1. Introduction
Yalla CRM, a product of ZAR Media FZCO ("we," "our," "us," or the "Company"), is a customer relationship management platform registered and operating in the United Arab Emirates. We are committed to protecting your privacy and handling your personal data in compliance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and other applicable data protection regulations.
This Privacy Policy explains how we collect, use, process, store, share, and protect your personal data when you use our WhatsApp Business Management Platform, mobile applications, and related services (collectively, the "Services"). By using our Services, you acknowledge that you have read and understood this Privacy Policy.
2. Definitions
For the purposes of this Privacy Policy:
- "Personal Data" means any data relating to an identified or identifiable natural person, including but not limited to name, identification number, location data, online identifier, or factors specific to the physical, psychological, economic, cultural, or social identity of that person.
- "Sensitive Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation.
- "Processing" means any operation performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
- "Data Subject" means the individual to whom the personal data relates.
- "Controller" means the entity that determines the purposes and means of processing personal data.
- "Processor" means the entity that processes personal data on behalf of the Controller.
3. Data Controller
Yalla CRM acts as the Data Controller for the personal data we collect directly from you. When you use our Services to manage your customer relationships, you act as the Data Controller for your customers' data, and Yalla CRM acts as the Data Processor on your behalf.
Data Controller Contact Information:
ZAR Media FZCO (trading as Yalla CRM)
Dubai, United Arab Emirates
Email: privacy@yallacrm.com
Data Protection Officer: dpo@yallacrm.com
4. Legal Basis for Processing
In accordance with UAE PDPL and international data protection standards, we process your personal data based on one or more of the following legal grounds:
- Consent: You have given explicit consent for processing your personal data for specific purposes.
- Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party, or to take pre-contractual steps at your request.
- Legal Obligation: Processing is necessary for compliance with UAE laws and regulations to which we are subject.
- Legitimate Interests: Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms.
- Vital Interests: Processing is necessary to protect the vital interests of you or another natural person.
- Public Interest: Processing is necessary for the performance of a task carried out in the public interest.
5. Personal Data We Collect
5.1 Information You Provide Directly
When you register for an account, subscribe to our Services, or contact us, you may provide:
- Full name and professional title
- Email address and telephone number
- Company name, trade license number, and business address
- Emirates ID or passport information (for verification purposes)
- Payment and billing information (credit card details, bank account information)
- Username, password, and account preferences
- Communication records when you contact our support team
5.2 Information Collected Automatically
When you access or use our Services, we automatically collect:
- Device information (device type, operating system, unique device identifiers)
- IP address and approximate geographic location
- Browser type and version
- Usage data (pages visited, features used, time spent, click patterns)
- Log data (access times, error logs, referring URLs)
- Performance data and diagnostics
5.3 WhatsApp and Social Media Integration Data
When you connect your WhatsApp Business, Instagram, or Facebook accounts to our platform, we may access and process:
- Message content, attachments, and metadata
- Contact information and conversation history
- Profile information from connected social media accounts
- Business account settings and configurations
- Broadcast and campaign performance metrics
Important: You are responsible for ensuring you have obtained appropriate consent from your customers before collecting and processing their personal data through our platform.
5.4 Information from Third Parties
We may receive personal data from:
- Business partners and resellers who refer you to our Services
- Payment processors and financial institutions
- Identity verification services
- Publicly available sources and business registries
- Social media platforms (when you choose to connect)
6. Sensitive Personal Data
We do not intentionally collect sensitive personal data as defined under UAE PDPL. Our Services are designed for business communications and customer relationship management, and we request that you do not submit sensitive personal data through our platform.
If you are a business user processing your customers' data through our platform, you are responsible for ensuring compliance with applicable laws regarding sensitive personal data. You must obtain explicit consent before processing any sensitive personal data and implement appropriate safeguards.
7. How We Use Your Personal Data
We process your personal data for the following purposes:
7.1 Service Delivery
- Creating and managing your account
- Providing access to our CRM platform and features
- Processing and facilitating WhatsApp, Instagram, and Facebook communications
- Managing your sales pipelines and customer data
- Enabling team collaboration and access controls
7.2 Payment Processing
- Processing subscription payments and renewals
- Managing billing, invoicing, and refunds
- Fraud detection and prevention
- Compliance with UAE financial regulations
7.3 Communication
- Sending service-related notifications and updates
- Responding to your inquiries and support requests
- Providing technical assistance and troubleshooting
- Sending marketing communications (with your consent)
7.4 Service Improvement
- Analyzing usage patterns to improve our Services
- Developing new features and functionalities
- Conducting research and analytics
- Personalizing your experience
7.5 Security and Compliance
- Protecting against unauthorized access and security threats
- Detecting and preventing fraud, abuse, and violations
- Enforcing our Terms of Service
- Complying with UAE laws and legal obligations
- Responding to lawful requests from UAE authorities
8. Disclosure of Personal Data
We may share your personal data with the following categories of recipients:
8.1 Service Providers
We engage trusted third-party service providers to perform functions on our behalf, including cloud hosting (AWS, Google Cloud), payment processing, customer support tools, analytics services, and email delivery. These providers are contractually bound to protect your data and use it only for the specified purposes.
8.2 Platform Partners
To provide our WhatsApp, Instagram, and Facebook integration features, we share necessary data with Meta Platforms, Inc. in accordance with their applicable terms and our data processing agreements.
8.3 Legal and Regulatory Authorities
We may disclose your personal data to UAE government authorities, regulatory bodies, law enforcement agencies, or courts when required by applicable laws, legal processes, or to protect our legal rights.
8.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
8.5 With Your Consent
We may share your personal data with other parties when you have given us explicit consent to do so.
We do not sell your personal data to third parties for their marketing purposes.
9. International Data Transfers
Your personal data may be transferred to, stored, and processed in countries outside the United Arab Emirates where our service providers operate. These countries may have data protection laws that differ from those of the UAE.
When we transfer personal data internationally, we implement appropriate safeguards in compliance with UAE PDPL, including:
- Standard Contractual Clauses approved by relevant data protection authorities
- Data processing agreements with adequate security provisions
- Ensuring the recipient country provides adequate data protection or the transfer falls under permitted exceptions
- Obtaining your explicit consent where required
10. Data Security
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access controls, multi-factor authentication, and regular access reviews
- Infrastructure Security: Secure cloud infrastructure with firewalls, intrusion detection, and regular security audits
- Employee Training: Regular security awareness training for all staff
- Incident Response: Documented procedures for detecting, reporting, and responding to data breaches
- Vendor Management: Due diligence and security assessments for third-party service providers
- Physical Security: Secure data centers with restricted access and environmental controls
Despite our efforts, no security measures are completely impenetrable. We cannot guarantee the absolute security of your data transmitted to our Services.
11. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:
- Active Account Data: Retained for the duration of your subscription and account activity
- Transaction Records: Retained for 7 years as required by UAE Commercial Companies Law and tax regulations
- Communication Records: Retained for 3 years for customer service and dispute resolution
- Log Data: Retained for 12 months for security and performance monitoring
- Marketing Preferences: Retained until you withdraw consent or request deletion
Upon account termination, we will retain your data for 30 days to allow for reactivation, after which it will be securely deleted or anonymized, except where longer retention is required by law.
12. Your Data Protection Rights
Under UAE PDPL and applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you and information about how we process it.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure: You have the right to request deletion of your personal data, subject to legal retention requirements.
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the UAE Data Office or relevant supervisory authority.
To exercise any of these rights, please contact us at privacy@yallacrm.com. We will respond to your request within 30 days. We may request verification of your identity before processing your request.
13. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our platform. These include:
- Essential Cookies: Required for the operation of our Services (authentication, security, load balancing)
- Functional Cookies: Enable personalization and remember your preferences
- Analytics Cookies: Help us understand how visitors interact with our Services
- Marketing Cookies: Used to deliver relevant advertisements (with your consent)
You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services.
14. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not operated by us, including WhatsApp, Facebook, and Instagram. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.
15. Children's Privacy
Our Services are intended for business use and are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately at privacy@yallacrm.com, and we will take steps to delete such information.
16. Marketing Communications
With your consent, we may send you marketing communications about our products, services, and promotions. You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in our emails
- Updating your preferences in your account settings
- Contacting us at privacy@yallacrm.com
Please note that even if you opt out of marketing communications, we may still send you service-related messages necessary for the administration of your account.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or through a notice on our platform
- Obtain your consent where required by law
We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes constitutes acceptance of the updated Privacy Policy.
18. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the United Arab Emirates, including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its implementing regulations. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Dubai, UAE.
19. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Privacy Inquiries:
Email: privacy@yallacrm.com
Data Protection Officer:
Email: dpo@yallacrm.com
Postal Address:
ZAR Media FZCO (trading as Yalla CRM)
Dubai, United Arab Emirates
Data Subject Rights Requests:
Email: rights@yallacrm.com
We aim to respond to all legitimate requests within 30 days. If your request is particularly complex, we may require additional time, in which case we will notify you accordingly.