Privacy Policy

Al Ain Finance P.J.S.C. and its group companies ("Company", "we", "our", "us”) respects the privacy rights of its online visitors ("you", "your", "yours") and recognises the importance of protecting the information collected about them. We are a private joint stock company licensed by the United Arab Emirates (“UAE”) Central Bank to offer a buy-now pay-later product to retailers, for use by consumers located in the UAE. Our principal address is at 5th Floor, Office #504, Dusit Thani Complex, Offices Building, Sultan Bin Zayed The First St, Abu Dhabi, UAE.

We have adopted this group wide Privacy Policy to guide how we collect, store, and use the information that you provide us with.

The following information is provided by the Company to enable our online visitors to our buy-now pay-later website (“BNPL Website”) and/or our buy-now pay-later application (“BNPL App”, together with the BNPL Website, the “BNPL Facility”) to be fully informed of our privacy policies. By visiting the BNPL Facility and clicking “ACCEPT” on our privacy banner or page, you are accepting and consenting to the practices described in this Privacy Policy. Also by clicking “ACCEPT”, you acknowledge and agree that the collection and processing of your personal data is necessary for the performance of the Services by Al Ain Finance.

To use the BNPL Facility, you must be at least 21 years of age. By using the BNPL Facility, you confirm that you are 21 years of age or older. We reserve the right to verify your age and deny or revoke access to the BNPL Facility if this requirement is not met. If you are under 21, we require that you inform a parent or guardian about the terms of this Privacy Policy and obtain their agreement and consent to the terms of this Privacy Policy, as well as your use of our BNPL Facility.

THIRD PARTIES

Our BNPL Facility may contain links to and from websites belonging to other companies or organisations.

This Privacy Policy does not apply to websites maintained by other companies or organisations to which we link and the Company is not responsible for any personal information you submit to third parties via our BNPL Facility. If you follow any link to another website, that website may have its own privacy policy. We do not accept any liability or responsibility for the privacy policies of third parties. We recommend that you read the privacy policies of such other companies or organisations before submitting any personal details.

WHAT PERSONAL INFORMATION DO WE COLLECT FROM YOU?

The Company collects personal information about you in various ways when you visit the BNPL Facility, or submit an inquiry to us. As noted above, by using our BNPL Facility and clicking “ACCEPT” on our privacy banner or page, you are consenting to the collection of your personal data.

In visiting our BNPL Facility, we may collect some or all of the following information:

Identity Data

  • Full name;
  • Date of birth; and
  • Government-issued ID (Emirates ID).

Contact Data

  • Residential address;
  • Email address; and
  • Mobile phone number.

Financial Data

  • Bank account details;
  • Credit/debit card information;
  • Employment and income details;
  • Spending behaviour and patterns (e.g., from bank feeds or payment history);
  • Credit history or credit score (from credit reference agencies); and
  • Credit report (from credit reference agencies).

Transactional Data

  • Purchase history (what was bought, where, when, and how much);
  • Repayment history; and
  • Outstanding balances and payment due dates.

Behavioural/Usage Data

  • Browsing behaviour on the BNPL Facility or partner sites;
  • Device information (IP address, browser type);
  • Interaction logs (e.g., clicks, time spent on page); and
  • Communication logs (emails, chat messages, customer service calls).

Compliance & Risk Data

  • Data collected for anti-money laundering (AML) and fraud detection;
  • Politically Exposed Person (PEP) or sanctions screening; and
  • Internal risk scores.

Location Data (if applicable)

  • Geolocation data from app or IP address (useful for fraud prevention)

Special Categories of Personal Data

  • Gender (optional or inferred);
  • Nationality;
  • Biometrics (face scan or finger print); and
  • Court case history in the UAE.

The above information is defined as (“Personal Data”).

In addition, we automatically collect information about you when you visit our BNPL Facility. This may include technical information such as, for example, browser type and version, time zone setting, cookies (see the “What About Cookies” section below) browser plug-in types and versions, and details of the device, operating system and platform that you use. Additional information that we may collect includes page response times, download errors, length of visits to certain pages on our BNPL Facility, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from pages on our BNPL Website.

HOW WE MAY COLLECT YOUR PERSONAL DATA

We may collect Personal Data:

  • directly from you by filling in forms on our BNPL Facility or by corresponding with us by phone or in writing (including by email) including applications for services, participation in surveys, registration for events, or requesting marketing be sent to you;
  • from affiliated entities, social media platforms, business partners and other Third Party Site Accounts which we may add to our account information;
  • from credit rating agencies such as Al Etihad Credit Bureau (“AECB”) in relation to credit reports and scores;
  • anti-money laundering and counter financial terrorism systems;
  • from banks and financial institutions in respect to bank details, income, transaction history;
  • from open banking platforms with respect to financial behaviour (with consent);
  • alternative data providers with respect to utility, rental, and telecom payment histories;
  • identity verification service providers such UAE Pass;
  • fraud prevention service provider with respect to KYC;
  • our Live Chat provider; and
  • from cookies on our BNPL Website (see “What About Cookies?” section below) or similar technologies.

WHAT ABOUT COOKIES?

Our BNPL Website uses cookies. A cookie is a very small data file that a website asks your browser to store on your computer or mobile device. A cookie allows our BNPL Website to "remember" your actions or preferences when you visit our BNPL Website in the future. A cookie may transmit information via your browser in order to authenticate or identify either the computer (for example, via the IP address) or the user.

Additionally, cookies may contain other information such as registration data or user preferences. When our servers receive a request from a computer which stores a cookie from our BNPL Website, our servers can use the information stored in the cookie in combination with the information which we store on our servers.

There are four types of cookies:

  • BNPL Website functionality cookies

These cookies enable you to browse our BNPL Website and use our features.

  • BNPL Website analytics cookies

We use these cookies to measure and analyse how our visitors use our BNPL Website. This allows us to continuously improve our BNPL Website and your experience.

  • User preference cookies

When browsing, our BNPL Website will remember preferences you make (for example your user name, language or location). This makes your browsing experience simpler, easier and more personal to you.

  • Targeting cookies or advertising cookies

These cookies are used to deliver advertisements (when used) that are relevant to you. In addition, they limit the number of times you see an advertisement as well as helping us measure the effectiveness of our advertising campaigns.

By using our BNPL Facility and clicking “ACCEPT” on our privacy banner or page, you agree that we can place these types of cookies on your device and access them when you visit our BNPL Website in the future.

HOW DO I DELETE OR REJECT COOKIES?

You can delete cookies at any time. If you want to delete any cookies that are already on your computer, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

Information on deleting, rejecting or controlling cookies is available at https://allaboutcookies.org/. Please note that by deleting our cookies or disabling or rejecting future cookies you may not be able to access certain areas or features of our BNPL Website, or certain functions may not work correctly.

If you use our BNPL Facility without deleting or rejecting some or all cookies and have clicked “ACCEPT” on our privacy banner or page, you agree that any cookies you have not deleted or rejected may be placed by us on your computer or on your device.

You may change your cookie preferences (and withdraw your consent to our use of non-essential cookies that collect your Personal data) at any time using our [cookie preference platform]. 

HOW WE MAY USE YOUR PERSONAL DATA

We may use your Personal Data for the following purposes:

Identity Data

We process your identity data to verify your identity, prevent identity fraud, comply with legal obligations such as anti-money laundering (AML) regulations, and assess your eligibility for BNPL services.

Contact Data

We use your contact data to communicate with you regarding your account and transactions, send important updates and notifications, deliver marketing communications (with consent), and support payment recovery processes when necessary.

Financial Data

Your financial data is used to assess your creditworthiness and ability to repay, reject or approve your BNPL application, monitor financial behaviour, and detect potential fraud or unusual activity.

Transactional Data

We collect and process transactional data to track your BNPL purchases, manage your repayment schedules, identify irregular payment patterns, and provide accurate records such as receipts and transaction histories.

Behavioural/Usage Data

We process behavioural and usage data to enhance the performance of our BNPL Facility, personalize your experience, detect misuse or suspicious behavior, and analyze user trends to improve our services.

Compliance & Risk Data

This data is used to fulfil our legal and regulatory obligations, including anti-money laundering checks and sanctions screening, assess internal credit and fraud risk, and help prevent financial crime.

Location Data

We may process location data to detect and prevent fraud, comply with local legal requirements, and tailor our services to your geographic location for a better user experience.

Special Categories of Personal Data

We process such data to verify your identity, prevent identity fraud, comply with legal obligations such as anti-money laundering (AML) regulations, and assess your eligibility for BNPL services.

LAWFUL GROUNDS

We will process your Personal Data based upon a lawful ground. The lawful grounds applicable may include the following (as available under the relevant data protection law):

  • the performance of the contract for services entered into between you and the Company;
  • in compliance with applicable law including any UAE Central Bank regulations, notices and circulars, consumer protection regulations and anti-money laundering or terrorist financing legislation;
  • as necessary in order to protect the vital interests of a Data Subject or of another natural person; and
  • as necessary for the purpose of legitimate interests (specific to Personal Data being processed in accordance with the DIFC DPL and ADGM DPR).

We may rely on your consent when the above ground(s) are not available. Please note that if you withdraw you may not be able to access certain services, facilities or systems.

Please note that where the lawful ground for processing is pursuant to a contractual requirement, failure to provide your Personal Data may prevent us from providing services to you.

In addition, where the lawful ground for processing is compliance with applicable laws, such as satisfying any legal, accounting, or reporting requirements, you may not be able to exercise your rights of erasure, restriction on processing or objection to processing (see further details in the ‘Your Rights’ section). By way of example, the UAE Central Bank’s Finance Companies Regulation requires us to retain customer records for a prescribed period of time.

AUTOMATED DECISION-MAKING

We use automated processing, including profiling, to make decisions about your eligibility to use the BNPL services. Automated decision-making means that a decision is made using technology without human involvement. Profiling refers to the use of Personal Data to evaluate certain aspects about an individual, such as their creditworthiness, payment history, or financial behaviour.

When you apply to use the BNPL services, our systems automatically assess the information you provide which may include, but is not limited to: your identity data, income level, payment history, and data received from third parties such as AECB and UAE Pass. This data is processed to generate a credit risk score, which helps determine:

  • whether you are eligible to use the BNPL services;
  • what credit limit or repayment terms we can offer;
  • whether additional verification is needed;

This process involves applying internal risk models that consider factors which may include but are not limited to: past defaults, existing credit obligations, and patterns in your financial behaviour. Automated decision-making helps us make fair and consistent credit decisions quickly, and it is necessary for entering into or performing the contract you have requested.

The outcome of this automated assessment may mean that:

  • your application is approved or declined automatically;
  • you are offered different terms (e.g. a lower credit limit); or
  • you are asked to provide additional information.

If you would like more information about how these processes work or would like to exercise your rights in this context, please see the “Contact Us” section below.

SECURITY OF YOUR PERSONAL DATA

The Company takes the security of your Personal Data seriously. It has internal policies and controls in place and implements technology measures to ensure that your Personal Data is not lost, accidentally destroyed, misused or disclosed, or subject to unauthorised access.

The Company will update these policies, controls, and measures from time to time as appropriate, including when new technology becomes available.

RETENTION OF YOUR PERSONAL DATA

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it, including satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data, and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, for example, where the basis of processing your data has changed or ceased to exist, we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker, or contractor of the company, we will retain and securely destroy your Personal Data in accordance with applicable laws and regulations.

If you have elected to receive marketing communications from us, we will retain personal information about your marketing preferences for a reasonable period of time, which will be determined by us based on the date you last expressed interest in our content, products, or services.

YOUR RIGHTS

The Company aims to keep the Personal Data we hold about you as accurate as possible. As a data subject, you have a number of statutory rights available to you under the data privacy laws which apply to us. These rights are summarised below.

If you wish to exercise any of your rights, please follow the instructions in the ‘Contact Us’ section.

Where you make any request to us, we reserve the right to request further details from you to evidence your identity before processing your request.

  • The Right to Withdraw Consent

Where we rely on your consent as the lawful ground for our processing, you may withdraw your consent at any time by notifying us in accordance with this section and the section entitled ‘Contact Us.’ We will cease any processing based upon your consent as soon as reasonably practicable, provided that no other lawful ground is available to us to continue such processing.

Any withdrawal of consent must:

  • be in writing (either in hard copy or electronic form);
  • notified to us by one of the methods set out in the section entitled ‘Contact Us’; and
  • clearly set out the processing for which consent is withdrawn.

In the event that the applicable legislation or regulations set out any additional requirements to which a withdrawal of consent must adhere, then such additional requirements shall apply in addition to the above requirements. By way of example, the UAE Central Bank’s Finance Companies Regulation requires us to retain customer records for a prescribed period of time.

The withdrawal of consent will not affect the validity of the processing of your Personal Data that occurred prior to the withdrawal of your consent. Depending on the nature of the processing for which consent is withdrawn, this may affect our ability to provide services to you.

  • The Right to Access, Rectification and Erasure

You may request details from us about whether we are processing your Personal Data, the purpose of our processing, the categories of your Personal Data being processed, and the recipients or categories of recipients to whom we are disclosing your Personal Data.

In some cases, you may also request us to rectify any Personal Data that we hold about you.

You may also be entitled to require us to erase your Personal Data. This right may be available to you where the purposes of the processing are no longer necessary, the Personal Data must be deleted under applicable law, and there are no other grounds upon which we may rely to continue our processing. Please note that we may not be able to process your erasure request if applicable law requires us to retain such Personal Data or if it is subject to or for establishing a legal defence or legal claim.

We may not be able to process your erasure or rectification request when it is technically not feasible. In such cases, we will inform you and provide further details.

We will endeavour to complete any request hereunder within the timeframe required under the applicable data protection legislation. We shall notify you of any such delay and the reasons therefor.

We have the right to reject any request that is unfounded or excessive because of its repetitive character and we reserve the right, in such circumstances, to charge an administrative fee or take any other action or inaction as permitted by applicable law. We may also be unable to provide you with certain information in certain circumstances pursuant to laws applicable to us. In such cases, we shall inform you of the reasons why and the remedies available to you should you disagree.

  • The Right to Object to Processing

You may object at any time, on reasonable grounds, to any processing which we carry out on the following grounds:

  • it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or
  • it is necessary for the purposes of our legitimate interests or those of a third party.

Should we use your Personal Data for direct marking purposes, we shall offer you the right to object. Please note that we do not use your Personal Data for direct or indirect marketing purposes.

  • The Right to Restriction of Processing

In some circumstances, you may restrict the processing of your Personal Data. Please get in touch with us using the details provided in the ‘Contact Us’ section to find out more about what restrictions you may request and the circumstances in which we may continue to process, irrespective of such a request. 

  • The Right to Data Portability

Where our processing is carried out on the grounds of consent or the performance of a contract and is carried out by automated means, you may have the right to receive such data in a machine-readable format, provided that it is technically feasible to do so and such disclosure will not infringe the rights of any other natural person.

  • The Right to Object to any Decision Based Solely on Automated Processing.

You have the right to object to any decision we make that is based solely on automated processing, including profiling, which produces legal consequences upon you or other seriously impactful consequences. You may also require such decisions to be reviewed manually.

  • The Right to Lodge a Complaint

For complaints against the Company and its group entities, they may be lodged with the relevant authority:

UAE PDPL

  • the UAE Data Office, noting that at present, the UAE Minister of State for Artificial Intelligence, Digital Economy & Remote Work Applications Office (https://ai.gov.ae/ar/personal-data-protection-law/) may receive complaints pending the operation of the UAE Data Office

DIFC DPL

  • the DIFC Commissioner of Data Protection’s Office at:
  • Dubai International Financial Centre Authority

Level 14, The Gate Building

+971 4 362 2222

commissioner@dp.difc.ae

ADGM DPR

  • the ADGM Data Protection’s Office at:
  • Abu Dhabi Global Market

Abu Dhabi Global Market Authorities Building

ADGM Square, Al Maryah Island

PO Box 111999. Abu Dhabi, UAE

+971 2 333 8888

data.protection@adgm.com

We encourage you to first raise any complaints directly with us.

MARKETING OPT-IN AND EXERCISING YOUR RIGHTS

When you register on our BNPL Facility, or use the ‘Contact Us’ option on our BNPL Facility here [insert URL], you will be given the opportunity to subscribe to our regular update service which may send you:

(i) Email alerts for new products, features, enhancements, special offers, upgrade opportunities, contests, events of interest, and one-off marketing promotions.

(ii) Direct mail alerts for new products, features, enhancements, special offers, upgrade opportunities, contests, events of interest, and one-off marketing promotions.

Marketing communications you subscribe to will only be sent by us.

At all times, we will offer you the opportunity to unsubscribe out of any service or update to which you have subscribed, if you change your mind. Any e-mail we send you will contain an easy automated unsubscribe link so that you can opt-out of that particular mailshot. Simply follow the indications in the e-mail. To opt out of direct mail service or updates, please contact the Company on [insert phone number] or by email at [insert email address].

You may exercise, with respect to the data collected, your rights under applicable data protection legislation, such as, the right to erasure, transfer, restricted processing, and the right to object to automated processing by sending a communication (see “Your Rights” section above”) to the contact details noted below. You may also withdraw your consent to the processing of your Personal Data.

SHARING YOUR PERSONAL DATA

Your Personal Data may be shared internally and the Company may also share your Personal Data with:

  • Third parties that process data on its behalf for the purposes of providing services to the Company such as website hosting, data storage, software services, email services, marketing, fulfilling customer orders, providing payment-related services including payment aggregation, data analytics, data mining, providing customer services, and conducting surveys, as permitted by applicable law. These companies may be located within or outside the UAE, but in any case, they are obligated to protect your data.
  • Regulatory authorities or other government entities to ensure compliance with its legal and professional obligations, including in response to a request made by a government authority;
  • Law enforcement authorities and courts.
  • Financial institutions.
  • Professional advisors providing services to the Company such as legal and accounting services.
  • Other companies within the Company’s group who provide services to us.
  • If the Company sells or buys any business or assets, in which case, prospective sellers or buyers of such business or assets (however, the transfer of such personal data will be in compliance with applicable data protection laws).
  • Third-party social media advertising partners like Facebook, Google, Snapchat and Twitter or other third-party digital marketing providers where we wish to tailor our advertising to you, to ensure that you only receive targeted marketing which is relevant to you. Where we undertake this targeted advertising, the social media company and/or digital advertising companies will only be able to see your email address if you already have an account with them and they already have your address themselves.
  • Debt collection agencies appointed by us to collect outstanding debts on our behalf. These agencies will be given details necessary to contact you to discuss the settlement of your debt. Your requests should be directed to the company in question.
  • Loan information to credit agencies.
  • If it is necessary to arrange the receipt of a prize you have won after entering into one of our competitions, the third party in which we have run the competition in conjunction with.
  • Third parties to whom we may pass on information to about our BNPL Facility traffic and other commercial information, but this information will not include any information which can identify you personally.

You acknowledge and agree that any defaults reported by Al Ain Finance to credit agencies, may negatively affect your credit score.

All unsolicited/public information shall be deemed to be non-confidential and we shall be free to reproduce, use, disclose, and distribute such unsolicited/public information to others without limitation or attribution.

TRANSFER OF YOUR PERSONAL DATA TO OTHER COUNTRIES OR JURISDICTIONS

The majority of information the Company collects, including your Personal Data, is stored in the UAE in accordance with applicable law. However, if permitted under applicable law, some information you give us may be transferred to other jurisdictions outside the UAE. For example, some of the Company’s offices, third-party providers, or facilities may be outside the UAE. 

In such circumstances, the Company will take such organisational, contractual, and legal measures as required under applicable legislation or regulations to implement suitable safeguards to ensure that your personal data is processed only for the purposes mentioned above and that, where required, adequate levels of protection have been implemented in order to safeguard your personal data.

Where your personal data will be transferred to a jurisdiction that does not have an adequate level of protection, the Company may be required to enter into a contract with the recipient or ensure other suitable safe guards have been implemented in accordance with applicable legal requirements.

If you do not agree to the transfer, storage and use of your information in any other country where we operate, please do not click “ACCEPT” on our privacy banner or page.

If you wish to obtain a copy of the suitable safeguards you may request this by using the ‘Contact Us’ section on [insert email address].

DATA BREACH

In the event we become aware that the security of our BNPL Facility, or our services has been compromised or your Personal Data has been disclosed to unrelated third parties as a result of external activity, including, but not limited to, security attacks or fraud, we reserve the right to take reasonably appropriate measures, including, but not limited to, investigation and reporting, as well as notification to and cooperation with law enforcement authorities. In the event of a data breach, we will if notify affected individuals as required by applicable law. If for any reason, you have a reason to believe that your Personal Data shared with us is no longer secure, you may contact us via our e-mail address at [insert email address].

CHANGES TO OUR PRIVACY POLICY

If possible, we will notify you of any changes to this Privacy Policy using the contact information you have provided us, and you consent to being contacted by us for this purpose. We will also update the Privacy Policy on our BNPL Facility, which you can refer to at any time, and will ask you to accept the new Privacy Policy when you next visit our BNPL Facility.

CONTACT US - TO ASK QUESTIONS OR FILE COMPLAINTS

Al Ain Finance is responsible for any Personal Data collected relating to you.

To contact us relating to any concerns in relation to this Privacy Policy or to exercise your rights, please send a communication:

  • By email to [insert email address] with the subject "Data protection"; or
  • By any postal means with which there is evidence of receipt by the company, addressed to our principal address noted above (indicating on the envelope the reference "Data Protection").

You may also contact our Data Protection Officer on [insert email address of nominated DPO].

SEVERABILITY

If any term or condition of this Privacy Policy is deemed invalid or unenforceable by a court of law or tribunal with binding authority, then the remaining terms and conditions shall not be affected.

GOVERNING LAW AND DISPUTE RESOLUTION

Any dispute arising out of the formation, performance, interpretation, nullification, termination or validation of this Privacy Policy in any manner whatsoever shall be referred to and settled exclusively by the Abu Dhabi courts.