Lemsa Privacy Policy

Effective: [insert launch date] · Last updated: [insert date]

This is a lawyer-reviewable first draft. Before publishing, pass it to a UAE lawyer who specialises in data protection / healthcare and ensure it is consistent with: Federal Decree-Law No. 45 of 2021 (UAE Personal Data Protection Law — PDPL); DHA, DOH, and MOH patient-privacy guidance; and — if you plan to serve EU tourists — the GDPR.


1. Who we are

Lemsa is a mobile marketplace operated by Lemsa FZ-LLC, a United Arab Emirates free-zone company (the "Company", "we", "our", or "us"). Our registered address is [insert address]. You can reach us at privacy@lemsa.ae at any time.

Lemsa connects patients with independent, licensed clinics in the UAE so they can discover, book, and pay for exclusive treatment packages. We are a marketplace, not a medical provider. Your treatment is delivered by the clinic you choose, and the clinic is the data controller for any clinical record it creates about you. Lemsa is the data controller for the information we collect through the app itself.

2. What personal data we collect

We collect only the data we need to operate the marketplace. This falls into five buckets:

Account data. Your name, email address, phone number in E.164 format, date of birth (optional), gender (optional), treatment interests (optional), profile photo (optional). If you sign in with Apple, Google, Instagram, or TikTok, we also receive the identifier, email, and display name those providers share.

Booking data. The clinics you browsed, packages you bookmarked, bookings you made, dates and times you attended, the amount you paid, reviews you left, and any pre-booking notes you provided to the clinic (for example, allergies you listed).

Payment data. Card brand and last four digits only. Full card numbers and CVVs are handled by our payment gateway partner (Telr) and never touch Lemsa's servers. We receive a tokenised reference to process refunds and Pro subscriptions.

Technical and usage data. Device model, operating system and version, app version, preferred language, approximate location (city-level) if you grant the permission, a device identifier used to send push notifications, crash logs and performance traces.

Creator data. If you connect an Instagram or TikTok account to access the Deals tab, we receive your handle, follower count, and public profile metadata. We do not read your private messages or posts.

3. How we use your data

We process your data for the following purposes:

Delivering the marketplace. Showing clinic listings near you, letting you book an appointment, sending a confirmation and reminders to you and the clinic, processing your payment, issuing refunds, managing disputes.

Account security. Verifying your phone number via one-time codes, detecting fraudulent bookings, preventing account takeover.

Product improvement. Aggregated and de-identified analytics to understand which screens are slow, which flows are confusing, and which features are underused. We never try to re-identify individuals from this data.

Marketing — only with your consent. If you opt in through the app settings, we send you occasional emails or push notifications about new packages and promotions. You can opt out at any time.

Creator deals. If you connect a social account, we use your handle and follower count to gate eligibility for the Deals tab and to share your basic profile with clinics you apply to.

Legal. Preserving transaction records for the periods required by UAE tax and consumer-protection law, and responding to lawful requests from UAE authorities.

4. Legal bases

Under the UAE PDPL, we rely on the following legal bases:

Performance of a contract, to process your account and booking data; consent, for optional data (location, marketing, social connections); legitimate interests, for fraud prevention, security, and aggregate product analytics; and legal obligation, for record-keeping required by tax, consumer, and health-sector law.

Where we rely on consent, you can withdraw it at any time in the app under Profile → Privacy & security. Withdrawal does not affect the lawfulness of processing before withdrawal.

5. Who we share data with

We share only what each recipient needs, and only under written contracts that bind them to our privacy standards.

Clinics you book with. Your name, phone, booking code, appointment time, and any pre-booking notes you provided. They never see your payment details or other clinics' bookings.

Payment partners. Telr (and its card-network acquirers) to process your payments. They process card data as a joint controller under PCI-DSS Level 1 standards.

Infrastructure partners. AWS (Bahrain region) for hosting, OneSignal for push notifications, Unifonic for SMS, Sentry for crash reporting, PostHog for product analytics. These process data under instructions from us.

Law enforcement and regulators. Only in response to a valid legal request, and only the minimum data required to comply.

We do not sell your data. We do not share your data with advertisers.

6. Where your data lives

We primarily store your data in the United Arab Emirates (AWS me-central-1) and/or the Kingdom of Bahrain (AWS me-south-1). Some partners may process data in the European Union under Standard Contractual Clauses. If we ever transfer your data outside the UAE, we will do so only under an adequacy finding or equivalent safeguards as required by the PDPL.

7. How long we keep it

Account data, while your account is open. Booking and payment records, for seven years after the transaction as required by UAE VAT and commercial law. Reviews, indefinitely (with your name replaced by your initials after two years). Crash logs, 90 days. Push notification device identifiers, while your account is active plus 30 days.

When you delete your account, we anonymise data we are required to keep and delete the rest within 30 days.

8. Your rights

Under the UAE PDPL you have the right to be informed about our processing; to access the personal data we hold about you; to correct inaccurate data; to delete your data (subject to legal retention obligations); to restrict or object to processing; to data portability in a machine-readable format; and to withdraw consent. You also have the right to complain to the UAE Data Office.

To exercise any of these rights, email privacy@lemsa.ae or use the in-app Profile → Privacy & security → Download my data / Delete my account controls. We respond within 30 days.

9. Security

We maintain ISO 27001-aligned controls. Specifically: TLS 1.3 in transit, AES-256 at rest, hardware-backed secure enclave on the mobile device, Face ID / Touch ID on supported devices, least-privilege database roles, audit logging of every admin action, and quarterly third-party penetration tests. We will notify you within 72 hours of any data breach that is likely to affect your rights or freedoms.

10. Children

Lemsa is not intended for anyone under 18. We do not knowingly collect data from minors. If we learn that we hold data about a minor, we will delete it.

11. Changes

We will notify you in app and by email at least 30 days before any material change to this policy takes effect.

12. Contact

Data Protection Officer, Lemsa FZ-LLC — privacy@lemsa.ae — [insert address].