1. Data controller
The data controller responsible for your personal data is Help Yard Cleaning Services LLC OPC (trade license no. CN-5312883), registered in Abu Dhabi, United Arab Emirates.
For data protection inquiries, contact us at or via WhatsApp at +971 50 497 3113.
When HelpYard processes personal data on behalf of a business customer (e.g., employee data entered by an FM company), HelpYard acts as a data processor and the business customer is the data controller. In such cases, processing is governed by a Data Processing Agreement (DPA) between HelpYard and the customer.
2. Personal data we collect
We collect and process the following categories of personal data:
2.1 Website visitor data
- Contact form submissions: Name, email address, company name, and message content
- Pilot signup form: Name, email address, and company name
- Device and browser information: Browser type, operating system, screen resolution, and referring URL
- Analytics data: Page views and visit patterns (collected via Umami, a self-hosted, privacy-focused analytics tool that does not use cookies or collect personally identifiable information)
2.2 Platform user data (SaaS application)
- Account information: Name, email address, phone number, role, and organization
- Employee records: Names, phone numbers, certifications, language abilities, employment details, and assigned properties
- GPS location data: Real-time geographic coordinates of field workers during active work shifts, used for attendance verification and proof of service
- Geotagged photographs: Timestamped photos with location metadata, captured by field workers as proof-of-work documentation
- Task and operational data: Task assignments, completion status, checklists, escalation records, and shift schedules
- Property and zone data: Facility addresses, zone configurations, and QR code scan records
- Environmental sensor data: Readings from connected IoT devices (temperature, humidity, particle counts) — this data is typically not personal data unless linked to an identifiable individual
3. Lawful basis for processing
Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021, "PDPL"), we process personal data based on the following lawful bases:
| Data type | Lawful basis (PDPL Art. 4) |
|---|---|
| Website form submissions | Consent (explicit, at point of submission) |
| Account information | Contractual necessity (required to provide the Service) |
| Employee records | Employment obligations and contractual necessity |
| GPS location data | Employment obligations and contractual necessity |
| Geotagged photographs | Employment obligations and contractual necessity |
| Task and operational data | Contractual necessity |
| Analytics data | Not personal data (anonymized, no cookies) |
Important note on GPS tracking and photos: GPS location tracking and photo capture are active only during assigned work shifts and are used solely for workforce management, attendance verification, and proof-of-service reporting. These features are deactivated outside of working hours. For B2B customers, the employing FM company (as data controller) is responsible for informing employees about GPS tracking and photo capture, obtaining any required consents, and ensuring compliance with applicable employment and data protection laws, including UAE Penal Code Article 378 (regarding photography in private places).
4. Purpose of processing
We process personal data for the following specific purposes:
- Service delivery: Providing, operating, and maintaining the HelpYard platform
- Workforce management: Scheduling shifts, dispatching tasks, tracking attendance, and managing employee assignments
- Proof of service: Verifying task completion through GPS records and geotagged photos
- Compliance monitoring: Generating reports, checklists, and compliance documentation for facility management contracts
- Communication: Responding to inquiries, sending service-related notifications, and providing customer support
- Platform improvement: Analyzing usage patterns (in aggregate) to improve the Service
- Legal compliance: Meeting obligations under UAE law, including record-keeping and regulatory reporting
5. Cross-border data transfers
Your personal data may be transferred to and processed in countries outside the United Arab Emirates. We use the following service providers:
| Service | Data processed | Location | Safeguards |
|---|---|---|---|
| Supabase (PostgreSQL) | All application data | AWS infrastructure (US/EU) | Contractual safeguards (PDPL Art. 23) |
| Cloudflare | Static assets, security | Global CDN (incl. ME PoPs) | No personal data stored persistently |
| WhatsApp (user-initiated) | Messages, phone numbers | Meta servers (US) | User-initiated communication; subject to WhatsApp's own privacy policy |
| Umami Analytics | Anonymized visit data | Self-hosted (Germany) | Not personal data (anonymized) |
As of March 2026, the UAE Data Office has not published an adequacy list or issued Standard Contractual Clauses. Cross-border transfers are conducted under contractual safeguards as permitted by PDPL Article 23, including data processing agreements with each provider that include obligations for data security, confidentiality, and breach notification.
6. Data retention
In accordance with PDPL Article 5, we do not retain personal data longer than necessary to fulfill the purposes for which it was collected. Our retention periods are:
| Data type | Retention period |
|---|---|
| GPS location logs | Duration of contract + 12 months (for dispute resolution) |
| Geotagged photographs | Duration of contract + 12 months (proof-of-work retention) |
| Employee records | Duration of employment + minimum 2 years (as required by UAE Labor Law, Federal Decree-Law No. 33/2021) |
| Account information | Duration of subscription + 90 days (data export period) |
| Website form submissions | Until purpose is fulfilled or consent is withdrawn |
| Analytics data | Aggregated and anonymized — no retention limit |
| Task and operational data | Duration of contract + 12 months |
Upon expiration of the retention period, personal data is permanently deleted from active systems. Backup copies are purged within 90 days of the primary deletion.
7. Your rights under UAE PDPL
Under the UAE Personal Data Protection Law (Articles 13-18), you have the following rights regarding your personal data:
- Right of access (Art. 13): You may request a copy of the personal data we hold about you, free of charge.
- Right to correction (Art. 14): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 14): You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected.
- Right to data portability (Art. 16): You may request your personal data in a structured, commonly used, machine-readable format.
- Right to restrict processing (Art. 15): You may request restriction of processing in certain circumstances.
- Right to object (Art. 17): You may object to processing of your personal data for direct marketing purposes or statistical surveys.
- Right to object to automated decisions (Art. 18): You may object to decisions based solely on automated processing that produce legal or similarly significant effects concerning you.
- Right to withdraw consent (Art. 6): Where processing is based on consent, you may withdraw your consent at any time without penalty. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to complain: You have the right to lodge a complaint with the UAE Data Office if you believe your data protection rights have been violated.
How to exercise your rights: Submit a request by email to or via WhatsApp. We will respond to your request within one (1) calendar month of receipt. This period may be extended by up to two (2) additional months for complex or numerous requests, in which case we will inform you of the extension within the first month.
8. Consent
Where we rely on consent as the lawful basis for processing (e.g., website form submissions), consent is:
- Explicit: Given through a clear affirmative action (submitting a form)
- Specific: Tied to a defined purpose stated at the point of collection
- Informed: Provided after you have been informed of how your data will be used
- Revocable: You may withdraw consent at any time by contacting us, without affecting the lawfulness of prior processing
9. Security measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
- Encryption at rest: Database storage uses AES-256 encryption
- Access controls: Role-based access control (RBAC) ensures users can only access data relevant to their role and organization
- Row-Level Security (RLS): Database-level policies that enforce data isolation between organizations
- Audit logging: Access to sensitive data is logged for accountability
- DDoS protection: Cloudflare provides network-level protection against distributed attacks
- Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other security headers are enforced
10. Data breach notification
In the event of a personal data breach, we will:
- Notify the UAE Data Office immediately upon becoming aware of the breach, in accordance with PDPL Article 9
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Provide details of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach
- For B2B customers (where HelpYard is a data processor), we will notify the customer (data controller) without undue delay to enable them to fulfill their own notification obligations
11. Cookies and tracking technologies
Our approach to tracking is privacy-first:
- Umami Analytics: We use Umami, a self-hosted, privacy-focused analytics platform. Umami does not use cookies, does not collect personally identifiable information, and does not track users across sites. All data is aggregated and anonymized.
- Cloudflare Analytics: A lightweight JavaScript beacon used for performance monitoring. It does not use cookies or collect personally identifiable information.
- Essential cookies: We use only essential cookies required for session management and security (e.g., authentication tokens in the SaaS application). These are strictly necessary for the Service to function and do not require consent.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers. We do not sell personal data to third parties.
12. Children's data
The HelpYard platform is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.
13. Third-party links
Our website and platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated by email or through a notice on our website at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when this policy was most recently revised.
15. Contact for data requests
For any questions about this Privacy Policy, to exercise your data protection rights, or to raise a privacy concern, contact us at:
- Email:
- WhatsApp: +971 50 497 3113
- Address: Abu Dhabi, United Arab Emirates
This Privacy Policy references the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021) and related UAE legislation current as of March 2026. Executive Regulations under the PDPL have not yet been published; specific requirements may be updated when those regulations are issued. Full PDPL compliance is required six months after the Executive Regulations are published by the UAE Cabinet (as of March 2026, these regulations have not yet been issued). This document should be reviewed by a legal professional qualified in UAE data protection law.