Privacy Policy

Scope: This Privacy Policy explains how Listi Partners Portal("Listi", "we", "us", or "our"), a sole establishment licensed and operating in Dubai, UAE under the Department of Economy and Tourism (DET), Licence No. 1523229 (E-Trader Professional category), collects, uses, discloses, and protects personal data in connection with the platform operated at listi.ae (the "Platform"). The names "Listi" and "Listi.ae" and associated logos are trademarks of Listi Partners Portal. Trademark registration is currently in process in the UAE. All rights in these marks are reserved pending registration.

We process personal data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") and other applicable UAE laws, including Federal Law No. 15 of 2020 on Consumer Protection and Federal Decree-Law No. 46 of 2021 on Electronic Transactions and Trust Services.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is Listi Partners Portal, a sole establishment registered in Dubai, United Arab Emirates under DET Licence No. 1523229. Our registered address is Dubai, UAE.

• General enquiries: hi@listi.ae
• Privacy and data protection enquiries, rights requests, complaints: privacy@listi.ae

2. Who This Policy Applies To

This Policy applies to:

• Users and Referrers who register an account on the Platform to browse listings, contact businesses, or refer potential customers;
• Businesses that list their services on the Platform;
• Third-party individuals whose details are submitted to us by a Referrer as part of a referral (see Section 5); and
• Visitors who browse the Platform without registering.

The Platform is intended for individuals aged 18 years or older. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will delete it promptly.

3. Personal Data We Collect

3.1 Account and Profile Data

• Full name, email address, phone number (where provided), and role (User, Referrer, or Business);
• Password credentials (stored as a one-way hash — never in plain text);
• LinkedIn profile URL and publicly available LinkedIn data (name, profile URL, headline, profile photo) for mandatory identity verification;
• Profile photo, biography, and any optional information you choose to add to your profile.

3.2 Business Listing Data

• Business (trade) name, description, services offered, reward amounts, business contact information, logo, and listing images;
• Trade licence number and issuing authority (to verify that the Business is legally permitted to operate in the UAE);
• Authorised representative name and contact details.

3.3 Communication Data

• Messages, attachments, and links exchanged between Users, Referrers, and Businesses through the in-platform messaging feature (InternChat);
• Emails, notifications, and other correspondence with Listi support.

3.4 Referral and Transaction Metadata

• Records of referrals submitted, clicks, business introductions, and the status of each referral;
• Details that a Referrer chooses to share about a third party (see Section 5).

3.5 Payment Data (Premium Plan and Paid Listings)

• We do not store full card details. Payments are processed by Stripe, Inc. (PCI-DSS compliant) on our behalf;
• We retain a record of the transaction (amount, currency, last four digits of the card, timestamp, and Stripe reference) for tax, accounting, and fraud-prevention purposes.

3.6 Technical and Usage Data

• IP address, browser type and version, device identifiers, operating system, referring URL, and approximate location derived from IP;
• Pages visited, features used, session duration, click and scroll events, and error logs;
• Cookies and similar technologies, as described in our Cookie Policy.

3.7 Sensitive Personal Data

We do not knowingly collect or process sensitive personal data (such as health data, biometric data, racial or ethnic origin, religious beliefs, or criminal record data) unless required by applicable law. Where processing of sensitive personal data ever becomes necessary, we will obtain explicit consent and implement appropriate safeguards in line with Article 5 of the UAE PDPL.

4. Legal Basis for Processing

We process personal data on one or more of the following lawful bases under Article 5 of the UAE PDPL:

• Consent — for LinkedIn verification, marketing communications, optional profile sharing, and analytics/advertising cookies;
• Contract — to create and operate your account, display listings, process payments, deliver referral services, and provide customer support;
• Legal obligation — to comply with UAE tax, consumer-protection, anti-money-laundering, and record-keeping requirements;
• Legitimate interest — for platform security, fraud prevention, abuse investigation, service improvement, and analytics (balanced against your rights and freedoms).

5. Referred-Person Data (Important)

When a Referrer submits a referral, they may share limited personal data about a third party — typically a name, phone number, and/or email — so that a Business can follow up.

• Referrers' responsibility.If you are a Referrer, you confirm and warrant that you have the referred person's prior consent to share their personal data with Listi and with the relevant Business, and that the data you provide is accurate.
• How we handle it.Listi acts as a data processor on behalf of the Referrer and the Business in respect of referred-person data. The referred person's data is transmitted only to the specific Business the Referrer selected and is not used for any other purpose.
• Rights of referred individuals. If your details were shared on the Platform without your knowledge or consent, you may contact us at privacy@listi.ae to request deletion, correction, or further information. We will action such requests in accordance with the UAE PDPL.
• Retention of referred-person data. We retain referred-person data for up to 24 months from the date of the referral, or until the referred person requests deletion, whichever is earlier.

6. How We Use Your Personal Data

• To create, authenticate, and manage your account (including OTP email verification and LinkedIn verification);
• To publish Business listings and display them to Users and Referrers;
• To facilitate messaging, referrals, and follow-ups between Users, Referrers, and Businesses;
• To process payments, issue invoices, and maintain tax and accounting records;
• To send service notifications, security alerts, password resets, and other transactional communications;
• To send marketing communications where you have opted in (you may unsubscribe at any time via the link in any marketing email);
• To monitor, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms;
• To improve the Platform, analyse usage, and develop new features;
• To comply with legal obligations and respond to lawful requests from UAE authorities.

7. How We Share Your Personal Data

We do not sell your personal data. We share personal data only as described below:

7.1 With Other Platform Users

• When a Referrer submits a referral to a Business, the Referrer's name and selected contact details (and any referred-person details) are shared with that Business.
• Business contact details and listing information are displayed publicly to Platform visitors.
• Profile information you choose to make visible (including the LinkedIn Verified badge, if enabled) is shown to other Platform users.

7.2 With Our Service Providers and Sub-Processors

We use the following sub-processors to operate the Platform. Each is bound by contractual data-protection obligations:

• Supabase(Supabase Pte. Ltd., Singapore) — database, authentication, real-time messaging, and storage infrastructure. Data is hosted in Supabase's Mumbai, India region. Supabase uses its own authorised sub-processors, including Amazon Web Services, Cloudflare, and OpenAI LLC (for natural-language features within Supabase's own infrastructure).
• Vercel, Inc. (United States) — web hosting, edge delivery, and application deployment.
• Stripe, Inc. (United States) — payment processing for Premium Plan subscriptions and paid listing plans. Stripe is PCI-DSS compliant and handles cardholder data directly.
• Email delivery providers — for transactional emails (account verification, OTPs, password resets, notifications) and marketing emails where consent has been given.
• Google LLC — Google Business Profile verification and, where enabled, site analytics. No personal data is transmitted to Google for profile verification purposes.

7.3 With Legal and Regulatory Authorities

We may disclose personal data to UAE authorities, courts, or regulators where we are legally required to do so, or where disclosure is necessary to protect our rights, property, or the safety of users or the public.

7.4 In Connection with a Business Transfer

If Listi is ever involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users and ensure any recipient is bound by protections at least equivalent to those in this Policy.

8. International Transfers of Personal Data

Because several of our sub-processors operate outside the UAE (for example, Supabase stores Listi's data in Mumbai, India, and Vercel and Stripe are headquartered in the United States), your personal data may be transferred to and processed in countries outside the UAE.

Where this occurs, we rely on appropriate safeguards in line with Article 22 and 23 of the UAE PDPL, including contractual commitments (Data Processing Agreements, Standard Contractual Clauses where applicable), recipient jurisdictions with adequate protection regimes, or your explicit consent where required.

9. How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected. Typical retention periods are:

Longer retention may apply where required by law, to resolve a dispute, or to enforce our agreements.

10. How We Protect Your Personal Data

We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction, including:

• Encryption of data in transit (HTTPS/TLS) and at rest (managed by our infrastructure providers);
• Role-based access control and row-level security policies within our database;
• Password hashing using industry-standard algorithms (we never store plaintext passwords);
• One-time password (OTP) email verification at sign-up;
• Regular security reviews, dependency audits, and static code analysis;
• Access logging, anomaly detection, and rate-limiting to deter automated abuse;
• Contractual data-protection commitments with our sub-processors.

No system is completely secure. If you believe your account has been compromised or you have identified a security concern, please contact us immediately at privacy@listi.ae.

11. Data Breach Notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:

• Take immediate steps to contain and investigate the incident and, where possible, restore affected data;
• Notify the UAE Data Office without undue delay where required by Article 9 of the UAE PDPL;
• Notify affected users, typically by email, with information about the nature of the breach, the data involved, the likely consequences, and the steps we are taking.

12. Your Rights Under the UAE PDPL

Subject to the conditions and limitations in the UAE PDPL, you have the following rights in relation to your personal data:

• Right of access — obtain confirmation of whether we process your personal data and a copy of that data;
• Right to correction — correct inaccurate or incomplete personal data;
• Right to deletion — request deletion of your personal data where the legal grounds for retention no longer apply;
• Right to restrict processing — ask us to limit how we process your personal data in certain circumstances;
• Right to object — object to processing based on legitimate interests or for direct-marketing purposes;
• Right to data portability — receive your personal data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible;
• Right to withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing before the withdrawal.

To exercise any of these rights, email privacy@listi.ae from the address registered to your account. We will respond within 30 days. We may ask you to verify your identity before actioning a request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.

If you are not satisfied with our response, you may lodge a complaint with the UAE Data Office. You remain entitled to pursue any additional rights available to you under applicable law.

13. Marketing and Notifications

• Transactional communications (account verification, OTPs, security alerts, payment receipts, service notices) are part of the service and cannot be opted out of while your account is active;
• Marketing emails are sent only where you have opted in. You can unsubscribe at any time via the link at the bottom of any marketing email or by emailing privacy@listi.ae;
• Push and in-app notifications can be controlled in your device or browser settings and, where applicable, in your account dashboard.

14. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Platform, remember your preferences, analyse usage, and (where you consent) deliver relevant communications. Full details are set out in our Cookie Policy. Essential cookies are strictly necessary for the Platform to function; non-essential cookies are set only with your consent, which you can withdraw at any time via your browser settings.

15. Third-Party Links

The Platform may contain links to third-party websites (for example, LinkedIn, a Business's own website, or social-media pages). We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing any personal data.

16. Automated Decision-Making

We do not make decisions with significant legal or similar effect on you based solely on automated processing. Where we use automated tools (for example, spam filtering, duplicate-listing detection, or fraud screening), a human review step is available on request.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, our sub-processors, applicable law, or industry practice. When we make a material change, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or through the Platform before the change takes effect.

18. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the United Arab Emirates. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of the Emirate of Dubai, without prejudice to any mandatory protections available to you under UAE consumer protection or data protection law.

19. How to Contact Us

• General enquiries: hi@listi.ae
• Privacy, data protection, and rights requests: privacy@listi.ae
• Postal: Listi Partners Portal, Dubai, UAE