KeyFlow Privacy Policy
Effective: 22 July 2026 | Version: 2.0
KeyFlow Technology Ltd (trading as “KeyFlow”, “we”, “us”, “our”)
DIFC Commercial Licence CL-12435 · Unit GA-00-SZ-01-FX-07, Level 1, Gate Avenue South Zone, DIFC, Dubai, UAE
| Version | 2.0 |
| Effective date | 22 July 2026 |
| Supersedes | Version 1.x (published under a superseded domain; no longer in effect) |
| Canonical location | https://keyflowae.com/privacy-policy (linked from all KeyFlow products) |
| Data Protection Officer | Abdallah Alshaqra (interim) — privacy@keyflowae.com |
KeyFlow Technology Ltd is a company incorporated in the Dubai International Financial Centre (“DIFC”). We are committed to processing Personal Data in accordance with the DIFC Data Protection Law, DIFC Law No. 5 of 2020 (as amended) (“the DP Law”) and the DIFC Data Protection Regulations. This Policy explains what Personal Data we collect, why we collect it, how we process, store, transfer and protect it, and the rights you have. Capitalised terms not defined here have the meanings given in the DP Law.
This Policy applies from its effective date to all of the following (“the Services”):
- the KeyFlow marketing website at keyflowae.com;
- the next-generation Keyflow platform — the Arc, Atlas, Connect, Ledger, Console and Keys applications (web and iOS) used by real-estate agencies and their clients;
- the first-generation products LeaseFlow (leaseflow.me) and LeadsFlow (leadsflow.me), which remain in operation for existing agency customers while they migrate to the next-generation platform.
The first-generation product DealsFlow was discontinued on 15 July 2026 and held no Personal Data at discontinuation.
1. Scope and Application
1.1 Who this Policy is for
This Policy applies to everyone whose Personal Data we process through the Services, wherever in the world you are located: visitors to our website; staff of the real-estate agencies that use our platform (brokers, administrators, finance staff); the agencies' clients — tenants, landlords and property owners, buyers, sellers and prospective clients — including users of the Keys app; signatories to documents executed through the platform; and our business and supplier contacts.
1.2 The two roles KeyFlow plays — and why it matters to you
KeyFlow processes Personal Data in two distinct capacities, and your rights are exercised through a different door depending on which applies:
- KeyFlow as Controller. We decide the purposes and means of processing for: your platform account and verified identity, security and audit logging, session management, push-notification delivery, the handling of data-protection rights requests, our website, and our own corporate and supplier records. For this data, this Policy is your notice and KeyFlow is your point of contact.
- KeyFlow as Processor. The real-estate agency you deal with is the Controller of its own client records — its CRM entries, tenancy and sale records, messages, documents and financial records held in the platform. We process that data only on the agency's documented instructions under a written data processing agreement that complies with Article 24 of the DP Law. For this data, the agency is responsible for the lawfulness of the processing and for answering your rights requests, and we assist it in doing so. If you contact us about agency-held data, we will route your request to the agency without undue delay and support its response (see Section 6.5).
1.3 If you use the Keys app (tenants, owners, buyers) — in plain language
Keys is the client app of the Keyflow platform. If your agency invites you to use it:
- You sign in with UAE PASS, the UAE's national digital identity. You authenticate directly with UAE PASS, at your own initiation; we never see or hold a password for you. UAE PASS shares verified identity attributes with us (see Section 2.1).
- You can view your documents, receive offer letters, and sign contracts electronically through UAE PASS — again at your own request, for each individual document.
- If you set up rent auto-debit, the mandate is operated with our regulated payment partner. Your bank credentials never touch KeyFlow's systems; we hold only the mandate details (limits, validity window, authorisation and revocation records).
- Your tenancy, purchase and payment records in Keys belong to your agency's relationship with you: the agency is the Controller of those records and KeyFlow processes them on the agency's behalf. Your KeyFlow account itself (your verified identity, sessions, notification settings) is controlled by KeyFlow.
- Linking your Keys account to an agency's records happens under two-party control: you initiate the link with your UAE PASS-verified identity, and the agency explicitly approves it. No agency can see another agency's data about you.
1.4 Children
The Services are directed at adults engaged in real-estate business and transactions. We do not knowingly collect Personal Data from children, and no part of the Services is designed for or targeted at them.
2. Collection of Information
2.1 Information you give us, or that is verified at the source
Wherever possible we obtain identity data from official sources rather than asking you to type it in or upload scans:
- UAE PASS identity attributes (when you authenticate or sign): full name (English and Arabic), Emirates ID number, email address, mobile number, nationality, gender, identity-assurance level and UAE PASS identifier.
- Account and profile information you or your organisation provide: role, agency membership, RERA agent identifiers for brokers, notification preferences.
- Enquiries and correspondence: information you provide when you contact us, submit a form on our website, or communicate through the platform.
- Transaction information entered in the course of using the Services: tenancy and sale terms, invoices, payment and post-dated cheque records, auto-debit mandate details, maintenance requests, and documents generated or uploaded in the Services.
2.2 Information collected about you by your agency
Where you are a client or prospective client of a real-estate agency using our platform, the agency may record information about you in the Services (contact details, enquiry details, tenancy or transaction records). The agency is the Controller of that data (Section 1.2) and is responsible for informing you under Articles 29–30 of the DP Law; where required, notice is also given at our first communication with you through the platform.
2.3 Information we collect about you and your device
- Device information: for the iOS apps, a push-notification device token and basic device characteristics needed to deliver notifications.
- Log and session information: IP address, browser user agent, session identifiers (stored hashed), sign-in and sign-out events, and timestamps.
- Audit records: the platform keeps an append-only audit log of every data change — who did what, when, and from where — as a security and accountability measure.
- Website data: the marketing website is a static site; analytics data is collected only if you opt in (see Section 8).
We do not collect GPS or continuous location data through any of the Services.
2.4 Special Categories of Personal Data
We do not intentionally process Special Categories of Personal Data (such as data revealing racial or ethnic origin, beliefs, health or biometric identification data). UAE PASS performs any biometric verification inside its own service; we receive identity attributes only, not biometric data.
3. Use of Personal Data
We use Personal Data, in each case with a documented lawful basis under Article 10 of the DP Law, to:
- provide, maintain and improve the Services — operating accounts, agency workspaces, property and tenancy management, messaging, documents, e-signing, invoicing and payments (contract; consent for actions you initiate such as UAE PASS authentication, signing and auto-debit mandates);
- verify identity at the source — anchoring accounts on UAE PASS attributes and matching brokers against Dubai Land Department agent records (consent and contract);
- deliver operational notifications — service messages, signing requests, payment and tenancy notices (contract). Operational messages are not marketing and continue while you use the Services;
- send marketing communications only with your prior opt-in consent, which is never pre-ticked and is as easy to withdraw as to give (consent — see Section 6.1);
- maintain security, prevent fraud and keep evidence — access control, session management, tenant isolation, audit logging of every data change, incident investigation (legitimate interests, which the DP Law recognises for network and information security, and legal obligation);
- comply with legal and regulatory obligations — statutory record-keeping, tax and audit retention, responding to valid requests from public authorities (legal obligation — see Section 5.4);
- administer data-protection rights requests and keep the records the DP Law requires of us (legal obligation);
- notify you of changes to the Services, this Policy or our terms.
Where KeyFlow acts as Processor, we use agency-controlled data only as instructed by the agency and never for our own purposes.
4. Processing, Storage and Transfer of Personal Data
4.1 Fair and lawful processing
All processing is conducted fairly, lawfully and transparently in accordance with the DP Law. Each processing activity, its purpose and its lawful basis are documented in our Record of Processing Activities, which is maintained under Article 15 of the DP Law and available to the Commissioner of Data Protection.
4.2 Automated decision-making
We do not make any decision based solely on automated processing that produces legal effects concerning you or otherwise significantly affects you. The platform's automations — such as lead-assignment and reminder rules — are deterministic, human-defined rules, and no such automation produces legal or similarly significant effects without human involvement. AI-assisted features are not currently active on the platform; if and when they are activated, they will be introduced only with the controls required by Regulation 10 of the DIFC Data Protection Regulations (including impact assessment, user notices at first use and human review), and this Policy will be updated before their introduction.
4.3 Where your data is processed and stored
- Primary hosting: AWS Singapore (ap-southeast-1). Singapore is recognised as an adequate jurisdiction under Article 26 of the DP Law and Appendix 3 of the DIFC Data Protection Regulations, so this storage requires no additional transfer safeguard. Databases are encrypted at rest in private, isolated networks; documents are stored encrypted with public access blocked.
- Onshore UAE (outside the DIFC): certain flows go to UAE government services at your own initiation — UAE PASS authentication and digital signing (with your explicit consent and as necessary for the transaction you request, under Article 27(3) of the DP Law), and Dubai Land Department verifications (conducted under the government data-sharing procedure in Section 5.4). Documents transmitted for signing are limited to the signing transaction.
- Limited transfers to the USA: delivery of push notifications through Apple's notification service, minimised to the device token and the notification content. Meta/WhatsApp messaging is not currently active; if activated, it will operate only once safeguards compliant with Article 27 of the DP Law are in place.
- Legacy first-generation file storage for LeaseFlow and LeadsFlow partially remains in AWS UAE (me-central-1) under KeyFlow's sole control; that storage is being consolidated to Singapore, to be completed before the next-generation platform's production launch.
Every transfer jurisdiction is declared in our notification to the Commissioner of Data Protection. Any other transfer to a non-adequate jurisdiction would take place only under DIFC-approved safeguards (such as the DIFC Standard Contractual Clauses) or a specific derogation permitted by Article 27.
4.4 How long we keep Personal Data
We keep Personal Data in identifiable form no longer than necessary, under a documented Retention & Erasure Schedule. The key periods:
| Data | Retention |
|---|---|
| Account and identity records | Life of the account; erased (by anonymisation) on account closure or an executed erasure request |
| Sessions and session metadata (IP, user agent) | Hard-deleted 30 days after session expiry |
| Audit log | 7 years (deleted automatically thereafter) |
| Signed contracts and signing events | 15 years from execution (regulated-document horizon) |
| Financial records (invoices, payments, cheques) | Minimum 5 years (UAE VAT), within a 15-year envelope for property-transaction documents |
| Leads and unconverted contacts (agency-controlled) | Default: 2 years after last activity, subject to the agency's instructions |
| Messages (agency-controlled) | Life of the agency–client relationship + 2 years, subject to the agency's instructions |
| Rights-request records | 7 years, as compliance evidence |
When a retention period ends, or the lawful basis for processing lapses, data is securely deleted, anonymised or — where neither is possible (for example, backup snapshots pending expiry) — archived beyond use in accordance with Article 22 of the DP Law. Our standard erasure method is irreversible anonymisation, which removes your identity while preserving the integrity of financial and legal records that the law requires us to keep.
4.5 Accuracy
Identity attributes anchored on UAE PASS and Dubai Land Department records are verified at the source. You may ask us — or, for agency-held records, your agency — to correct inaccurate or incomplete data at any time (Section 6.3), and corrections are passed on to recipients of the data where required.
5. Sharing of Personal Data
5.1 Through the Services
Data you or your agency enter into the platform is visible to authorised users within that agency's workspace under its own access rules. Strict tenant isolation applies: no agency can see another agency's data. The only cross-boundary mechanism is client account linking in Keys, which requires both your UAE PASS-verified initiation and the agency's explicit approval.
5.2 Service providers (processors)
We disclose Personal Data to service providers who process it on our documented instructions under written agreements meeting Article 24 of the DP Law:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Infrastructure — compute, database, document storage, email delivery | Singapore (ap-southeast-1); legacy first-generation file storage in AWS UAE pending consolidation |
| Atlassian | Operational and support tooling | Cloud |
| Microsoft 365 | Corporate email | Cloud |
| Apple | Push-notification delivery | USA (device tokens and notification content only) |
| Lean Technologies | Payment initiation and account information services (currently sandbox/testing only) | UAE/ADGM |
| Meta Platforms | Lead Ads retrieval (where an agency connects its own account); WhatsApp messaging only when activated, with Article 27 safeguards in place first | USA |
5.3 Independent government services
UAE PASS / Digital Dubai and the Dubai Land Department are not our service providers. They are independent controllers of their own government services. You interact with UAE PASS directly when you authenticate or sign, under UAE PASS's own terms and privacy notice; we interface with the Dubai Land Department as a public authority under the procedure below.
5.4 Government data sharing and lawful disclosures
Where a public authority requests disclosure of Personal Data, we follow a mandatory procedure aligned with Article 28 of the DP Law: every request is verified for identity and legal basis, assessed for proportionality, narrowed to the minimum data necessary, disclosed only with written confidentiality assurances where practicable, recorded, and — where the data is agency-controlled — notified to the agency unless the law prohibits it. Where the validity of a request is in doubt, we may consult the Commissioner of Data Protection before responding.
5.5 Other disclosures
We may disclose Personal Data where required by Applicable Law (including fraud prevention), or in connection with a corporate transaction such as a merger or acquisition — in which case confidentiality protections apply and you will be notified where the law requires. We do not sell Personal Data, and we have no corporate group with which data is shared.
6. Your Rights and Choices
6.1 Marketing and preferences
Marketing communications are sent only with your prior opt-in consent, which is never pre-ticked. You may withdraw consent at any time — via the unsubscribe link in any marketing message, your account settings, or by contacting us — and withdrawal is as easy as giving consent was. Transactional and service messages (for example, signing requests and payment notices) are not marketing and continue while you use the Services.
6.2 Your rights under the DP Law
Under Articles 32–40 of the DP Law you have the right, at any time and for any reason, to:
- withdraw consent to processing based on consent (Article 32);
- access your Personal Data and receive a copy of it (Article 33);
- rectify inaccurate or incomplete data (Article 33);
- erasure of your data, where the legal grounds apply (Article 33);
- object to processing — including an absolute right to object to direct marketing (Article 34);
- restrict processing in the circumstances the DP Law defines (Article 35);
- data portability — receive the data you provided in a structured, commonly used, machine-readable format (Article 37);
- object to solely automated decisions producing legal or similarly significant effects, and require human review (Article 38 — noting that we make no such decisions, per Section 4.2); and
- lodge a complaint with the Commissioner of Data Protection at any time (contact details at the end of this Policy).
6.3 How requests are handled
- Requests are actioned free of charge and answered within one month of receipt. For complex or numerous requests the DP Law permits a two-month extension; if we need one, we will tell you within the first month, with reasons. A reasonable fee may be charged only for manifestly unfounded or excessive requests, or for extraordinary administrative costs, with written reasons.
- We verify your identity before disclosing data; where we have genuine doubt, the response clock pauses until identity is established. Other people's Personal Data is redacted from what we provide.
- You will never be discriminated against for exercising your rights (Article 39): we will not deny you the Services, or vary their price or quality, because you exercised a right.
6.4 Limits on erasure — stated prominently
Some records cannot be erased on request, and the DP Law requires us to tell you this clearly:
- Signed contracts are legally immutable documents: altering an executed, digitally signed contract would destroy its validity. Signed documents are retained for 15 years from execution.
- Audit-log entries are an append-only, tamper-evident security record and are retained for 7 years, after which they are deleted automatically.
- Financial records (invoices, payments, cheque records) are retained for their statutory periods and are never deleted on request during those periods.
In each case, when your erasure request is executed you disappear from all live, operational systems by irreversible anonymisation; what remains is a sealed historical record kept solely as legal evidence, protected by the same security as live data, used for no decision about you, and deleted when its statutory period ends. Any partial refusal of an erasure request is given to you in writing with its legal ground.
6.5 Data held for your agency
Where your request concerns records controlled by a real-estate agency (Section 1.2), the agency is responsible for the decision and we assist it: we will route your request to the agency without undue delay, and the platform provides the agency with the tools to respond within the statutory deadline. You may also approach the agency directly.
6.6 How to make a request
Use any of the contact methods in the Contact Us section below, or the self-service request workflow in the Keys app. Requests made through any channel are honoured.
7. Security Precautions
We protect Personal Data from the point of collection to the point of destruction with technical and organisational measures that include:
- encryption at rest and in transit (TLS 1.2+), with databases in private, isolated networks and document storage encrypted, versioned and blocked from public access;
- verified identity instead of passwords — platform users authenticate through UAE PASS, so we hold no passwords; session tokens are stored hashed and can be revoked remotely;
- least-privilege access — strict per-tenant isolation, capability-based authorisation with per-user restrictions, and production access limited to named personnel;
- accountability tooling — an append-only audit log of every data change; secrets held in a managed vault; deployment pipelines authenticated without static credentials; encrypted daily backups;
- processor flow-down — every service provider is bound by written contract to equivalent confidentiality and security obligations;
- incident management — a documented breach-response procedure providing for notification of the Commissioner of Data Protection and, where required by Article 42 of the DP Law, of affected individuals.
No transmission or storage system can be guaranteed 100% secure. While we apply the safeguards above and review them continuously, we cannot guarantee absolute security; you can help by keeping your UAE PASS credentials and devices secure and by telling us immediately at privacy@keyflowae.com if you suspect any misuse of your data or account.
8. Cookies
Cookies are small files placed on your device by a website. Consistent with the DP Law's data-minimisation requirements, the Services collect the bare minimum necessary:
- Essential cookies (always on) — strictly necessary for the Services to function: authentication, session management, security. These cannot be switched off, as the Services do not work without them.
- Analytics cookies (opt-in only) — used to understand aggregate site usage. These are off by default and set only if you opt in through the consent banner. You can change or withdraw your choice at any time via the cookie settings on the site; your choice is stored on your own device (in browser local storage under the key
keyflow_cookie_consent). - Advertising cookies — we do not use them.
You can also control cookies through your browser settings, including deleting existing cookies and blocking new ones; blocking essential cookies will prevent parts of the Services from working. General guidance on cookies is available at aboutcookies.org.
9. External Links
The Services may contain links to third-party websites and services (for example, UAE PASS, government portals or an agency's own website). This Policy does not apply to those third parties, and we are not responsible for their content or privacy practices. Review the privacy notice of any third-party service before providing Personal Data to it.
10. Changes to this Policy
We may update this Policy from time to time. The current version, with its effective date, is always published at https://keyflowae.com/privacy-policy, and every KeyFlow product links to it. If we make significant changes — including any change to the purposes of processing, the jurisdictions data is transferred to, or the introduction of AI-assisted features under Section 4.2 — we will give notice through the Services (website notice, in-app notice or email) before the change takes effect. This version 2.0, effective 22 July 2026, replaces all previous versions, including those published under a superseded domain.
Contact Us
You can contact us about this Policy, our processing of your Personal Data, or to exercise any of your rights, through any of the following methods (the DP Law requires us to offer at least two — we offer three):
1. Email: privacy@keyflowae.com
2. Post: Data Protection Officer, KeyFlow Technology Ltd, Unit GA-00-SZ-01-FX-07, Level 1, Gate Avenue South Zone, DIFC, Dubai, UAE
3. In-app: the self-service data-request workflow in the Keys app
Data Protection Officer (appointed under Article 16 of the DP Law): Abdallah Alshaqra (interim DPO) — privacy@keyflowae.com.
If you are not satisfied with our response, or wish to raise a concern directly, you have the right to lodge a complaint at any time with the Commissioner of Data Protection:
Commissioner of Data Protection
Dubai International Financial Centre Authority
Level 14, The Gate Building, DIFC, Dubai, UAE
Telephone: +971 4 362 2222
Email: commissioner@dp.difc.ae
Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 22 February 2026 | Abdallah Al Shaqra (Interim DPO) | Initial version covering all 4 products |
| 1.1 | 22 February 2026 | Abdallah Al Shaqra (Interim DPO) | Reclassification: Rekognition usage updated from biometric identity verification to profile photo extraction. Removed special category data classification. Added B2B2C data processing model section. Updated lawful bases. |
| 1.2 | 22 February 2026 | Abdallah Al Shaqra (Interim DPO) | Updated “Terms of Use” references to “Terms of Service” (TOS-2026-001) to align with the unified Terms of Service document covering all Keyflow products. |
| 2.0 | 22 July 2026 | Abdallah Alshaqra (Interim DPO) | Full rewrite aligned with the next-generation Keyflow platform: unified versioning with the Terms of Service (single v2.0 tracked by the consent gate); Controller/Processor role split; UAE PASS source-verified identity (no document OCR/AI extraction); Singapore (ap-southeast-1) primary hosting as an adequate jurisdiction; updated retention schedule, transfer map and sub-processor list; Regulation 10 commitment for any future AI features; DealsFlow discontinuation recorded. Supersedes all v1.x versions published under a superseded domain. |
Review Schedule: Annually at minimum, or when processing activities change materially.
Next review date: 22 July 2027
KeyFlow Technology Ltd — Privacy Policy version 2.0, effective 22 July 2026.
KeyFlow Technology Ltd, DIFC Commercial Licence CL-12435, Unit GA-00-SZ-01-FX-07, Level 1, Gate Avenue South Zone, DIFC, Dubai, UAE