Privacy Policy
Last Updated: 20/05/2026, Version 1.2
1. Introduction
Comera Pay L.L.C (the Company/we/our/us), are committed to protecting your privacy. This Privacy Policy (Policy) outlines our practices regarding the collection, processing, and utilization of personal data pertaining to: (i) current and former visitors of our website www.comerapay.com and mobile application (Android & iOS); (ii) individuals registered to use our payment services made available through our Platform (Services); and (iii) authorized representatives, directors or owners of entities registered to use our Services; as applicable (User/you/your).
Personal data or personal information includes any data or information relating to you which may, by itself, or in combination with other data or information, be able to identify you.
By using or accessing our Platform and/or Services, you consent to this Policy and to the data processing purposes and practices stated in it. If you do not agree with the data processing purposes and practices stated in this Policy, you may choose to stop using our Platform. We periodically update this Policy. We encourage you to review this Policy periodically.
2. Purpose and Consent
This Policy has been developed for purposes of compliance with the Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), and the data protection-oriented provisions present in the Retail Payment Services and Card Schemes Regulation, Stored Value Facilities Regulation, Consumer Protection Regulation and Consumer Protection Standards issued by the Central Bank of the UAE (CBUAE).
Without information about you, we may not be able to provide you with the Services or the support you request or require. Some of the Personal Data we obtain is collected to comply with applicable laws and regulations, including anti-money laundering laws. This Policy explains:
- The types of Personal Data we collect about you;
- How we use Personal Data about you;
- Types of information we disclose to third parties and the types of such third parties; and
- How we protect your Personal Data.
For the avoidance of doubt, we may act as the Data Controller in relation to certain Personal Data collected through our Platform. We may engage carefully selected third-party service providers as Data Processors to process Personal Data on our behalf, including providers of cloud infrastructure, security and anti-fraud tools, analytics, communications etc.
3. Amendments to this Policy
From time to time, we may revise, amend, or supplement this Policy to reflect necessary changes in law, our Personal Data collection and usage practices, the features of our offerings, or advances in technology. If any material changes are made to this Policy, the changes may be prominently posted on our Platform. However, the onus is also on you to occasionally familiarize yourself with the contents of this Policy, for your own information.
Changes to this Policy are effective when they are published on our Platform.
4. Personal Data Protection Principles
Your Personal Data is collected and processed in accordance with relevant data protection principles, including lawfulness, fairness, and transparency; purpose limitation; collection limitation; data minimization; accuracy; rectification measures; storage limitation; integrity and confidentiality (security); with all relevant laws and regulations considered; and however applicable.
5. Consent for Performance of Contract, Legal Obligations; Consent Withdrawal
You provide consent to your Personal Data (whether provided directly by you, whether collected by us, or received by us from third parties or otherwise) being processed to satisfy any and all legal obligations arising from any contracts entered into/with/involving you or to deliver any Services to you which you have contracted with us to provide to you; or to take steps at your request prior to entering into a contract with you.
By applying or signing up for Services offered through our Platform, you authorize and consent to our obtaining from, and disclosing to, third parties any Personal Data about you in connection with identity or account verification, fraud detection, or collection procedure, or as may otherwise be allowed or required by applicable law.
You can withdraw such consent. Such withdrawal will not affect the lawfulness of processing based on previously recorded consent. Such withdrawal will take effect within 30 calendar days of submission of request to withdraw consent to process Personal Data. If you wish to submit such a request, please contact us at privacy@comerapay.com.
The specific Personal Data we collect, the method by which we collect such data, the purposes for which we collect such data, how we share such information, and how long we retain such information is explained individually, specifically for your clear, simple, and withdrawable consent below in this Policy.
6. Personal Data We Collect About You
We collect the following Personal Data about you:
| Category | Description |
|---|---|
| Identification Information | Name, email address, home address, phone number, date of birth, and identification details of documents confirming your ID and address. |
| Financial Information | Bank account and payment card numbers, and bank statements. |
| Transaction Information | When and where transactions occur, names of transacting parties, descriptions, payment amounts, etc. |
| Device Information | Location of your device, hardware model, operating system and version, unique device identifier, mobile network information, and device interaction details with our Services. |
| Usage Information | Access time, browser type and language, and IP address. |
| Third-Party Information | Information from third-party verification services, mailing list providers, and publicly available sources (may include government-issued identification number where lawful). |
| Cookies & Web Beacons | Information collected by cookies and web beacons (see Section 9). |
| Documents | Pictures of your ID, utility bills, and other documents as may be requested. |
| Security & Anti-Fraud | Technical information about your device, browser, interaction patterns and IP address collected via security and anti-fraud tools to prevent abuse of our Services. |
| Employment Information | Employment-related information. |
| Other Information | Information you provide when participating in contests, promotions, surveys, or any other communication with us. |
We may collect the Personal Data during the signup process for our Services, or in the course of our identity or account verification process, or in the course of your use of our Services.
You undertake that all Personal Data provided to us by you is true, complete, and accurate and you must notify us of any changes to such Personal Data within a reasonable timeframe after such change has been affected.
We do not knowingly collect data from, or market to, children under 18 years of age. By using the Services, you represent that you are at least 18 years. If we learn that Personal Data from users who are less than 18 years of age has been collected, we will deactivate your access to our Services and take reasonable measures to promptly delete such data from our records.
7. Mode of Collection
| Source | Description |
|---|---|
| Information provided directly | When you interact with us, access our Platform, open a digital wallet or use any Services, we may collect basic information about you and establish an Account. You may also provide information in surveys, promotions, or via email correspondence. |
| Information collected automatically | Technical information (browser, OS, IP, device identifiers, device type), site usage information (traffic patterns, pages viewed, time spent), and site preferences and cookies. |
| Information from third-party services | We collect Personal Data from third party partners who have your consent to share such data, and from authorized partner entities who share data with us to enable Service access. |
8. Use of Personal Data
We do not sell, exchange, or give to any other person your Personal Data, whether public or private, for any reason whatsoever, without your consent, other than for the express purpose of providing our Services to you. We collect, process, and use Personal Data for the following purposes:
| Purpose | Description |
|---|---|
| Service Provision | To provide, improve, personalize, facilitate, measure, customize, and enhance our Services and the design, content, and functionality of our Platform. |
| Analytics | To analyse use of our Services and improve our customer service. |
| Communications | With your prior permission, to send periodic emails, news, surveys, feedback requests, and communications about products, services, contests, promotions, discounts, and offers. |
| Internal Operations | To administer internal IT systems, maintain database back-ups, and keep records in accordance with internal policies and applicable law. |
| Support & Notices | To deliver technical notices, security alerts, support and administrative messages, transaction and Service messages, dispute resolution, fee collection. |
| Legal Claims | To establish, exercise or defend legal claims in court proceedings or administrative procedures. |
| Compliance | To comply with obligations required by law or by written agreements with third parties. |
| Product Development | To develop new products and services. |
| Security & Fraud Prevention | To protect our rights, property, and Service integrity; enforce Terms; verify identity; investigate, detect and prevent fraud, automated abuse, security breaches, and illegal activities, including through third-party security and anti-fraud tools. |
We may use third-party service providers to process your Personal Data in the United Arab Emirates (UAE) and other countries. We ensure that processing by such third parties will be based on a legitimate legal ground, performed in accordance with our lawful instructions, and in compliance with the PDPL and other legal requirements.
9. Cookie Policy
A ‘cookie’ is a small piece of encrypted text saved on the browser or hard drive in your computer or mobile device when you visit a website. It allows us to recognise you and make your next visit easier and the experience of our Services more useful to you.
We use both session/transient cookies (which expire once you close your web browser) and persistent cookies (which stay on your device until you delete them) to collect information that provides you with a more personalized and interactive experience.
How we use cookies: to provide analytics, prevent fraudulent or illegal activity, store your preferences, enable advertisement delivery, recognize when you log in, give you a unique browsing experience, and analyse how you use our sites. Non-essential cookies (such as advertising cookies) are only activated upon obtaining user consent; users may manage or withdraw cookie preferences through Platform settings.
| Type | Purpose |
|---|---|
| Essential Cookies | Essential to let you move around the Platform and use its features. Used to authenticate users and prevent fraudulent use of user accounts. |
| Performance Cookies | Collect anonymous information about how you use the Platform to update and improve it. |
| Functionality Cookies | Remember your choices, username, login details, language preferences and customizations. |
| Advertising & Targeting Cookies | Collect information about visits, browsing habits, links followed, browser, device and IP address to deliver relevant ads and measure campaign effectiveness. |
Cookies preferences: If you delete cookies or refuse to accept them, you might not be able to use all of the features we offer on our Platform. The Company is not responsible for any loss resulting from your decision or inability to use cookies.
10. Processing and Use of Aggregated, Anonymized and De-Identified Data
We may also create, process, collect, use, and share aggregated, anonymized, or de-identified data such as statistical or demographic data for any purpose which may be derived from your Personal Data. We may use this data to comply with legal or regulatory obligations.
We may share such information with members of our group, service providers and our key partners. Some of these third parties may be in jurisdictions outside the UAE; in such cases we will take all necessary steps to ensure that your Personal Data is treated securely and that such transfers are permitted under applicable data protection laws.
We may also use any or all of the Personal Data above to administer and manage our business, to detect and prevent misuse of our Services (including fraud and unauthorized payments), and to enforce our Terms and Conditions or any other contract.
11. Your Refusal, Failure, Inability to Provide Necessary Personal Data
If you fail, neglect and/or refuse to, or are unable to provide us any Personal Data which we necessarily need to provide you with Services, or which we need to collect by law (for example: identification information for KYC/AML obligations), we may not be able to provide you with Services on our Platform. In this case, we have the right to discontinue the provision of Services to you and/or close your Account. In such a situation, we will notify you at the earliest.
12. Processing Without Consent
We may collect and process some of your Personal Data without your knowledge or consent; and only where this is required or permitted by law. We may be compelled to surrender your Personal Data to legal authorities without your express consent, if presented with a court order or similar legal or administrative order, or as required or permitted by the laws, rules and regulations of any nation, state, or other applicable jurisdiction. Other situations include without limitation:
- Where processing is related to Personal Data made publicly available by you;
- Where processing is necessary to initiate or defend procedures relating to claim of rights and legal actions or are associated with legal or judicial procedures;
- Where processing is necessary for the performance of any contract entered into where you are a party or for taking any action upon your request for concluding, amending, or terminating such contract; and
- Where processing is necessary for public interest.
13. Disclosure of Your Information to Third Parties
Any third party that receives or has access to Personal Data is required to protect such data and use it only to carry out the Services they are performing for you or for us, unless otherwise required or permitted by law. We enter into contracts with such third parties binding them to terms no less protective than those in this Policy. On termination of business relationships with such third parties, we shall ensure all Personal Data is either retrieved or destroyed. These third parties include providers of cloud hosting, payment processing, identity verification, analytics, and security or anti-fraud solutions.
We may disclose relevant Personal Data to the following categories of recipients:
| Recipient | Purpose |
|---|---|
| Legal & Regulatory Authorities | To comply with applicable law, governmental requests, judicial proceedings, court orders, or legal process; to investigate potential violations, fraud, or threats; to enforce our Terms. |
| Business Transactions | In connection with mergers, asset sales, financing, acquisitions, dissolution, insolvency, bankruptcy, or receivership. |
| Governmental & Judicial Bodies | Our associates, agents, attorneys, or representatives for compliance with legal obligations or defence of legal claims. |
| Suppliers & Subcontractors | As reasonably necessary for providing Services to you. |
| Advertising Partners | Third-party advertising companies to serve ads, with your express consent. |
| Group Companies & Affiliates | For rendering Services, compliance with applicable laws and quality improvement. |
| Vendors & Service Providers | Payment processing, CRM, data analysis, email delivery, hosting, customer service, QA testing, technical and operational support. |
| Business Partners | For advertising campaigns, contests, special offers, or other events. |
| Other Users | Other users of our Services with whom you interact (for example, when you make a transaction). |
14. International Transfer of Information
Your Personal Data is stored and transferred in compliance with the applicable legislation or regulations of the UAE. Our customers’ data privacy and protection are of utmost importance to us, and we are committed to ensuring compliance with the relevant data protection laws based on their location, in the UAE or cross-border.
Certain third-party service providers, such as payment transaction processors, may be in, or have facilities located in, a different jurisdiction than either you or us. Some international organizations and countries to which your Personal Data may be transferred do not benefit from an appropriate data protection regulatory framework. For such transfers, we ensure a suitable degree of protection through necessary safeguards such as an adequacy decision by the relevant authority, adequate binding corporate rules or the inclusion of standard contractual clauses.
We may also transfer your personal data to recipients outside the UAE based on your express consent; or if such transfer is necessary for judicial processes, contractual performance, international judicial cooperation, or protection of public interest. All cross-border transfers shall be conducted only where permitted under applicable law and subject to appropriate safeguards.
If you wish to procure specific information about the third-party service providers with whom your Personal Data has been shared, please contact us at privacy@comerapay.com.
Operational Resilience and Business Continuity: Subject to applicable legal and regulatory requirements and, where required, prior approval from the CBUAE, the Company may temporarily transfer or store encrypted Personal Data outside the UAE in the event of infrastructure disruption, force majeure, cybersecurity incidents, system failures, regulatory requirements, or other circumstances affecting primary hosting environments. Such arrangements shall be limited to what is necessary to maintain service availability, system integrity, and regulatory compliance, and shall remain in place only for the duration required and approved to restore normal operations. The Company shall ensure that the level of protection to Personal Data during the temporary arrangements remains consistent with applicable laws and regulatory requirements.
15. Third-Party Advertising and Analytics
We may allow third-party service providers to deliver content and advertisements in connection with our Services and to provide anonymous site metrics and analytics services. These third parties may use cookies, web beacons, and other technologies to collect information such as IP address, device identifiers, applications on your device, browsers used, webpages viewed, time spent, links clicked, and conversion information. This information may be used to analyze and track Service usage, determine content popularity, deliver targeted advertising, and better understand how you use our Services.
The third-party service providers that we engage are bound by confidentiality obligations and applicable laws with respect to their use and collection of your information.
This Policy does not apply to, and we are not responsible for, third-party cookies, web beacons, or other tracking technologies, which are covered by such third parties’ privacy policies.
16. Links to Third-Party Websites
Our Platform or communications may contain links to other third-party websites which are not owned or operated by us and are regulated by their own privacy policies. We strongly advise you to review the privacy policy of every platform you visit. This Policy does not apply to, and we are not responsible for, the privacy policies of these third-party websites. These third parties are typically used for:
- Advertising, direct marketing, lead generation and other marketing service providers;
- SMS and email notification service providers;
- Foreign and domestic financial and credit institutions; and
- Auditors.
17. Your Rights in Relation to Your Information
| Right | Description |
|---|---|
| Right to Access | Request information about categories of Personal Data processed, purpose, automated decision making, target sectors, storage controls, rectification/erasure actions, cross-border safeguards, breach actions, and complaint procedures with the UAE Data Office. We may refuse if the request is excessively repeated, contravenes judicial proceedings, impacts information security, or relates to a third party’s privacy. |
| Right to Rectification | Rectify any inaccurate Personal Data and complete any incomplete Personal Data about you. |
| Right to Erasure | Demand erasure if data is no longer necessary, consent has been withdrawn, you object to processing, data has been unlawfully processed, or erasure is required by legislation. May be refused where processing is required by law or for legal claims. |
| Right to Restrict Processing | Restrict processing if you contest accuracy, processing is unlawful, you need the data for legal claims, or you have objected pending verification. |
| Right to Stop Processing | Object to processing carried out for direct marketing, statistical surveys (unless necessary for public interest), or where processing violates PDPL controls. |
| Right to Data Portability | Request transfer of your Personal Data to another entity in a structured, commonly used and machine-readable format where the legal basis is consent or contract and processing is by automated means. |
| Right to Object to Automated Decision Making | Object to automated decision making having legal or serious consequences. May be refused where such processing is performed in accordance with a contract, legislation, or your specific consent. |
| Right to Lodge a Complaint | Lodge a complaint with the UAE Data Office (if you have UAE domicile or place of business) or the Consumer Protection Department at CBUAE. |
18. Submission of Requests for Exercise of Rights
We aim to respond to all legitimate requests without undue delay and within 2 calendar months of receipt of any request from you. Occasionally it may take us longer than 2 calendar months if your request is particularly complex, or if you have made duplicated or numerous requests. In this case, we will notify you of receipt of such request(s) and keep you updated as to the status of progress.
If you wish to exercise any of the rights mentioned under Section 17, please contact us at privacy@comerapay.com. We may need to request specific information from you to help us confirm your identity and ensure your entitlement to such rights. This security measure ensures that your Personal Data is not disclosed to any person who has no right to receive it.
19. Data Retention
We retain Personal Data on your behalf, including customer data, transactional data, and other session data, linked to your Account.
Your Personal Data will be processed for no period longer than as required by us for the purposes it was collected for, for the purposes of using our Services, and for meeting any legal, accounting, reporting, government, regulatory or law enforcement requirements. However, all Personal Data documents, records and files will be securely retained for a minimum of 5 years, as required under the Consumer Protection Regulations and Consumer Protection Standards issued by the CBUAE. Such retention period shall be calculated from the date of closing of your Account.
20. Security Accountability and Data Breach Management
20.1 Accountability for Consumer Data Protection
Comera Pay is fully and primarily accountable for safeguarding the Personal Data of its Users and for the security and integrity of the data storage and transmission facilities under its control. Comera Pay shall implement, maintain, and continuously improve robust technical, organizational, physical, and managerial controls to protect Personal Data at all times, in accordance with the PDPL, the Retail Payment Services and Card Schemes Regulation, the Stored Value Facilities Regulation, the Consumer Protection Regulation, the Consumer Protection Standards, and any other applicable laws and regulations issued by the CBUAE. Personal Data is processed and transmitted by Comera Pay only on the basis of User consent or another lawful basis recognized under the PDPL.
20.2 Information Security Measures
We are committed to ensuring that your Personal Data is protected against unauthorized access, disclosure, alteration, loss, or destruction. We use industry-standard technical mechanisms, including data encryption in transit and at rest, secure authentication, network segmentation, access controls, and continuous monitoring. Our affiliates, Data Processors and vendors with access to Personal Data are contractually bound to apply equivalent security standards. Our facilities and systems are scanned on a regular basis for security holes and known vulnerabilities. Access is restricted to a limited number of authorized personnel bound by confidentiality obligations. Comera Pay maintains business continuity, disaster recovery, and back-up arrangements and conducts periodic testing and regular security risk assessments.
20.3 Responsibilities, Limitations, and User Obligations
Comera Pay takes primary responsibility for implementing and maintaining appropriate physical, technical, organizational, and managerial controls to protect Personal Data within its systems and under its control. Comera Pay shall be accountable for unauthorized access, disclosure, alteration, loss, or destruction of Personal Data directly resulting from a failure of its controls, or from the acts or omissions of its personnel, affiliates, or Data Processors acting on its behalf.
While Comera Pay implements industry standard security measures, no method of electronic transmission or storage can be made absolutely impenetrable. Comera Pay does not guarantee against unauthorized events outside its reasonable control, including sophisticated cyber-attacks that circumvent industry-standard controls, acts of third parties not acting on Comera Pay’s behalf, or compromises of User credentials, devices, or networks not operated or controlled by Comera Pay. This acknowledgement does not limit Comera Pay’s accountability for implementing robust data protection controls.
Users are encouraged to verify the legitimacy of any website, application, or communication requesting financial or payment information. Users should report suspicious communications to privacy@comerapay.com and notify Comera Pay immediately upon becoming aware of any unauthorized access to or use of their Account. Where Users transmit data through channels independently selected by them (such as personal email, SMS, or unsecured public networks), Comera Pay’s controls do not extend to such channels.
Users are responsible for maintaining the confidentiality and security of their Account credentials (including passwords, PINs, biometric or two-factor authentication credentials), and for the security of the devices, networks, and software they use to access the Services. Comera Pay is not responsible for unauthorized access caused directly and primarily by a User’s failure to safeguard their credentials or devices, or by a User’s failure to report a suspected compromise without undue delay.
20.4 Data Breach Notification
In the event of a Personal Data breach affecting a User’s Personal Data, Comera Pay shall, without undue delay and in any case within the timeframes required under the UAE PDPL and applicable CBUAE regulations, notify the UAE Data Office and the CBUAE, and, where the breach is likely to result in a risk to the privacy, confidentiality, or security of the User’s Personal Data, the affected Users.
The notification to affected Users shall describe, in clear and plain language: (i) the nature of the breach; (ii) the categories and approximate number of Users and records affected; (iii) the likely consequences of the breach; (iv) the measures taken or proposed by Comera Pay to address the breach and mitigate its possible adverse effects; and (v) the contact point from whom further information may be obtained.
21. Contacting Us
If you have any questions about our Policy as outlined above, or if you have any complaints, please contact us at privacy@comerapay.com.
If you have any queries or issues pertaining to your information or our Policy, then please do write to us at any time by emailing us at privacy@comerapay.com.
