Privacy Policy

Last Updated: [05.06.2026]

This Privacy Policy, as amended or otherwise changed from time to time (the “Privacy Policy” or “Policy”), explains the manner in which Zay Me LLC-FZ, license number 456643353, address Meydan Grandstand, 6th floor, Sheba, Dubai, UAE (hereinafter the “Company” or “Zay”) maintains and discloses user information obtained through its website https://zay.me/ and or the App Zay Me (together referred to as “Zay Platform” as established in the Terms). The terms “we,” “us,” and “our” refer to the Company.

By using the Zay Platform, you acknowledge that you have read and understood this Privacy Policy. Zay processes your personal data on the lawful bases described in the “What are the grounds for data processing?” section below. Where processing is based on consent, you may withdraw that consent at any time as described in this Policy; withdrawal does not affect the lawfulness of processing that occurred before withdrawal. Where processing is based on contractual necessity or legal obligation, it cannot be withdrawn without terminating your use of the relevant Service.

This Privacy Policy describes how we collect, use and otherwise handle “Personal Data” (for the avoidance of doubt, personal data is any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person) that you provide or make available to us, or that we collect from you, when you use Zay Platform, and explains the circumstances in which we may transfer this to others.

The Company is an independent data controller in respect of the Personal Data it processes in connection with Zay Platform and the Services as described in the Terms of Use (“Terms”). The terminology not defined in this Privacy Policy shall be defined in accordance with the Terms.

Where Users are located in the United Kingdom or the European Economic Area, or where processing activities have a sufficient connection to those jurisdictions, Zay also gives effect to the principles of the UK General Data Protection Regulation (“UK GDPR”) and the EU General Data Protection Regulation (“EU GDPR”) on a best-efforts basis as a matter of good practice and to satisfy the requirements of its third-party partners. The Company as data controller based in the UAE is also subject to the regulations and requirements of the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data Protection (“PDPL”).

This Policy does not govern the processing activities Kulipa, Monavate (being a “Financial Partner” as engaged by Kulipa, identified and defined in Kulipa’s Terms, referred here as the “Card Issuer” as well), Privy or any other technical provider involved in the operation of the Wallets or payment transactions conducted outside of the Platform by means of the Card. Each operates as an independent data controller and publishes its own privacy documentation. Zay’s transfer of your data to those parties is a controller-to-controller disclosure, as explained further in this Policy. You acknowledge and agree that you are responsible for familiarizing yourself with the mentioned privacy documentation, and, if you do not agree with the data processing practices of the mentioned providers, you shall not use the Card, Card Wallet or Privy Wallet as the case may be.

On occasion, the Company may revise this Privacy Policy to reflect changes in the law, our Personal Data collection and use practices, the features on the Site, or advances in technology. If material changes are made to this Privacy Policy, the changes will be prominently posted on the Website.

What if I do not want to accept this Privacy Policy?

By using Zay Platform, you signify your acceptance of this Policy. If you do not agree to this Policy, please do not use Zay Platform. Your continued use of Zay Platform following the posting of changes to this Policy will be deemed as your acceptance of those changes.

In case you disclose any Personal Data regarding any third person (e.g. your family members) to us, you are obliged to refer them to this Policy.

What information does the Company collect?

We collect Personal Data, as described below.

Our App has built-in integration with Kulipa which allows Kulipa to collect Personal Data from you, such as:

  • your full name;
  • government-issued identity document (type, document number, issuing country, expiry date, and document image);
  • selfie photograph taken during liveness verification;
  • liveness check result and confidence score;
  • telephone number;
  • your residential address and geolocation data;
  • source of funds declaration, for example, a written statement describing the lawful origin of funds you intend to load onto your Card Wallet;
  • your email address.

The exact types of Personal Data collected by Kulipa is explained in more detail in Kulipa’s privacy documentation.

We receive the following list of your Personal Data from Kulipa:

  • your full name;
  • your jurisdiction of residence and address;
  • your email address.

If you provide us feedback or contact us via email, we will collect your name and email address directly, as well as any other content included in the email, in order to send you a reply.

Some information is collected automatically by our servers:

  • Our servers (which may be hosted by a third-party service provider) collect information from you, including your browser type, operating system, Internet Protocol (“IP”) address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session), domain name, and/or a date/time stamp for your visit.
  • As is true of most websites, we gather certain information automatically and store it in log files. This information includes IP addresses, browser type, Internet service provider (“ISP”), referring/exit pages, operating system, date/time stamp, and clickstream data.
  • Like many online services, we use cookies to collect information. “Cookies” are small pieces of information that the Website sends to your computer’s hard drive while you are viewing the Website.
  • We retain information on your behalf, such as transactional data and other session data linked to your account.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic data). Zay does not collect or store your raw biometric data (such as facial geometry templates). Biometric processing is conducted by Sumsub and Kulipa as independent controllers.

Please note we don’t process information related to your Card number or other payment data. Your Card issuance and transactions are handled by Kulipa/Card Issuer and do not go through our servers.

To provide you with our services, the Company may use third-party software components. Some of these third-party materials may be subject to other terms and conditions. By accepting our Privacy Policy, you indicate your agreement to the terms and conditions of such providers (whether applicable).

We may use the data we collect for the purpose of testing, analysis, research, statistics and overall development of the services. Also, we may share some of the collected data with third parties only for analysis and statistics to improve our services.

Zay may use aggregated, anonymised data (which no longer constitutes Personal Data) for internal analytics, product testing, and service improvement.

What are the grounds for data processing?

We use the following basis to collect and process your data: performance of a contract, compliance with legal obligations, our legitimate interest, and your consent.

Description of why the Company processes your Personal Data (processing purpose) Legal basis for the processing purpose Categories of Personal Data used by the Company for the processing purpose
To provide you with the Services Necessary to perform a contract to which you (as the data subject) are a party (including for the procedures for concluding, amending or terminating the contract) Account registration data
Data that we receive automatically
Data collected via the App
Third-party data
Safety and security Legitimate interest Account registration data
Third-party data
Communications and marketing Performance of a Contract
Consent
Legitimate interest
Account registration data
Data collected via the services
Compliance with legal obligations (applicable AML/CFT and Sanctions restrictions) of the Company’s partners involved in the provision of the Services and/or integrated into the Zay Platform Compliance with legal obligations Account registration data
Data that we receive automatically
Data collected via the services

Journey of your Personal Data / Data Controllers

Your experience involves multiple parties, each of which independently determines how and why it processes your Personal Data. None of these parties acts as a mere processor executing another party’s instructions in respect of the data flows described below.

Party Jurisdiction Independent Controller Role
Kulipa France Collects Personal Data for the identification process through Kulipa widget integrated in the App. Receives KYC data from third-party providers through Sumsub. Acts as independent controller throughout.
Zay UAE Collects data directly from you or receives part of the Personal Data provided to Kulipa from Kulipa and/or Privy/other third party providers directing you to the Platform (phone number/email address); Acts as independent controller throughout.
Monavate EEA and the UK Processes the Data received from Kulipa and under applicable AML/CFT/Sanctions screening obligations as independent controllers for Card issuance, payment processing, and their own regulatory compliance. Governed by Card Issuer’s privacy policies, GDPR obligations and the UK GDPR rules whether applicable. Acts as independent controller throughout.
Privy USA Processes email, User identifier number and phone number, as well as cryptographic and wallet-related data as an independent controller for self-custody Wallet infrastructure. Acts as independent controller.

User as a data subject acknowledges and agrees cross-border data transfer is necessary to enter into or perform a contract involving or benefiting the data subject and, by accepting this Privacy Policy and using Zay Platform, the User has expressly consented to such data transfers.

How does the Company use the information it collects?

Zay uses your Personal Data solely for the following purposes:

  • Account creation and management required for the provision of the Services: registering your account, and maintaining your account settings and history;
  • Fraud prevention and platform security: using geolocation, device signals, and behavioural patterns to identify and prevent fraud and unauthorised access;
  • Customer support: responding to your queries and resolving complaints and disputes;
  • App improvement: analysing aggregated, anonymised usage data to improve the App features;
  • Legal proceedings and regulatory response: processing data as necessary to establish, exercise, or defend legal claims, and to respond to lawful requests from regulatory or law enforcement authorities

The Company does not sell user and/or anonymous data to any third party.

Marketing and newsletter subscriptions

[Please note that the information given below is an example, your processes and collected data may differ, let us know if this should be changed or deleted]

We collect information about your behaviour within Zay Platform to offer you interesting information and offers regarding our services and products. This information includes your profile information and user status. This information is processed automatically and you as a user will notice it by seeing more relevant content when signed in. We do not share this information with third parties. The processing of such personal data is based on our legitimate interest to develop and promote our services and products.

If you have subscribed to our mailing list, we will send you information on our new activities, events and products. We can also send special offers directed to a special user group, users of a certain region, etc. Adding you to our mailing list is based on your consent. You may also unsubscribe from the mailing list anytime by clicking the unsubscribe link at the bottom of each message.

Customer support

[Please note that the information given below is an example, your processes and collected data may differ, let us know if this should be changed or deleted]

In case you need to contact our customer support, our support personnel will handle your contact information and the contents of your communication. Please do not share any sensitive data in your communication with our customer support. We keep a record of the contents of the support tickets to make sure that you receive quality service and to develop our products and services. The processing of your Personal Data in connection with your communication with our customer service is based on the service agreement between you and the Company as well as our legitimate interest to follow up on the quality of our customer service, to verify the actions taken based on your request and to develop our service in the future.

How does the Company share your Personal Data?

It may be necessary to disclose your information to comply with any law, court orders, or government request, defend against claims, investigate or bring legal action against illegal or suspected illegal activities, enforce our Terms, or protect the rights, safety, and security of the Company, our users, or the public.

Other than as stated in this Privacy Policy, the Company does not disclose any of your Personal Data to third parties unless required to do so by law enforcement, court order, or in compliance with legal reporting obligations.

We may share some or all of your Personal Data in connection with or during the negotiation of any merger, financing, acquisition or dissolution transaction or proceeding involving the sale, transfer, divestiture, or disclosure of all or a portion of our business or assets. In the event of insolvency, bankruptcy, or receivership, Personal Data may also be transferred as a business asset.

If another company acquires the Company, business, or assets, that company will possess the Personal Data collected by us and will assume the rights and obligations regarding your Personal Data as described in this Privacy Policy.

Zay Platform may contain links to other third-party websites which are regulated by their own privacy documentation. The Company is not responsible for the privacy documentation of these third-party websites even if they were accessed using the links from our site.

How long do we store your Personal Data?

We keep the data you have provided to us on your user account for the whole period of your customer relationship and as long as it is necessary with regard to the purposes of the processing described above.

Zay retains your data for the following periods, consistent with UAE PDPL requirements:

Category Retention period
Identity Data (full name, phone number, email address, jurisdiction of residence, address, etc.) 5 years from account closure
Geolocation data 5 years from account closure
Device and technical data 2 years from collection
Support and complaints communications retained for 5 years where connected to a transaction or compliance matter; otherwise 3 years.

We may be obliged to store some Personal Data for a longer time, taking into account factors including

  • legal obligation(s) under applicable law to retain data for a certain period of time;
  • statute of limitations under applicable law(s);
  • (potential) disputes; and
  • guidelines issued by relevant data protection authorities.

Whilst we continue to process your Personal Data, we will ensure that it is treated in accordance with this Privacy Policy. Otherwise, we securely erase your information once this is no longer needed.

Where do we get and how do we transfer your Personal Data?

We do not transfer your personal data to Kulipa/Monavate, these data will be collected directly by Kulipa for AML/CFT/Sanction screening / regulatory compliance and for the independent Card approval decision.

Kulipa may disclose some of your Personal Data to Zay as described above, and this is a controller-to-controller disclosure. Kulipa and/or Monavate receive and process this data as independent data controllers under their own privacy policies and under applicable legislations (including French law and EU GDPR). Zay has no control over, and accepts no responsibility for, how Kulipa and/or Monavate processes your data following receipt. You may exercise your data subject rights in relation to Kulipa’s or Monavate’s processing directly with Kulipa or Monavate.

The legal basis for this transfer is contractual necessity (provision of the Services available via the Platform). For the contractual necessity purposes and for the provision of the Services, we may transfer to Privy the following Personal Data: email address, User ID number and phone number.

We also share your Personal Data with our third-party service providers based both inside and outside of the European Economic Area and the United Arab Emirates who we engage to provide services in relation to our Platform for the purposes of:

  • hosting and maintaining Zay Platform;
  • providing data storage;
  • assisting us with database management, and in order to assist us with related tasks or processes.

The transfer of your Personal Data to third parties may involve your Personal Data being sent outside of the UAE, to locations that may not provide the same level of protection as those where you first provided the information. However, we will only transfer your Personal Data outside of the UAE:

  • for the EEA data subjects: where the transfer is to a place or by a method or in circumstances that are regarded by the European Commission as providing adequate protection for your Personal Data;
  • where we have put in place standard data protection clauses adopted by the relevant data protection authorities; or
  • where none of the above applies but we are still legally permitted to do so, for example, if the transfer is necessary for the establishment, exercise or defence of legal claims.

You can request further detail about the safeguards that we have in place in respect of transfers of Personal Data outside of the UAE and where applicable a copy of the standard data protection clauses that we have in place by contacting us at [email protected].

What legal rights do you have in relation to your information?

Under certain circumstances, you have the following rights under data protection laws in relation to your Personal Data:

  • request access to your Personal Data;
  • request correction of your Personal Data;
  • request to stop processing your Personal Data for direct marketing purposes;
  • right not to be subject to automated decision making, including profiling;
  • erasure of your Personal Data;
  • object to the automated decision making;
  • request the restriction of processing your Personal Data;
  • request transfer of your Personal Data.

Not all Personal Data owners’ rights are ‘absolute’.

How can you send requests regarding your information?

You can make a request regarding your information by emailing [email protected].

Unless you have made a corresponding request, we will retain your information for as long as your account has not been closed or as needed to provide you access to your account.

Where do we store your Personal Data?

The information we collect is primarily stored on secure servers [please indicate the jurisdiction(s)]. We will take all steps reasonably necessary to ensure that Personal Data is treated securely and in accordance with this Privacy Policy.

What security precautions does the Company take to protect me?

We take the protection of your Personal Data seriously. We use industry-standard data encryption technology and have implemented restrictions related to the storage of and the ability to access your Personal Data. However, despite all of our efforts, please note that no transmission over the Internet or method of electronic storage can be guaranteed to be 100% secure.

Complaints

Where the processing is based on consent, you have the right to withdraw your consent for data processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent, you can contact us with the use of [email protected].

You may also file a complaint with the appropriate supervisory authority if you believe that your rights have been violated.

Contacting Us

If you have any questions about our Privacy Policy as outlined above, please contact us at [email protected].