Effective Date: 25 January 2025
Issued By: Nuvra Limited (Masdar City Free Zone, Abu Dhabi, UAE)
Contact: dpo@nuvra.agency
1.1 This Data Processing & Retention Policy (“Policy”) establishes the principles, rules, and procedures governing the Processing, retention, storage, archiving, deletion, and protection of Personal Data by Nuvra Limited (“Nuvra”, “Nuvra Tech”, “Company”, “we”, “our”).
1.2 This Policy applies to all Personal Data processed through the Vibe Coding Platform (“Platform”), including data relating to Users, subscribers, customers, visitors, contractors, and business partners.
1.3 This Policy supplements the Privacy Policy and forms an integral component of Nuvra Tech’s compliance framework under the UAE Personal Data Protection Law.
This Policy is established pursuant to:
All Processing shall be carried out in accordance with these laws.
3.1 “Personal Data” means any data relating to an identified or identifiable natural person, as defined under the PDPL.
3.2 “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, transfer, or deletion.
3.3 “Controller” refers to Nuvra Tech, which determines the means and purpose of Processing.
3.4 “Processor” means any natural or legal person engaged by the Company to Process Personal Data on its behalf.
3.5 “Retention Period” means the duration for which Personal Data is stored before being securely deleted or anonymized.
3.6 “Anonymization” means the irreversible removal of identifying elements from data such that a person cannot be identified.
All Personal Data shall be Processed in accordance with the following principles:
4.1 Lawfulness, Fairness, and Transparency
Processing must be grounded on a lawful basis and carried out in a transparent manner.
4.2 Purpose Limitation
Personal Data shall be collected strictly for legitimate, explicit, and specified purposes.
4.3 Data Minimization
Processing is limited to the minimum level of data necessary for operational, contractual, or legal requirements.
4.4 Accuracy
Data shall be kept accurate, complete, and up to date where relevant.
4.5 Storage Limitation
Personal Data shall not be retained longer than necessary for the purposes for which it was collected.
4.6 Integrity and Confidentiality
Data shall be safeguarded using appropriate technical and organizational measures.
4.7 Accountability
Nuvra Tech shall maintain documentation demonstrating compliance with PDPL requirements.
Nuvra Tech Processes the following categories of Personal Data:
Processing shall occur under one or more of the lawful bases permitted by PDPL:
6.1 Explicit consent from the User.
6.2 Contractual necessity for delivering the Services.
6.3 Compliance with legal or regulatory obligations.
6.4 Protection of public interest or national security (where applicable).
6.5 Legitimate interests pursued by the Company, provided User rights are not overridden.
The Company undertakes the following categories of Processing:
7.1 Account and Subscription Management
Including identity verification, authentication, allocation of credits/tokens, and subscription administration.
7.2 System Operations and Service Delivery
Running software models, executing workloads, providing AI-generated outputs, and maintaining platform functionality.
7.3 Analytics and Product Development
Aggregated and anonymized data may be used for platform improvements, bug identification, and enhancement of algorithms.
7.4 Security and Fraud Detection
Data is Processed to detect unauthorized access, enforce cybersecurity measures, and comply with Cybercrime Law.
7.5 Payment Processing
Payments are conducted through PCI-certified third-party processors; financial data is not stored by the Company.
7.6 Customer Support
Personal Data is Processed to respond to queries, technical issues, and compliance-related requests.
7.7 Legal Compliance
Personal Data may be Processed to satisfy obligations under UAE law, regulatory orders, or judicial directives.
Retention periods are based on:
Retention periods are defined as:
8.1 Identity & Account Data
Retained for the duration of the User relationship and 7 years thereafter, consistent with UAE commercial record-keeping requirements.
8.2 Authentication Logs and Security Data
Retained for 12 to 24 months to investigate incidents and ensure cybersecurity compliance.
8.3 Billing Records
Retained for 7 years to comply with UAE tax and financial record obligations.
8.4 User Inputs and AI Outputs
Retained for the duration of the User account unless manually deleted by the User.
8.5 Analytics and Service Data
Retained for up to 24 months, anonymized where feasible.
8.6 Logs, Backups, and System Snapshots
Retained for 90 to 180 days depending on storage architecture and redundancy requirements.
8.7 Deleted User Accounts
Upon account deletion:
Personal Data is removed or anonymized within 30–60 days, except where retention is mandated by law.
When Personal Data reaches the end of its Retention Period:
9.1 The data shall be securely deleted, anonymized, or archived in compliance with PDPL.
9.2 Deletion methods include:
9.3 Users may submit deletion requests via: privacy@nuvra.agency
9.4 Certain data may be retained where required by UAE Federal Law or for dispute resolution purposes.
Where Nuvra Tech engages third-party Processors:
10.1 A written Data Processing Agreement (“DPA”) shall be executed in accordance with PDPL Article 20.
10.2 Processors must implement adequate security measures and process Personal Data only in accordance with Company instructions.
10.3 Processors may not subcontract processing activities without prior written authorization.
10.4 The Company conducts periodic assessments of Processors to ensure compliance.
Personal Data may be transferred outside the UAE only under conditions permitted by PDPL:
11.1 The destination country must have adequate legal protections; or
11.2 Appropriate contractual safeguards must be implemented; or
11.3 The User provides explicit consent; or
11.4 Transfer is necessary for contract performance; or
11.5 Transfer is required for public interest or legal compliance.
All cross-border transfers are documented and subject to risk assessment.
Nuvra Tech shall implement robust technical and organizational measures including:
13.1 A Personal Data breach shall be assessed promptly to determine severity and impact.
13.2 Where a breach exposes Personal Data and risks User harm, the Company shall notify:
in accordance with PDPL Articles 9 and 10.
13.3 Notifications shall detail:
Users may exercise the following rights under PDPL:
Requests shall be submitted to: dpo@nuvra.agency
Nuvra Tech shall respond within statutory timelines.
15.1 The Company maintains documented evidence of PDPL compliance.
15.2 Internal audits and risk assessments shall be conducted periodically.
15.3 Employees and contractors with access to Personal Data shall be bound by confidentiality obligations and shall undergo compliance training.
This Policy is governed by:
Nuvra Tech reserves the right to revise this Policy at any time to reflect legal, regulatory, or operational changes.
Updates will be published with a revised Effective Date.
For inquiries or concerns relating to this Policy:
Nuvra Limited
Masdar City Free Zone
Abu Dhabi, United Arab Emirates
Nuvra is a software creation ecosystem combining AI-Powered self-serve building with expert-led development.
Built for MENAT. Ready for Global Scale.
Products
Solutions & Resources
Copyright 2026 Nuvra Limited