Privacy Policy

This Privacy Policy describes how SoReel ("we", "us", "our") collects, uses, stores, shares, and protects your personal data when you use soreel.ae and related services (the "Service"). It also explains your rights and how to exercise them.

We process personal data in line with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and applicable implementing regulations.

1. Who we are

SoReel is operated from the United Arab Emirates. For data protection matters, contact us at abdulla@aaogail.com. We are the Controller of personal data described in this policy unless otherwise stated.

2. What we collect

Account data — full name, email address, password hash (we never store plaintext passwords), account type (Creator or Business), date of account creation, language and locale preferences.

Profile data — Instagram, TikTok, YouTube handle(s); follower and engagement counts obtained from social platforms via OAuth or scheduled refresh; bio text; profile picture URL; city or area.

Business and venue data — venue name, category, location, description, cover image, trade licence documents (where uploaded for verification), business representative details.

Contact data — phone or WhatsApp number where you choose to provide one (used to facilitate post-approval contact between matched Creators and Businesses; never displayed publicly).

OAuth access tokens — when you connect Instagram, YouTube, or TikTok, we store access tokens (and refresh tokens where issued) to fetch metrics on your behalf. Tokens are encrypted at rest.

Usage data — Collab applications, approvals, redemptions, post submissions, ratings, in-app messages with support, notification preferences.

Follower snapshots — periodic snapshots of your public follower count from connected platforms, used to report growth attributable to a Collab.

Payment data — for paid plans, our payment processor (Ziina) handles card details directly; we receive only a token, the last four digits, the card brand, and transaction status. We do not store full card numbers.

Technical data — IP address, browser type and version, device OS, pages visited, timestamps, error logs. Collected automatically for security, debugging, and platform integrity.

Communications — emails you send us, support chat messages, transactional email delivery receipts.

3. Legal basis for processing (UAE PDPL Article 5)

We process personal data on the following legal bases:

• Performance of a contract — to operate the Service for which you signed up (Article 5(2)).
• Legitimate interests — fraud prevention, security, service improvement, where these are not overridden by your rights (Article 5(7)).
• Consent — for marketing communications, optional integrations, and any processing you have explicitly opted into (Article 5(1)). You may withdraw consent at any time.
• Legal obligation — to comply with UAE tax, anti-money-laundering, court order, or other regulatory requirements (Article 5(3)).
• Vital interests / public interest — only where required by law (Articles 5(4), 5(5)).

4. How we use your data

• To operate the Service: matching Creators with Businesses, processing applications, generating redemption codes, tracking post submissions.
• To verify identity, trade licences, and social media ownership.
• To calculate Creator reach metrics and AED-equivalent value for Business reporting.
• To send transactional emails (signup confirmation, application status, payment receipts, post reminders, security alerts).
• To send service announcements (planned downtime, terms updates).
• To send marketing communications (tips, new features) — only with your explicit opt-in; you can unsubscribe at any time.
• To detect and prevent fraud, abuse, and Acceptable Use violations.
• To respond to support requests and resolve User disputes.
• To comply with legal obligations and respond to lawful requests from UAE authorities.
• To improve the Service through aggregated, anonymised analytics. This includes anonymous funnel tracking (a random ID stored in your browser to measure where signups drop off) — the ID has no personal data attached unless you complete signup, at which point it links to your account so we can review your own journey.

We do not sell, rent, or trade your personal data. We do not show third-party advertising in the Service. We do not use your data to train third-party AI models.

5. Who we share your data with

Other Users on the Service. When you apply for a Collab, the Business sees your handle, follower count, rating, and any details displayed on your public profile. After a Collab is approved, both parties may see each other's WhatsApp contact number (once it has been verified via our planned WhatsApp verification flow) to coordinate the visit. Email addresses are never exchanged between Users.

Sub-processors. We use the following service providers to operate the Service. They process personal data on our instructions and under written data-processing terms:

• C2P Consultants (United Arab Emirates) — registered Tech Provider for the SoReel Meta app; holds the Meta app credentials on SoReel's behalf and facilitates Instagram API access. C2P processes Platform Data only at SoReel's direction and may not use it for its own purposes.
• Supabase (United States / European Union infrastructure) — database, authentication, file storage, edge functions.
• Resend (United States) — transactional email delivery.
• Ziina (United Arab Emirates) — subscription payment processing.
• Meta Platforms (United States / Ireland) — Instagram OAuth and metrics retrieval (via C2P Consultants as registered Tech Provider); WhatsApp Business API for contact verification and notifications (planned).
• Google (United States / Ireland) — YouTube OAuth and metrics retrieval.
• TikTok / ByteDance (Singapore / Ireland) — TikTok OAuth and metrics retrieval.
• Bluehost (United States) — web hosting for static assets.
• Anthropic (United States) — support-chat assistant model inference for the in-app help bot; data minimised to the support message content.

Legal disclosures. We may share data with UAE authorities, courts, or law enforcement where required by law, court order, or to protect the rights, property, or safety of SoReel, our Users, or the public.

Business transfers. If we are involved in a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to this Privacy Policy or an equivalent successor.

6. Cross-border data transfers

Some of our sub-processors are based outside the UAE (notably United States and European Union). When we transfer your personal data outside the UAE, we rely on:

• The recipient country being deemed by UAE authorities to have an adequate level of data protection, or
• Standard contractual clauses, processor binding rules, or equivalent safeguards required by UAE PDPL Article 22, or
• Your explicit consent for the transfer (Article 23).

7. Data retention periods

We retain your personal data only as long as necessary for the purposes set out in this policy or as required by law. Specific retention periods:

• Account profile and activity: while your account is active.
• After account deletion: personal identifiers wiped within 30 days. Anonymised aggregate statistics may be retained indefinitely.
• Payment and transaction records: 7 years from the transaction date, as required by UAE tax and commercial law.
• OAuth tokens: until you disconnect the integration, plus up to 7 days for safe revocation processing.
• Server logs (IP, technical): 90 days from collection.
• Support chat transcripts: 24 months from the last message.
• Verification documents (trade licence images): until verification is decided plus 18 months, after which deleted unless required for ongoing legal/dispute reasons.
• Backup snapshots: overwritten on a 30-day rolling cycle.
• Legal holds: data subject to active legal proceedings, tax audits, or regulatory investigations is retained until the matter is resolved.

8. Your rights under UAE PDPL

You have the following rights regarding your personal data:

• Right to be informed — about how we process your data (this policy).
• Right of access (Article 13) — request a copy of the personal data we hold about you.
• Right to rectification (Article 14) — correct inaccurate or incomplete data.
• Right to erasure / deletion (Article 15) — delete your personal data, subject to legal retention requirements.
• Right to restrict processing (Article 16) — limit how we use your data in specific circumstances.
• Right to data portability (Article 17) — receive your data in a structured, commonly used, machine-readable format.
• Right to object (Article 18) — to processing based on legitimate interests or for marketing purposes.
• Right to withdraw consent — for processing based on consent, at any time.
• Right not to be subject to solely automated decision-making (Article 19) — that produces legal or similarly significant effects. We do not currently use such automated decision-making.
• Right to lodge a complaint — with the UAE Data Office or other competent authority.

To exercise any of these rights, use our data request form, or email abdulla@aaogail.com. We respond within 30 days as required by Article 24 of the PDPL.

9. Security

We implement appropriate technical and organisational measures to protect your personal data:

• HTTPS / TLS for all data in transit.
• Encryption at rest for OAuth tokens, verification documents, and password hashes.
• Row-level security policies in our database so Users can only access their own data.
• Time-limited authentication sessions with secure tokens.
• Access controls and audit logging for administrative actions.
• Regular security review of code and infrastructure.

No system is perfectly secure. We will notify affected Users and the UAE Data Office of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by UAE PDPL Article 9.

10. Children's data

SoReel is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. Creator accounts for users aged 16-17 require parent or guardian consent and are subject to additional safeguards.

If you believe we may have collected data from a child under 16 without proper consent, contact us at abdulla@aaogail.com and we will delete the data promptly.

11. Cookies and similar technologies

We use only essential cookies and local-storage entries required for the Service to function:

• Authentication tokens (Supabase session) — to keep you signed in.
• Wizard draft state (sessionStorage) — to recover unsaved progress in offer or venue setup.
• UI preferences (localStorage) — to remember dismissed notifications and personalisation flags.

We do not use third-party tracking cookies. We do not use advertising cookies. We do not use cross-site behavioural tracking.

If we add product analytics in the future (e.g. PostHog or Google Analytics), we will update this section and obtain consent where required.

12. Marketing communications

We will only send you marketing communications (newsletters, tips, feature announcements) if you have explicitly opted in. You can unsubscribe at any time using the link in any marketing email, or from Settings → Notifications.

Transactional communications (account-critical notices, application status, security alerts, payment receipts) are not marketing and you cannot opt out of them while your account is active.

13. International users

SoReel is operated from the United Arab Emirates and is intended primarily for UAE Users. If you access the Service from outside the UAE, you do so on your own initiative and are responsible for compliance with your local laws. By using the Service from outside the UAE, you consent to your data being transferred to and processed in the UAE.

14. Profile visibility

Some of your data is visible to other Users by design:

• Creator profiles — handle, bio, follower counts, ratings, and any badges are visible to Businesses browsing the Service.
• Venue listings — venue name, category, location, description, cover image, and verification status are visible to Creators browsing the Service.
• WhatsApp contact — visible only after a Collab application is approved, and only between the matched Creator and Business.
• Email addresses — never shared with other Users.
• Verification documents — never shared with other Users.

15. Changes to this policy

We may update this policy. The "Last updated" date at the top will change, and material changes will be notified by email or in-app banner at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

16. Contact and complaints

Data protection enquiries, rights requests, or complaints: abdulla@aaogail.com or via in-app support.

If you believe we have not adequately addressed your concern, you may lodge a complaint with the UAE Data Office or other competent supervisory authority in your jurisdiction.

SoReel — operated from the United Arab Emirates. Compliant with UAE Federal Decree-Law No. 45 of 2021.