Privacy Policy
Last Updated: April 26, 2026
1. Introduction and Purpose of this Policy
Welcome to EL7.AI ("the Platform," "we," "the Service"). We are an Arabic-first AI-powered fintech platform headquartered in Dubai, United Arab Emirates, providing financial market analytics, signals, economic news, educational courses, and AI-assisted research tools to Arabic-speaking users primarily across the Middle East and North Africa, alongside international users in the European Union, the United States, and elsewhere.
We are committed to protecting your privacy in accordance with the highest international standards, including UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL), the EU General Data Protection Regulation (GDPR) for users in the European Economic Area and the United Kingdom, and the California Consumer Privacy Act / Privacy Rights Act (CCPA/CPRA) for users residing in California.
The scope of this Policy covers all personal data we collect from or about you, including registration data, usage data, content of AI chat conversations, behavioural data, payment data, and cookie data.
The Data Controller responsible for processing your personal data is EL7.AI, registered in the Emirate of Dubai. For any privacy-related matter, you may contact our Data Protection Officer (DPO) at support@el7.ai. We commit to responding within thirty (30) calendar days.
By using our services, you acknowledge that you have read this Policy. We may update this Policy from time to time and will notify you of material changes via email or a prominent in-product notice at least thirty (30) days before the change takes effect.
2. Data We Collect
Account Data: When you create an EL7.AI account, we collect your full name, email address, and password (stored as a bcrypt hash with a per-user salt — we never store your plaintext password). If you sign up via Google or Apple, we receive from the provider a unique identifier, email, and display name.
Payment Data: All payments are processed via Stripe Inc., our PCI-DSS Level 1 certified payment provider. We never see or store your full card data. We receive and retain only: the last four digits of the card, the brand, expiry month and year, issuing country, and a unique Stripe customer identifier.
Billing and Subscription History: We retain a complete record of your financial transactions. We are required to retain these records for seven (7) years in accordance with UAE tax and accounting requirements.
Usage Data and Technical Telemetry: We automatically log: IP address (used for city-level geolocation only), device type and operating system, browser type and version, language, URLs of pages visited, timestamps, time spent on each page, and features used. This data is used to diagnose faults, improve performance, and detect fraud.
User Content: We store the content you create within the Platform: chat queries you send to the AI assistant and its responses, alerts you have configured, trading journal entries, watchlists, notes, and course quiz answers. This content is visible only to you.
Cookie Data and Analytics: We use essential cookies to maintain your session, analytics cookies from Google Analytics 4 and Microsoft Clarity (with sensitive form fields automatically masked), and advertising cookies from Google AdSense to display contextual ads on free-tier pages.
3. Legal Basis for Processing
We process your personal data on one of six legal bases recognized under GDPR and Articles 4-6 of the UAE PDPL.
Contract Performance: Account data, billing data, and user content are processed on the basis of performing our user agreement.
Legitimate Interest: We rely on this basis to process technical usage data and for fraud detection, system security, product improvement, and abuse prevention. We have conducted a documented Legitimate Interest Assessment (LIA).
Explicit Consent: We seek your prior consent before: enabling non-essential advertising and analytics cookies, sending marketing newsletters, and using your chat content to improve models. Consent is withdrawable at any time.
Legal Obligation: We retain billing and financial transaction data for seven years in response to UAE tax and accounting laws, and we may be legally compelled to disclose certain data in response to lawful requests.
4. How We Use Your Data
Core Service Delivery: We use account data to create and manage your account, verify your identity at sign-in, enforce plan permissions, and send essential system notifications.
Payment Processing: We use Stripe customer data and billing data to issue invoices, automatically renew subscriptions, process refund requests, and detect fraud.
Diagnostics and Performance Tuning: We use technical usage data and logs to discover bugs, monitor server performance, identify slow features, and detect security threats.
Personalization: We use your content (watchlists, alerts, trading journal, chat history) to deliver a personalized experience. This personalization happens on our servers only and is never used for any advertising purpose outside the Platform.
Marketing Communications (with consent only): If you have explicitly subscribed to the newsletter, we use your email to send weekly market summaries, course announcements, and educational content. Every marketing email contains a one-click unsubscribe link.
6. AI Processing and Specific Disclosures
EL7.AI uses Large Language Models (LLMs) from specialized third-party providers headquartered in the United States and the European Union to power features including: the AI chat assistant, financial news summarization, economic content translation, signal generation, and market data analysis.
We contract only with providers offering explicit contractual commitments to: not retain queries after the response is completed (zero-retention mode), never use your queries to train their models, encrypt data in transit and at rest, and comply with SOC 2 Type II and ISO 27001.
Avoid Submitting Sensitive Data: We strongly recommend you never input highly sensitive personal data into AI conversations, such as: card numbers, passwords, national ID numbers, medical details, or third-party confidential information.
AI Outputs Are Informational Only: All outputs produced by AI systems on the Platform are general information for educational and informational purposes only, not personal investment advice. AI models can be wrong, hallucinate, or produce biased or inaccurate content.
Automated Decision-Making and Right to Object: We do not make legally or financially binding decisions about you through purely automated processing without human intervention. You have the right to request human review under GDPR Article 22 and UAE PDPL Article 19.
Internal Model Training: We do not train our own AI models on your personal data or chat content without your explicit consent.
7. International Data Transfers
Your personal data may be transferred to and processed outside the United Arab Emirates. The main destinations include: the European Union (server and database hosting) and the United States (LLM provider, Stripe, Google Analytics/AdSense).
Transfer Safeguards under GDPR: We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission in Decision 2021/914.
Transfer Safeguards under UAE PDPL: Article 22 of the UAE PDPL requires appropriate contractual safeguards for transfers outside the country. We rely on Data Processing Agreements (DPAs) signed with all our partners.
Additional Technical Safeguards: TLS 1.3 encryption for all data in transit, AES-256 encryption at rest on databases and backups, separation of credentials from personal data, and periodic security reviews of sub-processors.
8. Data Retention Periods
We apply purpose limitation and data minimization. At the end of the retention period, data is irreversibly deleted from live systems and backups within a maximum of 90 days.
Account Data: Retained for as long as your account is active. Upon account deletion request, we delete this data within 30 days. If your account remains dormant for 36 consecutive months, we send a 30-day pre-deletion notice.
Billing Data and Financial Transactions: Retained for seven (7) years from the date of each transaction, in compliance with UAE Federal Law No. 8 of 2017 on Value-Added Tax. This period cannot be reduced even if you request deletion.
Usage Data and Technical Logs: Retained for 24 months for analytics and diagnostics, then anonymized or deleted. Security logs are retained for 12 months.
User Content: Retained for as long as your account is active. You may delete any individual item at any time. Upon account deletion, all your content is deleted within 30 days.
Backups: We retain encrypted database backups for 35 days on a rolling schedule. When your data is deleted from the live system, backups continue until their cycle ends and are then automatically deleted.
9. Your Rights as a Data Subject
Applicable laws (GDPR, UAE PDPL, CCPA) grant you a range of fundamental rights to control your personal data. You may exercise these rights free of charge through your account privacy settings, or by writing to support@el7.ai.
Right of Access: You have the right to request a complete copy of your personal data we hold. In account settings we provide a "Download My Data" button.
Right to Rectification: If your personal data is inaccurate or incomplete, you have the right to correct it immediately. Most fields are editable directly from account settings.
Right to Erasure: You have the right to request deletion of your account and personal data in full. Deletion is final and irreversible. The only exception is tax-invoice data legally required to be retained for 7 years.
Right to Data Portability: You have the right to receive your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another service provider.
Right to Object: You have the right to object to processing based on legitimate interest, direct marketing, or automated decision-making.
Right to Withdraw Consent: If specific processing is based on your consent, you can withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
Additional Rights for California Residents (CCPA/CPRA): You have the right to request disclosure of categories of data sold or shared (we do not sell data), the right to non-discrimination, and the right to limit use of sensitive data. Write to support@el7.ai with "CCPA Request" in the subject.
Lodging a Complaint: If you believe we have processed your data unlawfully, you have the right to lodge a complaint with the competent supervisory authority in your country.
11. Children and Underage Users
EL7.AI is designed for adults (18 years and older). We do not allow account creation for persons under 18.
If we discover that a user under 18 has created an account, we will: immediately suspend the account, delete all associated personal data within 7 days, and refund any payments.
For Parents and Guardians: If you believe your child has created an EL7.AI account, please contact us immediately at support@el7.ai. We treat such requests with urgency (within 48 business hours).
Educational Course Content: Some educational content discusses leverage, derivatives, and high-risk instruments. This content is designed for adults aware of financial-market risk.
12. Security and Technical Safeguards
We apply rigorous technical and organizational measures to protect your data from unauthorized access, loss, alteration, or disclosure.
Encryption in Transit: All communications between your browser and our servers are encrypted using TLS 1.3 with certificates from internationally recognized certificate authorities. We strictly enforce HTTPS (HSTS enabled).
Encryption at Rest: Databases and backups are encrypted with AES-256 at the disk level. Passwords are never stored in plaintext — we use bcrypt with a cost factor of 12 and a per-user salt.
Access Control and Authentication: We apply the principle of least privilege. For users, we provide optional two-factor authentication (TOTP), new-device login alerts, and monitoring of failed login attempts.
Network Segmentation: The production database is isolated in a private subnet inaccessible from the public internet. We use two layers of firewalls to detect and block distributed attacks, SQL injection, and common exploitation attempts.
Your Role in Security: We recommend you: use a strong unique password, enable two-factor authentication, never share login credentials, and log out when using public devices.
13. Security Breach Notification
In the event of a security breach exposing your personal data to actual risk, we are committed to a fast and transparent response policy.
Authority Notification (GDPR): Under GDPR Article 33, we notify the competent supervisory authority within 72 hours of becoming aware of a breach if it is likely to result in a risk to users’ rights.
Authority Notification (UAE PDPL): Under UAE PDPL Article 9, we notify the UAE Data Office "without delay" (interpreted as less than 72 hours).
Notifying Affected Users: If the breach poses a high risk to your rights, we notify you directly via email without undue delay. The notification includes a clear non-technical description of what happened, the affected data, the potential risks, the steps we have taken, and recommended actions for you.
14. Marketing Communications
We respect your email privacy and adhere to a strict prior-explicit-consent (Opt-In) principle for all marketing communications.
Types of Email We Send: (1) Transactional — sent automatically and cannot be disabled: subscription confirmation, password reset, invoices, security alerts. (2) Service Notifications — alerts you yourself have configured. (3) Marketing — requires explicit consent.
Unsubscribe: Every marketing email contains a one-click unsubscribe link in the footer. Clicking immediately unsubscribes you without requiring login.
Frequency Cap: We commit to a self-imposed cap: one weekly newsletter and promotional campaigns no more than twice monthly.
15. Automated Decision-Making and Predictive Analytics
We use algorithms and AI systems to deliver some Platform features. These systems operate within a framework of human oversight and transparency safeguards.
Nature of Automated Outputs: All analyses, signals, recommendations, and summaries produced by AI systems on the Platform are informational and educational only, not personal investment advice. No legally or financially binding decisions about you are made through purely automated processing without human intervention.
Fraud Detection (the only semi-automated case): We may decline a payment based on automated fraud signals. You have the right to: request human review of the decision and obtain a general explanation of the refusal reason.
Your Rights under GDPR Art. 22 and PDPL Art. 19: You shall not be subject to a decision based solely on automated processing that produces legal effects on you. You have the right to: obtain human intervention, express your view, and challenge the decision.
16. Changes to this Policy
We may update this Privacy Policy from time to time in response to changes in law, service developments, or guidance from regulators.
Announcing Updates: For material changes, we notify you by: (1) direct email to your registered address, (2) a prominent in-product notice on sign-in, and (3) updating the "Last Updated" date. Notification occurs at least thirty (30) days before the change takes effect.
Your Implicit Consent: Continuing to use the Platform after the update takes effect is implicit consent to the new terms. If you do not agree to material changes, you may delete your account before they take effect, with a refund of the unused portion of any paid subscription.
17. Contacting the Data Protection Officer
If you have any question, enquiry, complaint, or request relating to this Policy, you can contact our Data Protection Officer (DPO) through the channels described below.
Email: support@el7.ai — this is the official documented channel for all privacy-related requests. We acknowledge receipt within 5 business days and provide a full response within 30 days.
Postal Address: EL7.AI, Dubai, United Arab Emirates.
Identity Verification Requirements: We may ask you to verify your identity before processing sensitive requests. We delete ID copies as soon as verification completes.
Supervisory Authorities: UAE: UAE Data Office. EU: list of national supervisory authorities at edpb.europa.eu. UK: Information Commissioner’s Office (ICO). California: California Privacy Protection Agency (CPPA).
For privacy-related questions: support@el7.ai