How we collect, use, and protect your personal data
Issued by
Personiti FZ-LLC, Dubai Internet City Free Zone, UAE
Last updated
8 June 2026
Applies to
All individuals who register as, or act on behalf of, a Provider on the Personiti Platform
Primary framework
UAE Federal Law No. 45 of 2021 on Personal Data Protection (PDPL)
Also applicable
EU GDPR (2016/679) where Provider is EEA-based or EEA data subjects are involved
Data Controller
Personiti FZ-LLC, Dubai Internet City Free Zone, Dubai, UAE
Contact
privacy@personiti.com | www.personiti.com
About this policy. This Provider Privacy Policy describes how Personiti FZ-LLC (“Personiti”, “we”, “our”, or “us”) collects, uses, and discloses the personal data of experience providers, tour operators, activity companies, and individual guides (“Providers” or “you”) who offer Experiences on the Personiti Platform. This policy does not cover the personal data of Travellers, which is addressed in the Data Processing Addendum (Exhibit B) of the Provider Platform Agreement.
This policy has been drafted, and shall be construed, in the English language. Any translation is for reference only. In the event of inconsistency between the English language version and a translated version, the English language version prevails.
1. Controller Details
The Data Controller responsible for processing your personal data is:
Entity
Personiti FZ-LLC
Registration
In5 Tech, Dubai Internet City Free Zone, UAE
Address
Dubai Internet City, Dubai, United Arab Emirates
Website
Privacy contact
privacy@personiti.com (subject line: Data Protection Enquiry)
For the purposes of UAE Federal Law No. 45 of 2021 on Personal Data Protection (PDPL) and, where applicable, EU GDPR Article 4(7), Personiti FZ-LLC is the Data Controller for the personal data described in this policy.
2. Definitions
The following terms have the meanings set out below:
“Personal Data”: any information relating to an identified or identifiable natural person. This includes information you provide to us and information we collect about you during your interaction with Personiti. Personal data relating to a legal person or entity is not covered by this policy.
“Sensitive Personal Data”: personal data requiring enhanced protection under applicable law, including biometric data and any categories designated as sensitive under the PDPL.
“OCEAN Data”: personality profile data generated by Personiti’s Big Five (OCEAN) personality assessment. In the context of this policy, OCEAN Data refers to any personality dimension data generated or held in relation to Provider account holders who choose to complete a profile assessment.
“Platform”: the Personiti web application, mobile application, Provider Dashboard, and all associated technology operated by Personiti.
“PDPL”: UAE Federal Law No. 45 of 2021 on Personal Data Protection and its executive regulations.
“GDPR”: General Data Protection Regulation (EU) 2016/679.
“Processing”: any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
3. Personal Data We Collect
The personal data Personiti collects depends on your interactions with us, the features you use, and the jurisdiction in which you operate.
3.1 Registration and Account Creation
When you register as a Provider on the Platform, we collect the following categories of personal data:
Identity
Full name, date of birth, nationality
Contact
Email address, telephone number, business address, country of operation
Business
Company name, trade name, company registration number, UAE trade licence number or equivalent, tourism licence or activity permit details, VAT registration number (TRN)
Financial
Bank account details or other payment account information for Stripe Connected Account onboarding
Insurance
Insurer name, policy number, policy expiry date, coverage type and amount
Account
Username, password (stored in hashed form), account preferences
We use this data to establish and manage your Provider Account, to verify your eligibility to operate on the Platform, to process payments, and to comply with applicable UAE and international legal and regulatory requirements.
3.2 Identity Verification
All Providers are required to undergo identity verification as part of the onboarding process. This is carried out through Stripe’s identity verification infrastructure. During this process, the following data may be collected:
Biometric and sensitive data. Facial geometry and biometric data are sensitive personal data. Stripe will obtain your explicit consent before collecting biometric data. Personiti receives only confirmation of successful or unsuccessful identity verification. For more information, please refer to Stripe’s Identity Privacy Policy at stripe.com/privacy.
To enable Stripe to link your verification with your Personiti Provider Account, we provide Stripe with your Provider Account ID. The legal basis for this processing is compliance with applicable KYC and AML obligations (PDPL Article 4 / contractual necessity).
3.3 Communications with Personiti and the Push Notification Tool
When you contact Personiti’s operations team through the Provider Dashboard, by email, or by telephone, any communication you send or receive — including any personal data it contains — may be accessed and stored by Personiti.
The Provider Dashboard also includes a push notification tool that allows Providers to send broadcast operational announcements to all Travellers who hold a confirmed Booking for a specific Experience slot. When you use this tool, Personiti processes the content of your notification and the Experience slot it relates to. Personiti delivers the notification to the relevant Booking group on your behalf. You do not have access to individual Traveller contact details through this tool. Personiti may review push notification content to ensure compliance with the Provider Platform Agreement. This processing is based on contractual necessity (PDPL Article 4 / GDPR Article 6(1)(b)).
We process communications with Providers for the following purposes:
3.4 Provider Support Services
When you contact Personiti for support — by email, through the Provider Dashboard, or by telephone — we collect and retain:
This data is used solely to provide support services and to maintain a record of Provider interactions for quality, compliance, and dispute resolution purposes.
3.5 Payment Processing
In order to process payments on your behalf, Personiti uses Stripe Connect as its payment infrastructure. The following financial data is shared with Stripe to operate your Stripe Connected Account:
Stripe processes this data as an independent data controller for KYC and payment infrastructure purposes, and as a data processor acting on Personiti’s instruction for payment facilitation. Please refer to Stripe’s Privacy Policy at stripe.com/privacy for information on how Stripe handles your personal data.
3.6 Platform Usage Data
When you use the Provider Dashboard and Platform tools, we automatically collect certain usage and technical data:
This data is processed to ensure Platform security, diagnose technical issues, improve Platform functionality, and detect unusual account activity that may indicate unauthorised access.
3.7 Experience Listing Data
When you create Experience Listings on the Platform, you provide content including descriptions, photographs, videos, pricing, availability, and logistical information. Where Experience Listing content is associated with an identified individual (for example, a personal guide profile with a photograph and biography), this constitutes personal data and is processed in accordance with this policy.
3.8 OCEAN Profile and Session Filter Data
Where Provider account holders or individuals within the Provider team choose to complete Personiti’s Big Five (OCEAN) personality assessment, Personiti collects the following data:
Stable by design. An OCEAN profile generated for a Provider account holder is stable, it does not change automatically based on Platform behaviour or usage patterns. It is updated only if the individual actively chooses to retake the assessment. This approach is intentional: the OCEAN profile represents personality preferences at the time of assessment, not browsing or booking behaviour.
Completion of the OCEAN assessment by Provider personnel is entirely optional. Where completed, the data is processed with the individual’s explicit consent (PDPL Art. 4 / GDPR Art. 6(1)(a)). Personiti applies enhanced privacy protections to OCEAN profile data due to its personal and personality-realted nature.
Session filter data. When Provider account holders search the Platform or use the Traveller-facing features, session-specific filter data is generated. This includes destination selections, travel dates, budget ranges, group size, and interest category selections. This data is temporary: it is used to process the specific search request and is not stored as part of the individual’s permanent profile. It is not used to modify any OCEAN profile and is not retained beyond the session.
3.9 Marketing and Survey Data
With your consent, or on the basis of our legitimate interests in promoting the Platform and keeping Providers informed, Personiti may contact you with:
You may opt out of marketing communications at any time by clicking “unsubscribe” in any email or by contacting privacy@personiti.com. Opting out of marketing does not affect operational communications required to manage your Provider Account and Bookings.
4. Lawful Basis for Processing
Under the PDPL and GDPR, all processing of personal data must be based on a valid lawful basis. The table below sets out the lawful basis Personiti relies on for each category of processing activity.
Contractual necessity
Account registration and management; Booking facilitation; payment processing; support services; processing session filter data (destination, dates, budget, interests) to fulfil search requests
PDPL Art. 4 (contractual performance) | GDPR Art. 6(1)(b)
Legal obligation
KYC and identity verification; AML compliance; tax reporting and VAT obligations; disclosure to regulatory authorities
PDPL Art. 4 (legal obligation) | GDPR Art. 6(1)(c)
Legitimate interests
Platform security and fraud prevention; communications monitoring; usage analytics; product improvement; marketing to existing Providers
PDPL Art. 4 (legitimate interest) | GDPR Art. 6(1)(f)
Explicit consent
Biometric data collected during identity verification; OCEAN Data where Provider completes a profile assessment; marketing communications to new Providers
PDPL Art. 4 (consent) | GDPR Art. 6(1)(a)
GDPR note for EEA-based Providers. Where Personiti relies on legitimate interests as its lawful basis, Personiti has conducted a legitimate interests assessment confirming that the processing is necessary, proportionate, and does not override Provider privacy interests. You have the right to object to processing based on legitimate interests at any time. See Section 8 for your rights.
5. Recipients of Personal Data
Your personal data may be shared with the following categories of recipients in connection with the operation of the Platform:
5.1 Stripe
Stripe Technology Europe Limited and its affiliates process Provider financial data, identity verification data, and transaction data as described in Section 3.5. Stripe operates as an independent data controller for KYC/AML purposes and as Personiti’s data processor for payment facilitation. Stripe is headquartered in Ireland and subject to EU GDPR requirements.
5.2 Cloud Infrastructure Providers
The Personiti Platform is hosted on cloud infrastructure based in the United Arab Emirates. Provider personal data stored on the Platform is held on UAE-based servers. Personiti is incorporated in the UAE and the UAE is the primary jurisdiction for all data storage.
Authorised Personiti personnel may access Platform data remotely from other locations, including the EEA and the United Kingdom for platform development, operations, and support purposes. All such access is through authenticated, access-controlled channels and is subject to confidentiality obligations. Remote access by Personiti personnel does not change the storage location of your personal data, which remains in the UAE.
5.3 Travellers
Where necessary to facilitate a Booking, Personiti may share limited Provider personal data with a Traveller who has confirmed a Booking with you. This typically includes your business name, trading name, and contact information required for Experience logistics. We do not share Provider financial data, identity documents, or verification data with Travellers.
5.4 Legal and Regulatory Authorities
Personiti may be required to disclose Provider personal data to legal or regulatory authorities, including the UAE Data Office, UAE Ministry of Economy, Dubai Courts, law enforcement agencies, or equivalent bodies in other jurisdictions, where required by Applicable Law, court order, or regulatory requirement. In such cases, we will notify you in advance where legally permissible.
5.5 Professional Advisors
Personiti’s legal advisors, auditors, and accountants may access Provider personal data on a confidential basis where necessary for the provision of professional services to Personiti. All such advisors are bound by professional confidentiality obligations.
5.6 Successors
In the event of a merger, acquisition, or sale of all or substantially all of Personiti’s business or assets, Provider personal data may be transferred to the acquiring entity as part of that transaction. Personiti will notify Providers of any such transfer and ensure that the acquiring entity is bound by privacy obligations at least equivalent to those in this policy.
5.7 No Sale of Personal Data
Personiti does not sell, rent, or otherwise commercially transfer Provider personal data to any third party. Personal data is shared only as described in this Section and only to the extent necessary for the relevant purpose.
6. International Data Transfers
Personiti is incorporated in the UAE. Provider personal data may be transferred to countries outside the UAE in connection with the recipients described in Section 5. Where such transfers occur, Personiti ensures that an appropriate safeguard is in place in accordance with the following frameworks:
6.1 Transfers from UAE
Cross-border transfers of personal data from the UAE are governed by the PDPL. Personiti transfers personal data outside the UAE only where: (i) the destination country is recognised as providing an adequate level of protection by the UAE Data Office; or (ii) appropriate contractual safeguards are in place as approved by the UAE Data Office.
6.2 Transfers from EEA (where applicable)
Where Personiti processes personal data of EEA-based Providers subject to the GDPR, transfers of that data outside the EEA are governed by Chapter V of the GDPR. Personiti implements the EU Standard Contractual Clauses (SCCs) as the transfer mechanism for transfers from the EEA to the UAE, which does not currently hold an EU adequacy decision. Copies of the applicable SCCs are available upon request by contacting privacy@personiti.com.
6.3 Transfers from UK (where applicable)
Where Personiti processes personal data of UK-based Providers subject to UK GDPR, transfers of that data outside the UK are governed by UK GDPR Chapter V. Personiti implements the UK International Data Transfer Agreement (IDTA) as the applicable transfer mechanism.
7. Data Retention
Personiti retains personal data for as long as necessary to manage our relationship with you, to operate the Platform, to comply with legal obligations, and to resolve disputes and claims. The following retention periods apply:
Data Category
Retention Period
Account registration and identity data
Duration of active Provider Account, plus 5 years following closure or termination. Extended to 7 years where required for UAE VAT or commercial records compliance.
KYC and identity verification records
Duration of active Provider Account, plus 5 years following closure. Extended where required by UAE AML obligations (UAE Federal Decree-Law No. 20 of 2018).
Transaction and paymentrecords
7 years from the date of the transaction, as required by UAE Federal Law No. 8 of 2017 on VAT and applicable commercial records law.
Support correspondence and communications
2 years from the date of the last communication, extended where the matter is subject to ongoing dispute or legal proceedings.
Platform usage and technical logs
12 months from collection, after which logs are aggregated or anonymised.
Marketing data
Until you withdraw consent or opt out of marketing communications, after which your preference is retainedfor 3 years to honour the opt-out.
OCEAN Data (Provider profile, where applicable)
Duration of active Provider Account, then deleted within 30 days of account closure unless a longer period is required by law.
Insurance records
Duration of the insurance policy plus 5 years.
Upon expiry of the applicable retention period, Personiti securely deletes or anonymises personal data. Anonymised data (where no individual can be identified) may be retained indefinitely for analytics and product improvement purposes. You may request early deletion of your personal data subject to the conditions in Section 8.
8. Your Data Protection Rights
You have the following rights with respect to your personal data. These rights apply under the PDPL and, where applicable, the GDPR. To exercise any of these rights, please contact privacy@personiti.com. We will respond within thirty (30) days of receipt of your request. Complex or multiple requests may take up to sixty (60) days; we will notify you if an extension is needed.
8.1 Right of Access
You have the right to obtain confirmation as to whether or not Personiti is processing personal data about you and, if so, to receive a copy of that data. We will provide this in a clear, structured format.
8.2 Right to Rectification
You have the right to have inaccurate personal data corrected and to have incomplete personal data completed. You may also update many details directly through your Provider Dashboard.
8.3 Right to Erasure
You have the right to request that Personiti delete your personal data where: (i) the data is no longer necessary for the purpose for which it was collected; (ii) you have withdrawn consent and there is no other lawful basis for processing; (iii) you have objected to processing based on legitimate interests and there are no overriding legitimate grounds; or (iv) the data has been processed unlawfully.
Important. The right to erasure is not absolute. Personiti may retain personal data where required by law, including UAE VAT records (7 years), AML records (5 years), or where the data is necessary for the establishment, exercise, or defence of legal claims. We will explain any applicable limitations when responding to your request.
8.4 Right to Restriction of Processing
You have the right to request that Personiti restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or where processing is unlawful but you do not wish for the data to be deleted.
8.5 Right to Data Portability
Where processing is based on your consent or on contractual necessity and is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller.
8.6 Right to Object
You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interests. If you object, Personiti will cease processing unless we can demonstratecompelling legitimate grounds that override your interests, or where processing is necessary for the establishment, exercise, or defence of legal claims.
You also have an absolute right to object to the use of your personal data for direct marketing purposes at any time. We will honour this request without requiring you to provide any justification.
8.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal. To withdraw consent, contact privacy@personiti.com or use the opt-out mechanisms in your Provider Dashboard.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the relevant data protection supervisory authority:
Jurisdiction
Supervisory Authority
UAE
UAE Data Office (the supervisory authority designated under the PDPL). Contact: www.uaedataoffice.gov.ae
EU
The competent lead supervisory authority in the EU member state of your establishment, or the supervisory authority where you are habitually resident.
UK
The Information Commissioner’s Office (ICO). Contact: ico.org.uk
We encourage you to contact us directly at privacy@personiti.com before lodging a supervisory authority complaint, as we will endeavour to resolve any concerns promptly.
8.9 Additional Rights under PDPL
Under the PDPL, you may also have the right to: (i) be notified of the categories of personal data held about you and the purposes of processing; (ii) receive information about the recipients to whom your data has been transferred; and (iii) request that Personiti correct or update your data where inaccurate. These rights can be exercised by contacting privacy@personiti.com.
9. Cookies and Tracking Technologies
The Provider Dashboard uses cookies and similar tracking technologies to operate Platform features, maintain your session, and collect usage analytics. The following categories of cookies are used:
Category
Purpose
Strictly necessary
Required to operate the Provider Dashboard, maintain login sessions, and ensure Platform security. These cannot be disabled.
Functional
Remember your preferences (language, display settings, notification preferences). Disabled by default in the Provider Dashboard.
Analytics
Collect aggregated, anonymised data about Dashboard usage to improve Platform functionality. Disabled by default.
Security
Detect and prevent fraudulent login attempts and unusual account activity. Required for Platform integrity.
You may manage cookie preferences through your browser settings or through the cookie management interface in the Provider Dashboard. Disabling strictly necessary cookies will affect your ability to use the Platform.
10. Security
Personiti implements and maintains technical and organisational measures designed to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:
While Personiti takes reasonable steps to protect your personal data, no transmission over the internet or electronic storage system is completely secure. You are responsible for maintaining the security of your Login Credentials and should notify Personiti immediately at privacy@personiti.com if you believe your account has been compromised.
11. Personal Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Personiti will:
12. Automated Decision-Making and Profiling
Personiti uses automated processes to manage certain aspects of the Provider experience on the Platform, including:
Where automated processing has a significant effect on your Provider Account — such as an automated listing suspension trigger — you have the right to request human review of the automated decision by contacting hello@personiti.com. Automated listing suspensions are always followed by a human review notification in accordance with Section 14.4 of the Provider Platform Agreement.
Under GDPR Article 22, EEA-based Providers have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and to request human review of any such decision. Personiti periodically reviews and refines automated systems to support fairness, relevance, and appropriate functionality.
13. Children
The Personiti Platform is not directed at individuals under the age of eighteen (18). Personiti does not knowingly collect personal data from anyone under 18. If you believe that we have inadvertently collected personal data from a person under 18, please contact privacy@personiti.com and we will promptly delete that data.
14. Changes to This Policy
Personiti may update this Provider Privacy Policy from time to time to reflect changes in law, Platform functionality, or our data processing practices. Where we make material changes, we will notify you by email to your registered Provider Account address and by notice in your Provider Dashboard at least thirty (30) days before the change takes effect.
Your continued use of the Platform following the effective date of an updated policy constitutes your acknowledgement of the changes. If you do not accept a material change, you may terminateyour Provider Account in accordance with Section 14.2 of the Provider Platform Agreement.
The current version and effective date of this policy are displayed on the cover page. All previous versions are available upon request by contacting privacy@personiti.com.
15. Contact Us
If you have any questions about this Provider Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle your personal data, please contact us:
privacy@personiti.com (subject line: Provider Privacy Enquiry)
General
Website
Address
Personiti FZ-LLC, Dubai Internet City Free Zone, Dubai, United Arab Emirates
If you are a Traveller and not a Provider, this policy does not apply to you. Please refer to Personiti’s Traveller Privacy Policy, available at www.personiti.com/traveller-privacy
If you are based in the EEA and wish to contact our EU-related data protection point of contact, please email privacy@personiti.com with the subject line: GDPR Enquiry.
Personiti FZ-LLC | Dubai Internet City Free Zone | Dubai, United Arab Emirates
privacy@personiti.com | www.personiti.com
This policy is governed by UAE Federal Law No. 45 of 2021 on Personal Data Protection (PDPL). Additional data protection obligations may apply where required under applicable international law, including the EU GDPR.
Copyright © 2026 Personiti - All Rights Reserved.