PRIVACY POLICY

This Privacy Policy (hereinafter referred to as the "Policy") is an Agreement between Reelly Tech Ltd and the Visitor or User of the website (hereinafter collectively referred to as the "User") to regulate the relationship related to the collection, processing, storage, protection, disclosure of personal data of Users.

This Policy is a public offer that is addressed to a fully capable entity.

By registering on the https://www.reelly.ai/ Website or visiting the Website without registering, the User consents to the collection and processing of his personal data, as well as gives the Website Operator the right to perform other actions with Personal Data that are provided for by this Policy.

The fact of acceptance of this Policy (unconditional acceptance of all conditions contained in this document without exception, made by visiting the Website or by registration) is recorded by the Website Operator in electronic form. The information registered by the Website Operator about the acceptance of the offer can be used as evidence in any instances, including in court.

The Privacy Policy is an integral part of the Terms and Conditions of Use of the Platform. The terms used in the Policy are filled with the meaning that is disclosed in the Terms and Conditions of Use of the Platform.

ATTENTION!

IF YOU DO NOT AGREE WITH ANY OF THE PROVISIONS OF THIS POLICY, PLEASE STOP USING THE SITE AND, IF NECESSARY, REQUEST THE SITE OPERATOR TO DELETE THE PERSONAL INFORMATION THAT WAS RECEIVED BY HIM IN CONNECTION WITH YOUR VISIT TO THE SITE.

If you have any questions, you should contact the info@reelly.ai support service for clarification of the terms and individual provisions of this Policy

1.GENERAL PROVISIONS

1.1. The Data Controller is REELLY Tech Ltd, a private company registered with the Dubai International Financial Centre (DIFC), United Arab Emirates, with commercial license No CL6648, with its registered office at Unit 208, Level 1, Gate Avenue – South Zone, Dubai International Financial Centre, Dubai, United Arab Emirates, (hereinafter referred to as the "Operator", "Reelly", "we", "us").

1.2. This Policy governs the processing of personal data when using the following Reelly services:

web platform;
CRM modules;
AI analytics tools;
functionality for agents and developers;
web and mobile applications (if applicable);
API and integrations with external services.

1.3. Reelly Platforms is a SaaS platform for real estate agents and developers, including CRM tools, user behavior analytics, and marketing tools that enable communication between agents and developers.

1.4 The processing of personal data is carried out in accordance with:

DIFC Data Protection Law 2020 (Law No. 5 of 2020);
DIFC Data Protection Regulations;
principles of transparency and fair data processing, including the provisions of Regulation 10 applicable to the use of AI analytical tools. At the same time, the AI modules of the platform do not carry out automated decision-making that can have a legally significant or other significant impact on the User.

1.5. The following terms are used in this Policy:

Personal data is any information relating to an identified or identifiable natural person.
Processing – any operation performed with Personal Data (collection, storage, analysis, transfer, etc.).
User means an individual who uses the Reelly platform as an agent, representative of a developer or other person.
Controller – a person who determines the purposes and means of personal data processing.
Processor – a person who processes data on behalf of the Operator.
AI tools are algorithms for automated data analysis used by Reelly to improve the quality of service, without making decisions that have a significant impact on the user.
Third parties - service providers, partner agencies, developers, as well as external technical, marketing and analytical services.

‍

2. CATEGORIES OF PERSONAL DATA PROCESSED
Reelly processes only those categories of personal data that are necessary for the functioning of the platform, the fulfillment of contractual obligations, ensuring security and improving the quality of the service.
Data provided by the User independently. This category includes data that the User specifies when registering, filling out a profile, interacting with the functions of the platform or uploads to confirm professional qualifications:
The data processed includes the following categories.

Last name, first name, patronymic;
contact details (phone number, email address, links to social networks);
photo (avatar);
professional information (position, company, role - agent, broker, developer, etc.);
the number of the permit, the date of its issue and the period of validity;
uploaded documents (license, certificates, proof of professional experience, etc.);
information on work experience and qualifications;
financial information necessary for the operation of the services (for example, subscription status, top-up operations);
text messages and attachments provided through chat support or the platform's built-in communication modules.

2.2.2. Data collected automatically. When using the platform, technical and analytical data is collected, including:

IP address, device type, and operating system;
browser language, equipment settings;
Unique device identifiers
dates and times of visits, URLs of transitions;
cookies and similar technologies;
event data (errors, failures, delays);
Technical logs (log files).

This data is used to monitor the platform, analytics, and ensure the stability and security of services.

2.2.3. Behavioral data. Reelly collects advanced information about user behavior on the platform, which includes:

Activity history (clicks, transitions, page openings)
activity in CRM modules;
interaction with sales and analytical tools;
statistics of visits to objects and offers;
Tagging statuses, priorities, and tags
Records of interactions between agents and developers (e.g., contact requests)
information about the time of activity and attendance;
internal analytical indicators (for example, activity, efficiency, correctness of filling out the profile).

However, behavioral data is used solely for analytical purposes and does not lead to automated decision-making.

2.2.4. Professional data. The following data may be processed:

number and status of the license or other permit;
issuing authority;
date of issue and validity of the permit;
confirmation of the availability of a permit through third-party sources (for example, open registries);
the name of the employing company;
length of service;
information about previous sites, visits, results of work;
Verified verification: "crosschecked in DLD" or similar parameters.

2.2.5. Financial data. As part of the use of the platform, the following may be processed:

subscription status (free/paid);
balance replenishment operations;
applicable tariffs;
Transaction history within the platform (if applicable).

Reelly does not store credit card data, such data may be processed exclusively by payment providers.

2.2.6. Data obtained from third parties. Reelly may obtain additional data from external sources, including:

partner agencies and developers (e.g. confirmation of cooperation);
public registries (for example, agent license checks);
analytics and marketing communications services;
AI providers and technical tools.

2.2.7. Data related to professional qualifications. In rare cases, the user can upload documents that contain:

an image of an identity card;
documents on professional status or accreditation;
other data necessary to confirm his role in the field of real estate.

Such data is processed in strictly limited ways and is not used outside of the purpose of verifying the user's competence.

2.2.8. Data on minors. Reelly does not process data from anyone under the age of 18. If such data is detected, it is deleted.

‍‍

3. PURPOSES OF PERSONAL DATA PROCESSING AND LEGAL BASIS

3.1. Reelly processes personal data only when it is necessary for the operation of the platform, the fulfillment of obligations to Users or compliance with applicable law. In accordance with the DIFC Data Protection Law 2020, data processing is only possible if there are one or more legal grounds.

3.2. Purposes and legal grounds for processing:

Purpose of processing	What data is used	Legal basis
User registration on the platform	Name, Phone, Email, Company, Role	Performance of the contract
Create an agent or developer profile	Profile data, photo, permit, professional information	Performance of the contract
Providing access to the functionality of the platform	All the necessary user data	Performance of the contract
Ensuring the operation of CRM and analytical modules	Behavioral Data, Profile Data, Activity History	Legitimate interests of the operator, provided that there is no damage to the user's rights
AI behavior analytics (without automatic decision-making)	behavioral data, activity, interactions	Legitimate interests (service quality analytics)
Improving the quality of the platform	Technical data, logs, user actions	Legitimate interests
Verification of professional information (e.g. verification of licenses or registers)	Data of permits, verification data	Performance of the contract or Legitimate interests
Communication with the user (support, notifications)	Email, Phone, Messages	Performance of the contract
Sending information messages	Contact Details	Legitimate interests
Marketing messages	Contact details, activity	User consent (opt-in), if required
User-initiated transfer of data to developers	Agent contact details	Performance of the contract or User Consent
Making payments, tariffs and subscriptions	Transactional data	Performance of the contract
Platform analytics and statistics (in anonymized form)	Technical and behavioral data	Legitimate interests
Compliance with legislation, responding to requests from authorities	any necessary data	Legal obligation
Reelly's Protection, Abuse Investigation	Activity history, user behavior	Legitimate interests

3.3. Description of the main legal bases

3.3.1. Performance of a contract is used when the processing of data is necessary for:

user registration,
provision of services and access,
CRM functioning,
ensuring communication between agents and developers.

3.3.2. Legitimate interests. Reelly uses this legal mechanism when the processing:

does not violate the rights and freedoms of the user;
is necessary for the operation of the platform;
ensures the improvement of the quality of service;
Used for analytics, performance monitoring, and abuse prevention.

Reelly conducts a balancing of interests assessment to ensure that no processing infringes users' rights.

3.3.3. Accord. Used in strictly restricted scenarios:

receiving marketing materials;
when the user independently clicks "Transfer contact to developer" or a similar button;
In the event that it is necessary to send data to third parties outside the standard mechanisms of the platform.

3.3.4. Legal obligation. Used in situations where Reelly needs to transmit or process data to:

compliance with DIFC requirements;
responding to requests from government agencies;
AML/KYC obligations (if applicable).

3.3.5. Processing of children's data. Reelly does not process data from anyone under the age of 18. If such data is identified, it will be deleted immediately.

3.4 Processing restrictions. The User has the right to request the restriction of processing if:

the data is incorrect;
the processing is unlawful;
Data is no longer needed by Reelly;
The user is contesting legitimate interests.

‍

4. USING AI TOOLS

4.1. Reelly uses data analysis technologies and machine processing algorithms to improve the quality of the User experience, increase the efficiency of the platform and provide analytical recommendations. At the same time, these algorithms do not make automated decisions that can have a legally significant or other significant impact on the User.

4.2. Purpose of AI tools. The AI at Reelly acts solely as an auxiliary analytical mechanism, not as a decision-making system. Reelly's AI tools are used for the following tasks:

analysis of the User's behavior on the platform;
identifying interests and preferences within the framework of working with objects and CRM;
formation of analytical reports;
providing recommendations to the user or developer within the interface;
automation of certain technical functions (for example, processing messages or system hints);
improving user experience and quality of service.

4.3. Categories of data used by AI.

4.3.1. The following data can be used to operate the algorithms:

behavioral data (history of actions on the platform, activity);
professional data (agent or developer profile);
technical data (device type, system events);
user profile data;
anonymized statistical data.

4.3.2. AI algorithms are not used to analyze or process data belonging to special categories if such data is not required for the functioning of the service.

4.4. Lack of automated decision-making. Any significant decisions are made solely by a person on the basis of business processes and agreements between Users and developers. Reelly doesn't use AI to:

assignment of legally significant statuses;
decision-making regarding access to services;
blocking, sanctions or restrictions on functionality;
definitions affecting the User's rights;
choosing one User instead of another based on the results of automatic analysis.

4.5. The user can request an explanation of any action displayed on the platform and get a response from a competent employee. Reelly provides:

Human validation of AI findings where applicable;
the User's ability to clarify, request correction or dispute the conclusions of analytics;
limiting the influence of AI only to recommendations and tips.

4.6. The platform provides transparency regarding the work of AI:

analytical results are displayed in a clear and accessible form;
Reelly provides the User with information about the logic of the recommendations, if technically possible;
The user can request additional clarification based on the results of the analytics.

4.7. Reelly conducts internal risk assessments to ensure that the use of AI does not infringe on Users' rights. To protect the data used in AI:

data encryption is applied during transmission and storage;
access to data is limited by roles and access levels;
algorithms are trained on anonymized data where possible;
AI results are not used for decision-making without human intervention;
internal quality control of models is applied.

For the operation of AI, external technological services (for example, Google Cloud, OpenAI) can be used, to which fragments of data can be transferred exclusively as part of technical operations: processing requests, generating tips, providing analytics. At the same time: providers do not make decisions regarding Users, do not access data beyond the scope of technical processing, do not use data for model training, unless otherwise expressly agreed, use agreed protection mechanisms and SCC (in case of cross-border transfers).

‍

5. PROFILING AND ANALYTICS

5.1. Reelly uses data analysis tools and evaluation mechanisms to improve the quality of service, increase the efficiency of interaction between Users and developers, and optimize the performance of the platform. At the same time, profiling does not lead to automated decision-making that can have a legally significant or other significant impact on the User.

5.2. Profiling means the analysis of the User's personal and behavioral data to obtain analytical indicators, including: activity statistics, analysis of visits to objects or offers, analysis of interaction with CRM functionality, assessment of the completeness and correctness of filling out the profile, analysis of the frequency of logins and communications, determination of the level of involvement in the platform.

5.3. These indicators are used for: analytical reports displayed by the Users themselves, information tips, improving the quality of recommendations, ensuring better interaction between agents and developers.

Profiling is carried out in the interests of the user and helps to improve the quality of service. Reelly uses profiling exclusively for the following purposes: improving user productivity, providing statistics and analytical reports, optimizing the interface, identifying technical and UX problems, analyzing trends in the use of the platform, improving the quality of recommendations within the platform.

5.4. Any decisions that lead to specific actions (for example, choosing a partner) are made by people, not algorithms.

5.5. Analytics metrics are provided for informational purposes only. Profiling does not have a legally significant effect, does not affect the rights of the User, is not used to make decisions regarding admission, blocking or restrictions, and is not used for discriminatory analysis.

5.6. The User's right to object to profiling. In case of objection, some of the platform's functionality may be limited. The User has the right to object to profiling, to request an explanation of profiling methods, to request correction of data if the analytics are based on erroneous information, to limit the use of behavioral data (within the limits of technical feasibility).

In most cases, Reelly uses behavioral data in an aggregated, de-identified form, without the ability to identify a specific User.

5.7. Security measures for profiling. Reelly provides access control to analytical data, activity logging, processing of sensitive analytical data on the side of EU servers, the use of secure cloud services, and limiting the amount of information collected by the principle of data minimisation.

‍

6. COOKIES AND TRACKING TECHNOLOGIES

6.1. Reelly uses cookies and similar technologies (including web beacons, pixel tags, browser local storage, and SDKs) to ensure the proper operation of the platform, improve user experience, perform analytics, and support marketing functions.

6.2. Cookies can be used for the following purposes: ensuring authorization and saving user settings, analyzing user behavior and improving the interface, supporting marketing and advertising tools, ensuring security and preventing fraud.

6.3. Detailed information about the types of cookies, their storage periods, the tracking technologies used, as well as third parties using cookies on the platform, is set out in a separate Cookie Policy posted at: https://www.reelly.ai/terms/cookie-policy

6.4. The user can manage their cookie settings or disable individual categories through the browser interface or system functionality, in accordance with the instructions set out in the Cookie Policy.

‍

Google Cloud (Hosting & Data Processing)
Google Analytics / GA4
OpenAI API (Processing Custom Requests as Part of Analytics)
Meta (Meta Pixel)
Telegram / Manychat (communications)
other services that ensure the technical functioning of the platform

7.1. Reelly transfers personal data to third parties only in cases where it is necessary for the functioning of the platform, the provision of services, the performance of contractual obligations to Users, as well as within the framework of the User's own initiative. The transfer of data is carried out in accordance with the DIFC Data Protection Law 2020, the principles of data minimization and secure processing.

7.2. Reelly may share data with the following categories of recipients:

7.2.1. Technical Service Providers

7. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

7.2.2. Development and Support Tool Providers

Contractors providing technical support for the platform
Logging and monitoring services

7.2.3. Partner agencies and user service companies

Real Estate Agencies
Brokerage companies

7.2.4. The transfer of data to developers is carried out only with the consent of the User or to provide the User with the functions of the platform related to the interaction between agents and developers.

7.2.5. Advertising and marketing providers:

Analytics services
advertising platforms
Mailing and communication providers

7.2.6. Government agencies and regulators. In cases provided for by law.

Reelly does not share personal data with developers without the User's actual consent. The transfer of the agent's contact details to the developer may occur only in the following cases, when the interaction between the agent and the developer is part of the functionality that the User uses voluntarily, when the transfer of data is necessary for the fulfillment of the terms of service provided by the platform.

7.2.7. AI tools are used by Reelly in a limited and controlled manner. In order for these tools to work, it may be necessary to transfer data to the following providers:

OpenAI API
Google Cloud AI

7.2.8. The transfer of data to these services is carried out only to the extent necessary to perform a technical function (e.g. analysis of the request), without the transfer of data that is not required for processing, without the use of data by the provider to train its own models (unless otherwise expressly authorized by the User), without making automated decisions on the part of the providers.

7.3. Transfer of data to analytics and marketing services. As part of analytics and marketing, Reelly may share technical and anonymized data:

Google Analytics (GA4);
Meta Pixel;
Telegram/Manychat;
other analytical tools.

7.4. Transfer of data to technical and cloud providers. Such providers act as Processors and are not allowed to use the data outside of the purposes specified by Reelly. In order to ensure the operation of the platform, Reelly may transfer data to technical providers:

cloud services;
CDN services;
log storage services;
communication API.

7.5. Transfer of data in cases provided for by law. Transfers are made only to the minimum extent necessary to comply with the law. Reelly can transfer data:

at the request of a court or regulator;
within the framework of a legal obligation;
to investigate abuse or violation of the terms of service;
to protect the rights and legitimate interests of Reelly.

7.6. Data Transfer Limits. Reelly does not transmit:

data to third parties without a legal basis;
data for automated decision-making;
data relating to the agent's licenses or documents, unnecessary, except in cases expressly initiated by the User.

‍

8. CROSS-BORDER TRANSFER OF PERSONAL DATA

8.1. The Reelly platform carries out cross-border transfers of personal data only in cases where it is necessary for the operation of the services and in the presence of appropriate legal protections provided by the DIFC Data Protection Law 2020.

8.2. The main storage of personal data is carried out on servers located in the European Union (EU). The cloud providers used by Reelly provide a level of protection that complies with DIFC requirements and current EU legislation.

8.3. Transfer of data to third countries (USA and other countries). Such transfers are made only to the extent necessary for the performance of specific technical operations and are not used by the providers for independent purposes. In the course of the platform's operation, data may be transferred to services located outside the EU and DIFC, including:

OpenAI (USA);
Meta (United States) - Meta Pixel and advertising tools;
Google (US / Global Data Centers);
Telegram (global distributed infrastructure);
and other services that ensure the technical operation of the platform.

8.4. Legal protection mechanisms (SCC and other tools). These measures ensure a level of protection for personal data comparable to the requirements of DIFC and European legislation. Data will only be transferred to third countries with appropriate guarantees, including:

Standard Contractual Clauses (SCC), approved by the European Commission and recognized by the DIFC as a safeguard mechanism;
additional technical measures (encryption, data minimization, pseudonymisation);
contractual restrictions for external providers (DPAs) that exclude the use of data for third-party purposes;
limiting the amount of data transferred to countries with an inadequate level of protection to only what is necessary to perform technical functions.

Transfer of data to developers and partners in other countries. Reelly does not share data with such partners without the User's voluntary actions. If the User uses the functionality of the platform that involves interaction with developers, agencies or partners located outside the EU or DIFC, then the transfer of data is carried out: at the initiative of the User himself, on the basis of his will (for example, a request for communication), to the minimum extent necessary, only within the framework of the agreed functionality of the platform.

Exceptional cases of transfer. Personal data may be transferred to third countries without additional protection mechanisms only in cases provided for by law, for example: at the request of state authorities or a court, to protect the vital interests of the User, to fulfill Reelly's obligations to regulatory authorities.

8.5. In certain cases, when using external technical tools and development services, the processing of personal data may be carried out on servers of providers located outside the EU and DIFC. Such transfer is performed exclusively to the extent necessary for the execution of technical functions and only subject to appropriate safeguards, including Standard Contractual Clauses (SCC), encryption, data minimisation and pseudonymisation. Reelly ensures that every external provider engaged for hosting or data processing complies with the requirements of the DIFC Data Protection Law 2020 and does not use the data for its own purposes. External providers may operate infrastructure in multiple regions worldwide. Reelly does not intentionally host user data in any specific country; the choice of data location is determined by the technical hosting/processing provider within the framework of the applicable Data Processing Agreement (DPA). All such providers are required to ensure a level of data protection comparable to the requirements of the DIFC.

8.6. Additional security measures. To protect data in cross-border transfers, Reelly uses:

encryption of data in transit and at rest;
distribution of access roles;
security monitoring;
Restriction of access to data by external providers.

‍

9. PERSONAL DATA RETENTION PERIODS

9.1. Reelly retains personal data only for as long as necessary to fulfill the purposes of processing, to fulfill contractual obligations, to comply with legal requirements and to protect the rights and legitimate interests of Reelly or Users. Once the purposes of the processing have been achieved, the data will be deleted or anonymized, unless further storage is required by law or to protect the rights of the parties.

9.2. Retention periods by data category:

Data category	Shelf life	Foundation
Profile data (name, contacts, company)	while active + 12 months or until deleted at the request of the user	Performance of the contract / Legitimate interests
Professional data (licenses, documents)	while active + 12 months or until deleted at the request of the user	Performance of the contract
Behavioral data (activity log, activity)	while active + 12 months or until deleted at the request of the user	Legitimate interests (analytics and security)
Technical data (logs, error information)	while active + 12 months or until deleted at the request of the user	Ensuring the security and stability of the service
Financial data (transactions, balance sheet)	while active + 12 months or until deleted at the request of the user	Legal obligation
Correspondence with support	while active + 12 months or until deleted at the request of the user	Legitimate interests
Data transferred to developers at the initiative of the user	while active + 12 months or until deleted at the request of the user	Performance of the contract
Anonymized data	Not limited (not considered personal)	Unlimited

9.3. Criteria for determining retention periods. The following criteria are used to establish retention periods:

the need for data to provide Reelly services;
obligations under the contract with the User;
Reelly's legitimate interests, including defending against claims;
the requirements of DIFC, EU or other applicable jurisdictions;
Technical needs (e.g., backups)
Data minimization and access restriction.

9.4. Deleted data is unrecoverable and is no longer used by Reelly. After the expiration of the established time limits, the data is deleted in one of the following ways:

complete removal from active systems;
anonymization, which excludes the possibility of identifying the User;
Deletion from backups as the backup cycle is updated.

9.5. Some data may be retained for longer if it is necessary to comply with tax, accounting or other legal requirements, there is an open investigation of a violation of the rules of use of the platform, it is necessary to protect the rights of Reelly or the User in judicial or administrative proceedings, it is required by regulatory authorities (for example, the DIFC Commissioner of Data Protection).

‍

10. USER RIGHTS

10.1. The user whose personal data is processed by Reelly has all the rights provided for by the DIFC Data Protection Law 2020. The exercise of these rights is free of charge (except in cases strictly defined by law, for example, abuse of requests).

10.2. Reelly ensures transparency in the processing of data, timely response to user requests, and compliance with its obligations within the framework of applicable law. The user can send requests by e-mail: info@reelly.ai.

10.3. The right to access personal data. The user has the right to receive:

confirmation of the fact of personal data processing;
a list of processed data;
purposes of processing;
data categories;
the categories of third parties to whom the data is transferred;
retention periods;
information on cross-border data transfer mechanisms.

The request is processed within 1 month.

10.4. Right to rectification. The user has the right to request the correction of inaccurate or outdated data, the completion of incomplete data. Reelly makes changes within a reasonable timeframe.

10.5. Right to erasure. The User may request the deletion of personal data if: the data is no longer necessary for the purposes of processing, the processing is based on consent and the consent is withdrawn, the data has been processed unlawfully, the User has successfully objected to the processing. Exceptions are possible if storage is required by law or necessary to protect Reelly's rights.

10.6. Right to restriction of processing. The User may request the restriction of data processing if: the data is inaccurate, the processing is unlawful, but the User does not want to be deleted, the data is no longer needed by Reelly, but the User needs it for the protection of rights, the User contests legitimate interests. In the event of a restriction, the data is not used, stored only for the purpose of storing or protecting rights.

10.7. Right to object to processing. The user has the right to object to data processing based on: Reelly's Legitimate Interests, direct marketing, behavioral analytics. Reelly will cease processing unless it can prove that there are legitimate grounds that outweigh the interests of the User.

10.8. Right to data portability. The user can receive his data in a structured, commonly used, machine-readable format, and/or transfer it to another operator. Applicable to data: provided by the User himself, processed on the basis of consent or contract.

10.9. Right to withdraw consent. If the processing is based on consent, the User may withdraw it at any time, without giving reasons. The withdrawal of consent does not affect the lawfulness of the processing carried out prior to the withdrawal.

10.10. AI-related and profiling rights. As Reelly does not use automated solutions that: create legally significant consequences or significantly affect the User, the User has the following guarantees:

the right to demand an explanation of the logic of the analytical tools;
the right to request a review of the findings of the analysis by a person;
the right to object to the use of profiling;
the right to restrict the use of behavioural data (within the limits of technical feasibility).

10.11. Right to lodge a complaint. The user can:

send a complaint to Reelly at support@reelly.io,
file a complaint with the Commissioner of Data Protection (DIFC) if they believe their rights have been violated.

10.12. Response time to requests. Reelly responds to User requests:

within 1 month from the date of receipt;
the period can be extended for another 1 month in case of complex requests (with mandatory notification of the User).

‍

11. MARKETING COMMUNICATIONS

11.1. Reelly may use the User's contact details to send informational and marketing communications, as well as to display personalized recommendations within the platform. Marketing activities are carried out strictly in accordance with the requirements of the DIFC Data Protection Law 2020 and the principles of transparency.

11.2. Types of marketing communications. Depending on the User's interaction with the platform, Reelly may direct:

notifications about new platform features;
recommendations for improving the profile and efficiency of work in CRM;
news about real estate projects, facilities and opportunities;
messages about special offers and promotions;
Reminders about subscription status or available rates
training materials and content aimed at improving the efficiency of agents and developers.

11.3. Reasons for Sending Marketing Communications. Marketing communications are sent on one of two legal grounds:

11.3.1. Consent of the User. The user gives consent voluntarily and can withdraw it at any time. Used for:

email newsletters,
SMS notifications (if applicable),
advertising communications outside the platform.

11.3.2. Reelly assesses the balance of interests and ensures that such communications do not violate the User's rights and freedoms. Used for:

notifications within the platform,
recommendations based on the User's actions,
messages necessary to improve the quality of the service.

11.4. Transfer of data to advertising and analytics services. In order to implement marketing functions, Reelly may share technical or anonymized data with the following services:

Meta (Facebook/Instagram Pixel);
Google Analytics / GA4;
Telegram / Manychat;
mailing services;
advertising platforms.

Data transfer is carried out:

only to the minimum extent necessary;
without the transmission of sensitive data;
using security mechanisms (including SCC for data transfers to the United States).

11.5. Personalized recommendations. Such recommendations are not automated decision-making and do not create legally significant consequences. Reelly may display personalized recommendations and offers to the User based on:

its activity;
interests within the platform;
professional profile;
interaction with CRM objects and tools.

11.6. Opting out of marketing communications. The user can at any time:

unsubscribe from email newsletters using the "Unsubscribe" link in the email;
Turn off push notifications (if applicable)
change notification settings within the platform;
send a request for info@reelly.ai.

Opting out of marketing communications:

does not affect access to the platform;
does not limit the functionality of services.

11.7. Restrictions on marketing activities. Reelly is committed to:

not to use the User's personal data without a legal basis;
not to transfer data to third parties for marketing purposes without the consent of the User;
not to use profiling for discriminatory or aggressive marketing practices.

‍

12. SAFETY PRECAUTIONS

12.1. Reelly takes technical and organizational measures to protect Users' personal data from unauthorized access, alteration, disclosure or destruction. The security measures comply with the requirements of the DIFC Data Protection Law 2020, as well as the security principles of international standards.

12.2. Organizational security measures. Reelly provides:

distribution of access levels depending on the role of the employee;
restricting access only to those employees who need it to perform their job duties;
confidentiality of employees and contractors (NDAs and mandatory policies);
regular training of employees in the basics of information security and data protection;
appointment of a Data Protection Lead / Manager;
internal regulations on the handling of personal data;
procedures for responding to requests from data subjects and regulators.

12.3. Technical security measures. For data protection, the following are used:

encryption of data in transit (TLS/HTTPS);
encryption of data at rest (where applicable);
protection of servers and infrastructure through modern security tools;
systems for detecting anomalies and hacking attempts;
multi-factor authentication (MFA) for administrative panels;
Audit logs;
real-time monitoring of systems.

12.4. Protect your data when using cloud services. As the data is stored in the EU (EU data centers):

cloud providers (Google Cloud, etc.) are required to comply with EU security standards;
access to data is subject to contractual restrictions (Data Processing Agreements);
data is transmitted in the minimum necessary volume;
SCC mechanisms are used when interacting with services outside the EU.

12.5. Restricting access to data. Reelly applies the principle of need-to-know, including:

role differentiation of employees;
strict control of rights and permits;
regular audit of access rights;
automatic disabling or narrowing of rights when the employee's role changes.

12.6. Data protection during processing by AI tools. AI tools are used within strict boundaries:

data transmitted to external AI providers is minimized;
personal data is not used to train models unless expressly authorized by the User;
secure API keys and protocols are used;
algorithms work in isolated environments;
AI results are verified by humans (human oversight);
The correctness and quality of analytics are monitored.

12.7. Data protection in the interaction between agents and developers. When transferring user data to other platform participants:

data is transmitted only on the initiative or explicit action of the User;
secure transmission channels are used;
Only authorized representatives of developers or agents get access;

12.8. Protect your data from external threats. Reelly uses:

constant monitoring of unauthorized access attempts;
intrusion detection systems (IDS/IPS);
regular updates of security systems and libraries;
API security control;
restriction of external integrations and access keys.

12.9. Backup

data is backed up according to a schedule that ensures continuity of work;
Backups are stored in secure environments.
Backups are regularly updated and deleted after the retention periods expire.

12.10. Risk assessment and security audit. Reelly conducts:

regular internal security audits;
automated vulnerability analyses;
risk assessment;
Audit of compliance with data protection controls.

‍

13. DATA SECURITY BREACHES

13.1. Reelly takes all possible measures to protect the personal data of Users. However, in the event of a security incident, a response procedure developed in accordance with the requirements of the DIFC Data Protection Law 2020 is in place.

13.2. In the event of a leak, unauthorized access or other incident that may result in: damage, destruction, alteration, disclosure, loss of personal data, Reelly will notify the Commissioner of Data Protection (DIFC) within 72 hours of discovering the incident if such incident poses a risk of violation of the rights and freedoms of data subjects. The notice contains:

a description of the nature of the incident;
Categories of affected data
Number of affected users
remedial measures taken or proposed;
measures taken to prevent such incidents.

13.3. Reelly notifies Users if an incident may cause significant harm to them, poses a high risk to their rights and freedoms, or requires the User to take action (e.g., change password). The notification is sent:

by email,
through the platform interface,
other available means, if required.

13.4. Internal response procedures. Reelly has internal treatments including:

immediate detection and localization of the incident;
analysis of the scale and causes;
blocking unauthorized access;
restoring the integrity of systems;
interaction with technical providers;
Record all activities in the incident log.

13.5. Incident log. Records are kept in accordance with the DIFC Regulations. Reelly logs all data security incidents, including:

date and time of detection;
Description of the incident
Categories of affected data
the response measures taken;
information about the notification of the regulator and Users.

13.6. Responsibility and prevention of recurrence. Once the incident is resolved, Reelly conducts:

internal security audit;
analysis of causes and vulnerabilities;
updating procedures and technical measures;
training of employees;
Revision of access and infrastructure configurations

‍

14. PROCESSING OF MINORS' DATA

14.1. Reelly is intended for use by adult users - agents, brokers, representatives of developers and other professional participants in the real estate market. The platform does not target children or minors.

14.2. Prohibition of data processing of persons under 18 years of age. Reelly does not knowingly process personal data of anyone under the age of 18. Registration, profiling, using the platform or providing data by minors is not allowed.

14.3. Verification of age information. If necessary, Reelly may take reasonable steps to verify that the User is of legal age, including:

analysis of the data provided;
verification of professional information (for example, broker's license, data of an agency employee);
Additional requests for information in case of doubt.

14.4. Actions in case of detection of data of minors. If Reelly becomes aware that data of a person under the age of 18 has been: provided during registration, uploaded to the profile, transmitted as a result of a mistake by the User, then Reelly: immediately deletes this data, blocks the profile (if one has been created), notifies the person who provided the data (if possible), takes measures to prevent the recurrence of such cases.

14.5. Obligations of the user. The User acknowledges that:

he has reached the age of 18;
uses the platform for professional purposes;
does not provide data of minor third parties.

‍

15. CHANGES TO THIS POLICY

15.1. Reelly reserves the right to update or change this Policy at any time to:

take into account changes in legislation (including DIFC Data Protection Law);
reflect new features or updates to the platform;
adapt to changes in the technologies used;
to provide greater transparency and protection for Users.

15.2. Procedure for notification of changes. Reelly notifies Users of material changes to the Policy in one or more of the following ways:

publication of the updated version on the site;
notification within the platform;
by sending an e-mail to the address specified during registration;
displaying a pop-up notification when you log in to the service.

15.3. Cases where re-consent is required. In these cases, the platform may ask for proof of consent before proceeding with processing. Repeated consent or explicit action by the User may be required if the changes:

significantly change the purposes of data processing;
expand the list of data collected by the platform;
relate to the transfer of data to third parties for new purposes;
affects data transferred outside the EU or DIFC;
change the grounds for data processing based on consent.

15.4. Effect of the Policy after changes. Continued use of the platform after the publication of changes means the User's consent to the updated Policy, unless otherwise requires explicit confirmation. The User has the right to:

stop using the platform;
delete your profile;
Ask for clarification by email info@reelly.ai.

‍

16. CONTACT INFORMATION

16.1. The User may contact Reelly with any questions related to the processing of personal data, the exercise of his/her rights or requests under this Policy. Contacts of the Data Controller

REELLY Tech Ltd

Unit 208, Level 1, Gate Avenue – South Zone

Dubai International Financial Centre

Dubai, United Arab Emirates

Commercial License No.: CL6648

Email for inquiries: info@reelly.ai

Appeals are considered within the period set by the DIFC Data Protection Law 2020.

16.2. The Company is not required to appoint a Data Protection Officer (DPO) under the DIFC Data Protection Law 2020 and does not appoint one at this time. All questions related to the processing of personal data can be sent to: info@reelly.ai

16.3. Contacts of the regulator - Commissioner of Data Protection (DIFC). The user has the right to file a complaint directly with the regulatory authority if he believes that his rights have been violated.

Commissioner of Data Protection

Dubai International Financial Centre

The Gate, Level 14

P.O. Box 74777

Dubai, United Arab Emirates

Official

website: https://www.difc.ae/business/registrars-and-commissioners/commissioner-of-data-protection/

Email: dpo@difc.ae

16.4. Procedure for filing a complaint. Reelly recommends contacting us first to resolve the issue as quickly as possible. The user can:

Contact Reelly directly:
info@reelly.ai
If the decision is not satisfactory, file a complaint with the Commissioner of Data Protection:

via the online-form on the DIFC website,
or by email above.

‍