
Privacy Policy

This Privacy Policy explains what personal data Hasb collects about you, why we collect it, how we use and protect it, and your rights over it. We try to write in plain English. If anything is unclear, write to dpo@hasb.ai and we'll explain.

Effective: 13 May 2026
Version: v1.0
Primary law: UAE Personal Data Protection Law (PDPL)
Aligned with: EU GDPR · UK GDPR · CCPA/CPRA
Our promise — in one paragraph. Your files belong to you. Hasb staff do not read them. We process them only to run the service for you, never to train AI, never for advertising, never for resale. We use them to build your books because that is the service you signed up for. We disclose them only when you tell us to, when the law forces us to, or when narrowly investigating a credible safety or fraud report. Everything else is off-limits.

1. Who we are (the "controller")

The data controller responsible for personal data described in this Policy is the operating entity behind Hasb, a UAE-domiciled cloud accounting service ("Hasb," "we," "us").

For all privacy matters, including subject-rights requests, complaints, and questions about this Policy, contact:

Data Protection Officer: dpo@hasb.ai
Postal / legal contact: legal@hasb.ai
Security incidents: security@hasb.ai

2. Scope of this Policy

This Policy applies to personal data we process about (a) visitors to hasb.ai and any subdomain; (b) people who sign up for, log into, or use the Service; (c) people on behalf of whom our customers process data using the Service ("data subjects of our customers"); and (d) people who contact us about the Service or apply for a role with us.

For data that our customers process on third parties using Hasb (e.g., when a Hasb customer uploads their own customer or vendor records), Hasb acts as a processor. The customer is the controller of that data and is responsible for the lawful basis on which it is processed. The applicable terms are in our Data Processing Agreement.

3. What we collect, why, and on what legal basis

3.1 Account & identity data

What | Why | Legal basis
Email address, display name, optional avatar initials | To create your account and sign you in via magic link. | Performance of a contract.
IP address, user-agent, sign-in timestamp | To detect suspicious activity, rate-limit sign-in attempts, and audit access. | Legitimate interest (security).
Workspace name, industry, currency, TRN if you provide one | To configure your books correctly. | Performance of a contract.

3.2 Customer Data (your books)

What | Why | Legal basis
Documents you upload: invoices, receipts, bank statements, payroll, ID copies, vouchers, etc. | To extract bookkeeping entries and store the source as audit-trail evidence. | Performance of a contract.
Journal entries, ledgers, balances, drafts of statutory reports | To run the service. | Performance of a contract.
Customer / vendor master data (names, TRNs, addresses, contact details) | To produce invoices, statements, payment runs, and reports. | We process this as a processor on your behalf — you are the controller.

3.3 Usage & product analytics

What | Why | Legal basis
Aggregated, account-level usage counters (e.g., number of bills processed, sign-in count) | To bill you correctly, plan capacity, and detect abuse. | Legitimate interest, performance of a contract.
Pseudonymised crash and performance telemetry | To find and fix bugs. | Legitimate interest (reliability).
Strictly-necessary cookies (session cookie, CSRF token) | To keep you signed in. | Strictly necessary — no consent required.
Theme preference (hasb_theme_v19) | To remember your dark/light choice. | Strictly necessary for UX (no tracking purpose).

We do not use third-party advertising cookies, cross-site trackers, or behavioural-advertising pixels. See our Cookie Policy for the complete list.

3.4 AI prompts & conversations

When you chat with Hasb AI, your prompt and any attachments are processed to produce the answer. The prompt and the answer are Customer Data and are processed under clause 3.2. We do not retain prompts for the purpose of training models, and our AI subprocessor is contractually prohibited from doing so. See our Subprocessors list.

3.5 Billing data

If you are on a paid plan, payment is processed by a regulated payment processor (see Subprocessors). We receive only the last-four-digits of your card, the card brand, and the billing email — never the full card number. The processor stores the full card under PCI-DSS controls.

3.6 Support correspondence

If you email us, we keep the thread to provide support and to improve the Service. We don't use support content for advertising or to train AI models.

3.7 Job applicants

If you apply to work at Hasb, we keep the application materials only to consider you for the role and (with your consent) for future relevant openings.

4. How we use your data

  • To run the service you signed up for.
  • To bill correctly under your subscription.
  • To detect, investigate, and prevent abuse, fraud, and security incidents.
  • To respond to your support requests.
  • To send transactional emails (sign-in links, security alerts, billing reminders, policy updates). You cannot opt out of these while you have an active account — they are necessary to operate the service.
  • To send optional product news only if you opt in.
  • To comply with our legal obligations.

5. What we do not do with your data

  • We do not train AI models on your data. Not generative AI, not classifier AI, not analytics models.
  • We do not sell your data. Not personal data, not aggregated data, not de-identified data.
  • We do not show third-party advertising inside the Service.
  • We do not browse your files. Staff access is limited to the narrow Trust Exceptions listed in clause 6.
  • We do not transfer your data to advertisers or data brokers.

6. When Hasb staff may access Customer Data — the "Trust Exceptions"

Hasb operates on a least-privilege model. By default, no employee can read Customer Data. Access only happens in one of these clearly scoped situations:

  1. You ask us to. Opening a support ticket and telling us "please look at this document" counts. We'll log the access, show it to you in the audit trail, and only stay in your data for as long as necessary to help.
  2. Trust & safety. A credible, specific report of fraud, abuse, malware, child-sexual-abuse material, money laundering, sanctions evasion, or terrorism financing — and only to confirm or rebut the report.
  3. Legal compulsion. A valid, narrowly scoped legal order from an authority with jurisdiction over us. We will challenge overbroad requests and, where lawful, notify you so you can object.
  4. Imminent harm. A risk to life or physical safety that requires immediate action.
  5. Operational debugging. An incident affecting you (or that may affect you) that we cannot reproduce without looking at the smallest possible Customer Data sample.

Every such access is recorded in an append-only audit log. On request, we will disclose to you all instances in which a Hasb employee accessed your account.

7. How long we keep your data

Category | Retention
Active Customer Data (books, documents) | For as long as your account is active.
Personal-tier source originals | 24 hours from upload (admin-tunable). Structured data stays.
Backups | Encrypted backups for up to 35 days after deletion of source data, then purged.
Audit logs | 7 years (UAE statutory minimum for accounting records).
Magic-link tokens | 15 minutes maximum; deleted on first use.
Sign-in IP / user-agent | 90 days for sign-in fraud detection.
Billing records | 10 years (UAE Commercial Companies Law & CT recordkeeping requirements).
Support tickets | 3 years from closure.
Job applications | 12 months (unless you consent to longer).

When you delete your account, primary Customer Data is removed from production within 90 days. Encrypted backups expire on their own retention cycle (up to 35 days after that). Records we are legally required to keep are retained for the minimum statutory period and then permanently destroyed.

8. Who we share data with

We share personal data only with categories of recipients listed below, under binding contractual safeguards. A full, current list is at /subprocessors.

  • Subprocessors — cloud hosting (DigitalOcean), object storage, AI inference, email infrastructure, error and performance monitoring, payment processing. Each is contractually bound to confidentiality and minimum-necessary access.
  • Professional advisors — lawyers, auditors, insurers — only on a need-to-know basis and under confidentiality.
  • Authorities — when compelled by valid legal process, after we have, where lawful, given you the opportunity to object.
  • Successors — if Hasb is acquired or merged, your data may be transferred to the successor entity; you will be notified and given the opportunity to export and close your account.

9. International transfers

Hasb operates primary infrastructure in the UAE. Some subprocessors are based in the EU, the UK, or the US. Where personal data is transferred outside the UAE, we rely on (a) recognised adequacy decisions where available; (b) the European Commission's Standard Contractual Clauses (SCCs) with the UK Addendum; and (c) UAE PDPL data-transfer mechanisms approved by the UAE Data Office. We apply supplementary safeguards — encryption in transit and at rest, pseudonymisation where feasible, minimisation of fields transferred, and contractual restrictions on government access.

10. Your rights

You have the following rights (subject to local-law exceptions):

  • Right of access — a copy of the personal data we hold about you.
  • Right of rectification — to correct inaccurate data.
  • Right of erasure ("right to be forgotten") — to delete data, subject to statutory retention.
  • Right to restrict processing in specific circumstances.
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
  • Right to object to processing based on legitimate interest, including direct marketing.
  • Right not to be subject to a solely automated decision with legal or similarly significant effect on you. Hasb AI is a tool you use; we do not make significant automated decisions about you.
  • Right to lodge a complaint with the UAE Data Office or your local supervisory authority (e.g., the relevant EU/UK Data Protection Authority, the California Privacy Protection Agency).
  • California residents (CCPA/CPRA): right to know, delete, correct, opt out of "sale" or "sharing" (we do neither), and limit use of sensitive personal information. To exercise these rights, contact us at dpo@hasb.ai.

To exercise any right, email dpo@hasb.ai. We respond within 30 days, with a possible extension of up to 60 days for complex requests. We do not charge for the first response in a 12-month window. We may ask you to verify your identity before we act on a request.

11. Children

Hasb is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, write to dpo@hasb.ai and we will delete it.

12. Security

Detailed controls are listed in our Security Statement. In summary: data in transit is protected with TLS 1.2+; data at rest is encrypted on disk; production access requires multi-factor authentication; access to Customer Data is least-privilege and audit-logged; sign-in is protected with magic links + optional TOTP and step-up confirmation for sensitive actions; the audit log is append-only with a SHA-256 hash chain so tampering is detectable.

13. Breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify (a) the supervisory authority within 72 hours where required and (b) you without undue delay, with as much detail as we have at that point and follow-up updates as more is known. Where a breach affects encrypted data and the encryption keys have not been compromised, we may rely on that fact in deciding whether notification is required.

14. Do Not Track & opt-out signals

We respect Global Privacy Control (GPC) signals as an opt-out from non-essential cookies and processing. We do not sell or share personal data for cross-context behavioural advertising in any case.

15. Changes to this Policy

We will post any changes here and update the "Effective" date. Material changes will be notified at least 30 days before they take effect, by email or in-product banner. Continued use after the effective date constitutes acceptance.

16. Contact & complaints

Questions: dpo@hasb.ai. If you are not satisfied with our response, you may lodge a complaint with the UAE Data Office or with your local supervisory authority. UAE-domiciled users may also contact the UAE Federal Authority for Identity, Citizenship, Customs & Port Security where applicable.

© 2026 Hasb. Effective 13 May 2026.