Privacy Policy

How we collect, use, store, share, and protect your personal information across our platform and mobile applications.

Last updated: March 2, 2026

IMPORTANT: Mosaik Tech DMCC ("Mosaik", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (mosaik.technology), iOS application, Android application, and related services (collectively, the "Platform"). This policy complies with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and takes into account the requirements of other applicable data protection frameworks including the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA") where applicable. Please read this policy carefully. By using the Platform, you consent to the data practices described in this policy.

1. Information We Collect

We collect information that you provide directly, information collected automatically when you use the Platform, and information from third-party sources. Below is a comprehensive description of each category.

1.1 Personal Identification Data

Information you provide when creating your account and during onboarding:

  • Full legal name (first name, last name)
  • Email address
  • Phone number
  • Date of birth
  • Nationality
  • Country of residence
  • Residential address (street, city, postal code, country)
  • Profile photo / avatar (uploaded to our storage services)

1.2 Identity Verification (KYC) Data

Collected during mandatory Know Your Customer verification through our third-party provider, Sumsub:

  • Government-issued identity documents (passport, national ID, driver's license) — images and extracted data
  • Facial biometric data: selfie photographs and liveness verification video used for face-matching against your identity document (processed by Sumsub)
  • Emirates ID number (format: 784-YYYY-NNNNNNN-N)
  • KYC applicant reference ID, verification status, and verification timestamps
  • Politically Exposed Person (PEP) status and, if applicable, details of the PEP relationship

Biometric Data Notice: Facial biometric data is captured by the Sumsub SDK on your device and transmitted directly to Sumsub's servers for processing. Mosaik does not directly store raw biometric data on its own servers. Sumsub processes this data as a data processor on our behalf for identity verification purposes only. Sumsub retains biometric data in accordance with its own retention policy (typically 3 years for certain jurisdictions, up to 5 years otherwise). You may request deletion of your biometric data from Sumsub through us at privacy@mosaik.ae.

1.3 Financial and Employment Data

Collected during onboarding for regulatory compliance (AML/CFT, investor suitability assessment, and VARA investor classification):

  • Employment status (employed, self-employed, student, retired, unemployed)
  • Employer name and job title
  • Industry of employment
  • Country of employment
  • Source of funds (salary, personal savings, business income, inheritance, government benefits, investments, other)
  • Annual income range (in AED)

1.4 Investment Profile Data

Collected to assess investment suitability and determine your investor classification:

  • Investment goals (wealth growth, passive income, capital preservation, diversification)
  • Risk tolerance (conservative, moderate, aggressive)
  • Investment horizon (1-3, 3-5, 5-10, 10+ years)
  • Investment experience level (none, beginner, intermediate, experienced)
  • Liquidity needs
  • Intended investment amount
  • Investor classification (retail, professional, or qualified — calculated from the above)

1.5 Transaction and Financial Records

  • Token purchase orders (listing, quantity, price per token, total amount, platform fee, status, timestamps)
  • Token sell orders and secondary market trade history
  • AED wallet balance and deposit history
  • Partial payment card information (card brand and last 4 digits — stored for your reference; full card details are handled exclusively by Stripe)
  • Rental income distribution records (amount, date, property)
  • Portfolio value history and performance snapshots
  • Investment certificates

1.6 Blockchain and Wallet Data

  • Blockchain wallet public address(es) linked to your account
  • Wallet type (currently embedded via MPC technology)
  • Trustline status per property token
  • On-chain transaction hashes
  • Token balances and holdings

Public Blockchain Notice: Wallet addresses and on-chain transactions are recorded on a public blockchain. This data is permanently visible to anyone and cannot be deleted or modified by Mosaik. Your wallet address, token holdings, and transaction history on the blockchain are publicly accessible by design of the technology.

1.7 Device and Technical Data

Collected automatically when you use our mobile applications:

  • Device identifier (iOS: identifierForVendor; Android: ANDROID_ID)
  • Device name (manufacturer and model)
  • Operating system name and version
  • App version number
  • Platform identifier (iOS or Android)
  • Firebase Cloud Messaging (FCM) push notification token
  • Network connection status

1.8 Authentication Data

Stored securely on your device (iOS Keychain / Android EncryptedSharedPreferences):

  • Session tokens (access token, refresh token) — encrypted at rest on your device
  • User ID and email associated with your session
  • Apple Sign-In user name (captured on first Apple login)
  • Web3Auth session data for embedded wallet (encrypted in device secure storage)
  • OAuth state and PKCE parameters (temporary, used during authentication flows)

1.9 AI Conversation Data

Collected when you use our AI features (Mosaik AI Chat, AI Discover, AI Market Pulse):

  • Your chat messages and natural language queries
  • AI-generated responses
  • Conversation titles and timestamps
  • AI model identifier and token usage metadata (input/output tokens per request)
  • Portfolio context data sent with AI requests (your holdings, investment goals, and risk profile may be included as context to generate personalized responses)

1.10 Notification Preferences

  • Push notification enabled/disabled status
  • Email notification preferences
  • Per-category preferences: orders, account updates, earnings, security alerts, marketing
  • Quiet hours settings and timezone preference (default: Asia/Dubai)
  • Price alert configurations (target price, direction, per listing)

1.11 Security Audit Logs (iOS only)

Stored locally on your device for security monitoring:

  • Sign-in attempts and authentication events
  • Jailbreak/root detection results
  • Certificate pinning validation results
  • Sensitive operation authorization events

These logs remain on your device only (up to 1,000 records, automatically pruned after 30 days); they are not transmitted to our servers except where needed for a security incident investigation.

1.12 UAE Pass Data (When Using UAE Pass Login)

If you authenticate using UAE Pass, the following data is retrieved from the UAE Pass identity provider:

  • Full name in English
  • Emirates ID number
  • Email address
  • Mobile phone number
  • Gender
  • Nationality
  • User type (citizen, resident, or visitor)

1.13 Information We Do Not Collect

  • We do not access your device contacts or address book
  • We do not collect health or fitness data
  • We do not record phone calls or access SMS messages
  • We do not collect your full payment card number (handled exclusively by Stripe)
  • We do not store your wallet private keys on our servers (non-custodial design)
  • Firebase Analytics data collection is disabled in our iOS application

2. Device Permissions

Our mobile applications may request the following device permissions. All permissions are requested at the time of use and can be managed through your device settings:

Camera

Used only during KYC identity verification (Sumsub SDK) for document scanning and selfie capture. The camera is not used for any other purpose. Camera hardware is listed as optional — the app functions without camera access if KYC documents are uploaded from your photo library.

Location (Android only)

Fine and coarse location may be requested on Android for the property map view (Google Maps) to center the map on your location. Location data is used locally on the device for map rendering and is not transmitted to or stored on our servers. No background location tracking occurs. iOS does not request location permissions.

Biometrics (Face ID / Touch ID / Fingerprint)

Used for authorizing sensitive operations such as transaction signing and wallet private key export. Biometric data is processed entirely on your device by the operating system — Mosaik never receives, transmits, or stores your biometric authentication data.

Push Notifications

Required for receiving real-time updates about order status, payment confirmations, token transfers, distribution payments, and security alerts. You can manage notification preferences within the app.

Photo Library (Android only)

Used for uploading your profile avatar photo and for providing KYC documents from your photo library.

Internet and Network

Required for all platform functionality. The app requires an active internet connection to function.

3. How We Use Your Information

We use the information we collect for the following purposes, each tied to a specific legal basis:

Platform Operations (Contractual Necessity)

  • Creating and managing your account
  • Processing Token purchases, sales, and transfers
  • Processing AED deposits and withdrawals via Stripe
  • Managing your wallet and blockchain transactions
  • Calculating and distributing rental income
  • Displaying your portfolio, holdings, and transaction history
  • Enabling secondary market trading
  • Generating investment certificates
  • Sending transactional notifications (order updates, payments, security alerts)

Regulatory Compliance (Legal Obligation)

  • KYC/AML identity verification and ongoing customer due diligence
  • PEP screening and sanctions list checks
  • Investor suitability assessment and classification (VARA requirements)
  • Suspicious transaction monitoring and reporting to UAE authorities
  • Maintaining records as required by UAE AML/CFT laws and VARA regulations
  • Responding to lawful requests from regulators, courts, and law enforcement
  • Tax reporting obligations

AI Features (Consent / Legitimate Interest)

  • Providing AI-powered chat assistance, property discovery, and market pulse features
  • Using your portfolio data as context to generate personalized AI responses
  • Storing conversation history to maintain continuity across chat sessions
  • Tracking AI token usage for service quality and cost management
  • Improving AI response quality and relevance over time

Security and Fraud Prevention (Legitimate Interest)

  • Detecting and preventing fraud, unauthorized access, and security threats
  • Jailbreak and root detection to protect account security (iOS)
  • Certificate pinning to prevent man-in-the-middle attacks
  • Session management and authentication token validation
  • Maintaining security audit logs on your device
  • Enforcing our Terms of Service

Service Improvement (Legitimate Interest / Consent)

  • Analyzing platform usage to improve features and user experience
  • Providing customer support and responding to inquiries
  • Sending marketing communications (only with your consent; you can opt out at any time)
  • Conducting research and development for new features

4. Information Sharing and Third-Party Processors

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share your information only as described below with specific categories of recipients:

Ctrl Alt DMCC (Regulated Partner)

Our VARA-licensed broker-dealer and token issuer. Ctrl Alt receives your identity information, investor classification, wallet addresses, and transaction data to process Token issuance, settlement, custody, order execution, and regulatory reporting. Ctrl Alt operates as a joint controller for investment-related data processing.

Sumsub (Identity Verification)

Provides KYC identity verification services. Receives and processes your government ID documents, facial biometric data (selfie, liveness video), and personal identification data. Sumsub acts as a data processor on our behalf. Sumsub states that its services comply with the GDPR and the CCPA and are aligned with FATF recommendations on customer due diligence. See Sumsub's privacy notice at sumsub.com/privacy-notice-service for details on their data handling practices.

Stripe (Payment Processing)

Processes card deposits in AED. Stripe receives your card details (entered directly into Stripe's PCI DSS Level 1 certified interface), billing information, and transaction amounts. Mosaik never handles, processes, or stores your full card number. We retain only card brand and last 4 digits for your reference. See Stripe's privacy policy at stripe.com/privacy.

Supabase (Cloud Infrastructure)

Our cloud database, authentication, file storage, and serverless function provider. Supabase stores and processes your account data, profile information, transaction records, wallet data, AI conversations, notification preferences, and uploaded files (avatars). Supabase acts as a data processor. Data is stored in Supabase's cloud infrastructure.

Firebase / Google (Push Notifications)

Firebase Cloud Messaging (FCM) delivers push notifications to your device. Firebase receives your FCM token and device metadata for notification delivery. Firebase Analytics is disabled in our iOS application. On Android, basic Firebase Analytics data may be collected automatically by the Firebase SDK.

Web3Auth (Wallet Infrastructure)

Provides MPC (multi-party computation) key infrastructure for embedded wallets. Web3Auth receives your authentication token to derive distributed key shares. Your complete private key is never transmitted to or stored by Web3Auth — it is reconstructed on your device from key shares. Web3Auth acts as a data processor for key management operations.

AI Service Providers

Our AI features are powered by third-party large language model providers, including Anthropic (Claude), OpenAI, and Google (Gemini). AI requests are proxied through our backend servers — no API keys or direct connections to AI providers exist on your device. Your chat messages and portfolio context data are transmitted to these providers for generating AI responses. AI providers may process this data according to their respective API terms.

Google Maps (Android)

Provides map rendering for the property map view on Android. Google Maps may collect device and location data in accordance with Google's privacy policy when you use the map feature.

Regulatory Authorities and Law Enforcement

We may disclose your information when required by law, regulation, court order, subpoena, or regulatory directive. This includes sharing data with VARA, Dubai Land Department, UAE Central Bank, the UAE Financial Intelligence Unit, and other competent authorities for AML/CFT compliance, suspicious transaction reporting, tax reporting, and responding to lawful data access requests.

Secondary Market Participants

When you trade on the secondary market, limited profile data (your name initials and avatar image) may be visible to other users in the trade history. Your full name, contact details, and identity documents are never disclosed to other traders. This data is limited rather than anonymous: an avatar image you upload may itself identify you, so choose it accordingly.

5. Data Security

We implement comprehensive technical and organizational measures to protect your personal information:

Encryption

  • All data in transit encrypted via HTTPS/TLS
  • Certificate pinning on critical API connections (Supabase)
  • iOS Keychain encryption for sensitive credentials
  • Android EncryptedSharedPreferences (AES-256-SIV for preference keys, AES-256-GCM for values), with the master key held in the hardware-backed Android Keystore, for tokens
  • Cloud data encrypted at rest by Supabase

Authentication and Access

  • JWT-based authentication with automatic token refresh
  • Sessions expire after 15 minutes of inactivity
  • Sensitive operations require authentication performed within the previous 5 minutes
  • Biometric verification for wallet and transaction signing
  • OAuth 2.0 with PKCE for third-party authentication flows

Device Security

  • Jailbreak and root detection (iOS)
  • Debugger detection in production builds
  • App tampering detection
  • Android backup disabled (allowBackup=false)
  • Sensitive files excluded from cloud/device backups

Non-Custodial Wallet Security

  • Private keys never stored on Mosaik servers
  • Embedded wallet keys derived via MPC (Web3Auth)
  • Private keys held in device memory only during signing
  • Keys immediately discarded after transaction
  • Biometric gate for private key export
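The Web3Auth description in Section 4 and the list above both rest on one property: a single key share held by an infrastructure provider reveals nothing about the wallet key, and the full key exists only on the device where enough shares meet. The following is an added illustration of that property, not Mosaik's or Web3Auth's code. It uses Shamir secret sharing over a prime field as a stand-in (Web3Auth's actual MPC protocol is different and proprietary), and it assumes the secp256k1 group order as the field so that secrets are the size of an ordinary blockchain private key. The last function makes the point concrete: given one share, every candidate secret is equally consistent with it.

```python
"""Added illustration (not Mosaik's or Web3Auth's code): Shamir secret
sharing as a stand-in for MPC key shares. Shows that t-of-n shares
reconstruct the key and that fewer than t shares carry no information."""

import secrets

# Assumption: the secp256k1 group order as the prime field, so secrets
# are exactly the size of a secp256k1 private key.
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares):
    """Split `secret` into n_shares points; any `threshold` of them rebuild it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    # Constant term is the secret; higher coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def reconstruct_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def consistent_partner_share(share, guessed_secret, x2):
    """For a 2-of-n split: given ONE share and ANY guessed secret, return a
    second share at x2 such that the pair reconstructs the guess. Because
    this works for every guess, one share alone reveals nothing."""
    x1, y1 = share
    if x2 in (0, x1):
        raise ValueError("x2 must differ from 0 and from the share's x")
    slope = (y1 - guessed_secret) * pow(x1, -1, PRIME) % PRIME
    return (x2, (guessed_secret + slope * x2) % PRIME)


if __name__ == "__main__":
    # Constructed sample key (not a real wallet key).
    key = secrets.randbelow(PRIME)
    device, provider, backup = split_secret(key, 2, 3)
    print("device + provider rebuild key:", reconstruct_secret([device, provider]) == key)
    # Holding only the provider share, every secret is equally plausible.
    fake = consistent_partner_share(provider, 12345, 4)
    print("provider share is consistent with secret 12345:",
          reconstruct_secret([provider, fake]) == 12345)
```

In the scheme the page describes, the device is the only place the threshold is ever met, which is why the disclosure of a provider-held share, or even the provider's full database of shares, does not by itself expose any wallet key; the corollary is that the device at signing time is the trust boundary that the jailbreak, debugger and tampering checks above are protecting.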

While we implement industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant authorities in accordance with UAE PDPL requirements and other applicable breach notification laws.

6. Data Retention

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Account profile data: retained for the duration of your account and for up to 7 years after account closure, as required by UAE AML/CFT regulations
  • KYC/identity verification records: retained for a minimum of 5 years after the end of the business relationship, as required by UAE AML/CFT law (Cabinet Decision No. 10 of 2019)
  • Transaction records (orders, deposits, distributions): retained for at least 5 years after the transaction, and up to 7 years where financial regulations or tax law require it
  • Biometric data (held by Sumsub): retained by Sumsub for 3-5 years per their retention policy and applicable law
  • AI conversation data: retained for the duration of your account. You may request deletion of specific conversations by contacting us
  • Device tokens and notification data: retained while your account is active; deleted upon account closure or device deregistration
  • Security audit logs (on-device): automatically pruned after 30 days or 1,000 records
  • Blockchain data: permanently recorded on the public blockchain and cannot be deleted by any party

When personal data is no longer required for the purposes described above or for compliance with legal obligations, we securely delete or anonymize it. Aggregated, anonymized data that cannot be used to identify you may be retained indefinitely for analytical purposes.

7. Your Rights

Under the UAE Personal Data Protection Law (PDPL) and, where applicable, the GDPR and CCPA, you have the following rights regarding your personal information:

Your Data Subject Rights

  • Right of Access: Request a copy of the personal information we hold about you, including the purposes of processing, categories of data, and recipients of your data
  • Right of Correction: Request correction of any inaccurate, incomplete, or outdated personal information
  • Right of Deletion: Request deletion of your personal information, subject to our legal obligations to retain certain data for regulatory compliance (AML/CFT, tax, VARA requirements)
  • Right to Restrict Processing: Request that we restrict the processing of your personal information in certain circumstances
  • Right to Object: Object to certain processing of your personal information, including processing for direct marketing purposes
  • Right to Data Portability: Request transfer of your personal information to another service provider in a structured, commonly used, machine-readable format
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the UAE Data Office or other relevant supervisory authority

Important limitations: Certain data cannot be deleted while you hold active investments or where retention is required by law. Blockchain data recorded on the public ledger cannot be modified or deleted by any party. KYC records must be retained for the legally mandated period regardless of deletion requests.

For California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by us and our service providers
  • Right to opt-out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your CCPA rights

To exercise any of these rights, please contact us at privacy@mosaik.ae. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may require identity verification before processing your request.

8. International Data Transfers

Your personal information may be transferred to, stored in, and processed in countries outside the United Arab Emirates. Our service providers operate infrastructure globally, and data transfers may occur to the following regions:

  • Supabase cloud infrastructure (data center locations vary)
  • Stripe payment processing (United States and global infrastructure)
  • Sumsub identity verification (processing centers in EU and other regions)
  • Firebase/Google Cloud (global infrastructure for push notification delivery)
  • Web3Auth/Torus Network (distributed node infrastructure)
  • AI service providers: Anthropic, OpenAI, Google (United States)

Where personal data is transferred outside the UAE, we ensure that appropriate safeguards are in place in accordance with UAE PDPL requirements. These safeguards may include data processing agreements with our service providers, standard contractual clauses, reliance on adequacy decisions, or other approved transfer mechanisms. All international transfers are conducted over encrypted channels (HTTPS/TLS).

For EU residents, where data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) or other GDPR-compliant transfer mechanisms to ensure adequate protection of your personal data.

9. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. The Platform involves regulated financial investment activities that are restricted to adults under UAE law. Our KYC verification process includes age verification through government-issued identity documents.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we may have collected information from a child, please contact us at privacy@mosaik.ae.

10. Cookies and Tracking Technologies

Our website (mosaik.technology) may use essential cookies required for website functionality. Our mobile applications do not use third-party advertising cookies or tracking pixels.

Firebase Analytics data collection is explicitly disabled in our iOS application. On Android, basic Firebase Analytics may collect limited usage data automatically as part of the Firebase SDK integration. We do not use cross-app or cross-site advertising trackers. We do not participate in behavioral advertising networks.

11. Data Protection Officer

Given the nature and scale of personal data processing on our Platform — including sensitive financial data, biometric data (via Sumsub), and data of UAE residents — we maintain a point of contact for data protection inquiries. For all privacy-related questions, concerns, or data subject access requests, please contact:

Data Protection Contact: privacy@mosaik.ae

We will acknowledge your inquiry within 5 business days and provide a substantive response within 30 days.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, regulatory requirements, or business operations. We will notify you of material changes by:

  • Posting the updated policy on our website and within the app
  • Updating the "Last updated" date at the top of this page
  • Sending a notification via email or push notification for material changes
  • Providing at least 30 days' notice before significant changes take effect

Your continued use of the Platform after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you should discontinue use of the Platform and contact us about account closure.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy inquiries: privacy@mosaik.ae

Legal inquiries: legal@mosaik.ae

General support: support@mosaik.ae

Entity: Mosaik Tech DMCC

Location: Dubai, United Arab Emirates

Website: mosaik.technology