Privacy Policy

Last updated: April 2026 | Compliant with UAE PDPL (Federal Decree Law No. 45 of 2021)

1. Data Controller

SrivTCH Technologies LLC ("we", "us", "our") is the Data Controller responsible for your personal data.

Company: SrivTCH Technologies LLC
Licence: 2431076.01 (Shams Free Zone, Sharjah, UAE)
Email: sriv@srivtch.com

2. Data We Collect

We collect the following categories of personal and business data:

ACCOUNT DATA:
- Full name, email address, phone number
- Company name, trade licence number, TRN (Tax Registration Number)
- Emirates/country, business address
- Password (hashed — never stored in plain text)

FINANCIAL DATA:
- Sales invoices and purchase bills
- Bank transaction data (uploaded by you)
- VAT returns and tax calculations
- Profit & Loss statements

TECHNICAL DATA:
- IP address, browser type, device information
- Session tokens and authentication logs
- API usage and feature access logs

AI PROCESSING DATA:
- Transaction descriptions sent for AI categorisation (PII masked before processing)
- AI decisions, confidence scores, and human corrections

3. How We Use Your Data

We process your data for the following purposes and legal bases:

PURPOSE: Providing the Platform service
LEGAL BASIS: Contract performance (Article 4, UAE PDPL)
DETAILS: Creating invoices, processing bank statements, generating reports

PURPOSE: UAE Tax Compliance assistance
LEGAL BASIS: Legal obligation (UAE VAT Law, Corporate Tax Law)
DETAILS: VAT calculations, Corporate Tax estimates, FTA-aligned invoice generation

PURPOSE: Security and fraud prevention
LEGAL BASIS: Legitimate interests (Article 4, UAE PDPL)
DETAILS: MFA enforcement, audit logging, security monitoring

PURPOSE: AI categorisation and data extraction
LEGAL BASIS: Consent (given at registration)
DETAILS: Using Claude AI via AWS Bedrock to categorise transactions. PII is masked before any data is sent to AI models.

PURPOSE: Service improvement
LEGAL BASIS: Legitimate interests
DETAILS: Usage analytics, error monitoring, feature usage

4. AI Processing and Data Protection

We use Artificial Intelligence in our Platform following ISO 42001 AI Management principles:

- TRANSPARENCY: All AI decisions are logged with full lineage including model used, prompt version, confidence score, and cost
- HUMAN OVERSIGHT: All AI categorisations require human review before being used for tax purposes
- DATA MINIMISATION: Personal identifiers are masked before sending any data to AI models — only transaction amounts and sanitised descriptions are processed
- EXPLAINABILITY: You can view the reason for each AI categorisation
- AUDIT TRAIL: Complete history of AI decisions and human corrections is maintained

AI processing uses AWS Bedrock (Claude AI) hosted in eu-west-1 (Ireland). Data sent to AI is processed transiently and not used for model training.

5. Data Sharing

We share your data only with:

AWS (Amazon Web Services) — Cloud infrastructure, storage, and AI processing
- Data Processing Agreement in place
- Data stored in eu-west-1 (Ireland)
- AWS is certified under ISO 27001, SOC 2, and GDPR

AWS Cognito — Authentication and MFA
- User credentials managed by AWS
- MFA codes never stored by us

We do NOT sell your data to third parties.
We do NOT use your data for advertising.
We do NOT share your financial data with other businesses.

Government disclosure: We may disclose data if required by UAE law, court order, or regulatory authority including the UAE Federal Tax Authority (FTA).

6. Data Retention

We retain your data as follows:

ACCOUNT DATA: For the duration of your subscription + 90 days after termination
FINANCIAL DATA: 7 years (UAE VAT Law requires 5 years, we retain 7 for additional safety)
AUDIT LOGS: 5 years (ISO 27001 principle)
AI DECISION LOGS: 5 years (ISO 42001 principle)
SECURITY LOGS: 2 years
DELETED ACCOUNTS: Permanently deleted after 90-day retention period

You may request deletion of your data at any time (subject to legal retention requirements).

7. Your Rights Under UAE PDPL

Under Federal Decree Law No. 45 of 2021 (UAE Personal Data Protection Law), you have the right to:

RIGHT OF ACCESS: Request a copy of all personal data we hold about you
RIGHT OF CORRECTION: Request correction of inaccurate or incomplete data
RIGHT OF DELETION: Request deletion of your data (subject to legal retention requirements)
RIGHT OF RESTRICTION: Request we restrict processing of your data
RIGHT OF PORTABILITY: Receive your data in a machine-readable format
RIGHT TO WITHDRAW CONSENT: Withdraw consent for AI processing at any time
RIGHT TO OBJECT: Object to processing based on legitimate interests

To exercise any of these rights, email: sriv@srivtch.com
We will respond within 15 business days.

8. Data Security

We implement the following security measures following ISO 27001 principles:

ENCRYPTION:
- Data in transit: TLS 1.3
- Data at rest: AES-256 encryption on AWS S3 and RDS

ACCESS CONTROL:
- Mandatory Multi-Factor Authentication (MFA) for all accounts
- Role-based access control
- Session expiry after 24 hours of inactivity

MONITORING:
- Complete audit log of all actions with timestamp, user, and IP address
- Security event monitoring and alerting

INCIDENT RESPONSE:
- Data breach notification within 72 hours as required by UAE PDPL
- Incident response procedures in place

9. Cookies

We use the following cookies:

ESSENTIAL COOKIES (cannot be disabled):
- srivtch_session: Authentication session token (httpOnly, secure, 24 hours)
  Purpose: Keeps you logged in securely
  Cannot be disabled as the Platform cannot function without it

We do NOT use:
- Marketing or advertising cookies
- Social media tracking cookies
- Analytics cookies that track you across other websites
- Third-party tracking pixels

Our session cookie is httpOnly (cannot be accessed by JavaScript) and Secure (only sent over HTTPS).

10. International Data Transfers

Your data is stored and processed in the following locations:

PRIMARY: AWS eu-west-1 (Dublin, Ireland) — EU data protection standards apply
AI PROCESSING: AWS Bedrock eu-west-1 (Ireland) — transient processing only

Data transfers are protected by:
- AWS Data Processing Agreements
- Standard Contractual Clauses (SCCs)
- AWS certification under applicable data protection requirements

We do not transfer your financial data to countries without adequate data protection laws.

11. Children's Privacy

Invoxa is intended for use by businesses and adults aged 18 and above. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that we have collected data from a minor, we will delete it immediately.

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The date of the latest revision is shown at the top of this policy. Continued use of the Platform after changes constitutes acceptance of the updated Privacy Policy.

13. Contact and Complaints

For privacy-related questions or to exercise your rights:
Email: sriv@srivtch.com

If you are not satisfied with our response, you may lodge a complaint with:
UAE Ministry of Economy — Consumer Protection Department
Website: www.economy.gov.ae

14. Standards Alignment Disclosure

Invoxa follows ISO 27001 and ISO 42001 principles in its security architecture and AI governance practices. Our privacy practices are designed to align with UAE PDPL (Federal Decree Law No. 45 of 2021).

Important: Invoxa is not formally certified under ISO 27001, ISO 42001, or any other standard at this time. Certification is actively being pursued. These standards are referenced to describe our approach and commitment to data protection, not to imply regulatory approval or certification status. Users should seek independent legal and compliance advice for their specific regulatory obligations.

This Privacy Policy complies with UAE Federal Decree Law No. 45 of 2021 (Personal Data Protection Law). We follow ISO 27001 and ISO 42001 principles. Formal certification is in progress.