PERSONAL DATA PROCESSING POLICY

1. GENERAL PROVISIONS

1.1. Purpose of the Policy

1.1.1. This Personal Data Processing Policy (hereinafter “Policy”) is established by IMIGO INTELLIGENT INFORMATION TECHNOLOGY L.L.C., a limited liability company registered under the laws of the United Arab Emirates, with its registered office at Dubai Business Bay, The Binary by Omniyat, Office 1914-223 (hereinafter “IMIGO” or “Operator”), to ensure the protection of individuals' rights and freedoms during the processing of their personal data, including rights to privacy, in compliance with applicable laws.

1.1.2. This Policy applies to all personal data processed by IMIGO in connection with the use of the website https://imigo.ai/ (including all domains, subdomains, and pages, hereinafter “Website”) and the service at app.imigo.ai (hereinafter “Service”).

1.1.3. In compliance with UAE Federal Decree-Law No. 45/2021 on Personal Data Protection and other applicable regulations (e.g., GDPR, CCPA), this Policy is publicly available at https://imigo.ai/privacy-policy.

1.2. Definitions

1.2.1. Personal Data: Any information relating to an identified or identifiable individual (Data Subject).

1.2.2. Operator: An entity or individual, acting alone or jointly, that determines the purposes and means of processing personal data.

1.2.3. Processing of Personal Data: Any operation or set of operations performed on personal data, whether automated or manual, including collection, recording, organization, storage, updating, retrieval, use, transfer, anonymization, blocking, deletion, or destruction.

1.2.4. Automated Processing: Processing of personal data using computing technology.

1.2.5. Dissemination of Personal Data: Actions aimed at disclosing personal data to an unspecified group of persons.

1.2.6. Provision of Personal Data: Actions aimed at disclosing personal data to a specific person or group.

1.2.7. Blocking of Personal Data: Temporary suspension of processing, except where necessary to clarify data.

1.2.8. Destruction of Personal Data: Actions rendering personal data unrecoverable or destroying their physical media.

1.2.9. Anonymization of Personal Data: Actions rendering personal data unidentifiable to a specific Data Subject without additional information.

1.2.10. Personal Data Information System: A set of databases containing personal data and the technologies and tools used to process them.

1.3. Rights and Obligations of the Operator

1.3.1. Rights of IMIGO:

• Determine the measures necessary to comply with applicable data protection laws, including UAE Federal Decree-Law No. 45/2021, GDPR, and CCPA;
• Delegate processing to third parties with the Data Subject's consent, unless otherwise permitted by law, under contracts ensuring compliance with data protection principles;
• Continue processing personal data without consent if permitted by law (e.g., for legal obligations or legitimate interests).

1.3.2. Obligations of IMIGO:

• Provide Data Subjects with information about their personal data processing upon request;
• Explain the consequences of refusing to provide mandatory personal data;
• Implement legal, organizational, and technical measures to protect personal data from unauthorized access, destruction, alteration, blocking, copying, or dissemination;
• Respond to requests from data protection authorities within thirty (30) days;
• Provide Data Subjects or their representatives access to their personal data within thirty (30) days of a request;
• Update, correct, block, or destroy inaccurate or unlawfully processed personal data;
• Notify Data Subjects and third parties of changes or actions taken regarding their personal data.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

2.1. Processing is conducted lawfully and fairly.

2.2. Processing is limited to specific, predefined, and legitimate purposes. Processing incompatible with these purposes is prohibited.

2.3. Databases containing personal data for incompatible purposes shall not be merged.

2.4. Only personal data necessary for the stated purposes is processed.

2.5. The scope and content of processed personal data align with the stated purposes and are not excessive.

2.6. IMIGO ensures the accuracy, sufficiency, and relevance of personal data, taking measures to delete or correct incomplete or inaccurate data.

2.7. Personal data is stored only as long as necessary for the processing purposes, unless a longer retention period is required by law or contract. Data is destroyed or anonymized upon achieving the processing purpose or when no longer needed, unless otherwise required.

3. PURPOSES OF PROCESSING

3.1. IMIGO processes personal data solely to:

• Comply with applicable data protection laws (e.g., UAE Federal Decree-Law No. 45/2021, GDPR, CCPA);
• Perform obligations under the User Agreement (https://imigo.ai/terms);
• Provide access to and deliver the Service and Website;
• Authenticate and manage User Accounts;
• Process payments via Stripe;
• Communicate with Users regarding Service updates or support;
• Improve and develop the Service and Website;
• Conduct analytics and generate statistics;
• Ensure security and prevent fraud;
• Protect IMIGO's or third parties' rights and legitimate interests.

4. CATEGORIES OF DATA SUBJECTS

4.1. IMIGO processes personal data of:

• Employees of IMIGO;
• Contractors (individuals);
• Users of the Website and Service.

5. PROCESSING CONDITIONS

5.1. IMIGO processes personal data using automated and manual methods.

5.2. IMIGO may delegate processing to third parties (e.g., Stripe for payments) with the Data Subject's consent, unless otherwise permitted by law, under contracts ensuring compliance with data protection laws.

5.3. IMIGO implements legal, organizational, and technical measures to protect personal data from unauthorized access, destruction, alteration, blocking, copying, or dissemination, including encryption and access controls.

5.4. IMIGO ensures the confidentiality of personal data and prevents disclosure without the Data Subject's consent, unless required by law.

5.5. For EU/EEA residents, cross-border data transfers comply with GDPR requirements, including Standard Contractual Clauses where necessary.

6. OBLIGATIONS OF IMIGO

6.1. IMIGO shall:

• Provide Data Subjects with information about their personal data processing upon request;
• Explain the consequences of refusing to provide mandatory data;
• Protect personal data from unauthorized access or processing;
• Respond to data protection authority requests within thirty (30) days;
• Provide access to personal data within thirty (30) days of a Data Subject's or representative's request;
• Update, correct, block, or destroy inaccurate or unlawfully processed data within seven (7) business days;
• Notify Data Subjects and third parties of changes or actions taken regarding their personal data.

7. LIABILITY

7.1. IMIGO is liable for violations of data protection laws under UAE law and other applicable regulations (e.g., GDPR, CCPA).

7.2. Harm caused by violations of Data Subject rights or data protection rules is subject to compensation under applicable laws, including non-pecuniary damages, independent of other losses.

8. FINAL PROVISIONS

8.1. This Policy takes effect upon approval by IMIGO's authorized representative.

8.2. Amendments are made in the same manner as the Policy's adoption.

8.3. Compliance with this Policy is overseen by IMIGO's designated data protection officer.

8.4. Responsibility for compliance with data protection laws is determined under UAE law and IMIGO's internal policies.

8.5. Users may contact IMIGO at support@imigo.ai for inquiries about personal data processing.

8.6. Changes to this Policy take effect upon posting at https://imigo.ai/privacy-policy unless otherwise specified.

8.7. This Policy is governed by UAE law, with applicable international regulations (e.g., GDPR, CCPA) for relevant Users.