How We Handle Personal Data

Nexa Luna Solutions is the data controller responsible for the personal data collected through this corporate website (nexalunasolutions.com) and through the consumer-facing platforms that we own and operate. Each operated platform may publish its own platform-specific privacy notice, which applies in addition to this Policy.

For all privacy-related enquiries, contact: privacy@nexalunasolutions.com.

Depending on how you interact with us, we may collect:

• Identification & contact data: name, company name, email, phone number, country.
• Communications data: messages submitted via the contact form, email correspondence, support tickets.
• Technical & device data: IP address, browser type, device identifiers, language, time-zone, referring URL.
• Usage data: pages visited, interactions, session duration, performance and diagnostic logs.
• Transactional data (operated platforms only): order, subscription and payment metadata processed by licensed payment service providers.

We do not knowingly collect special-category data (e.g. health, religious or biometric data) through this corporate website. We do not knowingly process the personal data of minors under 18 without verifiable parental or guardian consent.

We process personal data only where we have a lawful basis under the PDPL, namely:

• Consent — for marketing communications, optional analytics, and non-essential cookies.
• Performance of a contract — to deliver services you have requested or subscribed to.
• Legal obligation — to comply with UAE tax, anti-money-laundering, and regulatory requirements.
• Legitimate interests — for fraud prevention, network security, platform improvement, and corporate communications, subject to a balancing test.

We use personal data to:

• Respond to enquiries submitted via the contact form;
• Operate, secure, monitor and improve our website and platforms;
• Comply with UAE law, regulatory requests and lawful court orders;
• Detect, prevent and investigate fraud, abuse and cyber-incidents;
• Send service updates and, where permitted, marketing communications you can opt out of at any time.

We do not sell personal data. We may share personal data with:

• Vetted processors providing hosting, analytics, communications, payments and support services, under written data-processing agreements;
• Professional advisers (legal, audit, compliance) under confidentiality obligations;
• Competent UAE authorities where required by law, including under Federal Decree-Law No. 34 of 2021 on Cybercrimes and Federal Decree-Law No. 20 of 2018 on Anti-Money-Laundering.

Where personal data is transferred outside the UAE, we ensure the transfer is permitted under the PDPL — either because the destination country provides an adequate level of protection as recognised by the UAE Data Office, or because appropriate safeguards (such as standard contractual clauses, binding corporate rules, or explicit consent) are in place.

We retain personal data only for as long as necessary for the purposes set out in this Policy and to comply with our legal obligations under UAE commercial, tax and AML legislation (typically a minimum of five (5) years for financial and transactional records). When no longer required, data is securely deleted or irreversibly anonymised.

We implement appropriate technical and organisational measures — including encryption in transit (TLS), access controls, least-privilege principles, secure development practices, monitoring and incident-response procedures — to protect personal data against unauthorised access, loss, alteration or disclosure.

Subject to the PDPL and its exemptions, you have the right to:

• Be informed about, and access, your personal data;
• Request rectification of inaccurate or incomplete data;
• Request erasure of your personal data;
• Restrict or object to certain processing activities;
• Request data portability where technically feasible;
• Withdraw consent at any time, without affecting prior lawful processing;
• Lodge a complaint with the UAE Data Office.

To exercise any of these rights, email privacy@nexalunasolutions.com. We respond within the statutory time-frame set by the PDPL Executive Regulations.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, Nexa Luna will notify the UAE Data Office and affected data subjects without undue delay, in accordance with the PDPL and its Executive Regulations.

We may update this Privacy Policy from time to time. The “Effective date” at the top reflects the latest revision. Material changes will be communicated through this website or by direct notification where appropriate.