Privacy Policy
Last updated: March 23, 2026
1. Data controller
Djambar AI FZCO
Dubai Silicon Oasis, Dubai, United Arab Emirates
Email: privacy@myumrah.ai
For pilgrim data, the client travel agency is the data controller and Djambar AI FZCO acts as data processor.
2. Data collected
Agency data: name, address, business registration, email, phone, banking details, intra-Community VAT number.
Pilgrim data (collected by the agency via the platform):
• Identity: name, date of birth, nationality
• Documents: passport number, visa (AES-256 encrypted)
• Health: medical information required for travel (AES-256 encrypted)
• Contact: email, phone, emergency contact
• Travel: dates, package, preferences
Payment data: credit card type (Visa, Mastercard, Amex), last four digits, Stripe transaction identifier. Full card numbers, security codes (CVV/CVC) and expiration dates are never collected, processed or stored by MyUmrah.ai. This data is processed exclusively by Stripe, a PCI DSS Level 1 certified provider.
Browsing data: pages visited, session duration (via Umami Analytics, no cookies, no personal data).
3. Processing purposes
• Management of the commercial relationship with agencies
• Provision of platform services (package management, CRM, messaging)
• Regulatory compliance (GDPR, PDPL) via vDPO module
• Platform improvement (anonymized analytics)
• Platform security (fraud detection, audit trail)
4. Legal basis
• Contract performance (Art. 6.1.b GDPR): provision of subscribed services
• Legitimate interest (Art. 6.1.f GDPR): security, service improvement
• Legal obligation (Art. 6.1.c GDPR): tax and regulatory compliance
• Explicit consent (Art. 9 GDPR): health data and religious beliefs
5. Recipients
Data is only accessible to:
• The relevant travel agency (via RLS isolation)
• The Djambar AI FZCO technical team (support, maintenance)
• Our technical sub-processors: Supabase (hosting), Vercel (CDN), Stripe (payment), Anthropic (AI)
Each sub-processor is bound by a DPA compliant with Article 28 of the GDPR.
6. International transfers
Data may be processed in the following countries:
• European Union (Supabase EU)
• United States (Vercel, Stripe, Anthropic) - Standard Contractual Clauses (SCC) in place
• United Arab Emirates (Djambar AI headquarters)
All transfers are covered by appropriate safeguards in accordance with Chapter V of the GDPR and PDPL requirements.
7. Retention period
• Critical data (passport, health): automatic deletion 6 months after travel
• Sensitive data (financial, emergency contacts): 3 years maximum
• Standard data (identity, preferences): contract duration + 1 year
• Billing data: 10 years (legal obligation)
• Analytics: continuously anonymized, no personal data retained
8. Your rights
Under the GDPR (Articles 15 to 22) and the PDPL, you have the following rights:
• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object
To exercise these rights: privacy@myumrah.ai
Response time: 30 days maximum.
You may also lodge a complaint with the CNIL (France), SDAIA (Saudi Arabia), or any competent data protection authority.
9. Cookies
MyUmrah.ai uses Umami Analytics, a privacy-respecting analytics solution that does not set any cookies and does not collect any personal data.
Stripe, our payment provider, may use cookies strictly necessary for fraud prevention and transaction security during the payment process. These cookies are exempt from consent requirements in accordance with Article 5(3) of Directive 2002/58/EC (ePrivacy Directive), as they are essential for the provision of the payment service.
Apart from these functional cookies, no consent banner is required.
10. Security
We implement the following measures:
• AES-256 encryption of sensitive data at rest
• TLS 1.3 for all communications
• Row Level Security (RLS) for per-agency data isolation
• Multi-factor authentication (MFA) available
• Audit trail of all access to sensitive data
• Regular security testing
• Compliance with NIST Cybersecurity Framework and CIS Benchmarks Level 1
12. PDPL specific provisions (Saudi Arabia)
In accordance with the Personal Data Protection Law (PDPL):
• SDAIA registration: pre-filled documentation available
• Double opt-in for sensitive data (health, religion)
• Parental consent required for minors' data
• Breach notification within 72 hours to SDAIA
• Limited retention period in accordance with Article 18 of the PDPL
13. Changes
We reserve the right to modify this policy. Any substantial change will be notified by email to Clients at least 30 days before coming into effect.
14. Contact
For any questions regarding this policy:
Djambar AI FZCO
Email: privacy@myumrah.ai
Address: Dubai Silicon Oasis, Dubai, UAE