Privacy Policy
Last updated: 2026/07/01
DATA TOWER TRADE AND SERVICES LLC-FZ is a company registered in the United Arab Emirates that respects and values your privacy and wants to make sure that you can enjoy it in safety.
This privacy policy explains (the "Privacy Policy") how DATA TOWER TRADE AND SERVICES LLC-FZ processes personal data in connection with our Platform.
This Privacy Policy is intended to provide transparent information about what Personal Data we process, why we process it, the legal bases on which we rely, with whom we share it, how long we retain it, and the rights available to individuals under applicable law.
We reserve the right to modify, update, or change this Privacy Policy from time to time. If we make material changes, we will notify you in advance. Your continued use of the Platform following the posting of any non-material changes constitutes your acceptance of the revised Privacy Policy.
1. Definitions and Interpretation
Applicable Laws refers collectively to the UAE Federal Decree-Law No. 45 of 2021 (PDPL), the UAE Cybercrime Law (No. 34 of 2021), and the Child Digital Safety Law (No. 26 of 2025).
Acceptable Use Policy or AUP means the policy referenced in this Privacy Policy that sets forth the rules and restrictions governing your use of the Platform, as may be updated from time to time, which is available at lampyre.io/acceptable-use.
Account means a user account registered with Data Tower, which provides access to the Platform and its features.
B2C Customers are individuals who register a "Private Account" directly through Lampyre website.
B2B/B2GCustomers are entities or individuals who register a "Corp Account" through our official Distributor, SNTT d.o.o., located at Spodnja Senica 20, 1215 Medvode, Slovenia, who manages account relationships and marketing on our behalf.
Child Digital Safety Law means UAE Federal Decree-Law No. 26 of 2025 Regarding Child Digital Safety.
Child Safety Policy means the policy referenced in this Privacy Policy that sets forth Data Tower's zero-tolerance approach to child sexual abuse material (CSAM), child exploitation, grooming, and any form of harm to minors, as may be updated from time to time, which is available at lampyre.io/child-safety.
Customer / User means an individual or entity that accesses or uses the Platform, including both B2C and B2B/B2G Customers.
Customer Data means any data, information, or material uploaded, submitted, transmitted, or otherwise provided by or on behalf of the Customer to the Platform, including but not limited to queries, search terms, files, and documents.
Data Tower or Company or we or our or us means DATA TOWER TRADE AND SERVICES LLC-FZ, a company registered in the United Arab Emirates with registration license No. 2424752.01.
Data Protection Officer or DPO means the person appointed by Data Tower to oversee compliance with data protection laws.
GDPR means the EU General Data Protection Regulation.
Lampyre means the software and analytical platform provided by Data Tower, including all related technologies, tools, and services offered under the Lampyre brand.
LampyreAPI means the application programming interface enabling programmatic data exchange and integration with external systems.
LampyreData Lookup means a web-based tool for quick data lookup from any browser or device.
LampyreDesktop means the installable software application provided under a specific license as part of the Platform, allowing more comprehensive data crawling and analysis with support for data visualization in different modes including table, graph, map, and timeline.
LampyreTools means collectively Lampyre Desktop, Lampyre Data Lookup, Web or Site, Lampyre API, and any other tools available or to be available to users in their Lampyre account.
PDPL means UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
Personal Information means any information relating to an identified or identifiable natural person, as defined under article 1 of PDPL. This term is used interchangeably with "personal data" in this Privacy Policy.
Platform means collectively all Lampyre Tools, websites, and services provided by Data Tower.
Private Accounts means user accounts registered by individual B2C Customers directly through the Lampyre website.
Processing means any operation or set of operations performed on Personal Data using any electronic means, including collecting, storing, recording, organizing, adapting, modifying, circulating, altering, retrieving, exchanging, sharing, using, characterizing, disclosing, broadcasting, transmitting, distributing, making available, coordinating, merging, restricting, blocking, erasing, destroying, or creating forms thereof.
Reports means the analytical outputs, findings, and data generated by the Platform in response to Customer queries and requests.
Results means the outcomes, findings, reports, data, and information generated by the Platform in response to Customer queries and requests, which are made available to the Customer through the Platform.
SNTT means SNTT svetovanje nova tehnična trgovina d.o.o., our official Distributor, located at Spodnja Senica 20, 1215 Medvode, Slovenia.
UAE Cybercrime Law means the UAE Federal Decree-Law No. 34 of 2021 on Combatting Rumors and Cybercrimes.
User Account means the same as Account.
Web Chat means the real-time messaging interface available within the User Account dashboard that allows Users to communicate directly with DATA TOWER's support team for inquiries, technical support, and other account-related matters.
Website or Site means the websites used to access the Company's products and services, hosted at lampyre.io and account.lampyre.io, and any associated sub-domains.
2. How we will contact you
We will contact you via the email address you provide during feedback submission or Account registration. We may also contact you via the Web Chat inside your User Account.
We may also use other types of communication to respond to your requests. By default, we will respond to your requests where we receive your request. If you would like a different type of response, please let us know in the body of your request letter and we will try to meet your demand, if possible.
We will not send you marketing messages without your explicit Consent to Receive Promotional and Marketing Communications. However, we reserve the right to email you with administrative, technical, or other necessary messages related to the Platform and your activity. These may include notifications about:
changes to our services or products;
to remind you that you will soon be charged for the automatic renewal of your services or products;
security alerts; or
fraud detection and prevention activities related to your User Account.
These messages are essential for the functionality of Lampyre products and services. While you cannot unsubscribe from these communications, you may contact us if you believe any message is excessive or unrelated.
3. Data controller
DATA TOWER TRADE AND SERVICES LLC-FZ
Short title: Data Tower
Our legal address: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, the UAE.
Company registration license: 2424752.01
E-mail: support@lampyre.io.
4. Types of collected personal data
Within the context of this Privacy Policy, we use the terms set forth in PDPL. In the case of B2B/B2G Customers, the Privacy Policy does not apply to the legal entities themselves but applies to the personal data of individuals associated with these Customers, such as contact persons, employees, representatives, or end users, which is processed in compliance with PDPL.
The personal data we collect includes individual information about you:
email address, IP address, ID, username, password; and
any additional information disclosed to our staff through official communication channels, or voluntarily disclosed in your feedback, Reports, Comments, or posts on our Platform.
We may also collect anonymized data that does not identify you as an individual. This includes:
device-related data (e.g., operating system type and version, device type such as personal computer, cell phone, or tablet);
browser type and version; and
other data transmitted by your browser depending on its settings.
Anonymized data that cannot be linked back to an individual is outside the scope of PDPL. However, if anonymized data is capable of re-identification, it will be treated as personal data under this Privacy Policy and regulated by PDPL.
We do not link anonymized data to other personal data unless you have registered on our website or logged into your Account. This is intended to provide additional protection for your Account against possible fraud.
We may also collect and process personal data from publicly available sources when necessary to better provide our services. Any data collected from such sources will be processed solely for legitimate purposes and in compliance with the Applicable Laws.
5. Purposes and legal basis of personal data processing
The Company is guided by the principles of lawfulness, fairness, transparency, minimization of data processing, sufficiency, rationality, and expediency of personal data processing. Your data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes. We strive to keep your personal data accurate and, where necessary, up to date.
We ensure the lawfulness of personal data processing by relying on the following legal bases as outlined in article 4 of PDPL.
A. Consent
Your explicit consent to the processing of personal data. Before granting consent, we will inform you of the purposes for processing and your right to withdraw consent at any time pursuant to article 6 of PDPL. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
B. Performance of a contract
The need to process personal data to perform a contract to which you are a party or to take steps at your request before entering into a contract.
C. Legitimate interests
The need to process personal data for purposes arising from our legitimate interests or the legitimate interests of third parties, provided that these interests do not override your fundamental rights and freedoms as a data subject.
When processing under legitimate interests, the Company conducts a balancing test to ensure that:
the method or technology used is necessary for the legitimate interests of the Company;
data processing is proportionate to business needs and the purpose to be achieved;
data processing minimizes interference with your rights and focuses on specific risk areas;
the purpose of processing is necessary and cannot be achieved through less intrusive means;
the data subject's rights and freedoms are not overridden by our interests;
risk mitigation measures are in place to minimize any impact on data subjects.
Examples of legitimate interests include fraud prevention and network security, but not marketing activities, which require explicit consent under the Applicable Laws.
D. Compliance with legal obligations
The need to process personal data to fulfill legal obligations, such as:
compliance with accounting and financial regulations;
meeting administrative or official requirements;
responding to official requests from regulatory or governmental authorities.
We retain your personal data only as long as necessary to fulfill the specified purposes or to comply with legal obligations under UAE law.
The purpose of processing depends directly on the actual data processing-related activity. We only collect and process your personal data for purposes that cannot be achieved by other means. The detailed purposes are listed below:
| Purpose | Data | Legal basis |
|---|---|---|
| Identification of visitors to the website, gathering statistics and doing analysis | IP address | consent |
| Providing personalized services, facilitating the customization of advertisements on the basis of cookie usage | interest information, habits, preferences (based on your browsing history) | consent, legitimate interests |
| Creating user accounts for Customers and identifying Customers | e-mail address, password, company name | consent, performance of the agreement |
| Protection of the Customers' data, ensuring that no unauthorized person has access to the Customers' Accounts | password, temporary password | consent |
| Making sales to the Customers | e-mail address, name, customer ID, billing address, date of the transaction | consent, performance of the agreement |
| To market, promote, and advertise our services | e-mail address, name, customer ID, billing address, date of the transaction, purchase history | consent |
| Billing | name, billing address, date of the transaction, payment history: details of each previous (completed) purchase (date, time, purchased product, value of the purchase) | consent, performance of the agreement |
| Keeping track of and visualize the purchases within a personal Customer Account for the convenience of the Customers | e-mail address, purchase history, payment history: details of each previous (completed) purchase (date, time, purchased product, value of the purchase) | consent |
| To solve issues with the payment services (e.g. Stripe, PayPal) | customer ID, payment history: details of each previous (completed) purchase (date, time, purchased product, value of the purchase) | consent, legitimate interests |
| To process Customer applications via official channels | e-mail address, name (of the individual or the contact person), payment history, your data given regarding to the usage our software | consent, performance of the agreement |
| To prevent fraud against the Customers' Accounts | data provided by the Customer earlier | consent, performance of the agreement |
| Compliance with Applicable Laws or regulatory procedures (when processing is necessary to fulfill a legal obligation imposed on us or to fulfill a public interest task or to protect the vital interests of the data subject or another person) | data provided by the Customer earlier | legal obligation |
Where personal data is transferred outside the UAE (e.g., for payment processing by Stripe or PayPal), we ensure compliance with PDPL and the Child Digital Safety Law (where applicable) by implementing adequate safeguards, such as data processing agreements and Standard Contractual Clauses (SCC) where required.
6. Security Measures
We implement technical and organizational measures to ensure the security of your personal data, including encryption, access controls, and regular security assessments.
Technical and organizational measures (TOMs):
strict access controls (role-based, least privilege);
monitoring, logging, and audit mechanisms;
logical separation of customer environments;
internal security policies and employee confidentiality obligations.
We encourage you to use an e-mail address that you have regular access to when registering, and to keep your data up to date and contribute to regularly updating and refreshing your User Account information. This will allow us to promptly and accurately address issues you may have while using our Platform.
7. Using cookies
Our Website may collect cookies. Cookies are small files stored on your device that contain information about your recent activity and enable us to distinguish you from other users. We use the information we receive from cookies to enhance the safety, convenience, and functionality of our Website, products, and services.
Cookies enable you to log in, make settings, purchases, and other actions related to your Account. We use both temporary cookies (which last for only one session and are deleted when you close your browser) and persistent cookies (which remain on your device until they expire or are manually cleared).
Before using cookies for non-essential purposes, we will obtain your explicit consent in compliance with the PDPL.
| Name | Validity period | Category | Purpose |
|---|---|---|---|
| auth_token | 30 days | Essential (Functional) | Keeps you signed in by storing your authentication token |
| __Host-bff_session | Session (up to 30 days) | Essential (Functional) | Securely maintains your signed-in session on the Platform |
| mfa_trust | 30 days | Essential (Security) | Remembers a device you have marked as trusted for two-factor authentication |
| mfa_challenge, sudo | 10 minutes | Essential (Security) | Temporarily secure the two-factor authentication step and the confirmation of sensitive account actions |
| geo_country | Session | Essential (Functional) | Detects your country (via GeoIP) to determine whether a cookie-consent banner must be shown; it performs no tracking |
| cookie_consent | 12 months | Essential (Functional) | Stores your cookie-consent choice so you are not asked again on every visit |
| _GRECAPTCHA | Up to 6 months | Security | Set by Google reCAPTCHA Enterprise to protect our forms and Website against spam and abuse |
| __stripe_mid | 1 year | Essential (Payment) | Set by Stripe to enable payments and help prevent fraud |
| __stripe_sid | 30 minutes | Essential (Payment) | Set by Stripe to enable payments and help prevent fraud |
| _ga | 2 years | Analytics | Set by Google Analytics to distinguish users |
| _ga_<id> | 2 years | Analytics | Set by Google Analytics 4 to persist the analytics session state |
| _gid | 24 hours | Analytics | Set by Google Analytics to distinguish users |
| _clck | 1 year | Analytics | Set by Microsoft Clarity to persist the Clarity user identifier |
| _clsk | 1 day | Analytics | Set by Microsoft Clarity to group page views into a single session |
| CLID | 1 year | Analytics | Set by Microsoft Clarity (clarity.ms) to recognize a returning visitor |
| _gcl_au | 90 days | Advertising | Set by the Google Conversion Linker to measure ad-click conversions |
| _gcl_aw | 90 days | Advertising | Stores a Google Ads click identifier for conversion measurement |
| __gtm_campaign_url | Up to 2 years | Advertising | Set via Google Tag Manager to remember the campaign landing URL for attribution |
| __gtm_referrer | Up to 2 years | Advertising | Set via Google Tag Manager to remember the original referrer for attribution |
| ClickCease (e.g. ct_*) | 1 year | Advertising | Set by ClickCease to detect and block fraudulent or invalid ad clicks |
You can withdraw your consent for cookies at any time by changing your browser settings or using the "Cookie settings" link on our Website.
In addition to cookies, we and our service providers use similar technologies, such as your browser's local and session storage, to remember your preferences, keep you signed in, and operate features such as in-product surveys and feedback (provided by Formbricks). You can clear this data at any time through your browser settings.
Third-Party Cookies
Cookies are not only created by our Website but also by third-party services we use to operate, secure, analyze, and promote it. These include Google Analytics and Google Tag Manager (analytics and tag management), Microsoft Clarity (usage analytics and session insights), Google Ads and ClickCease (advertising measurement and click-fraud protection), Google reCAPTCHA Enterprise (spam and abuse protection), and Stripe (payment processing and fraud prevention). Data collected via these services may be transferred to servers located outside the UAE, but such transfers comply with PDPL's cross-border data transfer requirements. To opt out of being tracked by Google Analytics on all websites, visit this site.
Managing Cookies
You can manage or delete cookies at any time through your browser settings. If you choose to disable cookies, some features of our Website may not function as intended. However, essential cookies will remain active to ensure core functionalities of our services. For more information about controlling and setting cookies, see your browser's help section or visit this site.
Google Analytics
We use Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland.
Google Analytics uses cookies to analyze website usage and provide us with information that helps optimize our Website and improve your experience. Data collected by Google Analytics includes anonymized website usage statistics and may include information such as your IP address, browser type, and device information.
The information generated by Google Analytics cookies is typically transferred to Google servers located outside the UAE and stored there. All cross-border data transfers are conducted in compliance with the PDPL, ensuring adequate protection through standard contractual clauses or other lawful mechanisms.
Google Analytics retains collected data for up to 26 months unless otherwise specified. You can learn more about how Google processes information by visiting Google's Privacy Policy. We use Google Analytics cookies only with your explicit consent. You have the right to opt out of Google Analytics tracking at any time. You can manage your cookie preferences via the "Cookie settings" link on our Website or use the Google Analytics Opt-Out Browser Add-on.
8. Personal Data Storage Periods
We do not retain your Personal Information longer than is necessary for the purposes for which we process such Personal Information. Upon the expiration of the retention period, Personal Information will either be securely deleted using encrypted deletion methods or physically destroyed for paper-based records. For analytical or statistical purposes, Personal Information may be anonymized to remove all identifiers that can link the data to the individual. The Data Protection Officer (DPO) oversees these procedures to ensure compliance with PDPL requirements. The retention periods are determined based on the legal basis for processing, as outlined below:
| Legal basis | Storage period |
|---|---|
| Fulfillment of a legal obligation | For a period specified by UAE laws, such as tax or AML regulations, which may mandate specific retention periods |
| Performance of a contract | Until legal claims can be enforced in connection with the performed contract, typically up to five years following contract performance |
| Legitimate interests | For as long as a legitimate interest exists, provided that a balancing test confirms this does not override the data subject's rights |
| Protection of vital interests | For as long as necessary to protect the vital interests of the data subject or another person in exceptional cases |
| Data processing based on consent | For the necessary period commensurate with the purpose of processing, but not beyond the withdrawal of consent, unless required for compliance with legal obligations, enforcement of legal claims, or other lawful bases under UAE law. |
Personal Information will only be retained for as long as necessary to fulfill the purposes outlined above, comply with legal obligations, or resolve disputes. Specific retention periods are determined based on the type of data and applicable laws.
Retention Periods:
contractual data (e.g., name, address, transaction history): 5 years after the conclusion of the contract;
marketing data (e.g., email preferences, consent records): until consent is withdrawn;
compliance data (e.g., for tax and AML purposes): retained for the period specified by UAE laws (e.g., 5-10 years);
security-related data (e.g., IP addresses for fraud prevention): retained for 1 year unless otherwise required by law.
Where possible, Personal Information will be anonymized rather than deleted if retention is required for statistical or research purposes, in compliance with the PDPL.
Upon expiration of the retention period, Personal Information will either be securely deleted using encrypted deletion methods or physically destroyed for paper-based records. For analytical purposes, data may be anonymized to remove all identifiers in compliance with the PDPL.
Please note: Results obtained through Lampyre Data Lookup and Web tools are retained in your Account for a period of Two (2) months from the date of the original request, after which they are automatically and permanently deleted. It is your sole responsibility to export any Results you wish to preserve.
9. Who else can access your personal data
All your payments made on our Website are processed by Stripe or PayPal, depending on your choice.
All payment data (name, surname, address, email address, phone number, bank account number, bank identification number, bank card number, account amount, currency and transaction number) are sent directly to these systems and are not processed by Data Tower. We do not store your bank card information, but we do receive some payment information (including the first 6 and last 4 digits of your card, your name, and your email) as a result of the purchases you make. Stripe and PayPal give us access to this payment information.
When making any purchase on our Website, you explicitly consent to Stripe or PayPal's processing of your personal data, depending on your choice. These processors operate internationally, and personal data may be transferred outside the UAE.
Data Tower ensures that these transfers comply with the PDPL through adequate safeguards, including legally binding agreements with Stripe and PayPal to protect your personal data. For more information, we recommend reviewing the privacy policies of these payment processors before making a financial transaction, available on their respective websites.
Roles of Third Parties (SNTT)
SNTT acts in two distinct roles depending on the Account type:
a. For Private Accounts (individual users):
SNTT acts as a Data Processor acting under the direct instructions of Data Tower. In this context, Data Tower remains the sole Data Controller. Data Tower ensures that personal data associated with Private Accounts is not transferred to SNTT for any purposes other than those strictly required for processing under Data Tower's control.
b. For B2B/B2G Accounts (Corporate Accounts):
SNTT acts as an Independent Data Controller under the GDPR and PDPL.
Relationship: Data Tower and SNTT are not joint controllers. Data Tower's role is strictly limited to providing technical infrastructure, platform administration, and maintenance access.
Account Administration: Managing B2B/B2G Customers, including the creation and administration of Corporate Accounts, is carried out by SNTT as our official distributor. While Data Tower may provide technical support or perform manual setup during account onboarding, such actions are technical in nature and do not shift controller responsibilities.
Data Transfer & Access: By registering a Corporate Account or purchasing Data Tower products via SNTT, you acknowledge that SNTT processes personal data (e.g., contact names, job titles, email addresses, and transaction history) necessary for contract fulfillment and account management. Data Tower facilitates this by providing the technical environment but is not liable for SNTT's independent processing activities.
Liability: Data Tower is liable solely for its performance as an infrastructure and maintenance provider. SNTT is independently obligated to process personal data in accordance with PDPL and GDPR. For more details on SNTT's processing activities, please refer to their Privacy Policy available at https://osntt.com/privacy-policy.
Data Subject Rights: Individuals associated with B2B/B2G accounts (e.g., employees or representatives) may exercise their rights to access, correct, or delete their data. While requests should primarily be directed to SNTT as the independent controller, you may also contact Data Tower's support. We may facilitate these requests or perform technical actions (such as account suspension) where necessary, but the ultimate responsibility for fulfillment lies with SNTT.
Cross-Border Transfers: Any cross-border transfers of personal data comply with PDPL and GDPR, ensuring that data is protected at all times and handled lawfully, fairly, and transparently.
Data Tower ensures that personal data associated with Private Accounts is not transferred to SNTT under any circumstances. Any cross-border transfers of personal data comply with PDPL, ensuring that data is protected at all times and handled lawfully, fairly, and transparently.
Data Tower will never disclose your personal data to third parties unless required to fulfill contractual obligations to you, for organizational purposes, or as a legal or regulatory requirement. The instances of such transfers are specified below:
A. Sharing with employees and affiliates
We may share your personal data with our employees and affiliates to achieve the purposes for which you have provided us with your personal data.
B. Engaging service providers
To fulfill our contractual obligations and deliver services, we delegate some functions to external specialists, such as payment processors or legal consultants. These service providers process your personal data only to the necessary extent and under strict confidentiality agreements in compliance with PDPL.
C. Mergers and acquisitions
In the event of a merger, acquisition, asset sale, or similar organizational change, we may share your personal data with the acquiring entity or other relevant parties involved in the transaction.
D. Legal and regulatory requirements
We may disclose your personal data when required to comply with UAE laws, regulations, or lawful requests from regulatory authorities.
E. Cross-border transfers
If your personal data is transferred outside the UAE, we ensure that the receiving entity provides an adequate level of data protection or that appropriate safeguards, such as standard contractual clauses, are in place to comply with PDPL.
SNTT processes personal data in accordance with the GDPR and applicable Slovenian law. Data Tower acknowledges that the GDPR provides a level of data protection that is substantially equivalent to the material requirements of the UAE PDPL for the purposes of cross-border data transfer obligations under Article 23 of the PDPL. SNTT does not represent that it is directly subject to the PDPL, but agrees to: (i) notify Data Tower without undue delay of any personal data breach affecting residents of the UAE; (ii) provide reasonable assistance to Data Tower in responding to data subject requests received from individuals located in the UAE, to the extent such requests relate to personal data processed by SNTT on behalf of Data Tower; and (iii) comply with Data Tower's lawful instructions regarding the processing of personal data of UAE residents, provided such instructions do not conflict with the GDPR. In the event of a direct conflict between the GDPR and the PDPL that cannot be resolved through mutual cooperation, the GDPR shall prevail with respect to SNTT's processing activities.
Consent for Data Sharing
We will obtain your explicit consent before sharing your personal data unless such sharing is required by law, necessary to fulfill a contract, or covered under other lawful bases as per PDPL.
We collect your explicit consent through active measures, such as opt-in checkboxes for each specific purpose. Consent is not assumed from silence, pre-ticked boxes, or inactivity. You can withdraw your consent at any time through your Account settings or by contacting us at privacy@lampyre.io. Specific consent is required for:
use of cookies for non-essential purposes;
cross-border data transfers;
processing of personal data for marketing purposes.
10. Cross-border data transmission
Our primary data storage infrastructure is located within the European Union. However, to fulfill our contractual obligations and comply with PDPL, your Personal Information may be transferred to:
The United Arab Emirates (our headquarters);
Slovenia (where SNTT d.o.o. operates).
We primarily process your Personal Information within the organizational system of our Company. However, in certain cases, we may transfer your Personal Information to third parties located outside the UAE to fulfill contractual obligations, comply with legal requirements, or protect the legitimate interests of the Company or third parties.
All cross-border transfers are conducted in strict compliance with article 23 of PDPL using one of the following safeguards:
Standard Contractual Clauses (SCC) approved by the relevant authorities;
adequacy decisions (if the recipient country is recognized as providing adequate protection);
binding corporate rules or explicit consent (where required).
For B2B/B2G Accounts (Corp Accounts): data may be accessed by SNTT from Slovenia. Data Tower may have technical access from the UAE solely for maintenance and security purposes. Such access is logged and audited.
By providing your Personal Information, you agree to these safeguards.
Before transferring your Personal Information outside the UAE, we ensure:
the recipient jurisdiction provides an adequate level of protection in line with PDPL requirements;
appropriate safeguards, such as contractual clauses approved under UAE law, are in place;
your explicit consent has been obtained, unless the transfer is necessary to fulfill a legal obligation, protect vital interests, or perform a contract to which you are a party.
We may transfer your Personal Information in the following cases:
to comply with legal obligations or respond to lawful requests from authorities;
to prevent or stop illegal activities and protect the legitimate interests of the Company or third parties.
We take all necessary steps to ensure that your Personal Information is processed with appropriate security measures, including encryption, secure storage, and compliance with approved legal mechanisms. You may request a copy of the SCC or other safeguards, or if you have concerns regarding cross-border transfers , please contact us at support@lampyre.io .
11. Government and Regulatory Requests
Data Tower will not voluntarily disclose your Personal Information to any government, law enforcement, or regulatory body unless:
required by a binding legal instrument under UAE law (e.g., court order, official request from the UAE Data Office);
necessary to prevent imminent serious harm or illegal activity;
required to comply with PDPL, the Child Digital Safety Law, or other UAE legislation.
We will notify you of such requests unless prohibited by law. We reserve the right to challenge overbroad or unlawful requests.
12. Data Breach Notification
In the event of a Personal Information breach, we will:
notify the UAE Data Office within Seventy two (72) hours of confirmation;
notify affected Users without undue delay (target: within Seventy two (72) hours);
provide a description of the breach, likely consequences, and mitigation measures.
If the breach occurs at SNTT or another processor, Data Tower remains responsible for notifying Users. SNTT is contractually obligated to notify Data Tower within Forty eight (48) hours of discovering a breach.
13. Your rights under PDPL
If you are an individual who uses our software products, websites, and services and provides your Personal Information to Data Tower, you have the following rights under the PDPL.
A. Right toreceive Information
Under article 13 of PDPL, you are entitled to receive confirmation from us as to whether your Personal Information is being processed. If processing is in progress, you are entitled to access the following information:
the purpose of processing your data;
the categories of Personal Information processed;
the recipients or categories of recipients to whom your Personal Information has been or will be disclosed;
where applicable, the intended period for which the Personal Information will be stored or the criteria used to determine this period;
your rights to request rectification, erasure, or restriction of Personal Information and to object to processing;
the right to lodge a complaint with the UAE Data Office;
if the data was not collected directly from you, information about its source;
the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and consequences for you.
Provision of Copies
We will provide a copy of your Personal Information if:
you request confirmation of our processing activities;
your Personal Information is being processed;
you specifically request a copy of your Personal Information. Please note that we may charge a reasonable fee for repeated requests or requests that are excessive, as permitted under PDPL.
Timelines for requests
We will respond to your request within 30 days of receiving it, as mandated by PDPL. In cases of complexity, we may extend this timeline by an additional 30 days, and we will notify you of the reason for the delay.
B. Right torequesttransfer of Personal Information
If we process your Personal Information by automated means, you have the right, under article 14 of PDPL, to request a copy of your data in a structured, commonly used, and machine-readable format. You may also request that your Personal Information be transferred to another data controller of your choice, provided this does not interfere with the rights and freedoms of others.
C. Right to Rectification
Under article 15 of PDPL, you have the right to request that Data Tower correct your Personal Information if you believe it is inaccurate or incomplete. This includes the right to request additional information to ensure your Personal Information is complete and reliable.
We will respond to your rectification request within Thirty (30) days of receipt. If your request is complex or requires additional time, we may extend this period by an additional Thirty (30) days, and we will notify you of the reason for the delay.
D. Right to Erasure
Under article 15 of PDPL, you have the right to request the deletion or de-identification of your Personal Information. We will delete your Personal Information without undue delay if:
the Personal Information is no longer necessary for the purposes for which it was collected;
the processing is based on your consent, and you withdraw this consent, with no other legal basis for continued processing;
you object to the processing, and there are no overriding legitimate grounds for processing;
the Personal Information has been processed unlawfully;
deletion is required to fulfill a legal obligation applicable to the Company.
Exemptions
We may deny your request for deletion if:
the processing is necessary for the submission, validation, or defense of legal claims;
the request contradicts other legislation to which the Company is subject;
the data is required for public interest archiving, scientific or historical research, or statistical purposes, provided adequate safeguards are in place.
E. Restricted Processing
If deletion of your data is prohibited by law (e.g., tax, anti-money laundering retention requirements), we will apply restricted processing instead of deletion. This means:
your data is blocked from active use;
it is isolated in a secure archive;
it will only be processed for the specific legal purpose (e.g., audit, legal defense);
once the retention period expires, the data will be permanently deleted.
You will be informed if your data is restricted rather than deleted. Restricted processing does not affect your other rights under PDPL.
F. Right to Restrict Processing
Under article 16 of PDPL, you have the right to request the restriction of processing your Personal Information. You may request a restriction if:
you dispute the accuracy of your Personal Information (restriction applies for the period necessary to verify accuracy);
the processing is unlawful, but you object to deletion and request restriction instead;
we no longer need the Personal Information for processing, but you require it for legal claims.
G. Right to Stop Processing (Objection)
You have the right to object to the processing of your Personal Information and stop it if:
the processing is intended for direct marketing, including profiling related to direct marketing;
the processing is intended for statistical surveys, unless necessary for the public interest;
the processing is carried out in violation of article 5 of the PDPL.
To exercise this right, contact us at support@lampyre.io .
H. Right to Object to Automated Processing
In accordance with Article 18 of the PDPL, you have the right to object to decisions made solely through automated processing, including profiling, especially when such decisions have a legal impact on you or adversely affect your interests. You have the right to request human intervention in any automated decision-making process.
Sending Requests
To exercise your rights as a data subject under the PDPL, you may submit a request by contacting us via the email address specified in the section 21 of this Privacy Policy. Alternatively, you can exercise your rights by accessing the active links provided in your Account.
Response Timeline
We will respond to your request within 30 days of receipt. If your request is complex, we may extend this period by an additional 30 days, and we will notify you of the reason for the delay.
Fees for Requests
The information you request is generally provided free of charge. However, in accordance with article 13(3) of PDPL, we may decline your request or charge a reasonable fee if your request is clearly excessive or unreasonable, including due to its repetitive nature.
Rejection of Requests
Data Tower may reject your request if:
the request is not related to the information referred to in Article 13(1), or it is excessively repetitive;
the request conflicts with judicial procedures or investigations conducted by competent authorities;
the request may negatively affect our efforts to protect information security;
the request affects the privacy and confidentiality of Personal Information of third parties.
14. Safety and our responsibility
We store Personal Information that we receive from you on our own or rented technical devices and on properly protected media. We are committed to implementing appropriate technical and organizational security measures, consistent with industry standards and article 20 of PDPL, to protect your Personal Information from unauthorized or accidental disclosure, access, misuse, loss, or alteration.
In some cases, if we have reasonable doubt regarding the identity of the person making a request for access, correction, or deletion, we may require additional information to verify their identity. This measure ensures that your Personal Information is shared only with authorized individuals and is protected from unauthorized access.
Please note that this Privacy Policy applies solely to websites, software products, and services developed, operated, or controlled by the Company. Our products may contain hyperlinks and banners that redirect you to third-party websites. If Personal Information is shared with such third parties as part of our services, we ensure that these third parties comply with PDPL standards. However, the Company is not responsible for the privacy practices or content of such websites or resources. We encourage you to review the privacy policy and terms of service of each website you visit.
Any data you post in Reports and Comments within the Lampyre Platform is visible to third parties. If you provide us with Personal Information about other individuals, you must obtain their explicit consent. The Company is not responsible for the disclosure of Personal Information belonging to third parties as part of user-generated content.
We remind you to exercise caution when posting your Personal Information in the public domain, including the Company's resources. The Company disclaims responsibility for any disclosure of Personal Information resulting from your actions.
Limitation of Liability for Third-Party Processing
Data Tower is not jointly liable for the processing activities of SNTT when SNTT acts as an independent data controller (B2B/B2G Accounts). Data Tower's liability is limited to its role as data controller for Private Accounts and as a processor instruction provider for SNTT's processor role.
15. Limitations (Age Restrictions)
Our software products, websites, and services are intended only for individuals aged 18 years or older. During Account registration, we require Users to confirm their age. If you are under the age of 18, you may not use the Platform under any circumstances. This is in compliance with the Child Digital Safety Law, which prohibits the collection and processing of personal data of children without verifiable parental consent. If we discover that a User under 18 has provided Personal Information without such consent, we will delete this data immediately upon notification and report the incident to the competent authorities as required by law.
Please note that any individual who transmits Personal Information about another person without a valid legal basis, as defined under article 4 of PDPL, will be held liable in accordance with Applicable Laws. The Company reserves the right to take appropriate action in such cases, including notifying the relevant authorities if necessary.
16. Consent to processing of personal data
Your consent to the provision of Personal Information to the Company and its processing by the Company remains valid until the Company terminates its activities or until you withdraw your consent, as provided under article 6(2) and article 8 of PDPL.
By consenting to the processing of your Personal Information, you acknowledge the following:
you act voluntarily and consciously in providing your consent;
you are aware that the Company processes Personal Information in accordance with the PDPL;
the Personal Information you provide belongs to you personally, and you are authorized to share it with the Company;
you have carefully read and fully understood this Privacy Policy, including the purposes and terms of processing your Personal Information;
you are aware of the identity of the data controller (the Company) and the specific purposes for which your Personal Information is being processed;
you understand your rights under PDPL, including the right to withdraw consent, request rectification or erasure of your data, and object to processing, among others;
you acknowledge and confirm that you understand all the terms of this Privacy Policy and the processing of your Personal Information as outlined within it;
you agree to the terms of processing your Personal Information as described in this Privacy Policy, without any reservations or limitations.
17. Withdrawal of consent to processing of personal data
You have the right to withdraw your consent to the processing of your Personal Information at any time. You can do this by:
writing to us at the email address listed in the Contact Details section of this Privacy Policy;
using the Account Settings section of your User Account to delete your Account.
Please note:
withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
withdrawing your consent or deleting your Account does not result in the automatic removal of any Reports, Comments, or other user-generated content you have posted while using our Platform. Such content will remain on the site unless:
you submit a reasonable request for its removal; or
we delete the content as part of routine site management or in response to specific circumstances; or
the site ceases to exist.
18. De-Identification of Personal Information
If your Personal Information is no longer required for processing, we will delete or de-identify it. De-identification is performed using methods that ensure compliance with PDPL and prevent any possibility of re-identification. This ensures the continued protection of your data while fulfilling our obligations under UAE law. De-identification involves removing any identifiable elements from the data to ensure it cannot be linked back to you. For example:
digital data is deleted using encryption-based methods;
physical records are shredded or otherwise destroyed securely;
for statistical purposes, anonymized data is retained in compliance with PDPL.
19. Final Provisions
This Privacy Policy is governed by the laws of the United Arab Emirates, including the PDPL and the Child Digital Safety Law. All PDPL regulations have been considered and complied with during the drafting of this Privacy Policy and the creation of our personal data management procedures.
If you have any questions about this Privacy Policy or concerns regarding how we manage your Personal Information, please contact us at the email address provided in the section 21 of this Privacy Policy.
If you believe that our procedures for managing your Personal Information violate PDPL, you have the right to file a complaint with the UAE Data Office.
Alternatively, you may also pursue your right to a judicial remedy in accordance with UAE laws through the appropriate UAE courts.
20. Applicable law
This Privacy Policy and any dispute that may arise between you and Data Tower is governed by the laws of the United Arab Emirates, regardless of your location.
21. Contact details
Website: https://lampyre.io
Email: support@lampyre.io
Mail address: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, the UAE.
Other contact details: https://lampyre.io/contact-us