Keyflow Technology Ltd — Data Protection Policy

Effective: 22 February 2026  |  Version: 1.2


Keyflow Technology Ltd (“Keyflow”, “we”, “us”, or “our”) values your security and privacy. Keyflow is a company registered in the Dubai International Financial Centre (DIFC License No. CL-12435, Reference SR-661431) and is required to comply with the DIFC Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law”), the DIFC Data Protection Regulations 2020, and may, for certain types of personal data processing, be subject to laws from other jurisdictions including UAE Federal Decree-Law No. 45 of 2021 (the “Federal Data Protection Law”) and the EU General Data Protection Regulation (GDPR) where applicable.

It is the policy of Keyflow to respect the privacy of its users across all products and services. In accordance with the DP Law and, as applicable, our Terms of Service (TOS-2026-001), Keyflow collects information about you when you use or access our products and services, including:

  • LeaseFlow (leaseflow.me) — property and lease management platform
  • LeadsFlow (leadsflow.me) — real estate lead management and CRM
  • Connect (connect.keyflowae.com) — unified communications hub (WhatsApp Business and email)
  • Keyflow Website (keyflowae.com) — our corporate website

(collectively, the “Services”), as well as through other interactions and communications you have with us.

This data protection policy (the “Policy”) sets out the basis on which any information, including any personal data, we collect from you, or you provide to us, will be processed by Keyflow. Each time you access or use the Services or provide us with information, you acknowledge the practices described in this Policy. For use of specific services, you may be asked to provide your affirmative opt-in consent to our use of the information you submit. Your rights described herein apply in these instances as well.

1. Scope and Application

This Policy applies to persons anywhere in the world who access or use any of Keyflow's Services (“Users”), including but not limited to:

  • Real estate agency administrators, managers, and agents who use the Services
  • Property owners who access owner portals
  • Tenants and clients whose personal data is managed through the Services
  • Leads and prospective clients whose inquiry data is processed through the Services
  • Contacts who communicate via WhatsApp Business or email through Connect
  • Visitors to the Keyflow website

2. Collection of Information

2.1 Information You Give Us

This is personal data you give us by providing information or filling in forms on our Services, or by corresponding with us (for example, by telephone, email, WhatsApp, or any other digital or electronic form). It includes information you provide when you register for an account, create or manage lease contracts, submit lead inquiries, communicate through Connect, or report a problem with any of our Services.

The personal data you give us may include the following categories:

Identity and Contact Data:

  • Full name, email address, phone number, postal address
  • Emirates ID number and Emirates ID document images
  • Nationality, date of birth
  • Passport number and passport document images (where provided)
  • Photographs and profile pictures

Property and Lease Data:

  • Property details, unit information, lease terms and conditions
  • Rental amounts, payment schedules, deposit information
  • Ejari contract details, RERA compliance data, DLD permit numbers
  • Lease documents, contracts, and associated correspondence

Financial Data:

  • Bank account details (property owners — for rental disbursements)
  • Commission records, management fee calculations
  • Cheque details and payment records

Lead and Inquiry Data:

  • Name, email, phone number
  • Property interests, budget, timeline preferences
  • Source of inquiry (property portal, social media, website, referral)
  • Notes and follow-up records

Communication Data (Connect):

  • WhatsApp messages (sent and received), message delivery status
  • Email content, subject lines, attachments
  • Contact information, conversation history

Photographs and Profile Pictures:

  • Emirates ID photographs are processed through AWS Rekognition (DetectFaces API) to extract the facial region for use as client profile pictures within LeaseFlow
  • This is face detection for photo cropping only — it is NOT biometric identification, face comparison, or identity verification
  • No biometric vectors, embeddings, or comparison data are generated or stored

Staff and Agent Data:

  • Employee names, email addresses, phone numbers
  • Roles and permissions, login credentials (passwords stored in hashed form only)
  • Performance metrics, activity logs

2.2 Information We Collect About You and Your Device

Each time you use our Services we may automatically collect the following information:

  • Technical Information: the type of device you use, a unique device identifier, your operating system, browser type and version, time zone setting, language preferences (“Device Information”)
  • Log Information: details of your use of our Services including, but not limited to, traffic data, access logs, API call records, and the resources that you access (“Log Information”)
  • Location Information: IP address and general geographic location derived from IP address

2.3 Information We Receive from Third Parties

We receive personal data from third-party services that integrate with our platform:

  • Property portals (Bayut, PropertyFinder, Dubizzle): lead inquiry data including name, phone, email, and property interest
  • Meta Lead Ads (Facebook/Instagram): lead inquiry data from social media advertising campaigns
  • Webhook integrations (Zapier, custom webhooks): lead data from external systems configured by your agency

3. Special Categories of Personal Data

Keyflow does not process special categories of personal data as defined in Article 9 of the DP Law.

Clarification on Face Detection: We use AWS Rekognition (DetectFaces API) within LeaseFlow to detect and crop the facial region from Emirates ID photographs for use as client profile pictures. This is standard image processing for photo extraction — it does NOT constitute biometric data processing under Article 9 because:

  • It is not used for the purpose of uniquely identifying a natural person
  • No face comparison (CompareFaces) or identity verification is performed
  • No biometric vectors, embeddings, or face collections are created or stored
  • Only the detected face bounding box coordinates are used to crop a profile photo

We do not process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health, or data concerning a person's sex life or sexual orientation.

Children's Data: Our Services are not targeted at, intended for, or expected to be of use to children under the age of 18. We do not knowingly collect personal data from children.

3A. B2B2C Data Processing Model

Keyflow operates a business-to-business-to-consumer (B2B2C) model:

  • Our direct customers are real estate agencies who subscribe to our Services.
  • Indirect data subjects include tenants, property owners, and leads whose personal data is input into the platform by the subscribing agency.
  • Lawful basis for agency-entered data: When an agency inputs tenant or property owner data, the lawful basis is primarily contract performance (Article 10(1)(b)) — the processing is necessary for the tenancy or property management agreement between the agency and the individual. Agencies may also rely on legitimate interest (Article 10(1)(f)) for lead management and operational purposes.
  • Agency responsibility: Each subscribing agency is responsible for ensuring it has the appropriate lawful basis for collecting personal data from its clients (e.g., under the tenancy agreement or management contract). Keyflow provides the platform infrastructure and processing capabilities.

4. Use of Personal Data

We use personal data which you provide to us or we collect from you for the following purposes:

4.1 Service Delivery and Contract Performance (Article 10(1)(b) of the DP Law)

  • Provide, maintain, and improve our Services, including facilitating property management, lease administration, lead management, and communications
  • Process and manage lease contracts, rental payments, Ejari registrations, and PropertyFinder listings
  • Distribute leads to agents, manage lead lifecycle, and track conversions
  • Facilitate WhatsApp Business and email communications through Connect
  • Authenticate users, manage accounts and permissions, and provide customer support
  • Send transactional communications (e.g., lease reminders, payment confirmations, service notifications)

4.2 Legal Obligations (Article 10(1)(c) of the DP Law)

  • Comply with RERA regulations, Ejari registration requirements, and Dubai Land Department requirements
  • Maintain audit logs for a minimum of 7 years as required by DIFC regulations
  • Respond to lawful requests from regulatory authorities
  • Maintain records of processing activities as required by Article 15 of the DP Law

4.3 Legitimate Interests (Article 10(1)(f) of the DP Law)

  • Perform internal administrative and operational functions
  • Prevent fraud, abuse, and unauthorized access to our Services
  • Conduct data analysis, testing, and research to improve our Services
  • Troubleshoot software issues and operational problems
  • Monitor usage and activity trends for service improvement
  • Ensure network and information security

4.4 Consent (Article 10(1)(a) of the DP Law)

The following processing activities are conducted only with your explicit consent, which you may withdraw at any time:

  • Marketing and promotional email communications
  • Marketing SMS communications
  • Marketing phone communications
  • Analytics cookies and tracking technologies
  • Sharing data with third parties for marketing purposes
  • Automated profiling and lead scoring

4.5 AI-Powered Processing

Keyflow uses artificial intelligence services provided by AWS to enhance the Services:

  • AWS Bedrock (Claude Haiku): Intelligent document analysis for lease contracts and property documents. Documents are sent to the AI service for analysis and the results are returned to the application. AWS does not retain your data for model training.
  • AWS Textract: Optical character recognition (OCR) for extracting information from Emirates ID cards, lease contracts, and other documents.
  • AWS Rekognition: Face detection (DetectFaces API only) for extracting profile photos from Emirates ID images. No face comparison, identity verification, or biometric identification is performed.

None of these AI services make automated decisions with legal effects on data subjects. AI assists real estate agents in their work — all significant decisions are made by human operators.

5. Processing, Storage, and Transfer of Personal Data

5.1 Data Storage Location

Your personal data is primarily stored in the AWS Middle East (UAE) region (me-central-1), which is the local AWS region in the UAE. This includes our databases (AWS RDS PostgreSQL), file storage (AWS S3), and application hosting (AWS ECS Fargate).

5.2 International Transfers

In order to conduct our operations, we transfer personal data to processors outside the DIFC:

Processor | Location | Purpose | Safeguards
Amazon Web Services (AWS) | UAE (me-central-1) primary; certain services may route through US/global endpoints | Infrastructure, database, storage, email, AI processing, OCR, face detection | AWS Data Processing Addendum with Standard Contractual Clauses
Meta Platforms (WhatsApp Business API) | US/EU | WhatsApp messaging (Connect only) | Meta Data Processing Terms with Standard Contractual Clauses

Neither the United States nor the UAE (outside DIFC) currently holds a DIFC adequacy designation. Accordingly, we rely on Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreements with each processor, as permitted under Article 27(1) of the DP Law.

We take appropriate security measures to protect your personal data in connection with all international transfers, in accordance with the DP Law and this Policy.

5.3 Automated Decision-Making

Keyflow does not rely solely on automated decision-making when processing your personal data. While we use AI tools to assist with document analysis, OCR, and profile photo extraction, all consequential decisions are made or reviewed by human operators.

6. Sharing of Personal Data

6.1 Within the Keyflow Platform

Your personal data may be shared across Keyflow products (LeaseFlow, LeadsFlow, Connect) to provide integrated services. For example, a contact's information may be linked across LeadsFlow and Connect to enable unified communications. This sharing is governed by your agency's configuration and is necessary for the performance of the services you have requested.

6.2 With Data Processors

We share personal data with the following categories of processors who assist us in delivering the Services:

  • Cloud infrastructure providers (AWS) for hosting, storage, email delivery, AI processing, OCR, and profile photo extraction
  • Communication platform providers (Meta/WhatsApp) for messaging services through Connect

All processors are bound by Data Processing Agreements that require them to process data only on our instructions, maintain appropriate security measures, and comply with applicable data protection laws.

6.3 With Third Parties as Directed by Your Agency

Real estate agencies using our Services may configure integrations that share data with:

  • Property portals (PropertyFinder) for listing syndication — note: this involves property metadata and listing information only, NOT tenant personal data
  • Workflow automation tools (Zapier) as configured by the agency

6.4 Legal and Regulatory Disclosure

We may share personal data:

  • In response to a request for information by a competent authority or government entity if we determine that such disclosure is required by applicable law, regulation, or legal process
  • With law enforcement officials, government entities, or authorities as required by applicable law
  • To comply with RERA, Ejari, DLD, or other Dubai/UAE real estate regulatory requirements
  • In connection with any merger, sale of company assets, consolidation, or restructuring
  • In an aggregated and/or anonymized form that cannot reasonably be used to identify you

6.5 Government Data Sharing

In some circumstances we may be legally obliged to share information with public authorities or law enforcement. In any such scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making process.

7. Data Retention

We retain personal data for the following periods:

Data Category | Retention Period | Basis
Audit logs | 7 years minimum from creation | DIFC regulatory requirement
Consent records | 7 years from consent date | DIFC accountability requirement (Article 14)
Lease and property data | Duration of agency subscription + 7 years | Legal obligation (RERA, Ejari) and audit retention
Lead data | Duration of agency subscription + 30 days | Contractual necessity
Communication data (messages) | Duration of agency subscription + 7 years | Audit trail requirement
User accounts | Duration of subscription + 30 days grace period | Contractual necessity
Profile photos (extracted from Emirates ID) | Duration of agency subscription + 7 years | Retained with client record
Identity document images | Duration of agency subscription + 7 years | Legal obligation (tenant verification records)

After the applicable retention period, personal data is either securely deleted or anonymized so that no individual can be identified from the remaining data.

We are not responsible for the accuracy of the information you provide, and will modify or update your personal data in our databases when you provide updated information or upon your request, as further outlined below.

8. Your Rights and Choices

8.1 Your Data Protection Rights

Under the DP Law, you have the following rights in respect of your personal data:

Right | Description | DP Law Reference
Right of Access | The right to obtain confirmation of whether we process your personal data and to receive a copy of that data | Article 32
Right to Rectification | The right to have inaccurate personal data corrected or incomplete data completed | Article 33
Right to Erasure | The right to have your personal data deleted in certain circumstances | Article 34
Right to Restriction | The right to restrict processing of your personal data in certain circumstances | Article 35
Right to Data Portability | The right to receive your personal data in a structured, commonly used, machine-readable format | Article 36
Right to Object | The right to object to processing based on legitimate interests or for direct marketing | Article 37
Right to Withdraw Consent | Where processing is based on consent, the right to withdraw that consent at any time | Article 10

8.2 How to Exercise Your Rights

Method 1 — Self-Service (where available):

  • Navigate to your account settings page (e.g., /dashboard/settings/privacy in LeaseFlow or LeadsFlow)
  • Use the data export request or account deletion request functions
  • Adjust your marketing and communication preferences

Method 2 — Contact Us Directly:

  • Email: privacy@keyflowae.com
  • Post: Data Protection Officer, Keyflow Technology Ltd, Unit GA-00-SZ-01-FX-07, Level 1, Gate Avenue - South, DIFC, Dubai, UAE
  • Phone: +971 56 754 0655

Any access request is generally free of charge. We will respond within 30 days of receiving your request, unless the DP Law provides otherwise. We may, where permissible, impose a reasonable fee to meet any extraordinary administrative costs.

8.3 Marketing and Preferences

You have the right to opt out of receiving marketing communications from us at any time. You may:

  • Change your marketing preferences in your account settings
  • Use the unsubscribe link provided in marketing emails
  • Contact us at privacy@keyflowae.com to opt out

Please note that we may continue to send you transactional and service-related communications (e.g., lease reminders, payment confirmations, account notifications) even if you opt out of marketing communications, as these are necessary for the performance of the services you have requested.

8.4 Non-Discrimination

As set out in Article 39 of the DP Law, we will not discriminate against you for exercising your rights by denying services or changing prices or quality of service.

9. Security Precautions

Keyflow implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Technical Measures:

  • Encryption at rest for all databases (AWS RDS with KMS encryption) and file storage (AWS S3 server-side encryption)
  • Encryption in transit via TLS/HTTPS for all data transmission
  • AWS Web Application Firewall (WAF) for protection against web-based attacks
  • Multi-tenant architecture with strict data isolation — each agency's data is segregated at the database query level
  • Role-based access controls limiting data access to authorized personnel only
  • Password hashing using bcrypt (passwords are never stored in plain text)
  • Automated security scanning (CodeQL) in our development pipeline

Organizational Measures:

  • Access to personal data is restricted to those who need it to perform their duties
  • Background checks on employees
  • Data protection training for all team members
  • Regular review and assessment of security policies and procedures
  • Audit logging of all access to and modification of personal data, with 7-year retention
  • Incident response procedures for handling data breaches

Sub-Processor Security:

  • AWS maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS certifications
  • Meta maintains ISO 27001 certification and SOC 2 reports

If you have any questions about our security practices, please contact us at privacy@keyflowae.com. To the extent permitted by applicable law, Keyflow expressly disclaims any liability that may arise should any third party obtain personal data through fraud or other means that are no fault of Keyflow.

10. Cookies and Tracking Technologies

A cookie is a small text file stored on your device by your web browser, used to retain user preferences and enhance your browsing experience.

10.1 Cookies We Use

Essential Cookies:

  • Session cookies for authentication and maintaining your logged-in state
  • CSRF (Cross-Site Request Forgery) protection tokens
  • Load balancing and routing cookies

Analytics Cookies (with consent):

  • Usage analytics to understand how our Services are used and to improve them

Communication Cookies:

  • WhatsApp Business session management (Connect only)

10.2 Cookie Preferences

In accordance with the DP Law, our default privacy settings collect only the minimum necessary cookies to operate the Services. Non-essential cookies require your opt-in consent.

You can manage your cookie preferences through your browser settings. Please refer to your browser's help documentation for instructions on how to modify cookie settings. You may also visit www.aboutcookies.org for general information about cookies and how to manage them.

Altering cookie settings may limit your ability to use certain features of the Services.

11. External Links

The Services may contain links to other websites on the Internet that are owned and operated by third parties (the “External Sites”). These links are provided solely as a convenience to you and not as an endorsement by Keyflow of the contents or reliability of such External Sites.

If you decide to access linked third-party websites, you do so at your own risk. Keyflow does not accept liability, and shall not be liable to you for any loss or damage arising from or as a result of your acting upon the content of another website to which you may link from the Services.

12. Changes to This Policy

Keyflow may change this Policy from time to time. If we make significant changes in the way we treat your personal data, or to this Policy, we will provide you notice through the Services or by other means, such as email.

Material changes to the purposes for which we process your data may require us to request your re-consent.

Your continued use of the Services after such notice constitutes your acknowledgment of the changes. We encourage you to periodically review this Policy for the latest information on our privacy practices.

This Policy is accessible through:

  • Each of our products (LeaseFlow, LeadsFlow, Connect)
  • The Keyflow website (keyflowae.com)
  • Our Terms of Service (keyflow.me/terms-of-service)
  • Contracts and agreements as necessary or appropriate

13. Contact Us

If you have any questions, comments, or requests related to this Policy, or if you have any complaints related to how Keyflow processes your personal data, please contact us using any of the following methods:

Data Protection Officer

Abdallah Al Shaqra (Interim DPO)

Method 1 — Email: privacy@keyflowae.com

Method 2 — Post: Data Protection Officer, Keyflow Technology Ltd, Level 14, The Gate, Dubai International Financial Centre, P.O. Box 74777, Dubai, United Arab Emirates

Method 3 — Phone: +971 56 754 0655

Method 4 — DPO Direct: privacy@keyflowae.com

14. Complaints to the Commissioner

If you are not satisfied with our response to your complaint or believe that our processing of your personal data does not comply with the DP Law, you have the right to lodge a complaint with the DIFC Commissioner of Data Protection:

DIFC Commissioner of Data Protection

Dubai International Financial Centre Authority

Level 14, The Gate Building, Dubai, UAE

Phone: +971 4 362 2222

Email: commissioner@dp.difc.ae

Website: difc.ae/business/operating/data-protection

15. Data Protection Officer

Keyflow has appointed a Data Protection Officer in accordance with Article 16 of the DP Law, as Keyflow conducts High Risk Processing involving AI-powered document analysis, OCR of identity documents, and systematic processing of considerable amounts of personal data.

The DPO may be contacted using the details provided in Section 13 above, or directly via email at privacy@keyflowae.com.

The DPO is responsible for:

  • Monitoring compliance with the DP Law and this Policy
  • Advising on Data Protection Impact Assessments
  • Cooperating with and acting as the point of contact for the Commissioner of Data Protection
  • Handling data subject requests and complaints

Appendix A: Lawful Bases for Processing by Product

LeaseFlow

Processing Activity | Lawful Basis | DP Law Reference
Lease contract management | Contract performance | Article 10(1)(b)
Tenant data management | Contract performance | Article 10(1)(b)
Ejari registration | Legal obligation | Article 10(1)(c)
RERA rental index compliance | Legal obligation | Article 10(1)(c)
AI lease document analysis (Bedrock) | Legitimate interest | Article 10(1)(f)
OCR of identity documents (Textract) | Contract performance | Article 10(1)(b)
Profile photo extraction (Rekognition DetectFaces) | Contract performance | Article 10(1)(b)
Audit logging | Legal obligation | Article 10(1)(c)
Transactional emails | Contract performance | Article 10(1)(b)
Marketing communications | Consent | Article 10(1)(a)

LeadsFlow

Processing Activity | Lawful Basis | DP Law Reference
Lead data management | Contract performance | Article 10(1)(b)
Lead distribution to agents | Contract performance | Article 10(1)(b)
Lead analytics and conversion tracking | Legitimate interest | Article 10(1)(f)
Portal lead ingestion (Bayut, PF, Dubizzle) | Contract performance | Article 10(1)(b)
Meta Lead Ads ingestion | Contract performance | Article 10(1)(b)
Transactional emails | Contract performance | Article 10(1)(b)
Marketing communications | Consent | Article 10(1)(a)
Audit logging | Legal obligation | Article 10(1)(c)

Connect

Processing Activity | Lawful Basis | DP Law Reference
WhatsApp messaging | Contract performance | Article 10(1)(b)
Email communications | Contract performance | Article 10(1)(b)
Contact management | Contract performance | Article 10(1)(b)
Cross-product contact linking | Legitimate interest | Article 10(1)(f)
Message delivery tracking | Contract performance | Article 10(1)(b)
Audit logging | Legal obligation | Article 10(1)(c)

Keyflow Website

Processing Activity | Lawful Basis | DP Law Reference
Contact form submissions | Consent | Article 10(1)(a)
Essential cookies | Legitimate interest | Article 10(1)(f)
Analytics cookies | Consent | Article 10(1)(a)

Appendix B: Sub-Processors

Keyflow uses the following sub-processors as part of its engagement with primary processors:

AWS Sub-Services (covered by single AWS DPA)

Sub-Service | Purpose | Data Processed | Region
RDS (PostgreSQL) | Database hosting | All database records | me-central-1 (UAE)
S3 | File storage | Documents, images, uploads | me-central-1 (UAE)
SES | Email delivery | Recipient emails, email content | me-central-1 (UAE)
SNS | Notifications | Bounce/complaint notifications | me-central-1 (UAE)
Bedrock (Claude Haiku) | AI document analysis | Lease documents, property data | us-east-1 (Virginia)
Textract | OCR processing | Emirates IDs, contracts | ap-south-1 (Mumbai)
Rekognition | Face detection (DetectFaces only) | Emirates ID images for profile photo extraction | ap-south-1 (Mumbai)
ECS (Fargate) | Application hosting | All data in-memory during processing | me-central-1 (UAE)
CloudFront | CDN | Request/response data in transit | Global edge locations
WAF | Security | Request metadata | Global

Meta Sub-Services (covered by Meta DPA)

Sub-Service | Purpose | Data Processed | Region
WhatsApp Business API | Messaging | Phone numbers, message content, contact names, delivery status | US/EU

Document Control

Version | Date | Author | Changes
1.0 | 22 February 2026 | Abdallah Al Shaqra (Interim DPO) | Initial version covering all 4 products
1.1 | 22 February 2026 | Abdallah Al Shaqra (Interim DPO) | Reclassification: Rekognition usage updated from biometric identity verification to profile photo extraction. Removed special category data classification. Added B2B2C data processing model section. Updated lawful bases.
1.2 | 22 February 2026 | Abdallah Al Shaqra (Interim DPO) | Updated “Terms of Use” references to “Terms of Service” (TOS-2026-001) to align with the unified Terms of Service document covering all Keyflow products.

Review Schedule: Annually at minimum, or when processing activities change materially.

Next review date: 22 February 2027


This Policy was last updated on 22 February 2026.

Keyflow Technology Ltd, DIFC License CL-12435, Unit GA-00-SZ-01-FX-07, Level 1, Gate Avenue - South, DIFC, Dubai, UAE