Privacy policy — in plain English.
What we collect, why we collect it, who we share it with, and how long we keep it. Written to comply with the UAE Personal Data Protection Law (Federal Decree-Law 45/2021) and read without a lawyer.
1. Who we are
BlueWhale Fincore is the e-invoicing platform operated by BlueWhale Consulting & Technologies (India), the offshore engineering parent, in conjunction with its UAE leg — an Ajman Free Zone entity currently in incorporation. The Ajman Free Zone company will be the UAE-resident data controller for customer data once incorporation is complete; until then, the parent company acts as controller under the same standards.
When we say we or BlueWhale Fincore in this policy, we mean both entities acting together for the purpose of running the service. When we say you, we mean the business that signs up, plus the individual employees of that business who use the platform.
For privacy questions, the single contact point is privacy@bluewhalefincore.com.
2. What we collect
Four buckets. Nothing else.
Account data
Company name, TRN, trade licence number, billing address, the email and mobile number of each user, their role, and (if you choose UAE Pass sign-in) the Emirates ID identifier returned by UAE Pass — not a copy of the ID itself.
Invoice data
The invoices you issue and receive: header, line items, tax breakdown, parties, references, attachments. If you upload a paper bill, the photo and the extracted PINT AE fields. This is the regulated payload, kept for the statutory window.
Usage data
Logs of which features were used, when, from which IP and device. No third-party advertising trackers. No cross-site fingerprinting. Anonymised aggregate metrics only, kept for 90 days.
Payment data
Handled end-to-end by Stripe. We never see or store card numbers, CVCs, or full bank details — only a Stripe customer reference and the masked last-four for receipts.
3. Why we collect it
Each bucket has a single, narrow purpose. We do not repurpose data for marketing, model training on customer content, or resale.
- Account data — to provision your tenant, authenticate users, send service notifications, and bill you. Legal bases: contract performance and your consent at sign-up.
- Invoice data — to generate PINT AE documents, sign them with XAdES-BES, dispatch via Peppol DCTCE, and report to FTA C5. Legal bases: legal obligation (UAE VAT law, Cabinet Decision 106/2025) and contract performance.
- Usage data — to keep the service running, debug incidents, detect abuse, and improve uptime. Legal basis: legitimate interest.
- Payment data — to take subscription fees and issue you a VAT-compliant receipt. Legal basis: contract performance.
5. How long we keep it
Retention is set by the law that governs each bucket. We don’t keep data longer than we have a reason for.
| Invoice data | 5 years · UAE VAT statute |
| Account data | Customer-term + 3 years |
| Application & usage logs | 90 days rolling window |
| Backups | 35 days, encrypted at rest |
After the retention period ends, data is deleted or irreversibly anonymised. If a statutory hold (a tax audit, a court order) applies, the affected records are kept until the hold lifts and then deleted on the next cycle.
6. Your rights
Under the UAE Personal Data Protection Law (Federal Decree-Law 45/2021), and the principles we apply globally, you have the following rights over personal data we hold about you:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data. Most of this can be done directly inside the app.
- Erasure — ask us to delete data we no longer need. Note that we cannot delete invoice data while the 5-year UAE VAT retention period is still running.
- Restriction — ask us to pause processing for a specific purpose.
- Portability — ask for your data in a machine-readable format (we ship a one-click export of all invoice data as UBL XML).
- Objection — object to processing that’s based on legitimate interest (e.g. usage analytics).
- Withdraw consent — whenever consent is the legal basis, you can withdraw it without losing access to features that rely on contract performance.
Send any of these requests to privacy@bluewhalefincore.com from the email address on file. We respond within 30 days, and faster in practice.
7. Children
BlueWhale Fincore is a B2B service. Tenants are businesses; users are employees of those businesses. The service is not directed at or intended for anyone under 18. We don’t knowingly create accounts for minors. If you believe a minor has signed up, email privacy@bluewhalefincore.com and we’ll delete the account.
8. Cross-border data transfers
The data plane — invoices, account records, backups, every byte of customer payload — lives in UAE-resident infrastructure. It is not copied to India, Europe, or anywhere else as part of normal operation.
The control plane for engineering and on-call support is operated by BlueWhale Consulting & Technologies (India). Engineers there work on the code that runs the service, not on customer data. When a production incident requires access to UAE-resident data, that access is logged, time-bound, audited, and limited to the minimum needed to resolve the incident — same standard the FTA ASP accreditation framework requires.
Where sub-processors process data outside the UAE (Stripe, SendGrid, Anthropic), the transfer is governed by their respective standard contractual clauses and our data processing agreement, and is limited to the narrow data described in section 4.
9. Changes to this policy
If we change this policy in a material way — new sub-processor, broader data use, shorter or longer retention — we’ll give you at least 30 days notice by email to the account admin and by an in-app banner. Non-material edits (typos, link fixes, clarifications) are made silently and reflected in the “Last updated” date at the top.
Past versions are kept in an internal archive and available on request.
10. Contact
One inbox, monitored by humans on UAE business days:
Postal address — Ajman Free Zone (UAE entity, incorporation in progress). Once the address is registered, it will appear here in place of this note.
Privacy you can read. Compliance you can trust.
Start a 30-day trial and see exactly what data we collect — the export button is on day one, not day ninety.