Privacy
Policy.

About Us

Crayon AI Labs Ltd ("the Company", "we", "us", or "our") is a company incorporated in the Dubai International Financial Centre (DIFC), DIFC Registration No. 10522, with its registered address at Unit IH-00-01-03-OF-05, Level 3, Innovation Hub, Dubai International Financial Centre (DIFC), Dubai, UAE.

We operate the website at https://www.crayonlabs.ai (the "Website") and any associated products, services, and platforms we may offer (collectively, the "Services").

We are committed to protecting your personal data and your right to privacy. This Policy explains what data we collect, why we collect it, how we use it, and what rights you have.

Scope of this Policy

This Policy applies to all personal data we process about:

• visitors to our Website;
• individuals who contact us through any form, email, or other channel;
• subscribers to our newsletter or waitlist;
• customers or users of any current or future Service; and
• any other person whose personal data we hold or process.

This Policy does not apply to third-party websites linked from our Website. We encourage you to review their own privacy policies.

We Are the Data Controller

Crayon AI Labs Ltd acts as the data controller for personal data collected through the Website and Services. This means we determine the purposes and means of processing your personal data.

For any privacy-related queries, contact us at: privacy@crayonlabs.ai.

What Personal Data We Collect

4.1 — Data you provide directly

We may collect the following categories of personal data:

• Identity data: name, job title, company name;
• Contact data: email address, telephone number, mailing address;
• Communications data: messages, enquiries, or feedback you submit to us;
• Account data: username, encrypted password, and account preferences — if and when account functionality is introduced; and
• Payment and billing data — collected and processed by our third-party payment providers. We do not store full card details.

4.2 — Data we collect automatically

When you visit our Website, we automatically collect certain technical and usage data, including:

• device type, browser type, operating system, and screen resolution;
• IP address and approximate geographic location (country/city level);
• pages visited, time spent on pages, and navigation paths;
• referring URL and search terms used to reach us; and
• cookie identifiers and similar tracking data (see Section 8).

4.3 — Data from third parties

We may receive personal data from third-party sources including analytics providers and publicly available sources such as LinkedIn, used only in accordance with this Policy.

How and Why We Use Your Personal Data

5.1 — To operate and improve the Website and Services

Legal basis: Our legitimate interests in operating and improving our business, including analysing how visitors use the Website and developing new features.

5.2 — To respond to enquiries

Legal basis: Our legitimate interests in communicating with prospective customers and partners, or — where you submit a contact form — performance of a pre-contractual relationship.

5.3 — To send marketing communications

Legal basis: Your consent, where required by applicable law. You may withdraw consent at any time by clicking "Unsubscribe" in any marketing email, or by contacting us at the address in Section 12.

5.4 — To provide our Services and fulfil contracts

Legal basis: Performance of a contract with you, or to take steps at your request before entering into a contract.

5.5 — To comply with legal obligations

Legal basis: Compliance with applicable law, including DIFC law, UAE federal law, and — where applicable — EU law.

5.6 — AI-related processing

Where you interact with any AI-powered features we may offer, we may process your inputs and interactions to generate outputs, to improve system performance, and for safety and trust purposes.

We shall not use your data to train third-party AI models without your explicit consent. We may use anonymised or aggregated data to improve our own internal systems in accordance with our contractual commitments.

Who We Share Your Data With

We do not sell your personal data. We may share it with:

• Service providers: companies providing IT, hosting, analytics, email delivery, payment processing, and other services on our behalf, under confidentiality obligations;
• Analytics providers: including Google LLC (Google Analytics — see Section 8);
• Professional advisors: lawyers, accountants, and auditors, where necessary;
• Investors and acquirers: in connection with due diligence, a merger, acquisition, or financing round, subject to appropriate confidentiality obligations; and
• Regulatory or law enforcement bodies: where required by applicable law, court order, or regulatory requirement.

All third-party processors are required to handle your data securely and only in accordance with our instructions.

International Data Transfers

Our operations are based in the DIFC, Dubai. Some service providers — including Google Analytics — are based outside the UAE and the DIFC, including in the United States and the European Economic Area.

Where we transfer personal data outside the DIFC or the UAE, we take steps to ensure appropriate protections are in place, which may include standard contractual clauses or equivalent safeguards recognised under applicable law.

Cookies and Analytics

8.1 — What are cookies?

Cookies are small text files placed on your device when you visit a website. They allow us to recognise your device and collect information about how you use our Website.

8.2 — Cookies we use

• Strictly necessary cookies: required for the Website to function and cannot be switched off;
• Analytics cookies: used to measure how visitors interact with the Website (see Section 8.3); and
• Preference cookies: used to remember your settings and choices.

8.3 — Google Analytics

We use Google Analytics, a web analytics service operated by Google LLC. Google Analytics uses cookies to collect information about your use of the Website, including browser type, pages visited, and time spent. This data is transmitted to and stored by Google.

We have configured Google Analytics to anonymise IP addresses where this feature is supported by the platform, so that your full IP address is not stored.

You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, available at tools.google.com/dlpage/gaoptout. For more information on how Google processes data, see policies.google.com/privacy.

8.4 — Managing cookies

You may configure your browser to refuse some or all cookies. Disabling certain cookies may affect the functionality of the Website. You may also manage cookie preferences via our cookie consent tool when this is implemented on the Website.

How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by applicable law. Our general retention periods are:

• Website analytics data: up to 26 months, after which it is aggregated or deleted;
• Enquiries and contact form submissions: up to 3 years from the date of last contact;
• Account data: for the duration of your account, plus up to 2 years following closure; and
• Legal and financial records: as required by UAE law (generally 5–7 years).

Where we no longer have a legitimate purpose to retain your data, we securely delete or anonymise it.

Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. Measures include encryption of data in transit (TLS), access controls, and regular security reviews.

No method of transmission over the internet is completely secure. We cannot guarantee absolute security and we do not make that representation.

If you believe your personal data has been compromised, please contact us at privacy@crayonlabs.ai.

Your Rights

Depending on your location and applicable law, you may have the following rights:

• Right of access: to request a copy of the personal data we hold about you;
• Right to rectification: to request that we correct inaccurate or incomplete data;
• Right to erasure: to request deletion of your personal data, subject to certain conditions;
• Right to restriction: to ask us to limit how we use your data;
• Right to portability: to receive your data in a structured, machine-readable format;
• Right to object: to object to processing based on legitimate interests; and
• Right to withdraw consent: where processing is based on consent, to withdraw it at any time.

To exercise any of these rights, contact us at privacy@crayonlabs.ai. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are an EU or EEA resident, you have the right to lodge a complaint with your local supervisory authority. If you are in the DIFC, you may contact the DIFC Commissioner of Data Protection.

How to Contact Us

For any questions, requests, or complaints relating to this Privacy Policy, please contact:

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will update the effective date at the top of this document and, where appropriate, notify you by email or a notice on the Website.

Your continued use of the Website or Services after the effective date of an updated Policy constitutes acceptance of that update.

Governing Law

This Privacy Policy is governed by the laws of the Dubai International Financial Centre (DIFC) and applicable UAE federal law. The DIFC Commissioner of Data Protection has regulatory oversight of data protection matters within the DIFC.

Where applicable, we also comply with the requirements of the EU General Data Protection Regulation (GDPR) in relation to the personal data of EU and EEA residents.