Privacy Policy

Effective Date: January 15, 2026

1. Introduction

Rawa AI Limited ("Rawa", "we", "us", or "our") is committed to protecting the privacy of individuals whose personal data we process. This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), the Saudi Arabia Personal Data Protection Law ("Saudi PDPL"), the EU General Data Protection Regulation ("GDPR"), and other applicable data protection legislation.

This policy applies to all personal data processed by Rawa in connection with the operation of the Rawa Content Intelligence platform and our business activities.

2. Data Controller

Rawa AI Limited acts as the data controller for personal data processed in connection with our business operations, including platform user account data. When processing client content data, Rawa acts as a data processor on behalf of our clients (who are the data controllers), as governed by the Rawa Data Processing Agreement.

For any questions or requests regarding this policy or your personal data, please contact us at: privacy@rawa.ai.

3. Data Classification

Rawa classifies data into the following categories:

  • Client Content Data: Content and assets processed through the Rawa platform on behalf of clients — including marketing creatives, campaign assets, AI-generated outputs, and brand guidelines.
  • Platform Account Data: Data required to operate user accounts and provide platform services — including user names, email addresses, job titles, and authentication credentials.
  • Billing Data: Data required for invoicing and payment processing — including billing contact name, company name, and billing address.
  • Usage Data: Platform interaction and performance data — including feature usage logs, session timestamps, device/browser info, and IP addresses.

Rawa maintains a minimal personal data footprint. The only personal data we store is platform account data (names, emails, job titles) and billing contact information. Payment processing is handled by Stripe (PCI DSS Level 1 certified); Rawa does not store credit card numbers, bank account details, or other financial instrument data.

Rawa does not collect or process sensitive personal data (special categories) such as health data, biometric data, religious beliefs, political opinions, or criminal records.

4. Legal Basis for Processing

In accordance with the UAE PDPL, Saudi PDPL, and GDPR, Rawa processes personal data only where a valid legal basis exists:

  • Performance of a contract: Processing user account data to provide platform access and services as agreed in the service agreement.
  • Legitimate interest: Security monitoring, fraud prevention, platform improvement, and analytics to maintain and improve service quality.
  • Legal obligation: Retaining billing and transactional records as required by tax and financial regulations.
  • Consent: Where required and not covered by another legal basis, such as for optional marketing communications.

Where consent is the legal basis, it is obtained in a manner that is freely given, specific, informed, and unambiguous. Data subjects may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Purpose Limitation and Data Minimisation

Personal data is collected and processed only for specific, explicit, and legitimate purposes as required by the UAE PDPL and GDPR. Our platform is designed to function with minimal PII — only what is needed for user authentication, access management, and billing.

6. Data Subject Rights

Data subjects have the following rights under applicable data protection laws (UAE PDPL, GDPR, Saudi PDPL):

  • Right to be informed about how personal data is collected, used, and shared
  • Right of access to personal data held about them
  • Right to rectification of inaccurate or incomplete personal data
  • Right to erasure where there is no compelling legal basis for continued processing
  • Right to restrict processing in certain circumstances
  • Right to data portability in a structured, commonly used, machine-readable format
  • Right to object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent at any time where processing is based on consent
  • Right not to be subject to decisions based solely on automated processing that significantly affect them

Requests should be directed to privacy@rawa.ai. Rawa aims to respond within 30 calendar days. Where Rawa acts as a data processor, requests are forwarded to the relevant client (data controller) for decision.

7. Data Storage and Security

All data is stored on infrastructure provided by Convex, Google Cloud Platform (GCP), and Cloudflare, with the primary data region being US East (Virginia). We implement appropriate technical and organisational security measures to protect your personal information, including encryption, access controls, and monitoring.

For details on our infrastructure, encryption, and security controls, refer to the Rawa Information Security Policy.

8. Data Retention

Data is retained according to the following schedule:

  • Client content data: Duration of active subscription + 30 days
  • Platform account data: Duration of active account + 30 days after termination
  • Billing contact data: As required by applicable tax and financial regulations
  • Usage and analytics data: 12 months from collection
  • Audit logs: Minimum 12 months
  • AI processing data (prompts/outputs): Not retained beyond the session unless the client opts in

Upon expiry of the retention period or upon client request, data is securely deleted using cryptographic erasure or secure overwrite procedures. Clients may request a deletion confirmation certificate.

9. Cross-Border Data Transfers

Rawa's infrastructure is hosted in the United States (US East — Virginia). The transfer mechanisms and safeguards we apply are defined in the Rawa Data Processing Agreement, including adequacy assessments, Standard Contractual Clauses, and data transfer impact assessments as required by the UAE PDPL, Saudi PDPL, and GDPR.

Clients with specific data residency requirements may discuss options as part of the enterprise onboarding process.

10. AI Data Usage

The protections governing how data is processed through AI features are defined in our data handling practices. Client data is never used for AI model training. Processing is ephemeral, and all AI providers are contractually restricted from using data for any purpose beyond fulfilling the immediate request.

11. Third-Party Sharing

Rawa does not sell, rent, or trade personal data. Data is shared only with the sub-processors necessary to deliver the service, under contractual obligations no less protective than those in our Data Processing Agreement.

12. Cookies and Tracking

The Rawa platform uses strictly necessary cookies for session management and authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies that track individual users across websites.

13. Children's Data

The Rawa platform is a business-to-business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will delete it promptly, in accordance with the UAE PDPL and GDPR.

14. Data Breach Notification

In the event of a personal data breach, Rawa will notify affected parties in accordance with the timeline and procedures defined in the Rawa Incident Response & SLA Policy. This includes notification to relevant data protection authorities as required by the UAE PDPL, Saudi PDPL, and GDPR.

15. Data Protection Impact Assessments

Rawa conducts Data Protection Impact Assessments (DPIAs) before undertaking processing activities likely to result in a high risk to data subjects, in accordance with the UAE PDPL and GDPR. Given Rawa's minimal PII footprint, most processing activities do not meet the threshold for mandatory DPIAs; however, we conduct DPIAs as a matter of good practice when introducing new features or processing activities that may affect personal data.

16. Compliance Framework

This policy has been designed to comply with:

  • UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)
  • Saudi Arabia Personal Data Protection Law (Saudi PDPL) and its implementing regulations
  • EU General Data Protection Regulation (GDPR) — where applicable to the processing of EU/EEA data subjects' personal data
  • Other applicable regional data protection laws in jurisdictions where Rawa or its clients operate

Rawa monitors regulatory developments and updates this policy as necessary.

17. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated to affected individuals and clients within 30 days of taking effect.

18. Contact Information

For any questions, concerns, or requests regarding this policy or the processing of your personal data:

We aim to respond to all enquiries within 30 calendar days.