Privacy Notice

This Privacy Notice applies to TheValua AI (PTY) Limited ("TheValua", "we", "us"), with its head office at DIFC Innovation One, Mezzanine 1 & 2, Dubai, United Arab Emirates. It explains how we handle personal information when we provide our valuation workflow software ("Service") to professional valuation firms ("Customer Firms") and when individuals interact with our public website.

The Service operates across three regions, governed by their respective data-protection regimes:

• Gulf Cooperation Council (GCC) — the United Arab Emirates (federal jurisdiction and DIFC), the Kingdom of Saudi Arabia, Bahrain, Kuwait, Oman and Qatar.
• Southern Africa — the Republic of South Africa (POPIA), Botswana, Namibia, Zambia, Zimbabwe and Mauritius.
• East and West Africa (English-speaking) — Nigeria (NDPA), Kenya (DPA 2019), Ghana (Data Protection Act 2012) and Tanzania.

When we act for a Customer Firm we are typically a processor(or "operator" under POPIA) of the personal information held in their valuation files. The Customer Firm is the controller(or "responsible party"). For our own commercial and marketing activities — such as enquiries via the public site — we are the controller.

We collect the categories of information set out below.

From individuals at Customer Firms

• Identity and contact data — full name, professional email, phone, role, firm and office.
• Account data — credentials, multi-factor authentication factors, session metadata and audit-trail entries.
• Usage data — pages visited, actions taken in the workspace, IP address, device and browser fingerprint (purely technical), and timestamps.

Inside Customer Firm valuation files

• Property information — address, title-deed extracts, photographs, market evidence and valuer commentary.
• Counterparty information — names of property owners, tenants, landlords, lenders, agents, brokers and other parties relevant to a valuation instruction.
• Engagement information — fee notes, payment status and signed terms of engagement.

From visitors to our public site

• Information you submit through contact forms or by emailing us.
• Strictly necessary cookies and basic analytics (page views, referrer) using privacy-preserving tooling that does not profile you across sites.

We do not knowingly collect special categories of personal data such as health, religious or biometric data. If a valuation instruction would require such data (for example, a specialised property valuation that relies on health-care use evidence), we agree the additional safeguards with the Customer Firm before processing.

We use the information described above to:

• provide, configure and improve the Service;
• authenticate users and protect their accounts;
• maintain audit logs that support professional accountability for valuation work (a regulatory requirement under the various RICS, RVA, SACPVP and TEGoVA-aligned standards Customer Firms operate under);
• communicate about service availability, changes and security matters;
• respond to enquiries received through the public website;
• protect TheValua, our Customer Firms and end users against fraud, misuse and security incidents; and
• comply with legal, regulatory and tax obligations.

The lawful bases we rely on differ by jurisdiction. In the GCC PDPL regimes, the dominant bases are performance of a contract, legitimate interests and, where applicable, consent. Under POPIA in South Africa, we rely on the corresponding contract, legitimate interests of the responsible party or a third party, compliance with an obligation imposed by law and consent.

We share personal information only as needed to operate the Service and only with parties who are bound by contractual confidentiality and security obligations:

• Sub-processors — cloud infrastructure (regional hosting), authentication, email delivery and error monitoring. A current list is maintained in our trust centre and is provided to Customer Firms on request.
• Customer Firm users — within the firm's tenant, information is visible to authorised users in line with the firm's access-control configuration.
• Professional advisers — auditors, lawyers and insurers under confidentiality.
• Authorities — when required by a binding legal request, and only to the extent legally compelled.

We do not sell personal information and we do not share it for third-party advertising purposes.

Personal information may be processed in jurisdictions other than the one in which it was collected. Where this is the case, we transfer information only when one of the following safeguards is in place:

• The destination jurisdiction is recognised by the originating authority as providing an adequate level of protection (for example, a destination assessed as adequate by the UAE Data Office, the SDAIA in Saudi Arabia, or the Information Regulator under POPIA).
• The transfer is governed by contractual safeguards equivalent to the standard contractual clauses adopted in the originating jurisdiction.
• The data subject has given informed and specific consent.
• The transfer is necessary for the conclusion or performance of a contract that is in the data subject's interest.

Customer Firms can request the data residency configuration that applies to their tenant. By default, GCC tenants are hosted in a GCC region and South African tenants are hosted in a region that meets the POPIA conditions for lawful transfer.

We retain personal information for as long as it is needed to provide the Service and for the periods required by law or by the professional obligations of Customer Firms (typically the working life of the valuation file plus the limitation period applicable in the relevant jurisdiction). Audit-trail entries that evidence professional sign-off may be kept for the longer of (a) the period required by the Customer Firm's regulator and (b) seven years from the date of report issuance.

When a Customer Firm terminates its subscription, we make a structured export available for a defined period, after which personal information is deleted or returned in accordance with the signed master services agreement.

We apply administrative, technical and physical safeguards appropriate to the sensitivity of the information we process. These include encryption in transit and at rest, role-based access control, tenant isolation, audit logging, vulnerability management, secure software development practices and least-privilege access for TheValua personnel.

Despite these measures, no system can be made absolutely secure. If we become aware of a personal-data breach we will notify affected Customer Firms and the relevant supervisory authority within the timelines mandated by the applicable law (for example, 72 hours where required by the regulator; "as soon as reasonably possible" under POPIA section 22).

Subject to the conditions and exceptions of the law that applies to you, you have the right to:

• access the personal information we hold about you;
• request correction of inaccurate or incomplete information;
• request deletion or restriction of processing in defined circumstances;
• object to processing based on legitimate interests;
• request portability of information you have provided to us; and
• withdraw consent where processing is based on consent.

If you are an end user inside a Customer Firm's valuation file, the Customer Firm is the controller of that file and is the primary contact for exercising your rights. We will support the Customer Firm to respond.

You may also lodge a complaint with the supervisory authority in your jurisdiction:

• UAE — UAE Data Office; or, for DIFC-onshored matters, the DIFC Commissioner of Data Protection.
• Saudi Arabia — Saudi Data & AI Authority (SDAIA).
• Other GCC member states — the data-protection regulator established under the relevant national framework.
• South Africa — Information Regulator (South Africa).

The Service is intended for professional users in valuation firms. We do not knowingly process personal information of children. If you believe we hold personal information of a child, please contact us so we can investigate and delete it.

We may update this notice from time to time to reflect changes in the law or in our practices. The "last updated" date at the top of the page indicates when the latest revision took effect. Material changes will be highlighted to Customer Firms through the in-app notice channel.

For privacy enquiries, including to exercise any of your rights, contact our data protection function:

TheValua AI (PTY) Limited
DIFC Innovation One, Mezzanine 1 & 2,
Dubai, United Arab Emirates.
Email: privacy@thevalua.ai