Privacy Policy
Effective Date: June 2, 2026 • Jurisdiction: United Arab Emirates (UAE PDPL Compliant) • Document Ref: KP-PP-2026-V1
REGULATORY DATA COMPLIANCE NOTICE
This Master Privacy Policy outlines the explicit protocols, governance vectors, and security controls enforced by KanzPay regarding the compilation, processing, retention, protection, and systematic cross-border transfer of personal and corporate data. Part I sets forth the policy governing Buyers. Part II sets forth the policy governing Business Entities (Business Partners). Part III details the Common Data Security and Governance Provisions applicable across the entire system matrix. KanzPay operates strictly as an AI Commerce Operating System providing commerce technology integration; all regulated financial and payment services are executed independently by licensed payment providers.
PART I: BUYER DATA PROTECTION POLICY
Categorization of Collected Personal Data
- Identity & Verification Records: Legal name, date of birth, nationality, residential address, biometric descriptors (where enabled for facial validation verification), and certified government identification records (e.g., Emirates ID, passport copies) processed in coordination with licensed providers.
- Contact Architecture: Valid mobile phone numbers, registered email addresses, and dynamic messaging handles.
- Financial Telemetry & Commerce Interactions: Linked bank account tokens, credit or debit card primary account markers, transactional volume tallies, and underlying interaction records utilizing open banking channels. Note: These vectors are captured strictly to facilitate secure payment handover to a licensed payment provider; KanzPay does not execute payments or store credentials such as PINs or CVVs.
- Loyalty Metrics & Gold Allocations: Accrued Gold Rewards, transaction histories linked to participating Business Partners, and Gold Allocation transaction records managed by our authorized gold partner, SafeGold.
- Device Telemetry & Geolocation Data: Internet Protocol (IP) address nodes, unique device identifiers (IMEI, MAC addresses), hardware operating system configurations, application performance logs, and real-time Global Positioning System (GPS) spatial coordinates.
Purpose and Legal Basis for Processing
- Contractual Execution: To provision the buyer profile architecture, coordinate real-time secure payment handover to licensed payment providers, and compute loyalty balance matrices native to the AI Commerce Operating System.
- Statutory & Regulatory Obligations: To assist in compliance with federal Anti-Money Laundering (AML) legislations and Counter-Terrorism Financing (CTF) rules, supporting frameworks where licensed providers independently complete KYC/AML obligations.
- Legitimate Commercial Interests: To detect, neutralize, and mitigate systemic fraud, collusive cash-farming loops, or hardware-based system manipulation.
- Explicit User Consent: To authorize tailored product placements, marketing communication cycles, and customer retention triggers configured via the AI Commerce Operating System and its integrated AI Commerce Agent (K-ACE).
Cross-Border Sharing and Third-Party Disclosures
- Licensed Payment Providers and regulated financial institutions responsible for payment authentication, execution, and settlement during a secure payment handover.
- SafeGold, our specialist authorized digital gold provider, responsible for gold allocation, custody, and redemption pathways for Gold Rewards.
- Governmental entities, judicial registries, and federal financial regulatory frameworks when served with a valid disclosure command, subpoena, or statutory inquiry.
- Internal cloud server farms, storage infrastructure architectures, and data computation suites executing background algorithmic sync routines.
Temporal Retention Limits
KanzPay retains the personal data of Buyers for the duration required to satisfy the functional commercial purposes outlined in this document. Notwithstanding the deactivation or requested termination of a Buyer's account, KanzPay is legally mandated to preserve a master archive of the Buyer's transactional ledger, identity verifications, and compliance logs for a mandatory minimum retention timeline of five (5) to ten (10) fiscal years, in absolute alignment with federal UAE financial crime prevention legislation.
Statutory Data Rights of the Buyer
- The right to request comprehensive visibility and structured access to the personal data files held within the KanzPay active registry.
- The right to demand swift remediation or correction of erroneous, incomplete, outdated, or misaligned personal data.
- The right to request data erasure ("the right to be forgotten"), subject to the understanding that KanzPay shall reject such requests if the data must be retained to fulfill overriding statutory financial, anti-fraud, or legal defense mandates.
- The right to object to automated data processing profiling or targeted behavioral marketing streams.
- To invoke these statutory rights, the Buyer must initiate an official verification ticket with the Data Protection Officer via email at dpo@kanzpay.com.
PART II: BUSINESS ENTITY (BUSINESS PARTNER) DATA PROTECTION POLICY
Scope of Corporate and Employee Information Compiled
- Corporate Registries & Trade Licenses: Registered trade name, incorporation history, corporate registry numbering, tax registration verification certificates (TRN), physical retail coordinates, and structural operational profiles.
- Ultimate Beneficial Ownership (UBO) & Key Person Data: Legal names, identity passport frameworks, localized residency permits, and ownership percentage matrices of all beneficial owners holding equity thresholds exceeding 5%.
- Financial Channel Parameters: Commercial corporate banking accounts, IBAN details, past historical chargeback trends, daily transactional velocity ceilings, and automated reconciliation files mapped to licensed providers.
- Dashboard Technical Telemetry: System login credentials utilized by authorized personnel, administrative action timestamps, IP networks used to access the Business Workspace, and operational configurations executed via external API keys or the K-ACE interface.
Operational Objectives of Business Entity Data Processing
- Know Your Business (KYB) Validation: To execute comprehensive corporate background monitoring, credit risk calculations, and financial sanity evaluations, enabling licensed providers to independently complete verification profiles.
- Platform Costing & Automated Direct Debiting: To manage, calculate, and invoice subscription plans, transaction commission deductions, and automated direct debit routines from linked commercial bank lines.
- AI-Driven Business Intelligence Modeling: To power the AI Commerce Agent (K-ACE) for learning ERP/POS layouts, inventory intelligence, and cash flow forecasting within the dashboard.
- Financial Product Routing: To cross-reference anonymous aggregated volume traits against underwriting requirements from third-party lending institutions, routing optimal credit or insurance product matching recommendations to the Business Workspace.
Confidentiality and Commercial Metric Protections
KanzPay handles the Business Entity's metrics, pricing indices, and volume tallies with commercial confidentiality. KanzPay explicitly covenants that it shall not sell, license, lease, or distribute proprietary, non-anonymized transaction patterns or pricing models to direct commercial competitors of the Business Entity. However, the Business Entity grants KanzPay a perpetual, royalty-free, irrevocable license to aggregate, anonymize, and compile transactional data into macroscopic sector reports, platform analytical models, and public-facing system performance charts.
Business Entity Marketing Data Restrictions
When a Business Entity leverages the integrated marketing dashboard to launch customer win-back models or distribute promotional notices, the Business Entity acts as the primary Data Controller, and KanzPay acts as the Data Processor regarding the targeted consumer list. The Business Entity represents and warrants that it possesses explicit, legally verifiable consumer consent to execute such marketing interactions. The Business Entity shall indemnify KanzPay against any regulatory actions, consumer class actions, or fines levied due to non-compliant marketing practices executed via the AI Commerce Operating System infrastructure.
KYB Audit Logs and Statutory Retention Obligations
Corporate profile documentation, commercial verification records, financial accounting parameters, and API/K-ACE integration audit metrics shall be retained by KanzPay for an enduring tenure mirroring the lifecycle of the active commercial contract. Following the absolute termination of the business relationship, KanzPay shall maintain all corporate archival files, KYB history, and settlement invoices for a continuous window of ten (10) fiscal years, to ensure strict compliance with institutional banking policies, corporate taxation statutes, and federal financial audit protocols of the United Arab Emirates.
PART III: COMMON DATA SECURITY AND GOVERNANCE PROVISIONS
Data Security Mechanisms and Cryptographic Controls
- The implementation of Advanced Encryption Standard protocols with 256-bit keys (AES-256) for all static data stores, ledger configurations, and compliance archives.
- The deployment of Transport Layer Security frameworks (TLS 1.3) for all active data-in-transit configurations between mobile applications, business terminals, open banking APIs, and backend hosting nodes.
- The separation of databases utilizing restricted-access microservices, protected by automated next-generation network firewalls and continuous intrusion detection suites.
- The execution of periodic, third-party vulnerability audits, ethical black-box penetration testing, and structural code reviews to secure API and ERP/POS integrations.
Cross-Border Data Transfers
To guarantee operational uptime, high availability, and structural system redundancy, KanzPay may replicate and process encrypted data sets within regional and international data storage centers. If personal data compiled inside the United Arab Emirates is transferred to external computing nodes located beyond the geographic boundaries of the state, KanzPay ensures that such cross-border transfers align with the formal adequacy provisions set forth by local data regulators, or are protected by binding corporate rules, standard contractual data protection clauses, and end-to-end cryptographic shielding.
Incident Response and Breach Notification Frameworks
- KanzPay shall immediately deploy containment countermeasures, isolate affected server infrastructure, and initiate forensic technical reviews.
- KanzPay shall notify the competent federal UAE data protection regulatory bodies within the statutory timelines mandated by the UAE PDPL after confirming the breach.
- If the personal data breach is calculated to present a high risk to the financial security, personal identity, or privacy of individual users, KanzPay shall dispatch electronic security notices directly to the affected Buyers and Business Entities without undue delay, advising on mitigation strategies, such as mandatory credential resets or multi-factor authentication upgrades.
Algorithmic Processing and Autonomous AI Limitations
The KanzPay system utilizes integrated artificial intelligence modeling—including the K-ACE AI Commerce Agent—to extract business trends, understand approved screen layouts via consent-based observation, and generate automated consumer reward weights for Gold Rewards. All Users (Buyers and Business Entities) recognize that these algorithmic procedures rely entirely on computerized analytical processing of metadata. KanzPay maintains robust internal bias testing and compliance review layers to prevent discriminatory profiles or erroneous analytical conclusions. No automated financial decision is generated without human legal supervision capability, and any suspected automated calculation anomalies may be formally submitted for human-led compliance review.
Revisions, Updates, and Policy Primacy
KanzPay reserves the right to amend this Master Privacy Policy at its sole convenience to mirror regulatory additions, structural compliance refinements, or modifications in the core applications software architecture. Notice of major revisions shall be distributed via the Business Workspace or through mobile application push screens. The updated version takes legal effect from the precise moment it is published on the network. This document maintains legal primacy over any localized privacy parameters, marketing brochures, or technical onboarding documentation.
Consent Affirmation and Executive Acknowledgment
By activating a Buyer profile, logging into the Business Workspace, or integrating the platform's open banking commerce APIs, the User confirms they have read this Master Privacy Policy, understood its structural processing tracks, and granted explicit, lawful consent for KanzPay to manage personal and commercial metadata in accordance with these standards.
For questions regarding this Privacy Policy, please contact the Data Protection Officer at dpo@kanzpay.com