Privacy Policy.

1. Who we are

This policy is issued by Namaa Al Mostaqbal Information Technology ("Reach More," "we," or the "Company") in its capacity as the operator of the platform and the provider of the services described below.

Company details:

• Name: Namaa Al Mostaqbal Information Technology
• Commercial License Number: 1369140
• Commercial Register Number: 2328416
• Dubai Chamber of Commerce Membership Number: 539683
• Tax Registration Number: 104431019900003
• Unified email for support and privacy: support@reachmore.ai

2. Scope of the policy

2.1 This policy applies to:

• Reach More customers (the "Customer" / the "Company") and their authorized users who use the platform.
• End users (the Customer's customers) whose data may be processed when they interact with the Customer through connected channels, to the extent necessary to provide the service.

3. Definitions

• Personal Data: any information that identifies a natural person or makes them identifiable.
• Sensitive / Financial Data: data that the law requires to be treated with a higher level of protection, such as financial data and payment card data.
• Connected Platforms / Channels: any third party that the Customer connects to Reach More services, such as messaging and social communication platforms (e.g., WhatsApp Business, Instagram, Facebook Messenger, and others), and payment providers.
• Data Controller: the person or entity that determines the purposes and means of processing personal data.
• Processor: the person or entity that processes data on behalf of the Controller and according to its instructions.

4. Data we collect from the Customer

4.1 Categories of data

We may collect the following data upon registration or use of the platform:

• Contact data: name, email address, phone number, username, job role.
• Business data: business name, sector, address, identifying information about the activity.
• Billing data (non-sensitive): billing address, name of the billed party, tax registration (if any), payment record, transaction reference or invoice identifier.

Important notice: we do not store card data or CVV within our systems. Card data is processed and stored at the approved payment gateway provider. We may only receive transaction identifiers (Tokens) or limited verification data.

• Usage and technical data: IP address, device and browser type, operating system, logs, in-system interactions, and performance indicators.
• Support and correspondence data: the content of support requests, tickets, and the attachments provided to us.

4.2 Sources of data

• Directly from you via the website, the platform, or support channels.
• Automatically through technical logs and cookies or measurement tools when used.
• Through integrations you activate with third parties (payment provider, messaging channels, and others).

5. How we use the Customer's data

We use your data for the following purposes:

• Creating and managing the account and providing the services.
• Operating the subscription, billing, collection, and issuing invoices.
• Operating the integrations you activate and enabling the related features.
• Improving the product, the user experience, and internal analytics.
• Communicating with you regarding service updates, alerts, and support.
• Preventing fraud and ensuring the security of the platform and compliance with regulatory requirements.

6. End-user data (the Customer's customers)

6.1 When do we process customers' data?

We process the Customer's end-user data when integrations with connected platforms or channels are activated, or when Reach More is used to communicate with end users or to carry out operations related to the order or support.

6.2 Categories of customer data we may process

Depending on the integrations the Customer activates, these may include:

• Name, phone number, email (if available), shipping address, city, country.
• Order details: order number, products, quantities, status, shipping information.
• Support or messaging conversation data (text or media), in accordance with what the channel provider's policies and the Customer's settings allow.

6.3 Basis of processing

The Customer is the Controller of this data, and Reach More acts as a Processor on its behalf and according to its instructions. The Customer is responsible for obtaining the necessary consents from end users in accordance with the law applicable to it.

8. Data sharing and disclosure

We do not sell or trade in personal data. We may share data only in the following cases:

• With the platforms or channels the Customer connects to carry out the integration operations it has requested.
• With payment providers to process payments and subscriptions, where we usually only receive transaction identifiers.
• With hosting, infrastructure, and security providers to operate the platform under agreements that ensure confidentiality and appropriate security controls.
• For regulatory compliance or to protect rights, including fraud prevention or responding to requests from competent authorities.

9. Storage, retention, and deletion

9.1 PII data related to marketplace and order integrations (Reach More)

• Data is stored in a cloud infrastructure with encryption in transit (TLS) and at rest (Encryption at Rest).
• We retain data for the period necessary to provide the service, complete shipping, resolve operational disputes, and comply with regulatory obligations, if any.
• Automatic deletion: PII data is automatically deleted within 30 days unless there is a regulatory obligation to retain it.
• The Customer has the right to request the deletion of their data, and the request is implemented within 30 days unless there is a regulatory impediment.

9.2 Reach More conversation data

• During an active subscription: we may retain conversation logs and their metadata to operate the service, support, and analytics.
• After the subscription ends: we retain conversations for 90 days, after which they are scheduled for automatic deletion, unless there is a longer regulatory obligation.

10. Privacy roles (Controller / Processor)

• For Customer data: Reach More is generally a Controller to the extent necessary to manage the subscription and account relationship.
• For end-user data (the Customer's customers): the Customer is the Controller, and Reach More is a Processor on its behalf and according to its instructions.

11. Regulatory or contractual bases for processing

We process data based on one or more of the following bases:

• Performance of the contract and provision of the service.
• Compliance with a regulatory obligation.
• Legitimate interests, such as platform security, fraud prevention, and product improvement.
• Consent where required, such as certain marketing communications or messaging-platform requirements.

12. Information security

We apply security controls including, by way of example:

• Role-based access control (RBAC) and the principle of least privilege.
• Multi-factor authentication (MFA) for administrative or sensitive access.
• Periodic security reviews and penetration tests.
• Monitoring of suspicious activities and alerting on them.
• Logging and reviewing access and changes.
• Protecting integration secrets (API credentials) via a secrets manager.
• Code scanning before releases.

Notice: absolute 100% security cannot be guaranteed, but we are committed to applying reasonable measures, regulatorily and technically, to reduce risks.

13. Cross-border data transfers

The nature of the operation may require the use of global providers for hosting, security, or analytics, which may result in data being processed or stored in different countries, with appropriate security and contractual controls applied and in compliance with the relevant regulations as far as possible.

14. Mechanism for submitting requests

Via email: support@reachmore.ai

We may request verification of your identity before executing sensitive requests to protect your data.

15. Security incidents and reporting

Notification of authorities or individuals.

Where the requirements of data protection regulations apply, we may notify the competent authority or affected persons without undue delay if there is a high risk to their rights or interests.

16. Cookies and analytics

We may use cookies or measurement tools to improve the experience and analyze performance. You can control cookie settings from your browser, and disabling them may affect some platform functions.

17. Children's and minors' data

The Reach More platform is intended for use by businesses and entities, and is not directly aimed at children. The Customer bears full responsibility for ensuring that children's data is not processed via the platform in accordance with the applicable laws.

19. Policy updates

We modify this policy from time to time to reflect changes in our services, legal requirements, or best practices. The modification becomes effective upon publication, with an update of the "Last updated" date at the top of the policy.

Reach More keeps a record of previous versions of the policy. Your continued use of the services after the modification takes effect constitutes acceptance of the updated version.