Your privacy matters to us. This Privacy Policy explains what personal data MYLO collects, why we collect it, how we use and protect it, and what rights you have over your data. Please read this document carefully.
1. WHO WE ARE AND HOW TO CONTACT US
MYLO Middle East FZE (‘MYLO’, ‘we’, ‘us’, ‘our’) is a Free Zone Establishment registered at Dubai Silicon Oasis under Dubai Law No. 16 of 2005, licensed by the Dubai Silicon Oasis Authority (DSOA). We operate the MYLO loyalty program aggregation platform at www.mrmylo.com and via the MYLO mobile application.
| Data Controller | MYLO Middle East FZE |
| Registered Address | Dubai Silicon Oasis, Dubai, UAE [complete address to be inserted] |
| Privacy Contact | privacy@mrmylo.com |
| Data Protection Officer | [Name to be appointed] — privacy@mrmylo.com |
| Regulatory Authority | UAE Data Office; Dubai Silicon Oasis Authority (DSOA) |
Under UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (‘UAE DPL’), MYLO acts as the Data Controller for Personal Data collected through our Services. Where we process data on behalf of business clients, we act as a Data Processor subject to the terms of the applicable Data Processing Addendum.
2. PERSONAL DATA WE COLLECT
2.1 Data You Provide to Us
When you register for or use MYLO, you provide us with the following categories of Personal Data:
| Data Category | Examples | Purpose |
|---|---|---|
| Registration Data | Full name, email address, phone number, nationality, date of birth | Account creation and identity verification |
| Authentication Credentials | Password (hashed), two-factor authentication data | Secure account access |
| Loyalty Program Tokens | OAuth tokens, API keys, read-only access credentials for connected programs | Program aggregation (no raw passwords stored) |
| Payment Information | Billing name, payment method details (processed by third-party payment processor; MYLO does not store full card data) | Premium subscription billing |
| User Content | Reviews, ratings, community posts, tips submitted by you | Platform features and community |
| Communications | Emails, support tickets, feedback submitted to MYLO | Customer support and service improvement |
| Preferences | Notification settings, display preferences, opted-in communications | Service personalisation |
2.2 Data We Collect Automatically
When you use MYLO, we automatically collect certain technical and usage data:
| Data Category | Examples | Purpose |
|---|---|---|
| Device Data | Device type, operating system, browser type, unique device identifiers, mobile advertising IDs | Service operation and security |
| Log Data | IP address, access timestamps, pages visited, features used, error logs, referral URLs | Security monitoring and debugging |
| Usage Analytics | Feature interactions, session duration, navigation patterns, click data, search queries within MYLO | Service improvement and personalisation |
| Location Data | Approximate location derived from IP address (we do not collect precise GPS location unless you explicitly grant permission) | Regional service delivery |
| Cookie and Tracking Data | Session cookies, persistent cookies, local storage, analytics identifiers | See Section 5 — Cookies and Tracking |
2.3 Data from Third-Party Loyalty Programs
When you connect Loyalty Programs to MYLO, we receive data from those programs via their APIs. This data typically includes:
- Program account identifiers and membership numbers
- Points, miles, cashback, or reward balances
- Transaction history (as made available by the program’s API)
- Tier or membership status
- Points expiry dates and eligibility information
- Redemption options and availability data
This data is collected on your behalf under your authorisation. MYLO treats Loyalty Program data as Personal Data and applies equivalent protections. We access only the minimum data necessary for the aggregation and display features of the Services (data minimisation principle).
2.4 Data from Third-Party Services
If you connect your MYLO account with social media or third-party identity providers (where available), we may receive basic profile data such as your name and email address from that service, subject to that platform’s privacy settings.
2.5 Data We Do NOT Collect
For clarity, MYLO does not:
- Store your raw Loyalty Program passwords
- Process or store full payment card numbers (PCI DSS compliant via processor)
- Collect your precise GPS location without explicit consent
- Access Loyalty Program transaction capabilities — our access is read-only
- Sell or rent your Personal Data to third-party marketers
3. HOW WE USE YOUR PERSONAL DATA
MYLO processes your Personal Data only where we have a valid legal basis to do so under UAE Federal Decree-Law No. 45 of 2021. The legal bases we rely on are: (a) Contractual Necessity — processing necessary to provide the Services you have contracted for; (b) Legitimate Interests — processing for our legitimate business interests where not overridden by your rights; (c) Consent — where you have given explicit consent, which you may withdraw at any time; (d) Legal Obligation — processing required by applicable law.
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Account creation and management | Contract | Registration data, credentials |
| Loyalty Program aggregation and display | Contract | Loyalty tokens, program data |
| Sending transactional notifications (balances, expiry alerts) | Contract / Legitimate Interest | Contact info, loyalty data |
| Processing subscription payments | Contract | Payment info, billing data |
| Responding to customer support requests | Contract / Legitimate Interest | Communications, account data |
| Improving and developing the Services | Legitimate Interest | Usage analytics, feedback |
| Security monitoring and fraud prevention | Legitimate Interest / Legal Obligation | Log data, device data |
| Sending marketing and promotional communications | Consent | Contact info, preferences |
| Personalising your experience | Legitimate Interest / Consent | Usage data, preferences |
| Complying with legal and regulatory obligations | Legal Obligation | All relevant data |
| Analytics and business intelligence (anonymised) | Legitimate Interest | Aggregated usage data |
| KYC and identity verification (where required) | Legal Obligation | Registration data |
3.1 Marketing Communications
We will only send you marketing emails, push notifications, or promotional content if you have explicitly opted in. You may withdraw consent and unsubscribe at any time via: (a) the unsubscribe link in any marketing email; (b) Account Settings > Notifications > Marketing Preferences; (c) emailing privacy@mrmylo.com.
Withdrawal of marketing consent does not affect transactional communications related to your account or services.
3.2 Automated Decision-Making
MYLO may use automated processing to personalise loyalty program recommendations and expiry alerts. These automated processes do not constitute solely automated decision-making with significant legal effects. You have the right to request human review of any automated decision that significantly affects you by contacting privacy@mrmylo.com.
4. SHARING YOUR PERSONAL DATA WITH THIRD PARTIES
4.1 Categories of Recipients
MYLO shares Personal Data with third parties only where necessary, as follows:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Cloud Infrastructure (e.g. AWS, Azure, GCP — UAE region) | Hosting, storage, and processing of Services | Data Processing Agreement; UAE-based servers |
| Analytics Providers (e.g. Google Analytics, Mixpanel) | Usage analytics and service improvement | Data anonymisation; DPA; opt-out available |
| Email / Marketing Platform (e.g. Mailchimp, Braze) | Transactional and marketing email delivery | Data Processing Agreement; consent-based |
| Payment Processors (e.g. Stripe, Telr, PayTabs) | Processing Premium subscription payments | PCI DSS compliant; DPA; minimum data only |
| Third-Party Loyalty Programs | API data retrieval on your behalf | Read-only access; your authorisation |
| Legal and Compliance Advisors | Legal advice, regulatory compliance | Professional confidentiality obligations |
| Law Enforcement / Regulatory Authorities | Where required by law or court order | Only to extent legally required |
4.2 No Sale of Personal Data
MYLO does not sell, rent, or trade your Personal Data to any third party for their independent marketing or commercial purposes. Your data is used solely to provide and improve the Services.
4.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of MYLO’s assets, your Personal Data may be transferred to the successor entity as part of the transaction. MYLO will notify you via email and/or prominent in-app notice before your data is transferred and becomes subject to a different privacy policy.
4.4 Aggregated and Anonymised Data
MYLO may share aggregated, anonymised, or de-identified data (which cannot reasonably identify you) with third parties for business analytics, research, and industry insights. This data is not Personal Data and is not subject to this Privacy Policy.
5. COOKIES AND TRACKING TECHNOLOGIES
5.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website or use an application. MYLO uses cookies and similar technologies (including local storage, pixel tags, and SDKs) to operate and improve our Services.
5.2 Categories of Cookies We Use
| Cookie Type | Purpose | Can You Opt Out? |
|---|---|---|
| Strictly Necessary | Essential for core functionality: authentication, session management, security. Cannot be disabled. | No — required for the service to function |
| Functional | Remember your preferences, language settings, and customisations. | Yes — via cookie settings |
| Analytics & Performance | Understand how users interact with MYLO; measure performance; improve features. Data is aggregated. | Yes — via cookie settings or opt-out links |
| Marketing & Advertising | Deliver relevant promotional content. Only used with your consent. | Yes — by withdrawing consent |
5.3 Cookie Consent
When you first access MYLO’s website, you will be presented with a Cookie Consent Banner allowing you to accept, reject, or customise your cookie preferences (see Cookie Banner document). Your preferences are stored and can be updated at any time via the ‘Cookie Settings’ link in the website footer or Account Settings.
5.4 Third-Party Cookies
Third-party services integrated with MYLO (such as analytics providers) may set their own cookies subject to those providers’ privacy policies. MYLO does not control third-party cookies but endeavours to list them in our Cookie Declaration available at www.mrmylo.com/cookies.
5.5 Analytics Opt-Out
You may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-on available at tools.google.com/dlpage/gaoptout. For other analytics providers, opt-out mechanisms are available within Cookie Settings.
5.6 Do Not Track
Some browsers include a ‘Do Not Track’ (‘DNT’) feature. MYLO currently does not respond to DNT signals. However, you may achieve similar privacy by adjusting your cookie preferences as described above.
6. DATA RETENTION
MYLO retains your Personal Data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account and Registration Data | Duration of account + 3 years after closure | Contractual records; legal obligations |
| Loyalty Program Data | Duration of connection + 12 months after disconnection | Service provision; dispute resolution |
| Payment and Billing Records | 7 years from transaction date | UAE commercial and tax law requirements |
| Usage Analytics Data | 26 months (aggregated indefinitely in anonymised form) | Service improvement; industry practice |
| Customer Support Communications | 3 years from resolution | Quality assurance; dispute resolution |
| Marketing Opt-In Records | Until consent is withdrawn + 3 years thereafter | Compliance evidence |
| Security and Access Logs | 12 months (90 days for detailed logs) | Cybersecurity; incident investigation |
| User Content (reviews, posts) | Duration of account; 12 months after deletion request | Community integrity; moderation |
| Legal Hold Data | As directed by applicable legal authority | Legal compliance |
After applicable retention periods, MYLO will securely delete or anonymise your Personal Data. Anonymised data is not Personal Data and may be retained indefinitely for research and analytics purposes.
7. DATA SECURITY
7.1 Security Measures
MYLO implements appropriate technical and organisational measures to protect your Personal Data against unauthorised access, loss, destruction, alteration, or disclosure. Our security measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- No storage of raw Loyalty Program passwords — OAuth 2.0 tokens only
- Role-based access controls limiting staff access to Personal Data
- Regular security assessments, vulnerability scanning, and penetration testing
- Two-factor authentication available for all user accounts
- Secure SDLC (Software Development Lifecycle) practices
- Staff training on data protection and information security
- Physical security of UAE-based data centre facilities
- Incident response procedures and business continuity planning
7.2 UAE Data Residency
All Personal Data collected from MYLO users is stored on servers located exclusively within the United Arab Emirates. MYLO does not transfer Personal Data outside the UAE except as described in Section 9 of this Policy.
7.3 User Responsibility
While MYLO implements robust security measures, security of your account also depends on your actions. You are responsible for maintaining the confidentiality of your Account credentials and for immediately notifying us of any suspected unauthorised access.
7.4 ISO and Industry Standards
MYLO targets compliance with internationally recognised information security standards including ISO 27001 (Information Security Management) and SOC 2 Type II (Service Organisation Controls). Certification status is available upon request.
8. DATA BREACHES AND INCIDENT NOTIFICATION
8.1 Breach Response
In the event of a Personal Data breach, MYLO will:
- Immediately activate our incident response procedure upon discovery
- Assess the scope, nature, and risk of the breach
- Notify the UAE Data Office within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights, in accordance with UAE Federal Decree-Law No. 45 of 2021
- Notify affected users without undue delay when the breach is likely to result in high risk to their rights and freedoms
- Document all breaches in our internal data breach register
8.2 User Notification
Where you are required to be notified of a breach, MYLO will contact you via your registered email address with: (a) a description of the nature of the breach; (b) the categories and approximate volume of data affected; (c) likely consequences of the breach; (d) measures taken or proposed to address the breach and mitigate its effects; (e) contact details for follow-up questions.
8.3 KSA Breach Requirements
For users in Saudi Arabia, MYLO will additionally comply with any breach notification requirements under the Saudi Personal Data Protection Law and will notify the Saudi Data and Artificial Intelligence Authority (SDAIA) as required.
9. INTERNATIONAL DATA TRANSFERS
9.1 Primary Data Residency
MYLO stores all user Personal Data on servers located in the United Arab Emirates. We do not routinely transfer Personal Data outside the UAE.
9.2 Limited International Transfers
In limited circumstances, Personal Data may be accessed by or transferred to third parties outside the UAE, including:
- Cloud provider infrastructure teams for support and maintenance (subject to strict contractual controls)
- Global analytics providers processing anonymised or aggregated data
- Legal advisors in connection with cross-border legal matters
9.3 Transfer Safeguards
Where Personal Data is transferred outside the UAE, MYLO applies appropriate safeguards including:
- Standard Contractual Clauses (SCCs) or equivalent contractual protections
- Adequacy assessments of the destination country’s data protection framework
- Data Processing Agreements with all international recipients
- Technical controls including encryption during transfer
9.4 GCC Regional Transfers
Transfers within the GCC region (Saudi Arabia, Qatar, Kuwait, Bahrain, Oman) are subject to the data protection requirements of the destination country. MYLO applies appropriate safeguards for each GCC jurisdiction.
9.5 GDPR Considerations
If you are an EU or EEA resident accessing MYLO, your data is processed in accordance with applicable GDPR requirements. The UAE has not been granted an EU adequacy decision; therefore, MYLO relies on Standard Contractual Clauses for any data transfers from the EU. EU users may contact privacy@mrmylo.com for a copy of applicable SCCs.
10. YOUR DATA RIGHTS
10.1 Rights Under UAE Law
Under UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, you have the following rights regarding your Personal Data:
| Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access | Obtain a copy of the Personal Data we hold about you | Email privacy@mrmylo.com |
| Right to Rectification | Correct inaccurate or incomplete Personal Data | Account Settings or email privacy@mrmylo.com |
| Right to Erasure | Request deletion of your Personal Data where no longer necessary or where consent is withdrawn | Account Settings > Delete Account or email privacy@mrmylo.com |
| Right to Restriction | Request that we limit processing of your data in certain circumstances | Email privacy@mrmylo.com |
| Right to Data Portability | Receive a copy of your data in a structured, machine-readable format | Email privacy@mrmylo.com |
| Right to Object | Object to processing based on legitimate interests or for direct marketing purposes | Email privacy@mrmylo.com or unsubscribe links |
| Right to Withdraw Consent | Withdraw consent for consent-based processing at any time without affecting prior processing | Account Settings or email privacy@mrmylo.com |
| Right to Lodge a Complaint | File a complaint with the UAE Data Office or applicable GCC regulator | Contact details in Section 12 |
10.2 How to Submit a Request
To exercise any of the rights above, contact privacy@mrmylo.com with: (a) your full name and registered email address; (b) a clear description of the right you wish to exercise; (c) a copy of a valid identity document for verification purposes. MYLO will respond within 30 days of receipt of a valid request.
10.3 Limitations on Rights
MYLO may decline to comply with a rights request where: (a) the request is manifestly unfounded or excessive; (b) compliance would conflict with a legal obligation; (c) compliance would adversely affect the rights of others. MYLO will explain any refusal in writing.
10.4 KSA-Specific Rights
Users in Saudi Arabia have additional rights under the Saudi Personal Data Protection Law (PDPL), including the right to be informed of the purposes of processing, the right to access and correct data, and the right to withdraw consent. Saudi users may also lodge complaints with SDAIA at www.sdaia.gov.sa.
11. CHILDREN’S PRIVACY
11.1 Minimum Age
MYLO does not knowingly collect Personal Data from children under the age of 13. Our Services are directed at users aged 13 and older, with parental or guardian consent required for users aged 13-17.
11.2 Parental Consent for Minors (Ages 13-17)
Users between 13 and 17 years of age may only use MYLO with verifiable parental or guardian consent. Parents or guardians who consent on behalf of a Minor accept responsibility for the Minor’s use and agree to the Terms of Service and this Privacy Policy on the Minor’s behalf.
11.3 Limited Data Processing for Minors
For users identified as Minors, MYLO limits data collection and processing to what is strictly necessary for the Services. We do not use Minors’ data for targeted advertising or profiling.
11.4 Parental Rights
Parents or guardians of Minor users have the right to: (a) review the Personal Data collected about their child; (b) request correction or deletion of their child’s data; (c) withdraw consent and request Account closure. To exercise these rights, contact privacy@mrmylo.com with proof of identity and guardianship.
11.5 Discovery of Underage Users
If MYLO discovers that a user under 13 has registered without parental consent, we will immediately suspend the Account, notify the parent or guardian (if contact information is available), and delete all associated Personal Data. If you are a parent who believes your child under 13 has created a MYLO Account, please contact privacy@mrmylo.com immediately.
12. REGULATORY AUTHORITIES AND COMPLAINTS
If you believe MYLO has not handled your Personal Data in accordance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority:
| UAE Data Office | UAE Data Protection authority | Website: [To be confirmed] | Email: [To be confirmed] |
| DSOA | Dubai Silicon Oasis Authority — MYLO’s primary regulator | www.dso.ae | +971 4 501 5000 |
| Dubai Consumer Rights | Consumer complaints | consumerrights.ae | 600 545 555 |
| SDAIA (KSA Users) | Saudi Data and Artificial Intelligence Authority | www.sdaia.gov.sa | |
| CITC (KSA Users) | Saudi Communications and Information Technology Commission | www.citc.gov.sa | |
We encourage you to contact us first at privacy@mrmylo.com before lodging a regulatory complaint, as we are committed to resolving privacy concerns promptly and fairly.
13. CHANGES TO THIS PRIVACY POLICY
13.1 Right to Update
MYLO may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or our Services. We will always publish the current version at www.mrmylo.com/privacy with the effective date.
13.2 Notice of Material Changes
For material changes — meaning changes that significantly affect your rights or how we process your data — MYLO will:
- Send an email notification to your registered email address at least 30 days before the change takes effect
- Display a prominent banner or in-app notification alerting you to the changes
- Where required by UAE law, seek your renewed consent for new processing activities
13.3 Continued Use
Your continued use of MYLO after the effective date of an updated Privacy Policy constitutes acceptance of the updated terms. If you do not agree to the changes, you should delete your Account before the effective date.
14. CONTACT INFORMATION
For all privacy-related inquiries, data rights requests, or concerns:
| Data Controller | MYLO Middle East FZE |
| Privacy Email | privacy@mrmylo.com |
| Data Protection Officer | [Name to be appointed] — privacy@mrmylo.com |
| General Support | support@mrmylo.com |
| Postal Address | MYLO Middle East FZE, Dubai Silicon Oasis, P.O. Box [Insert], Dubai, UAE |
| Response Time | Within 30 days of receiving a valid request |
| DPO Registration | [To be completed upon DPO appointment] |
Last Updated: [INSERT DATE] | Version 1.0
Compliant with: UAE Federal Decree-Law No. 45 of 2021 (DPL) | Dubai Law No. 16 of 2005 | DSOA Regulations | Saudi PDPL (secondary) | GDPR-aligned principles