1/28/26

Privacy Policy

1. Introduction

Xentra Mind Tech (“Company,” “we,” “our,” or “us”) is committed to protecting personal data, maintaining transparency, and ensuring responsible data handling practices across all of our digital services and operations.

This Privacy Policy explains how we collect, use, process, store, transfer, and safeguard personal data when individuals interact with our website, applications, platforms, AI systems, and related services.

We process personal data in accordance with:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR)

  • Applicable United Arab Emirates data protection laws, including the UAE Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL), where applicable

  • The Protection of Personal Information Act, 2013 (POPIA) of South Africa 

  • Other relevant international data protection and privacy regulations

This Privacy Policy applies to:

  • Visitors to our website

  • Prospective clients and business partners

  • Existing clients and enterprise customers

  • End users interacting with systems, platforms, mobile applications, or AI solutions developed or managed by us

  • Individuals who communicate with us via email, forms, or other digital channels

We are committed to processing personal data lawfully, fairly, and transparently, while implementing appropriate technical and organizational safeguards. By accessing our website, engaging with our services, or entering into a contractual relationship with us, you acknowledge and accept the practices described in this Privacy Policy.

2. Definitions


Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”).

Processing: Any operation performed on personal data, whether automated or not.

Controller: The entity that determines the purposes and means of processing.

Processor: Entity processing data on behalf of the Controller.

Data Subject: The individual whose personal data is processed.

Sub‑Processor: Third party engaged by the Processor.

AI System: ML, LLM, generative AI, or automated decision‑support system deployed by Xentra Mind Tech.

These definitions are aligned with GDPR terminology and applicable data protection standards.

3. Categories of Personal Data We Collect

We collect and process only the personal data necessary for clearly defined and legitimate business purposes.

3.1 Identity & Contact Information


  • Full name

  • Business email address

  • Phone number

  • Company name

  • Job title or professional role

  • Country or region of operation

This information is used for communication, service delivery, and contractual management.

3.2 Technical & Usage Information


  • IP address

  • Browser type and version

  • Device type and device identifiers

  • Operating system

  • Referring URLs

  • Website interaction logs

  • Session activity data

  • Cookies and tracking identifiers

  • Performance and error diagnostics

This information helps us improve website performance, detect security incidents, analyze traffic patterns, and enhance user experience. Where legally required, consent is obtained for non-essential cookies.

3.3 Business & Project Data


  • Project documentation and specifications

  • System architecture designs

  • API credentials (when required for integrations)

  • Infrastructure configuration details

  • Application logs and system performance data

  • Internal workflow documentation

This data is processed strictly within service agreements and is protected through confidentiality and security controls.

3.4 AI-Related Data (When Applicable)


  • Text inputs provided to AI systems

  • Structured datasets used for model training or fine-tuning

  • Business knowledge bases integrated into AI platforms

  • Metadata generated by AI systems

  • Model output logs for monitoring and optimization

We process AI-related data under strict governance principles: data minimization, purpose limitation, confidentiality, and isolation between client environments.

Sensitive personal data (health, biometric, financial, or special category data under GDPR Article 9) is processed only where explicitly authorized in writing, legally permissible, under enhanced security safeguards, and with clearly defined contractual protections.

✓ We do not use client data to train public or shared AI models without explicit written consent.

4. Lawful Basis for Processing Personal Data

4.1 Contractual Necessity

We process personal data when it is necessary to enter into, perform, or manage a contract with you or your organization. This includes software development, AI, cloud services, project communications, technical support, system integrations, invoicing, and onboarding. Without this data, we cannot fulfill contractual obligations.

4.2 Legitimate Interest

We may process personal data where necessary for our legitimate business interests, provided such interests are not overridden by your rights. This includes improving services, system security, fraud prevention, analytics, client relationship management, and developing new offerings. We conduct internal assessments to ensure proportionality and transparency.

4.3 Consent

We rely on consent where you have provided clear and affirmative permission. This includes marketing communications, newsletters, surveys, optional cookie tracking, and AI-related processing requiring explicit approval. You may withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.

4.4 Legal Obligation

We process personal data where required to comply with applicable laws, regulations, or legal processes. This includes financial reporting, taxation, corporate governance, regulatory compliance, law enforcement requests, and mandated data retention. Only the minimum data is processed, and it is retained for the legally required period.

5. Purpose of Data Processing

  • Service Delivery and Contract Management: design, develop, deploy, and maintain software, AI systems, mobile applications, and cloud platforms under contractual agreements.

  • Communication and Support: respond to inquiries, provide customer support, share service-related updates, and manage ongoing communication.

  • Security and Infrastructure Protection: monitor systems, prevent unauthorized access, detect suspicious activity, and ensure integrity and confidentiality.

  • Business Operations and Improvement: analyze service performance, perform internal quality assurance, improve operational efficiency, and develop new products.

  • Legal and Regulatory Compliance: comply with applicable laws, taxation, financial regulations, industry standards, and lawful requests.

We do not process personal data for purposes incompatible with the original purpose unless legally permitted or consent is obtained.

6. Data Retention Policy

We retain personal data only as long as necessary to fulfill the purpose for which it was collected, including contractual, legal, accounting, and reporting requirements.

  • Contractual and client data: retained for the duration of the agreement plus a reasonable post-term period for legal and audit purposes.

  • Financial records: retained as required by tax and financial regulations.

  • Website analytics data: retained according to internal data minimization policies.

  • AI-related processing data: retained only as long as required to deliver agreed services or as defined in client contracts.

At the end of the retention period, data is securely deleted, anonymized, or returned per contractual obligations. Secure deletion methods prevent data reconstruction.

7. Data Subject Rights

  • Right of Access: confirmation of processing and copy of data.

  • Right to Rectification: correction of inaccurate/incomplete data.

  • Right to Erasure: deletion where no lawful basis for continued processing.

  • Right to Restrict Processing: under certain conditions, e.g., accuracy contested.

  • Right to Data Portability: transfer in structured, machine-readable format.

  • Right to Object: processing based on legitimate interests or direct marketing.

  • Right to Withdraw Consent: at any time, without affecting prior processing.

We respond within legally mandated timelines and may require identity verification.

8. International Data Transfers

Where personal data is transferred outside the EEA or country of origin, we implement appropriate safeguards including Standard Contractual Clauses (SCCs), contractual commitments, encryption in transit/at rest, and hosting within adequate jurisdictions. All cross-border transfers are assessed for compliance.

9. Security Measures


Technical Safeguards: End-to-end encryption, HTTPS, firewalls, intrusion detection, vulnerability scanning, multi-factor authentication.

Organizational Safeguards: Role-based access controls, confidentiality agreements, security awareness training, access logging and monitoring.

Infrastructure Controls: Cloud hosting with industry-compliant providers, data segmentation and isolation, backup and disaster recovery planning.

Security practices are reviewed periodically to ensure ongoing protection.

10. AI Data Usage & Model Processing

As an AI-first engineering company, we apply additional governance measures for AI services.

  • AI Data Processing Principles: data minimization, purpose limitation, confidentiality, transparency, strict contractual boundaries.

  • AI Model Training & Fine-Tuning: client data processed only with documented authorization, isolated within dedicated environments, not shared across clients, and never used to train public or general-purpose AI models without explicit written consent.

  • AI API Integrations: encrypted data transmission, provider compliance assessment, reviewed retention policies, processing limited to operational necessity.

  • Enterprise Isolation: dedicated infrastructure may be provisioned, logical data segregation, role-based permissions.

11. Sub-Processors

We may engage carefully selected sub-processors, including cloud hosting providers, infrastructure monitoring services, communication platforms, and DevOps or deployment services. All sub-processors are contractually bound by data protection obligations equivalent to this policy. We remain responsible for compliance.

12. Data Breach Notification

In the event of a personal data breach, we investigate and assess the impact promptly, contain and mitigate risks, notify affected clients without undue delay, and provide relevant details to support regulatory reporting. Where required under GDPR, supervisory authorities are notified within 72 hours of awareness.

13. Data Return & Deletion

13.1 Data Return

Where contractually agreed, we return personal data in a structured, commonly used, machine-readable format (JSON, CSV, SQL exports, etc.). Returned data may include user account data, application databases, AI model configuration data, logs or operational records, and stored documents or file repositories. Secure encrypted transmission is coordinated with the Client.

13.2 Secure Deletion

If data return is not requested, or once it is completed, we securely delete personal data unless retention is required by law. Secure deletion includes permanent removal from active systems, removal from backups within defined retention cycles, deletion from staging/testing environments, and secure wiping methods consistent with industry standards. Deleted data cannot be reconstructed.

13.3 Legal Retention Exceptions

Limited data may be retained where required by tax regulations, financial reporting obligations, regulatory compliance, ongoing legal disputes, or law enforcement/court orders. Retained data is isolated from operational systems, access-restricted, and kept only for the legally mandated period. After expiration, data is securely deleted.

Contact Information

Xentra Mind Tech

Email: hello@xentramindtech.com
Registered Address: Al Saqr Business Tower, 91 Sheikh Zayed Rd - Trade Center Second - DIFC - Dubai, United Arab Emirates
Phone: 042409697

For data protection-related inquiries, requests, or complaints, please clearly state the nature of your request. We respond promptly, transparently, and in accordance with legal obligations.
