Privacy Policy

Last updated: 26 May 2026  ·  UAE PDPL aligned  ·  Plain English

This page explains what we collect, why, where it lives, and what you can ask us to do with it. It is written to be read once and remembered, not skimmed and forgotten.

1. Who we are

We are Singularity Marketing Management F.Z.E, a UAE-registered marketing and automation agency operating out of Ajman Free Zone (Trade Licence 46545, Office C1-1F-SF20681, Ajman Free Zone C1 Building, Ajman, UAE). When this page says "we", "us" or "Singularity", we mean that company.

We are the data controller for the information described in section 2 below. For the data that belongs to our clients' customers, our clients are the controllers — we do not ingest that data into our systems. The boundary is deliberate; details in section 5.

2. What we collect

From people who contact us, fill in our Growth Diagnosis form, or become clients:

• Your name, company name, role, email, phone or WhatsApp number.
• What your business does, who you sell to, where you operate.
• Your monthly ad budget range and your goals for the next 90 days.
• What you have tried so far (current channels, current agency, what worked and what did not).
• Brand assets you choose to share with us (logo, photos, videos, brand guide).
• Messages you send us through the contact form, email, or WhatsApp.

From the website itself: minimal session cookies for login on our client portal, and standard server logs (IP, user agent, request time). No third-party analytics tracker is loaded on this page.

If you give us access to your Meta Ads (Facebook, Instagram), Google Ads, Google Analytics, or Google Search Console accounts, we receive tokens that let us read campaign data and create or edit campaigns inside your account. We do not download your customer lists, leads, or audience identifiers out of those platforms.

3. Why we collect it

• To prepare your Growth Diagnosis and recommend a plan that fits your business.
• To draft and run ad campaigns on your behalf once you have approved them.
• To report results back to you with the numbers behind them.
• To send the contractual paperwork, invoices, and onboarding materials a service requires.
• To improve our own process based on what worked across past engagements (in aggregate, not by naming you).

We do not sell your data. We do not rent it. We do not use it to train third-party AI models.

4. Where your data lives

The primary copy lives on a self-hosted PostgreSQL database on operator-controlled infrastructure in the UAE. Encrypted offsite backups (AES-256, keys held in the UAE) reach Backblaze B2; the cipher-text is the only thing that crosses a border, and it is unreadable without our keys.

Specific third parties involved in normal operation:

• Anthropic — language model calls for drafting copy and reports. Inputs are short and scoped to the task; conversations are not used to train models.
• OpenAI — embeddings for our internal knowledge base. We do not send your customer data to embed.
• Hostinger — website hosting and our outbound email (SMTP).
• Cloudflare — CDN, TLS, and DDoS protection for the public site.
• Backblaze B2 — encrypted backup storage.

We do not push your data to a third-party CRM. Your customer or lead data stays where you keep it — your inbox, your CRM, your WhatsApp Business, your Meta lead-form export inside your own account.

5. Who we share it with

We share data only when one of these applies:

• You ask us to. Example: you grant us access to your Meta Ads or Google Ads account so we can run campaigns. We act inside your account, on your authority.
• Service operation. The third-party processors named in section 4 — strictly to run the service, never for their own marketing.
• Legal obligation. A court order or a written request from the UAE Data Office, the Telecommunications and Digital Government Regulatory Authority, or a tax authority with jurisdiction.

We do not share with data brokers. We do not share with affiliates we have not named. If a new processor is added, this page is updated with the date of the change.

6. Meta, Facebook, Instagram, and Google Ads access

This section exists because Meta and Google require it.

When you connect your Meta Business account (Facebook Page, Instagram account, Ad account, Pixel, Conversions API) to give us management access, Meta issues us an access token. We use that token to:

• Read your existing campaigns, ad sets, ads, audiences, and creative for diagnosis.
• Read aggregate performance (impressions, clicks, spend, CTR, CPL, conversions) for reporting.
• Create campaigns, ad sets, ads, and audience definitions — always as paused drafts first, never launched without your explicit approval.
• Upload conversion events server-to-server via Meta Conversions API after you have set up tracking on your own properties.

We do not download identifiable Meta user data (names, individual engagements, DMs) into our systems. We do not share your Meta access with any third party.

The same boundary applies to Google Ads, Google Analytics, and Google Search Console: we read aggregate data and write campaign drafts; we do not extract individual user records.

You can revoke our access at any time from inside your own Meta Business Settings or Google account. That immediately stops all access from our side.

7. How long we keep it

• Active clients: for the duration of our engagement plus 24 months after it ends, so we can answer questions about past campaigns and produce the audit trail a regulator might ask for.
• Prospects who did not become clients: 90 days from the last interaction, then purged.
• Aggregate, anonymised metrics (no identifier attached): kept indefinitely as legitimate-business-purpose analytics.
• Encrypted backups: 30-day rolling window. Older backups are deleted automatically.

If you formally ask us to delete your data sooner, we will. Details in section 8.

8. Your rights under UAE PDPL

Under Federal Decree-Law No. 45 of 2021 (the UAE Personal Data Protection Law), you can:

• Access — ask for a copy of the data we hold about you.
• Correct — ask us to fix anything that is wrong or out of date.
• Delete — ask us to delete your data ("right to be forgotten").
• Restrict — ask us to stop processing your data in specific ways while a question is open.
• Object — disagree with a specific use and have us stop that use.
• Withdraw consent — at any time, with no penalty. Withdrawal only affects what happens after the withdrawal; it does not undo prior lawful processing.
• Complain — to the UAE Data Office if you believe we have mishandled your data.

9. Cookies and tracking

The public marketing site is intentionally light. We use a session cookie when you log into the client portal so the portal knows it is you. We do not load third-party analytics on this page. We do not load advertising trackers on our own site to retarget visitors.

10. Children

Our services are not directed at people under 18. We do not knowingly collect data from children. If you believe a minor has shared data with us, write to us at the address in section 12 and we will delete it.

11. Security

We treat security as part of the service, not as a compliance afterthought.

• TLS in transit, encryption at rest for the primary database.
• Backups encrypted with AES-256; encryption keys held in the UAE.
• Access to your data is limited to the people working on your account. Every meaningful action is recorded in an append-only audit log.
• If a breach affects your data, we will tell you and the UAE Data Office within 72 hours of becoming aware of it.

12. Changes to this policy

When we change this policy we update the Last updated date at the top and write a short note describing what changed. If a change is material — for example, adding a new processor, or a new category of data — we tell active clients by email before it takes effect.

13. Contact