We do not use your data to train or fine-tune AI models. Your data is processed solely for the purpose of generating the specific output you have requested.
6.3 Human Oversight
All AI-generated outputs on the Platform, including risk classifications, policy drafts, and compliance recommendations, are presented as advisory tools. They are not a substitute for professional legal, regulatory, or compliance advice. You retain full control over whether to adopt, modify, or reject any AI-generated recommendation.
7. Data Sharing and Third-Party Processors
We share your personal data with the following categories of recipients, solely to the extent necessary for the purposes described in this Policy:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | Name, email, payment details (processed directly by Stripe) |
| AI Service Providers | AI-powered analysis, policy generation, and governance recommendations | Organizational context, AI system descriptions, governance data (as submitted by you) |
| Cloud Infrastructure Providers | Hosting, data storage, and content delivery | All Platform data (encrypted at rest and in transit) |
| Analytics Providers | Platform performance monitoring and usage analytics | Anonymized usage data, technical data |
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes. We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of ISOVIA, our users, or the public.
8. International Data Transfers
Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. Our cloud infrastructure and AI service providers may process data in jurisdictions outside the UAE and the European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place, including standard contractual clauses approved by relevant authorities, adequacy decisions by the European Commission, or other legally recognized transfer mechanisms, to ensure that your personal data receives an adequate level of protection.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
- Account data: Retained for the duration of your active account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
- Governance and assessment data: Retained for the duration of your subscription. Upon termination, data is retained for 90 days to allow for data export, after which it is permanently deleted.
- Payment records: Retained for the period required by applicable tax and financial regulations (typically 5 to 7 years).
- Server logs and technical data: Retained for up to 12 months for security and performance monitoring purposes.
- Communication records: Retained for 24 months from the date of the last communication.
10. Cookies and Similar Technologies
The Platform uses the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| aegis_session | Essential | Authentication and session management | Session / persistent (secure, HTTP-only) |
| sidebar:state | Functional | Remembers sidebar open/closed preference | 7 days |
The Platform does not use third-party advertising or tracking cookies. The essential session cookie is strictly necessary for the Platform to function and cannot be disabled. The functional cookie is used solely to improve your user experience.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest in our cloud storage infrastructure.
- Secure password hashing using industry-standard algorithms (bcrypt with appropriate salt rounds).
- Role-based access controls and data isolation ensuring that each user can access only their own data.
- Rate limiting on authentication endpoints to prevent brute-force attacks.
- Regular security audits and vulnerability assessments.
- Secure session management with HTTP-only, secure, and SameSite cookie attributes.
While we take all reasonable steps to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
12. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
12.1 Under the UAE PDPL
- Right of Access: You have the right to request access to the personal data we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure: You have the right to request deletion of your personal data, subject to legal retention obligations.
- Right to Restrict Processing: You have the right to request restriction of processing in certain circumstances.
- Right to Object: You have the right to object to the processing of your personal data in certain circumstances.
12.2 Under the GDPR (for EEA Residents)
In addition to the rights above, EEA residents have the following rights:
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your member state of residence.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, or within the timeframe required by applicable law.
13. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Privacy Policy on the Platform with a revised "Last Updated" date. We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:
ISOVIA FZCO — Data Protection
IFZA Business Park, DDP
PO Box 342001, Dubai, UAE
Email: [email protected]
Phone: +971 4228 52 85
Mobile: +971 50 991 7369
General Inquiries: [email protected]
© 2026 ISOVIA FZCO. All rights reserved.