Privacy Policy
Last updated: 5 June 2026
1. Plain-English summary
This document is long because UAE privacy law requires it to be. Here is what matters in 60 seconds:
- Who we are: Disruptive Real Estate Broker LLC, a Dubai brokerage regulated by the Dubai Land Department's Real Estate Regulatory Agency (RERA) under permit number ORN 1167819.
- What we collect: your name, contact details, what property/area/budget you asked about, what you do on the site, what we discuss with you over WhatsApp / phone / email, and the cookies that make the site work.
- Why: to respond to your enquiry, match you with the right broker, send you relevant property options you asked for, comply with UAE law (RERA, AML, tax), and improve the site.
- Who sees it: our agents, and the third-party services that power the site (full list in §10). We do not sell your data.
- We record conversations. Calls with our brokers are recorded; WhatsApp messages on our brokerage number are stored; emails are logged in our CRM. This is industry-standard for real estate, required for compliance, and disclosed in the first message on every channel.
- Your rights: access, correct, delete, restrict, object, withdraw consent, complain. See §15.
- You can opt out of marketing communications and non-essential cookies at any time. See §11 and §14.
We comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and apply equivalent protections — including the EU GDPR — for visitors based in the EU, UK or other jurisdictions with comparable laws.
2. Who we are
| Legal name | Disruptive Real Estate Broker LLC |
| Commercial activity | Real estate brokerage services in the Emirate of Dubai |
| Regulator | Dubai Land Department — Real Estate Regulatory Agency (RERA) |
| RERA Office Registration Number (ORN) | 1167819 |
| Registered office | Office 2105, 21st Floor, Citadel Tower, Dubai, United Arab Emirates |
| Data controller | Disruptive Real Estate Broker LLC (we determine why and how your personal data is processed) |
| Contact for privacy matters | admin@disruptiveestate.com |
| General contact | info@disruptiveestate.com |
| Brokerage WhatsApp | +971 52 758 2342 |
For complaints relating to our RERA-regulated activities, you may also contact the Dubai Land Department directly at 600 555 556 or via dubailand.gov.ae.
For data-protection-specific complaints, the UAE supervisory authority is the UAE Data Office (uaedataoffice.ae). Visitors in the EU/UK may also contact their local data protection authority.
3. Scope of this policy
This policy applies to all personal data we collect or process:
- when you visit disruptiveestate.com or any of its subdomains, including the mobile and tablet versions;
- when you submit any form on the website;
- when you communicate with us by WhatsApp on our brokerage number (+971 52 758 2342), by phone on any number assigned to our brokerage, or by email;
- when you create or use an account on the website (for saved searches, favourites, or related personalised features);
- when you meet with one of our brokers in person at one of our offices, a property viewing, or a real estate event;
- when we receive information about you from third parties (e.g. lead-generation portals, our advertising platforms, our partner developers).
This policy does not apply to:
- third-party websites linked from our site (each has its own privacy policy);
- data we process strictly for employment purposes (covered by a separate internal HR policy).
4. Definitions
For clarity throughout this policy:
| Term | Meaning |
|---|---|
| "Personal data" | Any information relating to an identified or identifiable individual ("you" / "data subject") |
| "Processing" | Any operation performed on personal data, including collection, storage, use, disclosure, deletion |
| "Controller" | The party that determines purposes and means of processing — i.e., Disruptive Real Estate Broker LLC |
| "Processor" | A third party that processes personal data on our behalf, under contract (e.g., AWS, HubSpot) |
| "PDPL" | The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its executive regulations |
| "GDPR" | EU Regulation 2016/679, the General Data Protection Regulation |
| "RERA" | Dubai's Real Estate Regulatory Agency |
| "DLD" | Dubai Land Department |
| "AML" | Anti-Money Laundering (Federal Decree-Law No. 20 of 2018 in the UAE) |
| "CRM" | Customer Relationship Management system — our central platform for managing leads, contacts, and communications |
5. Personal data we collect
We only collect what we need to provide our services, comply with law, and improve the site. Categories below.
5.1 Information you give us directly
When you submit any of the forms on the site (homepage inquiry form, listing inquiry, off-plan project inquiry, community page inquiry, developer page inquiry, valuation request on /sell, contact form, agent-profile inquiry, saved-search signup, brochure download), we collect:
- Identity: full name (as you provide it).
- Contact: phone number (with country code), email address (where provided).
- Free text: any message or notes you choose to add.
- Property interest: which listing, project, area, building, developer, or property type you specifically asked about.
- Intent: your stated purpose (buy / rent / off-plan / sell / invest).
- Budget: the price or rent range you indicated, where provided.
- Mortgage status: for buyers, whether you are paying cash, pre-approved for a mortgage, or not started — where you tell us.
- Move-in date: for renters, your target move-in date and tenancy term, where provided.
When you create an account on the site:
- Email address (your sign-in identifier).
- Password: hashed by Amazon Cognito; we never see or store the plaintext password.
- Unique user ID issued by Amazon Cognito.
- Account events: timestamps of sign-up, email verification, sign-ins, password resets.
When you use account-only features (saved searches, favourites):
- The listings, projects, areas, and search filters you choose to save.
- The dates you saved/removed them.
When you communicate with us on WhatsApp, by phone, or by email — see §6.
5.2 Information we collect automatically when you visit the site
Whether or not you have an account, we collect the following on every visit:
- Technical data: IP address (truncated where possible for analytics), browser type and version, operating system, device type (mobile / tablet / desktop), screen and viewport dimensions, preferred language, preferred colour scheme.
- Approximate location: city, region, and country derived from your IP via Amazon CloudFront's edge-location headers. Used to pre-select your phone country code and serve the right currency.
- Connection: time of visit, referring URL (which site sent you to us), pages viewed, time spent per page, scroll depth, clicks on key UI elements (CTAs, navigation, listings, agent buttons).
- Form interactions: if you start a form and leave without submitting, we record the fact of the abandonment and the page you abandoned it on (we do not retain the contents of unsubmitted form fields).
5.3 Marketing attribution data ("UTM" + click identifiers)
To understand which advertising campaigns and channels brought you to our site, and to calculate marketing return on investment, we capture:
- UTM parameters present in the URL when you arrived:
utm_source,utm_medium,utm_campaign,utm_term,utm_content. - Click identifiers from advertising platforms:
gclid(Google Ads),fbclid(Meta / Facebook / Instagram),ttclid(TikTok),msclkid(Microsoft / Bing). - First-touch attribution: the very first set of UTM/click identifiers we ever saw on your device, frozen in browser
localStorageand never overwritten — so when a returning visitor finally converts months later, we still know which original campaign brought them in. - Last-touch attribution: the most recent set of UTM/click identifiers, refreshed each visit.
- Landing page: the first URL on our site for the current session and for first-touch.
- External referrer: the off-site URL that linked you to us, if any.
5.4 Behavioural data (CRM engagement tracking)
If you have submitted a form, clicked an email link from us, or signed in with an account, our CRM (HubSpot) sets a first-party tracking cookie (hutk) on your device for up to 13 months. This cookie lets us:
- attribute subsequent visits — across sessions and devices that link back via email click — to your Contact record;
- record which listings, projects, communities, developers, and pages you view across visits;
- calculate an internal Engagement Score based on which pages you view, how often you return, whether you start forms, and other interactions;
- alert your assigned broker in real time when you return to the site (a "comeback alert") so they can follow up quickly.
This is first-party tracking — the data stays inside our CRM. It is not used for advertising-platform targeting and is not shared with advertising networks.
If you wish to opt out of comeback / behavioural tracking, contact admin@disruptiveestate.com. We will suppress your Contact in HubSpot within 30 days.
5.5 Information from third parties
We receive data about you from:
- Property Finder LLC — when you submit a lead on a Property Finder listing that originates from our brokerage, Property Finder forwards your contact details to us.
- Dubizzle Limited and Bayut/dubizzle — same mechanism for leads originating on their portals against our listings.
- Advertising platforms (Google Ads, Meta, TikTok, Microsoft Advertising, LinkedIn) — campaign-level conversion attribution data; not individual personal data unless you've separately interacted with us.
- Dubai Land Department (DLD) — public property transaction registry data (sales, rentals, project registrations, RERA permits) which we use to power market insights. This data describes properties and transactions, not you personally.
- Our partner developers — where you previously consented to a developer sharing your data with our brokerage in connection with a specific project enquiry.
5.6 Information from in-person and meeting interactions
When you meet with one of our brokers (in our office, at a property viewing, or at an event), we record:
- a written meeting note in our CRM summarising what was discussed, what properties were shown, and any next steps;
- where you authorise it, photographs or scanned copies of the documents you provide (ID, proof of address, proof of funds) — for KYC/AML purposes only.
5.7 Special-category / sensitive data
We do not seek to collect sensitive personal data (racial or ethnic origin, religious beliefs, political opinions, trade-union membership, genetic or biometric data, health data, data concerning a person's sex life or sexual orientation). If you voluntarily disclose such information in a free-text message (e.g., explaining a relocation reason), we will process it only to respond to your enquiry and will not use it for any other purpose.
5.8 Children
The site and our services are not directed at individuals under 18. We do not knowingly collect personal data from children. If you become aware that a child has submitted personal data to us, contact admin@disruptiveestate.com and we will delete it within 30 days.
6. Conversation recording and disclosure (calls, WhatsApp, email)
We record, log, and retain all communications between you and Disruptive Real Estate Broker LLC on company-owned channels. This is standard practice for regulated real estate brokerages and is required for our compliance, quality assurance, dispute resolution, and AML obligations.
6.1 Phone calls
All inbound and outbound phone calls between you and a Disruptive broker on a brokerage-issued phone line (typically routed through our voice-over-IP provider, Aircall, or equivalent) are:
- announced at the start with an audible disclosure ("This call may be recorded for quality and compliance purposes");
- recorded in full audio;
- transcribed automatically;
- stored in our CRM on the Contact and Deal records they relate to;
- accessible only to your assigned broker, our admin team (Owner and senior management), and the third-party processors strictly necessary to store the recording (Aircall, HubSpot, AWS).
You may decline to be recorded by:
- ending the call after the recording disclosure plays, OR
- requesting in writing that we contact you only via channels you nominate where recording is not active.
We respect this request; however, please note that we are unable to assign you a broker through the standard intake flow if you decline all recorded channels, because our compliance obligations require that lead-handling work be auditable.
6.2 WhatsApp messages
All WhatsApp conversations between you and any Disruptive broker take place on our brokerage WABA number +971 52 758 2342. All messages — inbound and outbound — are:
- delivered through the official WhatsApp Business API operated by Meta;
- routed via our CRM (HubSpot) shared-inbox interface, where any authorised broker may respond;
- stored on Meta's servers and synchronised to our CRM Contact records;
- accessible only to the broker assigned to your Deal, our admin team, and the third-party processors strictly necessary to deliver the service.
The first message you receive on our WhatsApp number includes a disclosure ("Messages on this number are stored for quality and compliance"). By continuing the conversation after that disclosure, you consent to the recording.
If a broker contacts you from a personal WhatsApp account that is not our brokerage WABA number, that conversation is outside the scope of this policy and outside our official records. This is a breach of our internal policy by the broker concerned. Please report it to admin@disruptiveestate.com so we may investigate.
6.3 Email
When you email us at any @disruptiveestate.com address, or a broker emails you from one, the email — including its subject, body, attachments, headers, and any reply chain — is logged in our CRM on your Contact record. Tracking pixels in our outbound marketing emails may also record:
- whether and when you opened the email;
- which links you clicked.
Every outbound marketing email contains an unsubscribe link in the footer.
6.4 In-person meetings
Notes from in-person meetings (office, viewings, events) are logged manually in the CRM by the attending broker, typically within one hour of the meeting. We may also send you a WhatsApp follow-up summary of the meeting on the brokerage WhatsApp number; that summary is logged the same way as any other WhatsApp message.
We do not audio- or video-record in-person meetings unless we have explicitly told you we will and you have agreed.
7. How we use your personal data
We use your personal data only for the purposes listed below, and only on a lawful basis described in §8.
| Purpose | Categories of data used | Lawful basis |
|---|---|---|
| Respond to your enquiry — assign a broker, share property options, schedule viewings, follow up | Identity, contact, property interest, intent, budget, communications | Performance of a contract; legitimate interest |
| Run your account — sign-in, account management, transactional notifications (verification, password reset) | Account credentials, account events | Performance of a contract |
| Personalise the site — pre-select country code, remember currency/unit preference, surface relevant nearby listings | Technical, automatic, account preferences | Legitimate interest |
| Run marketing campaigns — re-engage cold leads, send saved-search alerts, push new launches matching your stated interest | Identity, contact, property interest, marketing consent | Consent (you can withdraw any time) |
| Comeback alerts to your broker — notify your assigned broker when you return to the site | Behavioural tracking, CRM identification cookie | Legitimate interest; you can opt out |
| Comply with legal and regulatory obligations — RERA recordkeeping, AML / KYC checks, tax records, audits, court orders | All categories | Legal obligation |
| Anti-fraud / security — detect spam form submissions, abusive traffic, attempted account takeover, scraping | Technical, automatic | Legitimate interest |
| Improve the site — measure which pages, listings, features, and channels work, A/B test improvements | Technical, automatic, behavioural (only after analytics consent) | Consent (analytics cookies); legitimate interest (aggregated, non-identifying) |
| Dispute resolution and complaints handling | All categories, including conversation records | Legitimate interest; legal obligation |
| Internal training and quality assurance | Conversation records (anonymised where possible) | Legitimate interest |
We do not sell your personal data to anyone, ever.
We do not use your data for automated decision-making with legal or similarly significant effects on you. The CRM Engagement Score described in §5.4 is used to alert a human broker; it does not autonomously make decisions that affect your access to property or pricing.
8. Lawful bases for processing
Under the UAE PDPL, and equivalent regimes where applicable, we rely on the following legal bases. The base used depends on the specific purpose, mapped in §7:
- Consent — for analytics cookies, marketing cookies, direct-marketing emails / WhatsApp / SMS, and the placement of advertising-platform pixels. You give consent through our cookie banner or by ticking explicit marketing opt-ins. You may withdraw at any time without affecting the lawfulness of prior processing.
- Performance of a contract — to operate your account, deliver the brokerage services you request, and respond to property enquiries you submit.
- Legitimate interests — to secure the site against fraud, debug and improve the platform, run anonymous aggregate analytics, send transactional notifications, and operate the comeback alerting layer of our CRM. Where we rely on legitimate interests, we conduct a balancing assessment and respect your right to object (§15).
- Legal obligation — RERA recordkeeping, AML/CFT obligations under Federal Decree-Law No. 20 of 2018, tax recordkeeping under UAE Federal Tax Law, court orders, and other legal requirements that apply to a Dubai-licensed brokerage.
9. Marketing communications
We will send you marketing communications (email, WhatsApp, SMS) only:
- in response to your specific request (e.g., you asked us to send Marina listings); or
- with your prior consent obtained at the point of data collection.
Marketing communications include: new listing alerts matching your saved searches, new off-plan project launches matching your stated interest, market updates, newsletters, and re-engagement messages.
Every marketing communication includes a clear opt-out mechanism:
| Channel | How to opt out |
|---|---|
| Click the Unsubscribe link in the email footer | |
| Reply STOP to the message | |
| SMS | Reply STOP to the message |
| All channels at once | Email admin@disruptiveestate.com requesting full marketing suppression |
Opting out of one channel suppresses you across all marketing channels — a single opt-out flips a single flag on your Contact record.
Opting out of marketing does not affect transactional or service messages (e.g., a broker responding to a specific property question you asked).
This complies with the UAE TDRA Anti-Spam Regulation and equivalent rules in other jurisdictions.
10. Service providers, processors, and other recipients
We share your personal data only with the parties below, each strictly limited to the data needed for the function described and bound by a written data processing agreement where required by law.
10.1 Our brokers and internal staff
Disruptive brokers act under Disruptive Real Estate Broker LLC. They have access to the personal data of leads assigned to them, plus aggregated team data. Visibility within our CRM is restricted to "own deals only" for sales agents; the Owner and senior management see across the team. All staff are bound by confidentiality clauses in their employment contracts.
10.2 Hosting and infrastructure
| Provider | Function | Data location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Website hosting (Amplify), serverless functions (Lambda), authentication (Cognito), database (DynamoDB, RDS), file storage (S3), email delivery (SES), edge content delivery (CloudFront) | Primary: eu-central-1 (Frankfurt, EU). Some routing functions globally distributed. |
| Cloudflare, Inc. (if used for any function) | DNS and DDoS protection (where applicable) | Globally distributed |
10.3 Customer Relationship Management (CRM)
| Provider | Function | Data location |
|---|---|---|
| HubSpot, Inc. | Contact records, deals, communications history, automation, analytics, dashboards. The central CRM for all lead and customer data. | United States, with EU storage option enabled where available |
10.4 Communications
| Provider | Function | Data location |
|---|---|---|
| Meta Platforms, Inc. (WhatsApp Business API) | Inbound and outbound WhatsApp messages on our brokerage number | Globally distributed (Meta infrastructure) |
| Aircall SAS (or equivalent VoIP provider, when implemented) | Phone-call infrastructure, call recording, transcription | France / EU |
| Google LLC (Google Workspace) | Email infrastructure for @disruptiveestate.com mailboxes |
Globally distributed |
| Amazon SES (Simple Email Service) | Transactional email delivery (lead notifications, verifications) | eu-central-1 (Frankfurt) |
10.5 Listing inventory and property data
| Provider | Function | Data scope |
|---|---|---|
| Property Finder LLC | Provides listing inventory (properties, photos, prices) shown on the website via its Edge API | Property data, not personal data; some lead forwarding when you contact through a PF-originated listing |
| Dubai Land Department / RERA | Public registry data — sales transactions, permits, project registrations, developer registrations | Public property data, not personal data |
10.6 Analytics and advertising (only after you consent)
| Provider | Function |
|---|---|
| Google LLC | Google Analytics 4, Google Tag Manager, Google Ads, Google Search Console |
| Meta Platforms, Inc. | Meta Pixel (Facebook / Instagram advertising), Conversions API |
| Microsoft Corporation | Microsoft Advertising (Bing Ads) conversion tracking, Microsoft Clarity session-replay (where enabled) |
| TikTok Pte. Ltd. | TikTok Pixel, TikTok Ads conversion API |
| LinkedIn Corporation | LinkedIn Insight Tag (where enabled) |
All of the above respect the Google Consent Mode v2 defaults set by our cookie banner: tags do not fire and pixels do not load until you grant consent through the banner.
10.7 Monitoring and operations
| Provider | Function |
|---|---|
| Functional Software, Inc. (Sentry) | Application error monitoring and CSP violation reporting. Captures IP address and limited user-context data when an error fires. |
| DebugBear Ltd. | Synthetic performance monitoring of the website (no personal data collected — these are automated robots) |
| PageSpeed Insights API (Google LLC) | Performance audits (no personal data) |
| Better Stack (Better Uptime) | Site uptime monitoring (no personal data) |
| MapTiler AG and OpenStreetMap Foundation | Map tiles for the location panel on listing and project pages |
| OpenRouteService | Travel-time calculations from listings to nearby amenities — only coordinates are sent, never personal data |
| Strapi (self-hosted) | Content management for editorial content (off-plan projects, communities, agent profiles, blog posts). Hosted on AWS within our infrastructure. |
10.8 Future planned subprocessors
The following are planned and will be added once integrated; this list will be updated:
- Aircall (or alternative VoIP) for phone-call capture and recording.
- Calendar / scheduling tools (e.g., HubSpot Meetings).
- Document signing platforms (e.g., DocuSign) for booking deposits, MOUs, and other agreement workflows.
10.9 Government, regulatory, and legal recipients
We may disclose personal data to:
- the Dubai Land Department, including the Real Estate Regulatory Agency (RERA), where required for permit verification, complaints, or audits;
- the UAE Central Bank and the Financial Intelligence Unit, for AML/CFT reporting where suspicious activity is identified or where required by law;
- UAE Federal Tax Authority and other tax authorities, for tax recordkeeping;
- UAE courts, including the Dubai Courts of First Instance, in response to lawful orders or to assert or defend legal claims;
- other UAE law-enforcement authorities in response to lawful requests.
10.10 Corporate transactions
In the event of a merger, acquisition, reorganisation, sale of all or substantially all of our assets, or similar transaction, your personal data may be transferred to the successor or acquiring entity. You will be notified of any such change of controller in advance, where required by law.
10.11 Other recipients with your consent
We do not share your personal data with any other party — including other brokerages, partner developers, or marketing networks — without your prior specific consent.
11. Cookies, pixels, localStorage, and similar tracking technologies
The site uses cookies and equivalent client-side storage to function and, with your consent, to measure use and to run marketing campaigns.
A cookie banner appears on your first visit. You can accept all, reject non-essential, or pick per category. You can change your decision at any time by clicking the "Cookie settings" link in the footer.
11.1 Categories
Strictly necessary (always active — required for the site to work):
| Storage key | Purpose | Duration |
|---|---|---|
dre_consent_v1 |
Records your cookie consent decision | 365 days (localStorage) |
| Cognito auth tokens | Keeps you signed in to your account | Up to 30 days |
dre-preview |
Pre-launch site bypass cookie (will be removed at launch) | 365 days |
next-auth.csrf-token (or equivalent) |
Cross-site request forgery protection on forms | Session |
Functional (always active — improve usability, no analytics):
| Storage key | Purpose | Duration |
|---|---|---|
prefs |
Stores your currency (AED/USD/EUR) and unit (sqft/sqm) preference | Persistent (localStorage) |
dre_visited_at |
Session start time, used to calculate time on site | Session |
dre_landing_v1 |
The first page of the current session | Session |
dre_utm_v1 |
Last-touch UTM parameters | Session |
dre_first_touch_v1 |
First-touch marketing attribution | 13 months (localStorage) |
Analytics (off by default — only set after you accept):
| Provider | Cookies set | Purpose |
|---|---|---|
| Google Analytics 4 | _ga, _ga_*, _gid |
Aggregated visitor metrics, pages viewed, events, conversions |
| Google Tag Manager | _gtm, others as configured |
Loads other analytics/advertising tags |
| Microsoft Clarity (if enabled) | _clck, _clsk |
Session replay heatmaps; personal data masked |
Marketing (off by default — only set after you accept):
| Provider | Cookies / pixels set | Purpose |
|---|---|---|
| Google Ads | _gcl_au, __Secure-3PAPISID, etc. |
Conversion tracking and retargeting for Google search and display ads |
| Meta Pixel | _fbp, _fbc |
Conversion tracking and audience matching for Facebook and Instagram ads |
| TikTok Pixel | _ttp, _tt_* |
Conversion tracking for TikTok ads |
| Microsoft Advertising | MUID, _uetsid, _uetvid |
Conversion tracking for Bing/LinkedIn ads |
| LinkedIn Insight Tag (if enabled) | bcookie, lidc, others |
Conversion tracking for LinkedIn ads |
First-party CRM tracking (set only if you have submitted a form, clicked an email link, or signed into an account):
| Storage key | Purpose | Duration |
|---|---|---|
hutk |
HubSpot visitor identification cookie — attributes subsequent visits to your Contact record | Up to 13 months |
__hssrc, __hssc, __hstc |
HubSpot session / source attribution | Session to 13 months |
11.2 Google Consent Mode v2
Before any analytics or advertising tag fires, we apply Google Consent Mode v2 with all ad_storage, analytics_storage, ad_user_data, and ad_personalization signals defaulted to denied. Tags only run after you grant the corresponding consent through the banner. Google's services (Analytics, Ads, Tag Manager) automatically respect your decision under Consent Mode.
11.3 Do Not Track
Some browsers send a Do Not Track ("DNT") signal. Because there is no agreed standard for honouring DNT, we do not currently change behaviour based on the signal alone — but you can achieve an equivalent outcome by rejecting non-essential cookies through our banner.
12. International data transfers
Wherever practical, we host data in the eu-central-1 region of Amazon Web Services (Frankfurt, EU). Some subprocessors named in §10 are located outside the UAE — primarily:
- United States (Google, Meta, HubSpot, Microsoft, Sentry, AWS for some functions);
- European Union / EEA (Aircall, MapTiler, AWS Frankfurt);
- Other jurisdictions as expressly listed in §10.
Where personal data is transferred outside the UAE, we rely on one or more of the following safeguards:
- the destination country's status under the UAE PDPL as a country with adequate data protection (per the UAE Cabinet's decisions on cross-border transfers);
- Standard Contractual Clauses or equivalent contractual safeguards in our data processing agreements with each subprocessor;
- the EU Commission's Standard Contractual Clauses (where data subjects in the EU are concerned);
- the UK International Data Transfer Addendum (where data subjects in the UK are concerned);
- your explicit consent to a specific transfer (rarely used).
You can request a copy of the safeguard applicable to a specific transfer at admin@disruptiveestate.com.
13. How long we keep your data
We retain personal data only as long as necessary for the purpose for which it was collected, plus any additional period required by law.
| Category | Retention period | Why |
|---|---|---|
| Lead enquiries (form submissions, WhatsApp inbound) | Indefinite while you are an active or reasonably-likely-future customer, subject to your right of erasure (§15) | Real estate decisions can resurface 5-7+ years later (golden-visa renewal, repeat purchase, dispute); historical conversation data is more valuable over time |
| Recorded phone calls | Indefinite, subject to erasure | Compliance, AML, dispute resolution |
| WhatsApp conversation history | Indefinite, subject to erasure | Same |
| Email correspondence | Indefinite, subject to erasure | Same |
| User account profile | Until you delete the account; then erased within 30 days, except where law requires longer retention | Account is your record |
| Saved favourites / saved searches | Until you remove them, or up to 30 days after account deletion | Tied to account |
| Cookie consent record | 365 days from your last decision | To remember your preference |
| Analytics aggregated reports | Indefinite (anonymous / aggregated) | Trend analysis |
| Google Analytics per-user data | 14 months (the default Google retention setting) | Industry-standard |
| AML / KYC records | Minimum 5 years after the end of the business relationship or transaction, per UAE Federal Decree-Law No. 20 of 2018 | Legal obligation |
| Tax records | 5 years from the end of the relevant tax period, per UAE Federal Tax Law | Legal obligation |
| Court records or active litigation | Until the matter is concluded and the appeals period expires | Legal obligation |
When you exercise your right of erasure (§15), we remove your personal data from active systems within 30 days, except for records we are legally required to keep (which we retain in a restricted-access archive for the minimum legal period).
After the retention period expires, data is either deleted or fully anonymised (so it can no longer be associated with you).
14. Security measures
We apply industry-standard technical and organisational measures designed to protect your data:
Technical:
- TLS 1.3 encryption in transit for all web traffic;
- AWS-managed encryption at rest for all data stored in our database, file storage, and CRM (where supported);
- Web Application Firewall (AWS WAF) in front of the site to block known malicious traffic patterns;
- Content Security Policy headers to prevent cross-site scripting attacks;
- DKIM, SPF, and DMARC anti-spoofing configured for
@disruptiveestate.comoutbound email; - Strict identity-and-access-management (IAM) controls, with least-privilege roles and no shared credentials;
- Cognito-managed password hashing (we never see or store plaintext passwords);
- Multi-factor authentication required for all admin and broker accounts;
- Encrypted backups with point-in-time recovery for our database;
- Secrets stored in AWS Secrets Manager, not in code or environment files;
- Continuous error and security monitoring via Sentry, with CSP violation reporting.
Organisational:
- Confidentiality clauses in every employment contract;
- Mandatory data-protection and AML training for every new staff member, refreshed annually;
- Role-based access controls in the CRM ("own deals only" for sales agents; broader for admin);
- Regular random sampling and audit of broker conversations for quality and compliance;
- Documented incident response and breach notification procedures.
No system is 100% secure. If we ever suffer a personal-data breach that is likely to result in a risk to your rights, we will notify you and the UAE Data Office (and, where applicable, equivalent EU/UK supervisory authorities) within 72 hours of becoming aware, as required by law.
15. Your rights
Subject to the UAE PDPL — and to the EU/UK GDPR where applicable — you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you, plus a summary of how we use it.
- Right to rectification — request that we correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request that we delete your personal data, subject to legal-retention obligations described in §13.
- Right to restriction of processing — request that we limit how we use your data while a dispute is being resolved or in similar circumstances.
- Right to object — object to processing based on our legitimate interests; we will stop unless we have compelling grounds that override your rights, or we need the data to defend a legal claim.
- Right to data portability — receive your personal data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to withdraw consent — withdraw any consent you previously gave, at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint — with the UAE Data Office or, where applicable, the data protection authority in your country of residence.
15.1 How to exercise your rights
Email admin@disruptiveestate.com with the request. To protect against impersonation, we may ask you to verify your identity (e.g., by confirming the email address on file, or providing a copy of government ID for high-risk requests).
We will respond within 30 days of receipt of a verifiable request. For complex or voluminous requests, we may extend by a further 60 days and will notify you of the extension within the initial 30-day window.
There is no charge for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive — in which case we may charge a reasonable administrative fee or refuse to act, as permitted by law.
16. Automated decision-making and profiling
We use limited automated processing to:
- calculate your CRM Engagement Score (§5.4) — used to alert a human broker, not to make any decision affecting you directly;
- detect spam, fraud, and abusive submissions — borderline cases are reviewed by a human;
- match new listings to your saved-search criteria — purely a filter, not a decision affecting you.
We do not make any decision that produces legal effects or similarly significantly affects you (such as approving or denying a tenancy, mortgage, or property purchase) based solely on automated processing.
17. Children's data
The site and our services are not directed at children under 18. We do not knowingly collect personal data from individuals under 18. If you become aware that we have inadvertently collected such data, contact admin@disruptiveestate.com and we will delete it within 30 days.
18. Third-party sites and content
The site may link to third-party websites (developer websites, government portals, news articles, social media). We are not responsible for the content or privacy practices of those sites. Read their privacy policies before submitting personal data to them.
Some pages embed third-party content (Google Maps, MapTiler tiles, video players). Embedded content may set cookies and collect data subject to its own provider's privacy policy.
19. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, new third-party services, new legal requirements, or for clarity. The "Last updated" date at the top of this document reflects the latest version.
For material changes — including new categories of personal data, new third-party recipients of sensitive data, changes to your rights, or anything materially affecting how your data is processed — we will:
- post a prominent notice on the website at least 30 days before the change takes effect; and
- where you have an account, send you an email notification.
Continued use of the site after a change takes effect constitutes acceptance of the updated policy. If you do not agree with a change, you may exercise your rights under §15 (including erasure).
20. Severability
If any part of this Privacy Policy is found to be invalid or unenforceable by a competent authority, the remaining parts continue in full force and effect. The invalid part will be modified to the minimum extent necessary to make it enforceable while preserving its intent.
21. Governing law
This Privacy Policy is governed by the federal laws of the United Arab Emirates and the laws of the Emirate of Dubai. Any dispute relating to this policy or to the processing of your personal data shall be subject to the exclusive jurisdiction of the Courts of Dubai, subject to any mandatory consumer-protection rule of your country of residence.
22. Contact us
| Privacy enquiries and rights requests | admin@disruptiveestate.com |
| General enquiries | info@disruptiveestate.com |
| +971 52 758 2342 | |
| Office | Office 2105, 21st Floor, Citadel Tower, Dubai, United Arab Emirates |
| Postal correspondence | Disruptive Real Estate Broker LLC, Office 2105, 21st Floor, Citadel Tower, Dubai, United Arab Emirates |
For complaints we do not resolve to your satisfaction, you may escalate to the UAE Data Office at uaedataoffice.ae or to the data protection authority of your country of residence.