Privacy Policy

Version 1.0 | Effective Date: 22 April 2026 | PDPL Compliant

At SparkHour, your privacy matters. This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and what rights you have. It is written to comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL").

1. Who We Are

SparkHour FZ-LLC ("SparkHour", "we", "us", "our") is the data controller of your personal data under UAE law.

• Licensed as a Free Zone (FZ) entity by Sharjah Media City Free Zone Authority (Shams)
• Registered for VAT with the UAE Federal Tax Authority
• Registered Office: Sharjah Media City (Shams), Al Messaned, Sharjah, United Arab Emirates
• Privacy contact / Designated Data Protection Contact: privacy@sparkhour.ae
• General contact: contact@sparkhour.ae

2. Scope of This Policy

This Privacy Policy applies to all personal data collected through:

• The SparkHour website at www.sparkhour.ae
• The SparkHour mobile applications (when released)
• Emails, chat, and other communications with SparkHour
• Any other service that links to this Privacy Policy

It applies to all Users — Creators, Studio Hosts, and visitors.

3. Personal Data We Collect

3.1 Data You Provide

• Identity: full name, date of birth, Emirates ID or passport number, nationality
• Contact: email, mobile, billing/physical address
• Account: username, hashed password, profile photo, preferred language
• Studio Host data: trade license, tenancy/Ejari documents, bank account info, tax status (VAT/TRN), Space photos/descriptions
• Booking data: bookings, dates, durations, attendee counts, messages
• Payment data: stored by Stripe; we only store tokenised references and last four digits
• Verification: KYC documents, selfies where applicable
• Content: reviews, ratings, messages, photos, videos

3.2 Data Collected Automatically

• Device: IP address, device type, OS, browser, language
• Usage: pages visited, clicks, searches, session duration, referring URL
• Location: approximate from IP; precise GPS only with permission
• Cookies (see Section 9)

3.3 Data From Third Parties

• Stripe (payment confirmation, fraud signals)
• Google (if you sign up via Google)
• Identity verification/fraud prevention providers
• Other Users (reviews, messages)

4. Why We Collect Your Data (Legal Bases Under PDPL)

We process under PDPL Article 4 legal bases:

1. CONTRACTUAL NECESSITY: to operate your account and services.
2. LEGAL OBLIGATION: tax (Federal Decree-Laws No. 8 of 2017 and No. 47 of 2022), AML (Federal Decree-Law No. 20 of 2018), consumer protection (Federal Law No. 15 of 2020), regulatory requests.
3. LEGITIMATE INTEREST: fraud prevention, security, service improvement, analytics, enforcement.
4. CONSENT: marketing, optional cookies, precise location.
5. VITAL INTERESTS: protecting life/safety in rare cases.

5. How We Use Your Data

• Operate the Platform and facilitate Bookings
• Verify identity and eligibility
• Process payments, Payouts, refunds
• Communicate (account, Bookings, support)
• Send service notifications (confirmations, cancellations, receipts)
• Send marketing (with consent; opt out anytime)
• Detect/investigate/prevent fraud and security incidents
• Moderate Listings and content for UAE law/Guidelines compliance
• Comply with legal/regulatory/tax obligations
• Analyse usage and improve the Platform (aggregated/de-identified)
• Enforce our Terms, Studio Host Agreement, policies

6. Who We Share Your Data With

6.1 Other Users

• First name, profile photo, review history visible to others
• Studio Hosts see Creator's first name and booking details after confirmation
• Full Space address released to Creator only after Studio Host confirms and KYC is complete
• Messages routed through the Platform

6.2 Service Providers (Data Processors)

We engage carefully selected third parties. Each has signed a written Data Processing Agreement (DPA) with SparkHour that includes the protections required by PDPL Article 26, and each is subject to confidentiality and security standards:

• Stripe Payments Europe, Ltd. — payment processing, payouts, fraud detection
• Supabase, Inc. — database hosting and authentication
• Vercel, Inc. — application hosting and content delivery
• Resend (Plus Five Five, Inc.) — transactional email delivery
• Google LLC — analytics, maps, reCAPTCHA
• Identity verification and KYC providers (where integrated)
• Customer support and ticketing tools

A current sub-processor list is available on request from privacy@sparkhour.ae.

6.3 Legal & Regulatory

• UAE authorities, courts, regulators, law enforcement (court order, regulatory/tax enquiry)
• To protect SparkHour/Users/public
• In corporate transactions (merger, acquisition, financing)

6.4 With Your Consent

We share with any other party only with your explicit consent.

7. International Data Transfers

Some service providers are located outside the UAE (US, EU). Under PDPL Article 22, transfers occur under adequate protection:

1. Binding contractual safeguards in our DPAs imposing PDPL-equivalent obligations;
2. Explicit consent where provided;
3. Contract performance or legal obligation.

Copies of our standard contractual clauses and the current list of cross-border data flows are available on request from privacy@sparkhour.ae.

8. How Long We Keep Your Data

Retained per PDPL Article 8:

• Account data: account duration + 5 years (UAE commercial records)
• Booking/payment records: 5 years (tax + AML)
• KYC documents: 5 years after relationship ends (AML)
• Marketing consent records: until withdrawn + 1 year
• Content: active account then archived/de-identified
• Fraud records: up to 7 years for ongoing legal need

Then securely deleted or anonymised.

9. Cookies & Similar Technologies

Used for:

• Login and preferences (strictly necessary)
• Analytics (consent)
• Marketing (consent)

Manage via our cookie banner (reopenable via footer "Cookie settings") or browser settings.

10. Your Rights Under PDPL

You have the following rights:

• Be informed (Article 13)
• Access (Article 14)
• Correction (Article 15)
• Deletion (Article 16) — subject to retention obligations
• Restrict processing (Article 17)
• Data portability (Article 18)
• Object (Article 19)
• Rights regarding automated decision-making, including human review (Article 20)
• Withdraw consent anytime

10.1 How to Exercise Rights

Email privacy@sparkhour.ae — this is also our designated data protection contact for PDPL purposes. Response within 30 days per PDPL Article 25. Identity verification may be required.

10.2 Right to Lodge a Complaint

You may complain to the UAE Data Office. We'd appreciate the chance to address concerns first — privacy@sparkhour.ae.

11. Data Security

Measures include:

• TLS 1.2+ in transit; AES-256 at rest
• Strong password hashing (bcrypt/argon2)
• Role-based access, row-level security
• 2FA for admin accounts
• Regular patching, vulnerability scanning, backups
• PCI-DSS compliance via Stripe — no full card numbers stored
• Audit logging
• Staff training

Breach notification to UAE Data Office and affected individuals per PDPL Article 9.

12. Children's Privacy

The Platform is for 18+. We don't knowingly collect data from under-18s. If a child provided data, contact privacy@sparkhour.ae immediately.

Where a Booking involves minors (family shoots, school sessions), the Studio Host and the adult Creator organising the Booking are responsible for parental/guardian consents and compliance with the UAE Child Rights Law (Federal Decree-Law No. 3 of 2016, "Wadeema's Law").

13. Marketing Communications

With consent, we may send marketing emails. Opt out:

• Unsubscribe link in any marketing email
• Account notification preferences
• privacy@sparkhour.ae

Opt-out doesn't affect service-related communications.

14. Third-Party Links

Platform may link to third-party sites. Their policies govern. Review before interacting.

15. Changes to This Policy

Material changes: 30 days notice by email or Platform. "Effective Date" at top shows last update.

16. Contact Us

• Email: privacy@sparkhour.ae
• General: contact@sparkhour.ae
• Mail: SparkHour FZ-LLC, Sharjah Media City (Shams), Al Messaned, Sharjah, United Arab Emirates

Acknowledged within 7 days; substantive response within 30 days per PDPL.

17. Governing Law

Governed by the federal laws of the United Arab Emirates, including the PDPL. Exclusive jurisdiction of the Federal Courts of Sharjah.