Legal - Privacy Policy
How Formenzo collects, stores, and protects your personal data. Compliant with UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
Effective date: 25 April 2026 · Last updated: 25 April 2026 · Review cadence: annually, or sooner if a sub-processor or processing activity changes.
1. Who we are
Formenzo is a product operated by Formenzo FZE, licensed in the Sharjah Research, Technology and Innovation Park (SRTIP) free zone, United Arab Emirates (“Formenzo”, “we”, “us”). We are the controller of personal data described below.
For privacy-related queries, contact our Data Protection Contact at [email protected] or via WhatsApp at +971 58 829 3781. We are appointing a Data Protection Officer; once registered, the DPO’s name and contact will be published on this page.
2. What data we collect
- Identity data: full name, passport copy, Emirates ID, nationality, date of birth, photograph.
- Contact data: email, WhatsApp number, phone number, address.
- Company data: business name, activity, shareholders, ownership %, address of operation.
- Financial data: source of funds declarations, bank statements (when required for KYC/AML).
- Usage data: IP address, browser type, pages visited, assessment answers, anonymous product analytics.
- Device data (mobile app): push notification tokens, biometric authentication state (yes/no — biometric templates are never sent to our servers).
3. Why we collect it
- To form your UAE company (contractual necessity).
- To apply for residence visas and Emirates ID on your behalf.
- To open corporate bank accounts with our partner banks.
- To comply with UAE Anti-Money Laundering (AML), UBO, and ESR regulations.
- To communicate case status via email, WhatsApp, and in-app notifications.
- To improve our service through anonymized usage analytics.
4. Legal basis (UAE PDPL Art 5/6)
- Consent: for marketing communications, optional analytics, and pre-contract lead capture.
- Contract performance: to deliver the company-formation service after you have engaged us.
- Legal obligation: AML/KYC compliance, tax-authority filings, UBO disclosures.
- Legitimate interest: fraud prevention, security monitoring, service improvement — balanced against your rights as the data subject.
Where you can withdraw consent (marketing, optional analytics), withdrawal is one click and does not affect obligations that rely on other lawful bases (e.g. AML retention).
5. Sensitive personal data (UAE PDPL Art 9)
Passport, Emirates ID, financial source-of-funds documents, and bank statements are sensitive personal data under PDPL Art 9. Before any sensitive document is uploaded, we capture an explicit, separate consent that lists:
- The categories of sensitive data being processed.
- The specific sub-processors that may see the document (storage, AI OCR provider, free-zone authority recipient).
- The retention period (see §10) and your right to withdraw consent — subject to AML/KYC obligations that require continued retention even after withdrawal.
Your sensitive-data consent is version-stamped and stored against your account; you can review the version you accepted by emailing [email protected].
6. Data residency & storage
We are transparent about where your data physically lives. Different categories sit in different regions because each sub-processor has its own infrastructure footprint:
- Application database (case data, profile, leads): Neon Postgres — encrypted at rest (AES-256), hosted in the EU (Frankfurt). Daily backups retained 7 days.
- Identity-document storage (passport, EID, bank letters): Cloudflare R2, S3-compatible object storage. Documents are encrypted at rest, accessed only via short-lived signed URLs (5-minute expiry), and every access is audit-logged. Region is global edge.
- AI-processing of identity documents: Microsoft Azure OpenAI, UAE-North region (in-country) for data-residency alignment.
- Authentication: Clerk, hosted in the United States.
- Email delivery: Resend, hosted in the United States.
- Application hosting (web, portal, ops): Hostinger VPS, Frankfurt.
All data in transit is protected with TLS 1.3. We do not ship raw biometric templates anywhere — biometric authentication on the mobile app is handled by your device’s secure enclave; we only see a yes/no result.
7. Sub-processors & international transfers
We share data only with trusted processors necessary to deliver our services. Each sub-processor is bound by a data-processing agreement that mirrors the protections you receive directly from us.
Cross-border transfer notice: several of our sub-processors are based outside the UAE. Where data leaves the UAE, we rely on contractual safeguards (DPA + standard contractual clauses) and, where available, region-pinning to the EU rather than the US. By using our service you consent to these transfers. You may withdraw consent for non-essential transfers (analytics, marketing) at any time.
| Sub-processor | Purpose | Region |
|---|---|---|
| Neon | Application database (encrypted Postgres) | EU (Frankfurt) |
| Cloudflare R2 | Document storage (signed URLs) | Global edge |
| Microsoft Azure OpenAI | AI processing of documents and chat | UAE North (in-country) |
| Clerk | Authentication, identity, 2FA | US |
| Resend | Transactional and consented marketing email | US |
| Stripe | Payment processing | US / IE |
| Sentry | Error tracking (PII scrubbing applied before send) | EU (Germany) |
| PostHog | Privacy-respecting product analytics | EU (Germany) |
| Expo | Mobile push notifications + over-the-air updates | US |
| Hostinger | Application hosting | EU (Frankfurt) |
| Free-zone authorities & UAE government portals | License + visa + EID filings (IFZA, Meydan, DMCC, RAKEZ, SHAMS, DAFZA, ADGM, Tasheel, Amer, GDRFA, ICA, DHA) | UAE |
| Banking partners | Account opening (WIO, Mashreq, Emirates NBD, RAKBANK, ADCB, FAB, HSBC) | UAE |
| Federal Tax Authority (FTA) | VAT and Corporate Tax registration | UAE |
We never sell your data. We never share with third-party advertisers. We never use your data to train third-party AI models.
8. AI & automated processing (UAE PDPL Art 19)
We use AI to (1) extract structured fields from identity documents you upload (OCR), (2) suggest UAE free zones based on your assessment answers, (3) answer questions in our customer-support chat. AI processing runs on Microsoft Azure OpenAI in UAE-North.
None of these decisions is fully automated. A human Formenzo specialist reviews and approves every step that affects you (the zone you ultimately form in, the documents we file, the bank account application). You have the right under PDPL Art 19 to:
- Know that AI was used in suggesting an outcome to you.
- Request a human review of any AI-assisted decision.
- Express your point of view and contest the decision.
To exercise any of these rights, email [email protected].
9. Your rights under UAE PDPL
We respond to every rights request within 30 days at no charge. You have the right to:
- Access your personal data and receive a machine-readable export.
- Correct inaccurate data.
- Delete your data (right to be forgotten), subject to legal retention requirements (see §10).
- Object to processing for marketing purposes — one-click unsubscribe in every email.
- Restrict processing while a dispute is resolved.
- Portability — export in machine-readable format including the documents you uploaded.
- Withdraw consent at any time.
- Human review of any AI-assisted decision.
- Lodge a complaint with the UAE Data Office if you believe we have not honoured these rights.
To exercise any right, email [email protected]. We may ask you to verify your identity (typically via the email associated with your account) before acting on a request that involves disclosure or deletion.
10. Retention period
We retain your data for the duration of our service relationship plus 7 years after, to comply with UAE Commercial Companies Law record-retention requirements (Federal Decree-Law 32 of 2021). KYC records may be retained up to 10 years under AML law.
On account deletion we tombstone-anonymise your application record (the contract trail required for retention stays; personally-identifying fields are scrubbed). Document blobs in storage that are not subject to AML retention are queued for deletion within 30 days.
11. Security & breach notification
We use industry-standard security: TLS 1.3 for data in transit, AES-256 at rest, role-based access control, mandatory two-factor authentication for staff with customer-data access, audit logging of every read and write, and security-event scrubbing of personally-identifying fragments before errors reach our diagnostic tools.
If we discover a personal-data breach that is likely to harm you, we will notify the UAE Data Office within 72 hours and notify affected data subjects without undue delay, in accordance with UAE PDPL Art 22.
12. Cookies & analytics
We use essential cookies (session, CSRF protection, preference storage) and a privacy-respecting product analytics tool (PostHog, EU-hosted) to understand site usage. We do not set third-party advertising pixels (no Facebook, Google Ads, TikTok pixels). See our Cookie Policy for the full list.
13. Minors
Formenzo is a B2B service intended for use by adults (21+ in the UAE context) acting in the course of business. We do not knowingly collect personal data from minors. If you believe a minor has submitted personal data through our service, contact [email protected] and we will delete it.
14. Changes to this policy
We will notify you of material changes via email and via a banner on our website. The current version is always posted at formenzo.com/privacy with a last-updated date. Changes are never retroactive: a processing activity that was not disclosed when you uploaded data will not begin without your renewed consent.
Contact
Data Protection Contact
Formenzo FZE
Sharjah Research, Technology and Innovation Park (SRTIP)
United Arab Emirates
Email: [email protected]
UAE Data Office complaint portal: tdra.gov.ae.