Legal
Privacy Policy
What we collect, why, how we protect it, and the rights you keep over it.
1. Who we are
BizBuy (the "Platform", "we", "us") is a neutral online marketplace connecting buyers and sellers of operating businesses in the GCC. For the purposes of UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and DIFC Data Protection Law No. 5 of 2020 (where applicable), we are the Data Controller of the personal data we collect through the Platform.
Contact for any privacy matter: privacy@bizbuy.ae.
2. The personal data we collect
2.1 Account & contact data
- Email address
- WhatsApp number and (optionally) phone number
- Password (stored only as a one-way hash — we never see your plaintext password)
- First name and family name (after KYC)
- Country of residence
2.2 Identity-verification (KYC) data
- Scanned image of your passport and/or Emirates ID
- Fields extracted from those documents: full legal name, date of birth, nationality, document number, expiry date, document type
- Buyer/seller bio: current role, companies owned, sectors of interest, current city, LinkedIn URL, maximum budget
2.3 Listing & transaction data
- Business listings you create (financial figures, descriptions, photos)
- Documents you upload to support a listing (e.g. P&L, trade licence, audited statements)
- Engagement records with agents, NBOs, SPAs, and exclusivity agreements
2.4 Usage & technical data
- Pages visited, searches run, listings viewed
- Conversation metadata (timestamps, parties, status) — not message bodies
- IP address, browser, device, locale, and time zone
2.5 Consent & legal-action records
To evidence the agreements you enter through the Platform, we keep a record of certain legally significant actions — when you accept these Terms or this Privacy Policy, give KYC consent, sign a confidentiality agreement (NDA), or accept a Non-Binding Offer or Share Purchase Agreement. Each record captures the date and time, the version of the document or terms you agreed to, your IP address, and your browser/device details, together with a tamper-evident snapshot of exactly what was agreed. These records are encrypted at rest and are used only to demonstrate that the action took place and on what terms.
3. Why we collect it — and our lawful basis
We process your personal data on the following bases, per UAE PDPL Art. 4–5:
- Your consent — for KYC document processing, automated extraction of identity fields via a third-party AI provider, and cross-border transfers of your data (see §5 and §6 below).
- Performance of the contract — to provide the marketplace services you signed up for, including account access, listing publication, messaging, and engagement workflows.
- Compliance with legal obligations — including any applicable anti-money-laundering (AML) and counter-terrorism financing (CFT) record-keeping under UAE Federal Decree-Law No. 20 of 2018 and its implementing regulations.
- Legitimate interests — for platform security, fraud prevention, abuse moderation, evidencing the agreements you enter through the Platform (see §2.5), and improving the service, balanced against your rights and interests.
4. Automated processing of identity documents
When you upload a passport or Emirates ID for KYC, the image is sent to Google LLC via the Google Cloud / Vertex AI Gemini API to extract structured fields (name, date of birth, nationality, document number, expiry, document type). This processing is governed by the Google Cloud Data Processing Addendum, which prohibits Google from using your data to train their models and binds Google to processor-style obligations.
You can object to automated processing of your identity document and request a manual human review instead — email privacy@bizbuy.ae.
5. Who we share your data with
We share your personal data only with the following categories of recipients:
- Our cloud infrastructure provider: Railway — hosts the application, the PostgreSQL database, and uploaded files (all personal data at rest), under a Data Processing Addendum.
- Our AI sub-processor for KYC extraction: Google LLC (Google Cloud / Vertex AI Gemini API), under the Google Cloud DPA.
- Our transactional-email provider: Resend — sends account-verification links and service notifications; it processes your email address and the contents of those emails.
- Other Platform users: limited to information you explicitly publish (your listing details) or that the Platform's stage-based visibility model unlocks at each step (e.g., a verified buyer who reaches due-diligence stage may see seller financial documents).
- Agents in the directory: if you engage an agent, the agent receives the contact details and engagement scope you authorise.
- Competent authorities: regulators, courts, and law enforcement when required by applicable law, court order, or to comply with our AML/CFT obligations.
- Professional advisors: our auditors, lawyers, and insurers, under confidentiality obligations.
We do not sell your personal data to any third party, and we do not push your identity-document images or document numbers to external CRMs (including HubSpot). Only your contact-level fields (name, email, lead stage) may be synchronised with our CRM for customer-relationship purposes.
6. International data transfers
Some of our sub-processors (notably Google LLC, Railway, and Resend) operate from data centres outside the United Arab Emirates. By signing up and ticking the consent box presented at registration, you provide explicit consent under UAE PDPL Art. 22(2) for the transfer of your personal data to those jurisdictions for the purposes described in this Policy.
We require each recipient to be bound by appropriate contractual safeguards (data processing addenda, standard contractual clauses, or equivalent) and to apply technical and organisational measures comparable to those required under UAE PDPL.
7. How long we keep your data
- While your account is active: we retain your account, KYC, listing, and engagement data.
- After you close your account: we delete or anonymise your personal data within thirty (30) days, except where retention is required by law (see below) or where data has been irreversibly anonymised for analytics.
- AML/CFT retention: where Federal Decree-Law No. 20 of 2018 or equivalent law requires it, we retain KYC and transaction records for the minimum period required (typically five years from account closure or the last transaction).
- Consent & agreement records: the records evidencing your consents and the offers/agreements you signed (§2.5) are retained for the life of the related deal and any applicable limitation or dispute period, even after account closure, so they remain available if a dispute arises.
- Backups: encrypted backups are rotated; data may persist in backups for up to ninety (90) days after deletion in production.
8. How we protect your data
- TLS/HTTPS encryption for all data in transit.
- Application-level encryption of sensitive personal data: identity-document fields, financial figures, and message/offer content are individually encrypted with AES-256-GCM before storage, in addition to disk-level encryption at rest. Even fields we must be able to search (such as your email) are stored encrypted, matched through a separate keyed index rather than the plaintext value.
- Passwords stored only as bcrypt hashes; session and password-reset tokens stored only as hashes.
- Role-based access controls, and audit logging of access to and downloads of sensitive documents (identity, due-diligence, and proof-of-funds files).
- Automated redaction of personal data and secrets from our operational logs.
- Vendor due diligence and Data Processing Addenda with our sub-processors.
- Incident-response procedures and notification to affected users and the UAE Data Office as required by law.
Our security practices are designed to follow recognised industry guidance — including the OWASP Top 10 and OWASP API Security Top 10 for application-security risks, and the data-protection principles of the UAE PDPL and DIFC Data Protection Law. We do not currently hold a formal third-party certification (such as ISO 27001 or SOC 2); the measures above describe the controls we apply, not a certification.
9. Your rights
Subject to UAE PDPL, DIFC DP Law, KSA PDPL, and any other applicable law, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data (subject to AML/legal retention obligations)
- Restrict or object to certain processing activities
- Withdraw consent at any time (without affecting the lawfulness of processing before withdrawal)
- Data portability — receive your data in a structured, machine-readable format
- Lodge a complaint with the UAE Data Office, the DIFC Commissioner of Data Protection, or the Saudi Data & AI Authority (SDAIA), as applicable to your residence.
To exercise any of these rights, email privacy@bizbuy.ae. We will respond within thirty (30) days.
10. Cookies and tracking
We use strictly necessary cookies to keep you logged in and to remember your locale and theme preferences. We do not use third-party advertising cookies. Where we use analytics cookies to understand aggregate usage, we anonymise or pseudonymise the data and seek your consent where required.
11. Children
The Platform is not directed to anyone under the age of 18, and we do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us immediately so we can delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to you by email or in-app notice before they take effect, and continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
13. Contact
Data Protection contact: privacy@bizbuy.ae
Legal / general: legal@bizbuy.ae
Effective date: pending public launch. Last updated: 2026-07-09.