TALK TO US FundOS — Privacy Policy
1. Introduction
This Privacy Policy explains how we process Personal Data under the DIFC Data Protection Law 2020 (“DIFC DPL 2020”) and, where applicable, the UAE Federal Personal Data Protection Law (“PDPL”).
We implement technical and organisational measures to protect Personal Data in accordance with these laws.
AI Processing Notice: We use Autonomous Systems to support document analysis, entity extraction, risk scoring, and related tasks. We apply fairness, transparency, security, and accountability principles and maintain proportionate testing and evaluation records. We disclose the use of AI to affected users and describe the general logic classes and material limitations.
Where FundOS processes Customer Content, the Customer (as Controller) is responsible for surfacing required notices to Data Subjects.
2. Data We Process
- Data you provide — such as contact details, account information, support requests, or files uploaded to FundOS.
- Automatically collected data — device and browser details, logs, and telemetry.
- Customer Content — including case files, KYC/AML documents, and corporate or financial metadata provided by Customers.
- We do not intentionally collect special-category data unless explicitly provided with a lawful basis.
3. Purposes and Legal Bases
- Provide, secure, and support the Services — (contract).
- Improve and develop features, analytics, troubleshooting — (legitimate interests).
- Marketing and communications — (consent or legitimate interests, as applicable).
- AI Legal Bases — We rely on contract and legitimate interests to operate and improve AI features. Where a Customer is Controller, the Customer determines the lawful basis for AI applied to Customer Content.
4. Automated Processing; Profiling; Human Review
Decision Support by Default: Outputs generated by FundOS assist human users. We do not, as Controller, make decisions that produce legal or similarly significant effects on individuals.
Customer Decisions: Where Customers configure automated decisioning in their workflows, they act as Controllers and are responsible for notices, DPIAs, and human-review mechanisms. We will assist per the DPA.
6. International Transfers
Personal Data may be transferred outside the DIFC. Such transfers are protected by lawful transfer mechanisms and risk assessments where required.
7. Security
We maintain encryption, access controls, logging, vulnerability management, and incident response procedures.
AI Security: We deploy prompt-injection defenses, output filters, adversarial testing, allow-lists, and drift/abuse monitoring to ensure AI system integrity.
8. Data Retention
We retain Personal Data for as long as necessary to fulfil the purposes for which it was collected or as required by law, after which it is deleted or anonymised.
9. Your Rights
- Access, rectification, erasure, restriction, objection, and portability (subject to legal limits).
- Requests regarding Customer Content should be sent to the relevant Customer (Controller).
- Complaints may be made to the DIFC Commissioner of Data Protection.
- For automated decisions with legal or similar effects, you may obtain human review, express your views, and contest such decisions — directed to the Controller, with our assistance as Processor.
10. Children
The Services are intended for business use and are not directed to individuals under 18 years old. We do not knowingly collect their Personal Data.
11. AI Governance & Contact
We maintain AI governance proportionate to risk, including bias and accuracy testing, output logging, model versioning, evaluation summaries, and change management.
For questions, contact: privacy@klub.ai
Related Documents
- Terms & Conditions (terms)
- Sub-processor Register (sub-processors)
- Cookie Notice (cookies)
- Security Overview (security)
