Privacy Policy
Last updated: May 11, 2026
1. Who We Are
Hadar Real Estate (“Hadar,” “we,” “us”) provides a business-to-business SaaS CRM platform built for real estate brokerages operating in Dubai and the wider GCC region. This Privacy Policy describes how we handle personal data both as a controller (for our own business operations such as account registration and billing) and as a processor (when we process leads, contacts and communications on behalf of our broker customers).
Hadar Real Estate
Dubai, United Arab Emirates
General contact: privacy@hadar-ai.com
Data Protection Officer: dpo@hadar-ai.com
2. Personal Data We Collect
The categories of personal data we process depend on whether you are a customer (broker), an end user invited by a customer, or a lead managed inside a customer’s tenant.
- Account & identity data: name, work email, phone number, role, organisation name, country, password hash.
- Lead & contact data: name, email, telephone number, property preferences, budget, source channel, agent assignment, lead score and status.
- Communications: WhatsApp, Telegram, SMS and email message content, attachments, voice call recordings and transcriptions, chat widget conversations, AI agent reply history.
- Documents & files: identification copies, contracts, MoUs, property listings or marketing assets uploaded by the broker or shared by leads.
- Billing data:billing email, VAT/TRN number, invoice history, last 4 digits and brand of payment instrument (full card data is handled exclusively by our merchant of record — we never store it).
- Technical & usage data: IP address, browser, device, operating system, session timestamps, audit log entries, feature usage metrics.
- Cookies: strictly necessary cookies for session and CSRF, plus a small preferences cookie for locale. See our Cookies Policy.
3. Lawful Basis for Processing
We rely on the following lawful bases under GDPR (and equivalent UAE PDPL bases):
- Performance of a contract— to deliver the platform you subscribed to, manage your tenant, run AI workflows you triggered, and process payments.
- Legitimate interests— to keep the service secure, prevent abuse, and improve the product. Where we rely on legitimate interests we balance them against your rights and freedoms.
- Legal obligation— to retain tax invoices, AML records, and respond to lawful requests from regulators.
- Consent— for non-essential cookies, marketing emails to non-customers, and any voice or video recording where consent is required by local law. You may withdraw consent at any time.
- Processor instructions— for lead and communication data we process on behalf of broker customers under their own lawful basis, governed by our Data Processing Agreement.
4. How We Use Personal Data
- Provide and operate the Hadar platform: lead management, AI chat, voice agents, WhatsApp / Telegram / email automation, document handling and analytics.
- Run the AI features you enable. Lead messages, transcripts and contextual data are sent to our model providers (OpenAI, Anthropic, Google) over encrypted channels and are not used to train third-party models.
- Authenticate users, enforce tenant isolation, monitor for abuse, and keep audit trails required for security and compliance.
- Generate invoices, collect payments, and meet UAE FTA tax obligations.
- Send transactional communications (billing, security alerts, product changes, and account notifications). Marketing emails to customers can be unsubscribed at any time.
- Improve the service through aggregated, de-identified analytics — never to profile individual leads.
5. How We Share Personal Data
We do not sell personal data. We share it only with sub-processors that help us deliver the service, all bound by written agreements with confidentiality and security obligations equivalent to ours.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | PostgreSQL hosting, file storage, auth | EU / United States |
| Vercel | Application hosting (London lhr1) | United Kingdom |
| OpenAI | GPT models, Whisper speech-to-text | United States |
| Anthropic | Claude language models | United States |
| Google AI | Gemini language models | United States / EU |
| VAPI | AI voice agent and telephony orchestration | United States |
| ElevenLabs | Voice synthesis and conversational voice agent | United States |
| HeyGen | AI avatar video generation | United States |
| Resend | Transactional email delivery | United States / EU |
| Sentry | Error monitoring and performance telemetry | United States / EU |
| Upstash | Rate limiting and Redis caching | EU / United States |
| LemonSqueezy / Creem | Merchant of record, payment processing, invoicing | United States / EU |
We may also disclose personal data when required by law, court order, or to protect the rights, property or safety of Hadar, our customers, or the public.
6. International Data Transfers
Our infrastructure is centred in the United Kingdom (Vercel lhr1) with database storage in the European Union, but several sub-processors are located outside the UAE and the EEA. Where personal data is transferred internationally we rely on appropriate safeguards:
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA to non-adequate jurisdictions.
- UK International Data Transfer Addendum where the UK GDPR applies.
- Equivalent contractual safeguards for transfers governed by UAE PDPL and DIFC Data Protection Law No. 5 of 2020.
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all transfers.
7. Retention
Retention periods depend on the nature of the data and the lawful basis for processing. The following table sets out the default periods we apply across the platform; customer tenants may configure shorter periods where their own policy requires it.
| Data category | Retention period | Legal basis |
|---|---|---|
| User account data | Active + 12 months after deactivation | Contract |
| Lead records | 12 months from last contact | Legitimate interest |
| Lead memory (AI context) | 12 months | Legitimate interest, soft-cap |
| Interactions log | 24 months | Legitimate interest |
| Identity links (cross-channel matching) | 60 months | UAE FTA Federal Decree-Law No. 8 of 2017 |
| Voice call recordings | 12 months | Legitimate interest |
| Voice transcriptions | 24 months | Legitimate interest |
| Chat conversations | 24 months | Legitimate interest |
| WhatsApp messages | 24 months | Legitimate interest |
| Tax invoices and credit notes | 84 months (7 years) | UAE FTA mandate |
| Wallet transactions | 84 months | UAE FTA mandate |
| Audit logs | 24 months active + 60 months archived | Legitimate interest, breach forensics |
| Cookie consent records | 36 months | GDPR Art. 7 consent demonstrability |
| GDPR request records | 60 months | GDPR Art. 12 demonstrability |
| Marketing consent | Until withdrawal + 3 months | GDPR Art. 7 |
| Encrypted backups | Up to 35 days before being overwritten | Legitimate interest |
| Account closure (customer tenant) | Exported on request; otherwise deleted within 60 days | Contract / Legal obligation |
After the applicable retention period, personal data is securely deleted or anonymized.
8. UAE Personal Data Protection Law
For users residing in the United Arab Emirates, this Privacy Policy is also governed by the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “PDPL”). Under PDPL you have the following rights:
- Right to access your personal data (PDPL Art. 13)
- Right to rectification of inaccurate data (PDPL Art. 15)
- Right to erasure (“Right to be Forgotten”, PDPL Art. 16)
- Right to restrict processing (PDPL Art. 17)
- Right to data portability (PDPL Art. 18)
- Right to object to automated decision-making (PDPL Art. 19)
Cross-border transfers within GCC countries follow the GCC Data Protection Treaty 2023. Other transfers require explicit consent or contractual safeguards as per PDPL Art. 22.
To exercise PDPL rights or file a complaint, contact:
- Hadar DPO: dpo@hadar-ai.com
- UAE Data Office (regulator): https://uaedataoffice.gov.ae
9. Automated Decision-Making and AI Processing
Hadar uses artificial intelligence (LLMs, voice agents, automated lead scoring) to assist real estate brokers in their work. Specifically:
- Lead scoring:AI assigns a numerical score to incoming leads based on message content, channel, language, and stated interests. This score is advisory — final qualification decisions are made by human brokers.
- AI chat / voice / WhatsApp responses:AI may generate first-touch responses to inbound inquiries. These responses are based on the broker’s training data and follow a system prompt. AI responses are flagged in the audit log as
source: ‘ai_generated’. - Property matching: AI matches incoming lead preferences to listings. This is a recommendation, not an automated decision affecting legal rights.
Under GDPR Article 22 and UAE PDPL Article 19, you have the right to:
- Request human intervention in any AI-driven interaction
- Object to automated processing entirely (we will route you to human-only channels)
- Request an explanation of how the AI reached a particular decision
To opt out of AI processing on your interactions, contact us at privacy@hadar-ai.com or your assigned broker.
10. Your Rights
Subject to UAE PDPL, EU GDPR and any other applicable law, you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate or incomplete data.
- Request erasure (“right to be forgotten”).
- Receive your data in a portable, machine-readable format.
- Object to or restrict certain processing activities.
- Withdraw consent at any time, where consent is the lawful basis.
- Lodge a complaint with the UAE Data Office or your local supervisory authority.
If your personal data is held by a Hadar customer (for example, you are a lead managed inside a broker’s tenant), please contact that broker first — they are the controller. We will support them in fulfilling your request.
11. How to Exercise Your Rights
Email our Data Protection Officer at dpo@hadar-ai.com with the subject line “Data Subject Request”.
We respond within 30 days. We may need to verify your identity before disclosing personal data. There is no fee unless the request is manifestly unfounded or excessive.
12. Cookies
We use a small number of strictly necessary cookies (session, CSRF) and a preferences cookie for locale. Detailed information is in our Cookies Policy.
13. Children
Hadar is a B2B platform intended for licensed real estate professionals. We do not knowingly process personal data of anyone under 18 years of age. If you believe a minor has provided personal data through our platform, contact us at privacy@hadar-ai.com and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy as our service or applicable law evolves. Material changes will be notified by email to active customers and posted on this page with a new “Last updated” date at the top.
15. Contact
Hadar Real Estate — Privacy
General: privacy@hadar-ai.com
Data Protection Officer: dpo@hadar-ai.com
Address: Dubai, United Arab Emirates