Summary
In one paragraph. Scinops AI is an enterprise AI advisory based in the UAE. We collect the personal data you give us (your name, work email, company details, what you tell us in the assessment) and a small amount of technical data needed to run the service. We use that data to provide you with the assessment, the deep-analysis report and the related communications you opt into — and for nothing else without your permission.
We store production data in AWS me-central-1 (UAE). We never sell personal data, and we never use customer data to train AI models. You have the full set of UAE PDPL rights described below, and you can exercise any of them by writing to privacy@scinops.ai.
Who we are
Scinops AI (“Scinops”, “we”, “us”) is the data controller for the personal data processed through this website and our services, unless we are processing the data on behalf of a customer under a Data Processing Agreement — in which case the customer is the controller and we act as a processor.
| Field | Detail |
|---|---|
| Legal entity | Scinops AI |
| Registered office | United Arab Emirates |
| Contact email | hello@scinops.ai |
| Data Protection Officer | privacy@scinops.ai |
| Supervisory authority | UAE Data Office |
Personal data we collect
You give us, directly
- Identifiers — name, work email, role, company name and country.
- Assessment answers — operational profile of your firm, data maturity, compliance posture and sector specifics.
- Contact / sales enquiries — message content, preferred channel (email, WhatsApp, call).
- Payment metadata — billing name, country and last four digits of the card (full card data is handled by Stripe).
We collect automatically
- Authentication events — sign-in time, source IP and user-agent for security purposes.
- Technical logs — request paths, error codes and performance traces, with identifiers redacted where possible.
- Cookie / device data — see the Cookies section below.
We receive from third parties
- OAuth identity providers (if you sign in with one) — your name, email and a stable provider-side identifier.
- Stripe — payment status, dispute notifications and signed webhook events for the subscriptions you take out with us.
How we use personal data
| Purpose | Categories used | Lawful basis (PDPL) |
|---|---|---|
| Run the assessment and generate the deep-analysis report | Identifiers, assessment answers, technical logs | Performance of a contract |
| Bill subscriptions and one-off purchases | Identifiers, payment metadata | Performance of a contract |
| Respond to enquiries and provide support | Identifiers, message content | Performance of a contract / legitimate interest |
| Detect, prevent and investigate abuse, fraud and security incidents | Authentication events, technical logs | Legitimate interest / legal obligation |
| Send service emails (account, report-ready, security) | Identifiers, account metadata | Performance of a contract |
| Send marketing emails (newsletter, product updates) | Identifiers | Consent — withdrawable at any time |
| Comply with applicable laws and regulatory requests | As required | Legal obligation |
| Improve the product using aggregated, anonymised statistics | Aggregated only — no individual identification | Legitimate interest |
Lawful basis for processing
We rely on the lawful bases set out in PDPL Articles 4 and 5: performance of a contract, legitimate interest, consent, legal obligation and, where relevant, the protection of vital interests or the performance of a public-interest task. Where we rely on legitimate interest, we conduct and document a balancing test before doing so and we will share the assessment on request.
International transfers
Where personal data leaves the UAE — for example, an LLM call routed through our default inference mode — we rely on PDPL Article 22 and the safeguards we have in place with the relevant sub-processor, combined with strict purpose limitation. Customers who require zero cross-border transfer can opt into our in-region inference mode at no extra cost; write to privacy@scinops.ai for the detailed breakdown.
Your rights under PDPL
Under UAE PDPL you have the following rights, regardless of where you are based:
- Information — to know what data we hold about you and why.
- Access — to receive a copy of your personal data.
- Rectification — to correct inaccurate or incomplete data.
- Erasure — to have your data deleted, subject to retention obligations. You can submit a deletion request online.
- Restriction — to limit how we use your data while a complaint is investigated.
- Portability — to receive your data in a structured, commonly used format.
- Objection — including to direct marketing and to legitimate-interest processing.
- Automated decisions — to require human review of decisions made solely by automated means that produce legal or similarly significant effects (see the AI section below).
- Complain — to the UAE Data Office if you believe we have not handled your data correctly.
To exercise any of these rights, use our data subject request form or write to privacy@scinops.ai. We will verify your identity and respond within 30 days; we can extend this once by a further 30 days for complex requests and will tell you if we do.
Retention periods
| Category | Retention |
|---|---|
| Account & assessment data | Active life of the account |
| Generated reports (PDF & dashboard) | 24 months by default; shorter on request |
| Payment & invoicing records | 7 years for tax and accounting purposes |
| Audit and security logs | ≥ 365 days |
| Marketing consent records | Until withdrawn + 24 months |
When you close your account, we delete personal data within 30 days and remove copies from backups within a further 60 days, except where we are legally required to retain specific records (invoices, tax filings) for longer.
Automated decisions & AI
The Scinops AI assessment and deep-analysis report involve automated processing of the answers you provide. The output is an advisory document: it informs the decisions you and your team make; it does not by itself produce a legal or similarly significant effect on any individual. A named human at Scinops can review any report on request, and our internal AI-governance controls — model selection, evaluation, human oversight and the no-training commitment below — are documented in detail and shared with enterprise customers as part of procurement.
Security
We protect personal data with industry-standard controls: encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access with mandatory multi-factor authentication, continuous monitoring with anomaly alerting and a documented incident-response plan. In the unlikely event of a personal data breach affecting your information, we will notify you and the UAE Data Office in line with PDPL Article 9 — without undue delay and in any case within 72 hours of confirming impact. A detailed security control summary is available to enterprise customers on request.
Children
The Scinops AI service is intended for business users and is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18; if you believe a child has provided personal data to us, please contact privacy@scinops.ai and we will delete it promptly.
Changes to this notice
We update this notice when our practices change. Material changes are highlighted at the top of the page for at least 30 days and, where appropriate, notified by email. The current version number and last-updated date are shown in the header.
Contact our Data Protection Officer
For any privacy question, request or complaint, write to our DPO at privacy@scinops.ai. If you are not satisfied with our response, you may also lodge a complaint with the UAE Data Office.