PRIVACY POLICY

P4ML Unified Privacy Policy (GDPR + UAE PDPL + ADGM + CCPA-aligned)

This Privacy Policy explains how P4ML (“P4ML”, “we”, “us”, or “our”) collects, uses, discloses, and protects Personal Data across our products and services, in accordance with the UAE Personal Data Protection Law (PDPL), ADGM Data Protection Regulations, the EU General Data Protection Regulation (GDPR), and other applicable laws. Where relevant, we also provide a CCPA supplement for California residents.

Last updated: [01/11/2025]

Contact Details and Identity of Controller

  • Data Controller: P4ML Ltd [13870]
  • Registered Address: [Workspace 3808, Level 7, Al Maryah Tower, ADGM Square, Al Maryah Island, Abu Dhabi, UAE]
  • Email: privacy@p4ml.com
  • DPO: [Patrick J Moloney]. Email: dpo@p4ml.com
  • Telephone: [+971585980445]
  • EU Representative (if required by GDPR Art. 27): [Empower Data Governance, Maynooth University, Ireland]

We act as Controller for most processing. For specific features delivered on behalf of enterprise customers, we may act as a Processor; in those cases, our customers remain Controllers and we process under their instructions.

 

Part A – Scope, Definitions, and Legal Bases

What is Personal Data?

“Personal Data” means any information relating to an identified or identifiable natural person (e.g., name, email, IP address, device identifiers). “Special Categories” include health data, biometric data for unique identification, and other sensitive attributes. We only process Special Categories when strictly necessary, with appropriate safeguards and legal bases (e.g., explicit consent or employment law obligations).

Applicability

This Policy applies to:

  • End users of the P4ML apps, websites, and services
  • Enterprise clients and their authorized users
  • Job applicants and employees (employee-specific notices may supplement this Policy)
  • Event participants, website visitors, and other contacts

Lawful Bases

We rely on one or more of:

  • Consent (e.g., health analytics, marketing, cookies)
  • Contract (e.g., to provide subscribed features)
  • Legal obligation (e.g., tax, security, or employment laws)
  • Legitimate interests (e.g., product security, fraud prevention, service analytics) balanced against your rights
  • Vital interests and public interest (only where applicable)

You can withdraw consent at any time using in-app controls or by contacting us. Withdrawal does not affect prior lawful processing.

 

Part B – Data We Collect

We apply data minimization and purpose limitation by design.

  • Account and Identity Data: name, email, phone, address, age, gender (where provided), company, role
  • Authentication and Security Data: credentials, session tokens, MFA data, logs, access records
  • Device and Usage Data: IP address, device type, OS, app version, crash logs, page/app screens visited, timestamps, referral URLs, performance metrics
  • Location Data: approximate or precise location when you enable location services
  • Fitness/Wellness and App-Generated Data (Special/Sensitive where applicable): activity metrics, goals, challenges participation, progress, optional measurements from integrated wearables or apps; processed only with explicit consent where required
  • Transaction and Billing Data: subscription tier, invoices, payment tokens (stored by our PCI-compliant providers), VAT/Tax details
  • Communications and Preferences: support tickets, survey responses, marketing preferences, consent logs
  • Employment/Recruitment Data (applicants/employees): CV/resume, qualifications, identity verification, background checks where permitted by law, right-to-work documentation, compensation data; employee-specific retention and processing rules apply
  • Cookies/Tracking: session, preference, security, analytics, and advertising cookies (see Cookies section)

We do not sell Personal Data.

We do not use fully automated decision-making that produces legal or similarly significant effects without human oversight. Limited profiling may be used for security (fraud/anomaly detection), personalization, or analytics with appropriate safeguards.

Children: Our services are not intended for children under 18. We do not knowingly collect data from children under 18. If you believe a child provided data, contact us for removal.

 

Part C – How We Use Personal Data

  • Provide and maintain services and features
  • Create and manage accounts and subscriptions; billing and collections
  • Secure the services: detect, prevent, and investigate fraud, abuse, and security incidents
  • Product analytics, quality, and performance improvements using aggregated/de-identified data where possible
  • Customer support and service communications
  • Event management and business development, with consent where required
  • Legal compliance (AML/KYC where applicable), regulatory reporting, and dispute handling
  • Marketing with consent or as permitted by law; you can opt out at any time
  • Recruitment and HR management for applicants and employees in accordance with employment law

We will never claim ownership of your personal data or your commercial rights in it. Any statements to the contrary in third-party policies do not apply to P4ML. Where we generate anonymized or de-identified insights, we ensure they cannot reasonably be re-identified and use them to improve our services, conduct research, or report aggregated statistics. We do not share de-identified data with governments unless legally required and subject to rigorous due process.

 

Part D – Sharing and Transfers

We do not sell Personal Data.

We may share Personal Data with:

  • Service providers (processors) under written contracts with confidentiality, security, and data protection obligations (e.g., hosting, analytics, email/SMS, customer support, payment processors)
  • Enterprise customers (where you use P4ML under your employer’s subscription) according to the customer’s instructions and applicable agreements
  • Professional advisors, auditors, and insurers under confidentiality
  • Authorities when legally required or to protect rights, safety, and security (after validating requests and minimizing scope)
  • Parties to corporate transactions (merger, acquisition, restructuring) under appropriate safeguards and notices

Cross-border transfers:

  • Where data leaves its origin jurisdiction, we use appropriate safeguards:
    • EU/UK: Standard Contractual Clauses and Transfer Risk Assessments
    • ADGM/UAE PDPL: ADGM adequacy decisions, contractual clauses, and organizational/technical measures
  • Regional hosting: Where feasible, we offer regional data hosting (including UAE) to minimize outbound transfers. If a transfer is necessary, we apply the safeguards above and ensure equivalent protection.

 

Part E – Security

We maintain administrative, technical, and physical controls aligned to industry standards:

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access control, least-privilege, MFA for privileged users, regular access reviews
  • Network security: firewalls, segmentation, IDS/IPS, vulnerability management, and secure SDLC
  • Endpoint protection, anti-malware, patching, logging and monitoring, audit trails
  • Vendor due diligence and DPAs with processors
  • Employee training and confidentiality commitments
  • Incident response and breach notification procedures meeting GDPR/PDPL timelines and thresholds

No system is 100% secure; we continuously improve our controls.

 

Part F – Data Retention

We retain Personal Data only as long as necessary for the purposes outlined, complying with:

  • Legal/regulatory retention requirements
  • Contractual obligations and limitation periods
  • Business needs with documented retention schedules and deletion timelines

When data is no longer needed, we securely delete or anonymize it.

 

Part G – Cookies and Tracking

Types of cookies we use:

  • Strictly necessary (session/security)
  • Preferences (remember settings)
  • Analytics (usage and performance)
  • Advertising/retargeting (only with consent where required)

Your choices:

  • Use browser settings and our cookie banner to manage preferences
  • Opt out of marketing cookies at any time via our Preference Center
  • If you block cookies, some features may not function

 

Part H – Your Rights

Subject to applicable law, you may have the right to:

  • Information and access to your Personal Data
  • Rectification of inaccuracies
  • Erasure (“right to be forgotten”)
  • Restriction of processing
  • Data portability (machine-readable copy)
  • Object to processing based on legitimate interests or direct marketing
  • Withdraw consent at any time (without affecting prior processing)
  • Lodge a complaint with your supervisory authority

How to exercise your rights:

  • In-app: Settings → Privacy → Data Rights
  • Email: privacy@p4ml.com or dpo@p4ml.com
  • Identity verification may be required. We respond within statutory timelines (e.g., one month under the GDPR).

Account deletion:

  • Use Settings → Account → Delete Account Permanently
  • We will delete your personal data within 3 business days, unless retention is required by law or to resolve disputes, enforce agreements, or comply with security/legal obligations.

Supervisory contacts (examples):

 

Part I – International, UAE, and EU Specific Disclosures

  • GDPR: We comply with Articles 13/14 transparency, Article 30 records, DPIAs where required, and timely breach notification (Articles 33/34).
  • UAE PDPL and ADGM: We reference and follow applicable PDPL and ADGM requirements, including cross-border transfer safeguards, DPO designation, and data subject rights.
  • Health/Fitness Data: Treated as sensitive. We will only process with explicit consent or another clear lawful basis and apply elevated safeguards. No sale of health data.

 

Part J – Enterprise Features and Processors

  • When P4ML acts as Processor for enterprise customers, we process data under the customer’s instructions, with DPAs and appropriate technical/organizational measures.
  • Data disclosures to an employer (Controller) are governed by the enterprise agreement and applicable law. We provide transparency to users in-app where feasible.

 

Part K – Changes to This Policy

We may update this Policy to reflect legal, technical, or business developments. We will post updates with a new “Last updated” date and provide notice for material changes (e.g., in-app notification or email). Continued use after the effective date indicates acceptance of the changes.

 

Part L – CCPA/CPRA Supplement (California Residents)

If the CCPA/CPRA applies, you have rights to:

  • Know/access: categories and specific pieces of Personal Information collected, sources, purposes, and categories of third parties shared with
  • Correction and deletion (subject to exceptions)
  • Opt-out of “sale” or “sharing” of PI for cross-context behavioral advertising; P4ML does not sell Personal Information
  • Non-discrimination for exercising your rights

Submit requests via privacy@p4ml.com or in-app. We will verify your identity and respond within statutory timelines. Authorized agents may submit requests with proof of authority.

Categories of PI collected (12 months): identifiers, commercial information, internet or network activity, geolocation (if enabled), professional info, inferences (for personalization/security), and sensitive data (e.g., health metrics, only with consent). Sources: you, your devices, enterprise customers, service providers, publicly available sources. Purposes: as described in this Policy. Disclosures: to service providers, enterprise customers per contract, advisors, and authorities as required by law. No sale of PI.

 

Part M – How to Contact Us

If you believe your rights have been infringed, you can contact us or your supervisory authority.

 

What We Explicitly Do Not Do

  • We do not claim ownership or commercial rights over your Personal Data.
  • We do not sell Personal Data, including health/fitness data.
  • We do not perform solely automated decisions that produce legal or similarly significant effects without human involvement.
  • We do not share de-identified data with governments absent a binding legal obligation and due process.

 

Address

AREA 2071, Emirates Towers - Trade Centre - Trade Centre 2 - Dubai

Address: 1201, City Gate, Mahon, Cork, T12 T3HC, Ireland

Contact Us

 

+971 451 66542

info@p4ml.com

© 2025 P4ML , Inc. | Privacy Policy | Terms and Conditions
