Privacy · سياسة الخصوصية

Privacy policy — in plain English.

What we collect, why we collect it, who we share it with, and how long we keep it. Written to comply with the UAE Personal Data Protection Law (Federal Decree-Law 45/2021) and read without a lawyer.

Last updated 2026-06-06 Active version privacy@bluewhalefincore.com

1. Who we are

BlueWhale Fincore is the e-invoicing platform operated by BlueWhale Consulting & Technologies (India), the offshore engineering parent, in conjunction with its UAE leg — an Ajman Free Zone entity currently in incorporation. The Ajman Free Zone company will be the UAE-resident data controller for customer data once incorporation is complete; until then, the parent company acts as controller under the same standards.

When we say we or BlueWhale Fincore in this policy, we mean both entities acting together for the purpose of running the service. When we say you, we mean the business that signs up, plus the individual employees of that business who use the platform.

For privacy questions, the single contact point is privacy@bluewhalefincore.com.

2. What we collect

Four buckets. Nothing else.

Account data

Company name, TRN, trade licence number, billing address, the email and mobile number of each user, their role, and (if you choose UAE Pass sign-in) the Emirates ID identifier returned by UAE Pass — not a copy of the ID itself.

Invoice data

The invoices you issue and receive: header, line items, tax breakdown, parties, references, attachments. If you upload a paper bill, the photo and the extracted PINT AE fields. This is the regulated payload, kept for the statutory window.

Usage data

Logs of which features were used, when, from which IP and device. No third-party advertising trackers. No cross-site fingerprinting. Anonymised aggregate metrics only, kept for 90 days.

Payment data

Handled end-to-end by Stripe. We never see or store card numbers, CVCs, or full bank details — only a Stripe customer reference and the masked last-four for receipts.

3. Why we collect it

Each bucket has a single, narrow purpose. We do not repurpose data for marketing, model training on customer content, or resale.

  • Account data — to provision your tenant, authenticate users, send service notifications, and bill you. Legal bases: contract performance and your consent at sign-up.
  • Invoice data — to generate PINT AE documents, sign them with XAdES-BES, dispatch via Peppol DCTCE, and report to FTA C5. Legal bases: legal obligation (UAE VAT law, Cabinet Decision 106/2025) and contract performance.
  • Usage data — to keep the service running, debug incidents, detect abuse, and improve uptime. Legal basis: legitimate interest.
  • Payment data — to take subscription fees and issue you a VAT-compliant receipt. Legal basis: contract performance.

4. Who we share it with

A short, named list of sub-processors. We don’t add to it quietly; material changes get 30 days notice (see section 9).

RecipientPurposeData shared
StripeSubscription billing & receiptsBilling email, company name, masked card token
SendGridTransactional email deliveryUser email, message body for notifications
Peppol Access Point5-corner DCTCE dispatch & receiptPINT AE invoice payload as required by Peppol
FTA C5 (UAE Federal Tax Authority)Statutory reporting under Cabinet Decision 106/2025Signed invoice + tax summary, as the law requires
AnthropicBilingual Compliance Coach & AI scanner model callsSpecific document or message you submit for AI assistance; not used to train their models (zero-retention API tier)

We do not sell data. We do not share data with advertisers. We do not run third-party ad pixels on app.bluewhalefincore.com.

5. How long we keep it

Retention is set by the law that governs each bucket. We don’t keep data longer than we have a reason for.

Invoice data5 years · UAE VAT statute
Account dataCustomer-term + 3 years
Application & usage logs90 days rolling window
Backups35 days, encrypted at rest

After the retention period ends, data is deleted or irreversibly anonymised. If a statutory hold (a tax audit, a court order) applies, the affected records are kept until the hold lifts and then deleted on the next cycle.

6. Your rights

Under the UAE Personal Data Protection Law (Federal Decree-Law 45/2021), and the principles we apply globally, you have the following rights over personal data we hold about you:

  • Access — ask for a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data. Most of this can be done directly inside the app.
  • Erasure — ask us to delete data we no longer need. Note that we cannot delete invoice data while the 5-year UAE VAT retention period is still running.
  • Restriction — ask us to pause processing for a specific purpose.
  • Portability — ask for your data in a machine-readable format (we ship a one-click export of all invoice data as UBL XML).
  • Objection — object to processing that’s based on legitimate interest (e.g. usage analytics).
  • Withdraw consent — whenever consent is the legal basis, you can withdraw it without losing access to features that rely on contract performance.

Send any of these requests to privacy@bluewhalefincore.com from the email address on file. We respond within 30 days, and faster in practice.

7. Children

BlueWhale Fincore is a B2B service. Tenants are businesses; users are employees of those businesses. The service is not directed at or intended for anyone under 18. We don’t knowingly create accounts for minors. If you believe a minor has signed up, email privacy@bluewhalefincore.com and we’ll delete the account.

8. Cross-border data transfers

The data plane — invoices, account records, backups, every byte of customer payload — lives in UAE-resident infrastructure. It is not copied to India, Europe, or anywhere else as part of normal operation.

The control plane for engineering and on-call support is operated by BlueWhale Consulting & Technologies (India). Engineers there work on the code that runs the service, not on customer data. When a production incident requires access to UAE-resident data, that access is logged, time-bound, audited, and limited to the minimum needed to resolve the incident — same standard the FTA ASP accreditation framework requires.

Where sub-processors process data outside the UAE (Stripe, SendGrid, Anthropic), the transfer is governed by their respective standard contractual clauses and our data processing agreement, and is limited to the narrow data described in section 4.

9. Changes to this policy

If we change this policy in a material way — new sub-processor, broader data use, shorter or longer retention — we’ll give you at least 30 days notice by email to the account admin and by an in-app banner. Non-material edits (typos, link fixes, clarifications) are made silently and reflected in the “Last updated” date at the top.

Past versions are kept in an internal archive and available on request.

10. Contact

One inbox, monitored by humans on UAE business days:

Postal address — Ajman Free Zone (UAE entity, incorporation in progress). Once the address is registered, it will appear here in place of this note.

Ready when you are

Privacy you can read. Compliance you can trust.

Start a 30-day trial and see exactly what data we collect — the export button is on day one, not day ninety.