Legal

Privacy Policy

Effective date: 1 April 2026

This Privacy Policy explains how Doro Technologies Ltd (Doro, we, us, our) collects, uses, shares, and protects personal data when you use our platform, our website, our WhatsApp interface, or any related service we provide.

Document version 1.0Effective 1 April 2026

Doro is registered in the Dubai International Financial Centre under licence number CL12687 and is registered with the DIFC Commissioner of Data Protection under SR-708142. Our processing of personal data is governed by DIFC Data Protection Law No. 5 of 2020 and Amendment Law No. 1 of 2025 (together, the "DIFC DPL").

1. Who we are and how to contact us

Data controller: Doro Technologies Ltd
Registered office:Innovation One, Level 1, Zaa'beel Second, Dubai International Financial Centre, Dubai, United Arab Emirates
DIFC registration: CL12687
DIFC DP registration: SR-708142

For all data protection matters, including data subject rights requests, complaints, or questions about this policy, please contact our Data Protection Contact:

Email: compliance@paywithdoro.com
Postal:Doro Technologies Ltd, Innovation One, Level 1, Zaa'beel Second, DIFC, Dubai, UAE

We respond to all data protection inquiries within 5 business days and resolve substantive requests within 30 days, in accordance with DIFC DPL.

2. Who this policy applies to

This policy applies to all individuals whose personal data we process in connection with the Doro platform, including:

Real estate agents registered with a verified UAE agency on Doro
Agency principals and authorised representatives of agencies on Doro
Beneficial owners of agencies on Doro (where required for compliance)
Property buyers engaging with a Doro payment link
Property sellers receiving funds through Doro
Visitors to our website and WhatsApp interface
Counterparties and third parties whose data appears in transaction documents we process

Doro is a closed B2B platform restricted to verified UAE real estate businesses and the parties to their transactions. The platform is not available to the general public.

3. Age restriction

Doro is strictly limited to users aged 18 and over. We verify the age of all agents (via UAE PASS and Emirates ID) and all buyers (via Sumsub identity verification). We do not knowingly collect personal data from any individual under 18.

If we become aware that we have collected personal data from a person under 18, we will delete that data promptly. If you believe we have inadvertently processed data of a minor, please contact compliance@paywithdoro.com.

4. Personal data we collect

We collect personal data directly from you when you interact with Doro and indirectly from our verified partners and from public registries. The categories below describe what we collect about each user type.

4.1 Agents (real estate professionals)

When you register as an agent on Doro, we collect:

Full name (in English and Arabic)
Date of birth
Nationality
Emirates ID reference (verified via UAE PASS, we do not retain the Emirates ID image or full number)
Verified mobile number and email address (received from UAE PASS)
RERA Broker Registration Number (BRN) and registration status
Agency affiliation
Specialisation and languages spoken (optional)

Throughout your use of Doro, we additionally process:

Transaction records you create
Documents you forward, upload, or generate via the platform
Communications you send to Doro through email, in-platform messaging, and WhatsApp
Platform behavioural data (login times, session activity, dashboard interactions)
Device and connection data (browser, operating system, IP address, approximate location)

4.2 Agency principals and authorised representatives

When your agency registers on Doro, we collect about each principal and authorised representative:

Full name
Government-issued identity document
Position within the agency
Email and phone
Specimen signature where applicable

4.3 Beneficial owners of agencies

For compliance purposes, we collect about each beneficial owner holding 25% or more of an agency:

Full name
Date of birth
Nationality
Identity document reference
Sanctions, PEP, and adverse media screening outcomes (received from our identity verification provider)
Source of wealth narrative (where required)

4.4 Buyers

When you engage with a Doro payment link, we collect:

Email address (verified via one-time password)
Mobile number and WhatsApp number
Identity verification outcome (the pass-or-fail result of identity verification performed by our licensed PSP partner via Sumsub, described further in section 5 below)
Source wallet address (for cryptocurrency payments)
Source bank details (for fiat payments)
Source of funds documentation (for transactions above defined thresholds)
Self-declared profession, nationality, and country of residence
Stated purpose of purchase
Behavioural data (device, IP, session, form interactions)
Communications with Doro through email, in-platform messaging, and WhatsApp

4.5 Sellers

When you confirm receipt details for a Doro transaction, we collect:

Full name (matched against the registered owner of the property on the title deed)
Bank account details (IBAN, holder name, bank country)
Identity verification outcome where required
Title deed reference
Communications with Doro

4.6 Counterparties whose data appears in transaction documents

Property transaction documents we process, including sale and purchase agreements, title deeds, NOCs, and similar, contain personal data about parties to the transaction. We process this data on the basis described in section 6 below. We do not separately collect this data from those individuals; we receive it as part of the transaction documentation forwarded by the agent.

4.7 Website visitors

When you visit paywithdoro.com or any subdomain we operate, we collect:

IP address (anonymised after 24 hours)
Browser and device information
Pages viewed, time on page, referring URL
Anonymous analytics data via Vercel Analytics and PostHog
Authentication cookies if you log into the platform

We do not use third-party advertising trackers or marketing pixels.

5. How we receive identity verification data

For buyer identity verification, Doro uses an architecture in which our licensed Payment Service Provider (PSP) partner hosts the identity verification flow with Sumsub. The buyer completes verification through a Sumsub-hosted interface presented to them via Doro. The full identity record, including the document image, biometric data, and liveness check, is collected and held by Sumsub on behalf of the licensed PSP partner.

Doro receives only the verification outcome (pass, fail, or escalate), together with structured metadata necessary to operate the deal (for example, the buyer's verified name and nationality). Doro does not collect, store, or process biometric data and does not retain identity document images.

Where Doro performs additional checks beyond identity verification, such as cross-referencing a title deed against Dubai Land Department records, those checks are performed against public registry data and do not involve sensitive personal data.

6. Why we process personal data, lawful bases

For each category of processing, we rely on a specific lawful basis under DIFC DPL Article 8.

6.1 Performance of a contract (Article 8(1)(b))

We process the following on the basis that it is necessary to deliver the service we have contracted to provide:

Account creation, authentication, and access management
Transaction record creation and management
Communications related to your transactions (status updates, notifications, receipts)
Banking and payment instruction handling
Audit log of platform activity

6.2 Compliance with legal obligation (Article 8(1)(c))

We process the following because we are required to do so by applicable law, including UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and DIFC commercial record-keeping requirements:

Identity verification outcomes for buyers and counterparty identity records
Source of funds documentation
Sanctions, PEP, and adverse media screening outcomes
Transaction records retained for the periods required by UAE AML and commercial law
Suspicious activity reporting where applicable

6.3 Legitimate interests (Article 8(1)(f))

We process the following on the basis of our legitimate interests, having weighed those interests against your privacy rights:

Behavioural data and device fingerprinting for fraud prevention and platform security
Cross-deal pattern analysis to detect anomalies and protect platform integrity
Communication content for service improvement and dispute resolution
Aggregate, anonymised analytics for product improvement
Limited communications about service changes that materially affect your use of the platform

You have the right to object to processing on the basis of legitimate interests. Where you do so, we will assess your objection and either stop the processing or explain the compelling legitimate grounds that override your objection.

6.4 We do not rely on consent except where specifically noted

Doro does not rely on consent as the lawful basis for the processing categories above. Where consent is the appropriate basis, for example for any future marketing communications or for processing additional categories of data not described in this policy, we will request your consent specifically and you will have the right to withdraw it at any time.

We do not currently send marketing communications to any user. All communications from Doro are transactional and necessary for the operation of the service.

Doro shares personal data with a limited set of operational partners and only where necessary to deliver the service. We do not sell personal data, and we do not share it for marketing purposes.

7.1 Categories of recipients

Category	Examples	Purpose
Identity verification provider	Sumsub	Identity verification, sanctions screening, PEP screening, adverse media
Licensed Payment Service Providers	Our contracted PSP partners	Custody, currency conversion, fiat settlement, regulated compliance decisioning
Cloud infrastructure	AWS Middle East (Bahrain region), Google Cloud	Platform hosting and data storage
Communications infrastructure	Resend, WhatsApp Business API (Meta)	Transactional email and WhatsApp notifications
Analytics	Vercel Analytics, PostHog	Anonymised platform analytics and product improvement
Authentication	Google (via Google Sign-In)	Optional sign-in flow for users who choose Google authentication
Identity authentication	UAE PASS	Verified federated identity for UAE residents
Public registries	Dubai Land Department, RERA	Verification of title deeds, broker registrations, agency status
Legal and professional advisors	DIFC-based compliance and legal counsel	Specialist advice and independent review

A current sub-processor list with operating jurisdiction and contractual basis is maintained at paywithdoro.com/legal/subprocessors and updated as our partner stack evolves. We will notify users of material changes to our sub-processor stack through reasonable means before the change takes effect.

7.2 What each recipient receives

Each recipient receives only the personal data necessary for the specific function they perform on our behalf. We do not provide bulk access to our data to any third party.

7.3 PSP partners as independent controllers

Our licensed PSP partners are independent data controllers for the data they receive in connection with their regulated activities (custody, conversion, settlement, compliance decisioning). When you engage with a Doro payment link, your data flows both to Doro (as controller for our platform-level activities) and to the relevant licensed PSP (as controller for regulated payment activities). Each party is independently responsible for its handling of your data.

8. Where we process personal data and cross-border transfers

Doro's primary infrastructure is hosted in the Middle East region (specifically AWS Middle East in Bahrain, with Google Cloud Dubai as a complementary region). Most processing of platform data occurs within this region.

Some sub-processors operate outside the DIFC. The table below summarises the transfer arrangements:

Recipient	Jurisdiction	Transfer mechanism
Sumsub	UK and EU	Adequacy decision (DIFC Commissioner has confirmed adequacy for UK and EU member states) and a Data Processing Agreement
AWS Middle East	Bahrain	Transfer assessment under DIFC DPL 2025 amendment, supported by AWS Data Processing Addendum
Google Cloud (Dubai region)	UAE	Within UAE, no cross-border transfer outside the GCC
Resend	United States	Standard Contractual Clauses
WhatsApp Business API (Meta)	United States	Standard Contractual Clauses
PostHog	EU and US	Standard Contractual Clauses; data residency in the EU where configured
Vercel Analytics	United States	Standard Contractual Clauses
Google (sign-in services)	United States	Standard Contractual Clauses

For all transfers outside the DIFC, we maintain documented transfer assessments and contractual safeguards as required by DIFC DPL Articles 26 and 27.

9. How long we retain personal data

We retain personal data only for as long as we have a lawful basis to do so. The following retention periods apply:

Category	Retention period	Basis
KYC outcomes (pass/fail status)	5 years from last transaction with the data subject	UAE AML record-keeping standard
Transaction records	7 years from the deal closing date	UAE commercial record-keeping requirement
Source of funds documentation	5 years from the deal closing date	UAE AML record-keeping standard
Sanctions and screening outcomes	5 years from the screening event	UAE AML record-keeping standard
Property documents (SPA, title deed, Form F)	7 years from the deal closing date	Commercial and AML record-keeping
Banking and payment instruction data	7 years from the deal closing date	Commercial record-keeping
Account and authentication data (active)	Duration of account plus 5 years	Contract performance and AML alignment
Behavioural data (device, IP, session)	12 to 24 months	Legitimate interest in fraud prevention
Communications (email, WhatsApp, SMS)	2 years from the date of communication	Legitimate interest in service delivery and dispute resolution
Anonymised analytics	12 months	Legitimate interest
Audit log	7 years	Best practice and commercial record-keeping
Sanctions match register entries	5 years from the match event	UAE AML record-keeping
Suspicious Activity Report records	5 years from filing	UAE AML record-keeping

Where you exercise your right to erasure, we will delete data unless we are required to retain it under one of the categories above. In that case, we will explain which retention obligation applies and delete the data once the obligation expires.

10. Your rights

Under DIFC DPL, you have the following rights in relation to your personal data:

10.1 Right of access (Article 32)

You have the right to obtain confirmation of whether we are processing your personal data and, where we are, a copy of that data and the context in which we process it.

10.2 Right of rectification (Article 33)

You have the right to have inaccurate personal data corrected. Where the data has been disclosed to a recipient, we will inform that recipient of the correction unless doing so is impossible or disproportionate.

10.3 Right of erasure (Article 34)

You have the right to have your personal data deleted in defined circumstances, including where we no longer need the data, where you withdraw consent, or where you successfully object to processing. The right is subject to retention obligations described in section 9.

10.4 Right to restrict processing (Article 35)

You have the right to require us to limit our processing of your personal data in defined circumstances, for example while we verify the accuracy of contested data.

10.5 Right to data portability (Article 36)

For data we process on the basis of contract performance, you have the right to receive the data in a structured, commonly used, machine-readable format and to transmit it to another controller.

10.6 Right to object (Article 37)

You have the right to object to processing based on legitimate interests. We will assess any objection and either cease the processing or explain the compelling legitimate grounds that override your objection.

10.7 Right to lodge a complaint

You have the right to lodge a complaint with the DIFC Commissioner of Data Protection at any time. The Commissioner can be contacted at:

DIFC Commissioner of Data Protection
The Gate, Level 14
Dubai International Financial Centre
PO Box 506812, Dubai, UAE
commissioner@dp.difc.ae

We encourage you to contact us first so we can address your concern directly.

10.8 How to exercise your rights

To exercise any of the rights above, contact compliance@paywithdoro.com. We will:

Acknowledge your request within 5 business days
Verify your identity to ensure we are responding to the right person
Resolve the request within 30 days, or explain why a longer period is required (DIFC DPL allows up to 60 additional days for complex requests)
Provide our response in writing free of charge in normal circumstances

11. Security of personal data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:

Encryption in transit (TLS) and at rest
Restricted access controls based on role and necessity
Logging and monitoring of access to personal data
Regular review of security controls and access permissions
Backup and disaster recovery procedures
Sub-processor security obligations under written agreements
Staff training on data protection and security

11.1 Personal data breaches

If a personal data breach occurs that is likely to result in risk to your rights and freedoms, we will:

Notify the DIFC Commissioner of Data Protection within 72 hours of becoming aware of the breach
Notify affected individuals without undue delay where the breach is likely to result in high risk
Maintain a record of the breach, our assessment, and remedial actions taken

12. Cookies and similar technologies

When you visit our website, we use a small number of cookies and similar technologies. These fall into the following categories:

12.1 Strictly necessary

Authentication cookies and session cookies that are required for the platform to function. These cannot be disabled without breaking the service.

12.2 Analytics

We use Vercel Analytics and PostHog for anonymised product analytics. These tools are configured for privacy: they do not collect personally identifiable information for analytics purposes and they respect Do Not Track signals where the underlying tooling supports it.

12.3 No advertising or tracking

We do not use third-party advertising cookies, social media tracking pixels, or marketing trackers.

You can configure your browser to reject cookies. Doing so may affect your ability to use authenticated features of the platform.

13. Automated decision-making

Doro uses automated systems to support our compliance and platform integrity controls, including document classification, cross-referencing against public registries, and pattern detection for fraud prevention. Where automated processing produces a decision that significantly affects you (for example, a decision to decline a transaction), the decision is reviewed by a human before final action is taken.

You have the right to obtain human review of any automated decision that significantly affects you. To request review, contact compliance@paywithdoro.com.

14. WhatsApp interface

Doro provides a WhatsApp interface as part of the service. Through WhatsApp, agents can forward documents, voice notes, photographs, and conversational content to Doro for filing, classification, and verification. Buyers and sellers may also receive transactional notifications through WhatsApp.

When you use Doro's WhatsApp interface:

Your messages and forwarded content are processed by Doro for the purposes described in section 6
Voice notes are transcribed for the purposes of filing and verification
Forwarded documents are classified, extracted, and cross-referenced as part of platform processing
Forwarded content may contain personal data about third parties (for example, a buyer's identity document forwarded by an agent). Agents are contractually obliged to forward only content that relates to legitimate Doro transactions.
WhatsApp itself processes your messagesas a platform, Meta's privacy policy applies to that processing
All content forwarded to Doro becomes part of the deal audit trail and is retained per the periods in section 9

If you do not wish to use the WhatsApp interface, the same workflows are available through the web platform.

15. Changes to this policy

We may update this policy from time to time to reflect changes in our processing, applicable law, or partner stack. We will:

Post the updated policy at this URL with a revised effective date
Notify users of material changes through reasonable means at least 30 days before the change takes effect
Obtain consent where the change requires consent under DIFC DPL

The effective date at the top of this policy reflects the most recent version. Earlier versions are available on request.

For details of how this policy interacts with our other terms, see our Terms of Service and our compliance overview.

16. Governing law and dispute resolution

This policy is governed by DIFC law. Any dispute arising from or in connection with this policy is subject to the exclusive jurisdiction of the DIFC Courts.

This does not affect your right to lodge a complaint with the DIFC Commissioner of Data Protection or any other competent supervisory authority.

Document control

Item	Detail
Document title	Privacy Policy
Version	1.0
Effective date	1 April 2026
Owner	Mohamed Kheir, Data Protection Contact
Review cycle	Annual at minimum, and within 30 days of any material change
Next scheduled review	April 2027

Doro Technologies Ltd
Innovation One, Level 1, Zaa'beel Second
Dubai International Financial Centre, Dubai, UAE
DIFC Registration No. CL12687 · DIFC DP Registration No. SR-708142
compliance@paywithdoro.com