Privacy Policy
UAE Property Wills takes the protection of your personal data seriously. This privacy policy explains which data we collect, why we collect it, how long we retain it, with whom we share it, and what rights you have. We process your data in accordance with the General Data Protection Regulation (GDPR).
1. Who we are
The data controller for your personal data is:
Andaluma OÜ
Estonia
Trading as: UAE Property Wills / VAE Testament
Contact for privacy enquiries: support@vaetestament.nl
We have not appointed a Data Protection Officer (DPO) as our size and activities do not require one under GDPR Art. 37. For all privacy-related questions, please contact support@vaetestament.nl.
2. What data we process
We only process the data necessary to guide you through the registration of your DIFC will and to provide additional support where you explicitly request it.
2.1 Account data
- Email address (login credential, required)
- Name (first name, surname, required for the will)
- Password you choose (encrypted and stored by Firebase Authentication; we have no access to it)
- IP address and session tokens (technically necessary for login and session management)
2.2 Will data (Phase 2 in our portal)
- Personal details: date of birth, passport number, passport expiry date, nationality, marital status, contact information, residential address
- Property details: address, plot/title deed number, ownership percentage, mortgage status of your UAE property
- Details of beneficiaries, substitute beneficiaries, executors and witnesses: names, dates of birth, passport numbers and contact details (required fields for the DIFC portal)
- Distribution preferences and special wishes
- Uploaded documents: passport scans, title deeds (only when you upload them yourself; stored on Google Cloud, European region)
2.3 Payment data
Payments are processed through Stripe. We do not process credit card or bank account numbers ourselves. We do receive: payment confirmation, amount, date, Stripe reference and your billing address. Stripe processes your card data under their own privacy policy (see stripe.com/privacy).
2.4 Communication data
- Emails you send to us and support ticket messages via our portal
- WhatsApp messages (only for Tier 2 and Tier 3 clients who have explicitly opted in)
- AI support log (only counters and metadata; no content of your question or the answer; see section 6)
2.5 Optional consents (Phase 1 onboarding)
During your first login you may optionally consent to:
- Additional email or WhatsApp contact outside your DIFC process, for service updates and related offerings from UAE Property Wills and affiliated brands under the same legal entity
- Use of your date of birth for service personalisation and a birthday greeting
These consents are voluntary, not required for the will process, and can always be withdrawn via support@vaetestament.nl.
3. Why we process your data
We process your data exclusively on the following legal bases:
| Purpose | Legal basis (GDPR) |
|---|---|
| Performance of our guidance service (account, will data, documents) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and bookkeeping | Legal obligation (Art. 6(1)(c)) |
| Responding to your support enquiries | Performance of contract |
| Optional marketing and personalisation communications | Consent (Art. 6(1)(a)), withdrawable |
| Securing our systems, fraud prevention, error tracking | Legitimate interest (Art. 6(1)(f)) |
4. With whom we share your data
We do not sell your data and do not share it for third-party marketing purposes. We use a limited number of processors for our technical infrastructure and operations:
| Processor | Role | Location |
|---|---|---|
| Google / Firebase | Authentication and database (your account and will data) | EU (Belgium, europe-west1) |
| Cloudflare | DNS, Workers (API layer for our portal), email and payment verification | US / global edge network (Standard Contractual Clauses) |
| Stripe | Payment processing | EU (Ireland) and US (Standard Contractual Clauses) |
| Brevo | Sending transactional and service emails | EU (France) |
| Anthropic | AI support (only anonymised, structured summaries; see section 6) | US (Standard Contractual Clauses) |
| cal.com | Booking appointments (orientation calls, live sessions, intake calls) | EU/US (Standard Contractual Clauses) |
| Loom | Hosting instructional videos in our personal guide | US (read-only, no upload of your data) |
For Tier 3 (Full Service), we share your will data with the DIFC lawyer handling your case, only with your explicit consent and only what is necessary. This lawyer is an independent party with their own duty of confidentiality and privacy policy.
We do not share data with government authorities unless legally required to do so.
5. International transfers
Some of our processors have servers outside the European Economic Area (EEA), particularly in the United States. For these transfers we rely on the Standard Contractual Clauses (SCCs) of the European Commission and, where applicable, the EU-US Data Privacy Framework. A copy of the applicable SCCs is available on request via support@vaetestament.nl.
6. AI support
Our platform offers two AI-assisted features:
- Upgrade suggestion at the end of your personal guide: our system analyses the structural characteristics of your will (number of properties, type of beneficiaries, chosen distribution method) to inform you whether a different service tier might be a better fit.
- Help questions via the help button on each screen: our AI answers questions based on our FAQ content.
What we send to the AI provider (Anthropic):
- For the upgrade suggestion: only a structured summary (counts and booleans, no names, addresses or passport numbers)
- For help questions: only your question text and your tier (no identifying data)
What we store in our logs: only counters (number of calls, input/output length, latency), no content. Anthropic processes our API calls under their own data policy: the data is not used for training their models (business API). See Anthropic Commercial Terms.
7. How long we retain your data
| Category | Retention period |
|---|---|
| Account and will data (active client) | As long as your account is active |
| Account and will data (after cancellation) | No longer than necessary for the purpose of processing, taking into account statutory retention periods |
| Uploaded documents (passports, title deeds) | Until completion of DIFC registration or as long as necessary for the process |
| Accounting data (invoices, payment information) | In accordance with statutory fiscal retention obligations |
| Support tickets and correspondence | No longer than necessary for resolution and any follow-up enquiries |
| Marketing consents and associated email address | Until you withdraw your consent |
After the retention period expires, your data is deleted or anonymised.
8. Your rights
Under the GDPR you have the following rights:
- Access - request which data we process about you
- Rectification - have incorrect data corrected
- Erasure - have your data deleted ("right to be forgotten"), subject to statutory retention obligations that apply to us
- Restriction - temporarily restrict processing
- Portability - receive your data in a structured format to transfer to another provider
- Objection - object to processing based on legitimate interest
- Withdraw consent - for optional marketing and personalisation processing
To exercise these rights, send an email to support@vaetestament.nl. We respond within 30 days. For your protection, we may request additional identity verification before releasing or modifying data.
If you are not satisfied with how we handle your data, you have the right to file a complaint with the relevant data protection authority. For EU residents, this is typically your national supervisory authority.
9. Security
We take appropriate technical and organisational measures to protect your data, including:
- Encryption of all communication between your browser and our systems (HTTPS / TLS)
- Encrypted storage of your data at our infrastructure provider (Google Cloud, European region)
- Role-based access control: only specific staff members have access to your data, and only to the extent necessary for their role
- API endpoint security with token verification and rate limiting
- Regular security updates to our dependencies
10. Cookies
Our portal and website use only functionally necessary cookies for login and session management (placed by Firebase Authentication). We do not use tracking or advertising cookies and do not use web analytics tools that collect personal data. For this reason, we do not display a cookie banner.
11. Minors
Our service is intended for persons aged 18 and over. We do not knowingly collect data from minors. If you suspect that a minor has used our service without consent, please contact us so we can remove the relevant data.
12. Changes to this privacy policy
We may update this privacy policy from time to time, for example when our services change or regulations evolve. Material changes will be announced via a notification in your portal or by email. The current version and the date of last update are shown at the top of this page.
13. Contact
For all questions about this privacy policy or how we process your data, please contact: