Legal Document

Privacy
Policy

This Policy explains how Fairlyst Software Systems L.L.C. collects, uses, shares, stores, and protects personal data and organizational information across Fairlyst, RICO by Fairlyst, our website, client portals, ESG evidence workflows, and related services.

Effective Date

03 May 2026

Version

1.3.0

Primary Jurisdiction

UAE · Abu Dhabi

Document ID

DOC-LEGAL-002

Who We Are

Fairlyst Software Systems L.L.C. ("Fairlyst", "we", "us", or "our") is an enterprise software company registered in the United Arab Emirates with operations based in Abu Dhabi, UAE.

We develop and operate Fairlyst and RICO by Fairlyst, also described as Regenerative Innovation for Climate Outcomes, an AI-assisted ESG evidence platform for document classification, field extraction, source attribution, emissions calculation support, review workflows, and evidence-pack preparation.

Questions about this Policy or our data practices may be directed to the privacy contact listed in Section 16.

Scope and Data Protection Roles

This Policy applies to our website, demo requests, client portals, Platform registration, support communications, pilot deployments, subscriptions, and use of RICO by Fairlyst or related services.

Fairlyst may act in different privacy roles depending on the context:

Controller: For personal data we collect directly for our own purposes, such as website enquiries, demo requests, account administration, billing, support, marketing communications, security monitoring, and business operations.
Processor or service provider: For personal data contained in Client-uploaded documents, ESG evidence, supplier records, operational records, employee metrics, reviewer comments, and reporting workflows that we process on behalf of a Client under an agreement.
Joint or independent roles: In some cases, the applicable Order Form, Data Processing Agreement, or local law may define a different role or allocation of responsibility.

Where required, Fairlyst and the Client may enter into a separate Data Processing Agreement that governs processing of personal data in more detail.

Business Use Only

RICO by Fairlyst is an enterprise B2B service and is not intended for personal, household, or consumer use. If mandatory consumer, e-commerce, privacy, or local-law rights apply and cannot lawfully be excluded, this Policy does not limit those rights.

Data We Collect

We collect different categories of data depending on your relationship with Fairlyst and how you use the Platform.

Category	Examples	Source
Account Data	Name, work email, job title, organization name, role, account permissions, login details, and user status.	Provided by user, Client administrator, or account setup workflow.
Client Content	Sustainability reports, ESG records, emissions records, utility bills, invoices, fuel records, supplier documents, operational records, uploaded files, reviewer comments, and supporting evidence.	Uploaded, submitted, imported, or configured by Client or Authorized Users.
Extracted Data and Outputs	Extracted fields, source references, field confidence indicators, review status, calculation records, emissions outputs, dashboards, exports, and evidence packs.	Generated by the Platform from Client Content and user actions.
Platform Usage Data	Feature usage, session activity, user actions, audit-history events, system logs, error events, timestamps, and support diagnostics.	Automatically collected during Platform use.
Technical Data	IP address, browser type, device type, operating system, timezone, approximate location, authentication events, and security logs.	Automatically collected by our systems or service providers.
Communication Data	Support tickets, emails, demo requests, sales enquiries, pilot discussions, meeting notes, and feedback.	Provided by users, prospects, Clients, or advisors.
Billing and Commercial Data	Invoice contact details, billing address, VAT or tax information, plan details, purchase history, and contract metadata.	Provided by Client or generated during commercial administration.

Sensitive and Regulated Data

Fairlyst does not intentionally request personal health data, government-issued identity numbers, payment card numbers, financial account credentials, classified information, or other highly sensitive data unless expressly agreed in writing and supported by appropriate safeguards. Clients must not upload sensitive or regulated data unless they have the necessary rights, notices, consents, lawful bases, and contractual authorization to do so.

How We Use Your Data

We process data for specific business, contractual, security, operational, and legal purposes. Depending on the applicable law, the legal basis may include contract performance, legitimate interests, consent, legal obligation, or Client instructions under a Data Processing Agreement.

Platform delivery: To provision, operate, maintain, secure, troubleshoot, and support Fairlyst, RICO, client accounts, and related services.
ESG evidence workflows: To classify documents, extract fields, link values to source evidence, support calculations, maintain review records, and generate outputs requested by Client.
AI-assisted processing: To process uploaded content or extracted text through AI systems for document classification, field extraction, summarization, calculation support, and review assistance.
Security and fraud prevention: To detect unauthorized access, misuse, credential compromise, unusual activity, technical errors, data-integrity risks, and platform abuse.
Customer support: To respond to enquiries, manage support tickets, troubleshoot problems, configure pilots, and provide onboarding or implementation assistance.
Product improvement: To improve Platform performance, reliability, workflows, usability, and features using aggregated, anonymized, or de-identified information where reasonably possible.
Legal and contractual compliance: To comply with applicable laws, enforce agreements, preserve records, respond to legal requests, and manage disputes.
Marketing communications: To send product updates or relevant content to prospects and Clients where permitted by law or based on consent. You may opt out of marketing emails at any time.

AI Processing and Your Documents AI-Specific

RICO uses AI-assisted functionality to classify documents, extract fields, summarize content, support calculations, identify inconsistencies, and prepare reviewable ESG evidence records. AI-assisted outputs may contain errors, omissions, misclassifications, or incomplete extractions and must be reviewed by authorized human users before formal use.

Fairlyst may use third-party AI service providers, including Anthropic where applicable, to process uploaded content or extracted text for document classification, field extraction, summarization, calculation support, and review assistance.
Fairlyst does not permit third-party AI service providers to use Client Content to train public foundation models unless expressly agreed in writing or unless Client independently provides feedback or consent directly to that provider.
Fairlyst does not use Client documents to train, fine-tune, or improve public AI models.
AI processing may generate field-level confidence indicators, review status, source references, extracted fields, summaries, calculations, or suggested classifications.
The Platform may record timestamped extraction events, reviewer actions, comments, corrections, approvals, exports, and change history to support source-linked audit history.
Retention, logging, and processing by AI providers are governed by applicable commercial terms, data processing terms, Order Forms, and security documentation.

Arabic and Multilingual Documents

The Platform may support Arabic, English, or multilingual documents where technically available. Extraction quality may vary depending on language, layout, scan quality, handwriting, OCR quality, terminology, source-document structure, and translation quality. Clients remain responsible for human review and validation of all Arabic, bilingual, translated, or multilingual outputs before use.

Important: Clients must not upload personal health records, government-issued identity numbers, payment card data, financial account credentials, classified information, or any content whose AI processing is restricted under applicable law unless expressly agreed in writing and supported by appropriate safeguards.

Data Sharing and Subprocessors

Fairlyst does not sell, rent, or trade personal data. We share data only where necessary to deliver the Platform, comply with law, protect rights and security, support business operations, or fulfill Client instructions.

Recipient Type	Purpose	Data Involved
AI Service Providers	Document classification, field extraction, summarization, calculation support, and review assistance.	Uploaded content, extracted text, prompts, outputs, metadata, and processing logs where applicable.
Platform and Hosting Providers	Application hosting, storage, workflow management, backups, availability, and infrastructure operations.	Account Data, Client Content, Extracted Data, Outputs, usage logs, and system metadata.
Support and Communications Tools	Customer support, onboarding, service notices, security alerts, and account communications.	Contact details, support messages, account details, troubleshooting data, and service history.
Analytics and Monitoring Tools	Performance monitoring, error detection, usage analytics, product improvement, and security diagnostics.	Usage logs, technical data, aggregated statistics, and event metadata.
Professional Advisors	Legal, financial, accounting, security, insurance, or audit support.	Relevant business, legal, contractual, or operational information, subject to confidentiality obligations.
Competent Authorities	Compliance with applicable law, court order, regulator request, or legal process.	Information required by law or necessary to protect legal rights.

Material subprocessors may include providers such as Anthropic for AI processing and Zoho Creator or related infrastructure providers for application hosting and workflow operations, depending on the applicable deployment. A current list of material subprocessors is available upon written request to legal@fairlyst.com or as provided in an applicable Data Processing Agreement, Order Form, or Security & Data Handling document.

International Transfers and Data Residency

Fairlyst is based in the United Arab Emirates and may support Clients operating across multiple jurisdictions. Depending on your deployment, account configuration, subprocessors, support needs, and applicable Order Form, data may be processed in the UAE, GCC, Saudi Arabia, Europe, the United States, Africa, or other regions where Fairlyst or its subprocessors operate.

Where data is transferred internationally, Fairlyst uses appropriate safeguards where required by applicable law. These may include contractual safeguards, data processing agreements, standard contractual clauses or equivalent mechanisms, security measures, regional hosting commitments, or Client-specific terms.

Unless a specific data-residency commitment is expressly stated in an applicable Order Form, Data Processing Agreement, or enterprise agreement, Client acknowledges that Client Content, Extracted Data, Outputs, usage data, support communications, and related technical data may be hosted, stored, accessed, or processed in the United Arab Emirates or other jurisdictions by Fairlyst, its affiliates, infrastructure providers, AI service providers, support providers, and subprocessors.

Zoho Creator and other infrastructure providers may host data in region-specific data centers depending on account setup, country selection, and configuration. The applicable hosting region for a specific Client deployment should be confirmed in the relevant Order Form, security documentation, or Data Processing Agreement.

Fairlyst processes personal data in accordance with this Policy and, where applicable, the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, as well as other data protection laws that may apply to the relevant Client, data subjects, processing location, and contractual arrangement.

GCC and Africa Deployments

For deployments outside the United Arab Emirates, including GCC and African jurisdictions, Fairlyst and Client may agree to supplemental local-law, data-protection, procurement, tax, language, hosting, or regulatory terms in an applicable Order Form, Data Processing Agreement, or signed addendum.

Data Retention and Deletion

We retain data only for as long as reasonably necessary to fulfill the purposes described in this Policy, provide the Platform, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support Client workflows. Retention periods may vary by Client agreement, deployment type, jurisdiction, and legal requirement.

Data Category	Typical Retention Approach	Primary Reason
Account Data	During account life and for a reasonable period after termination, unless deletion is required earlier or retention is legally required.	Account administration, support, legal compliance, and business records.
Client Content	During the active subscription, pilot, or agreed retention period, subject to export and deletion terms in the applicable agreement.	Platform delivery and Client evidence workflows.
Extracted Data and Evidence Records	During the active subscription or agreed evidence-retention period, unless deleted by Client or retained under contract or law.	Review history, ESG evidence management, and reporting support.
Audit History and Usage Logs	For a period reasonably necessary for security, troubleshooting, compliance, and audit-history purposes.	Security, accountability, and service integrity.
Support Correspondence	For a reasonable period after the last interaction or as required for business records.	Support continuity and dispute management.
Billing Records	As required by applicable accounting, tax, commercial, VAT, and legal obligations.	Tax, accounting, and commercial compliance.

Upon contract termination, Clients may request data export or deletion in accordance with the applicable Order Form, Terms, Data Processing Agreement, or written instructions. Unless otherwise agreed, Fairlyst will provide export functionality or reasonable export assistance for 30 days after termination before deleting or deactivating production access to Client Content, subject to legal retention obligations and backup deletion cycles.

Security

Fairlyst uses reasonable technical and organizational measures designed to protect personal data and Client Content against unauthorized access, misuse, alteration, loss, and disclosure. However, no software platform, AI system, cloud infrastructure, transmission method, or storage system can be guaranteed to be completely secure.

Role-based access workflows and account-level permission controls where supported by the deployment.
Authentication and administrative access controls for Platform administration.
Encryption, backup, data-segregation, and infrastructure safeguards provided by relevant hosting and platform providers where applicable.
Security monitoring, logging, and troubleshooting processes designed to detect errors, misuse, or unauthorized access.
Source-linked review history and timestamped system events to support accountability and evidence workflows.
Incident-response procedures designed to investigate, contain, and notify affected Clients where legally or contractually required.
Subprocessor and infrastructure certifications may vary by provider, region, data center, and account configuration.

Enterprise Clients may request security documentation, subprocessor information, data-processing details, or procurement support as part of a paid plan, pilot, security review, or applicable Order Form.

Your Rights Action Available

Depending on your jurisdiction, role, and relationship with Fairlyst, you may have rights in relation to your personal data. To exercise any rights, contact us at privacy@fairlyst.com. We will respond within the timeframe required by applicable law, or within 30 days where no shorter period applies.

Right of Access

Request a copy of personal data we hold about you and information about how it is processed.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of personal data where it is no longer necessary, subject to legal or contractual retention obligations.

Right to Portability

Request data in a structured, commonly used, machine-readable format where applicable.

Right to Restrict Processing

Request that we limit processing in certain circumstances, such as while a dispute about accuracy is resolved.

Right to Object

Object to processing based on legitimate interests or direct marketing where applicable.

Right to Withdraw Consent

Where processing is based on consent, withdraw consent at any time without affecting prior lawful processing.

Right to Complain

Lodge a complaint with the relevant data protection authority, including the UAE Data Office where applicable.

Client-Controlled Data

Where Fairlyst processes personal data on behalf of a Client, we may refer your request to the relevant Client or ask you to contact that Client directly, depending on our legal role and the applicable Data Processing Agreement.

Cookies and Tracking

The Fairlyst website and Platform may use cookies, local storage, pixels, server logs, and similar technologies for authentication, security, functionality, analytics, and service performance. We do not use Client ESG data for third-party advertising.

Strictly necessary technologies: Required for authentication, session management, load balancing, fraud prevention, and security.
Functional technologies: Used to remember preferences such as language, region, dashboard settings, or display choices.
Analytics technologies: Used to understand aggregated usage patterns, diagnose errors, improve performance, and develop better product experiences.
Marketing technologies: Used on public website pages only where permitted by law or consent, and not applied to Client ESG evidence inside the Platform unless expressly disclosed.

You may manage cookie preferences through your browser settings or any cookie settings panel made available on the Fairlyst website. Disabling certain cookies may affect Platform functionality.

Language, Arabic, and Translations

This Privacy Policy may be made available in English, Arabic, or other languages for convenience, accessibility, or regional use. Unless expressly stated otherwise in a signed agreement, the English version shall be the controlling version for interpretation and administration of this Policy.

If any Arabic or other translated version conflicts with the English version, the English version shall prevail to the maximum extent permitted by applicable law. Where applicable law requires an Arabic version or gives legal effect to an Arabic version, Fairlyst will use commercially reasonable efforts to ensure the Arabic version reflects the meaning of the English version.

Fairlyst may provide privacy, operational, legal, billing, security, support, or service notices in English and, where commercially reasonable, Arabic. Clients remain responsible for ensuring that their Authorized Users, administrators, and contracting personnel understand notices provided through the Platform, by email, or through account communications.

Children's Privacy

The Fairlyst Platform is an enterprise B2B service and is not directed at, nor intended for use by, individuals under the age of 18. We do not knowingly collect personal data from minors.

If you believe that a minor has provided personal data to Fairlyst, please contact us at privacy@fairlyst.com and we will take reasonable steps to delete such data where required by law.

Business Transfers

If Fairlyst is involved in a merger, acquisition, financing, corporate restructuring, sale of assets, joint venture, change of control, insolvency process, or similar transaction, personal data and Client Content may be transferred as part of that transaction, subject to confidentiality obligations and applicable law.

Where required, Fairlyst will provide notice of material changes in ownership, data-processing responsibility, or privacy practices that affect active Clients.

Policy Updates

Fairlyst may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, subprocessors, Platform features, AI processing, or business operations.

Material changes will be communicated to active Clients by email, in-Platform notification, website notice, or another reasonable method where required by law or contract. The updated Policy will identify its version number and effective date.

Your continued use of the Platform after the effective date of an updated Policy constitutes acceptance of the updated Policy to the extent permitted by applicable law. Where consent is required for a new processing activity, we will request consent separately.