GDPR & PDPL Compliance

Last updated: May 2026

Qiyada is built around UAE Personal Data Protection Law (PDPL) and EU General Data Protection Regulation (GDPR) principles. This page summarises our commitments, our role as a controller and processor, and how you can exercise your rights.

1. Our role

  • We act as a data controller for personal data you provide directly to use the Services (account, KYC, financing application, communications).
  • We act as a data processor for data we handle on behalf of your business (e.g. employee payroll, accounting records, customer invoices) and only on documented instructions from you.

2. Principles we follow

  • Lawfulness, fairness and transparency.
  • Purpose limitation: data is only used for the purposes disclosed in our Privacy Policy.
  • Data minimisation: we collect only what is necessary.
  • Accuracy: you can update inaccurate data at any time.
  • Storage limitation: defined retention periods, with secure deletion or anonymisation.
  • Integrity and confidentiality: encryption, RLS, MFA, audit logging.
  • Accountability: documented policies, DPIAs for high-risk processing, vendor due diligence.

3. Your rights

  • Right of access to your personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure (subject to legal retention obligations).
  • Right to restrict or object to processing.
  • Right to data portability for data you provided.
  • Right to withdraw consent at any time, without affecting prior processing.
  • Right to lodge a complaint with the UAE Data Office or your local data protection authority.

4. How to exercise your rights

Email privacy@qiyada.biz with your request. We respond within 30 days. We may request proof of identity to protect your data.

5. Sub-processors

We use vetted sub-processors for cloud hosting, KYC verification, communications, accounting and payroll software, analytics and customer support. A current list is available on request. Each sub-processor is bound by a data processing agreement and equivalent safeguards.

6. International transfers

Data is hosted in the Middle East region by default. Transfers outside the UAE use standard contractual clauses, adequacy decisions or explicit consent. We do not transfer personal data to jurisdictions without an appropriate safeguard.

7. Breach notification

In the event of a personal data breach likely to result in a risk to your rights, we notify the relevant authority within 72 hours and affected individuals without undue delay, in line with PDPL and GDPR.

8. Data Protection Officer

Our DPO can be reached at dpo@qiyada.biz for any privacy concern, DPIA support or supervisory authority communication.