Privacy Policy

This Privacy Policy explains how Elcara LLC-FZ ("Elcara", "we", "us", or "our") collects, uses, and protects information about you when you visit elcara.io (the "Site") or use our services. Elcara LLC-FZ is the controller of your personal data and is a company registered in the Meydan Free Zone, Dubai, United Arab Emirates.

By using the Site or our services, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

We collect information in the following ways:

• Information you provide. When you contact us or submit a form, we may collect your name, email address, company or project name, phone number, and the contents of your message.
• Usage data. We may automatically collect information such as your IP address, browser type, device information, pages visited, and the dates and times of your visits.
• Cookies and similar technologies. We may use cookies and similar technologies to operate and improve the Site (see Section 5).

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain our services;
• Respond to your enquiries and provide customer support;
• Improve, personalize, and develop the Site and our services;
• Communicate with you about updates, offers, and relevant information;
• Detect, prevent, and address technical issues, fraud, or abuse; and
• Comply with applicable legal obligations.

3. Legal Bases for Processing

Where applicable law (including the EU and UK General Data Protection Regulation) requires a legal basis, we rely on one or more of the following:

• Consent — for example, for non-essential cookies and for marketing communications;
• Performance of a contract — to provide the services you request or take steps before entering into a contract;
• Compliance with a legal obligation; and
• Our legitimate interests, namely: securing our Site and systems, preventing fraud and abuse, analyzing and improving our services, and conducting business-to-business direct marketing to our existing professional contacts — except where those interests are overridden by your rights and freedoms.

4. Cookies and Consent

We use cookies and similar technologies to operate the Site. With your consent, we may also use cookies to understand how the Site is used and to support our marketing.

• Essential cookies are necessary for the Site to function and are set without consent.
• Non-essential cookies (such as analytics and marketing cookies) are only set after you give your prior, informed consent.

We currently use only essential cookies and do not set analytics or marketing cookies. If we introduce non-essential cookies in the future, then — where required by law (including the EU GDPR and ePrivacy Directive and the UK Privacy and Electronic Communications Regulations) — we will present a cookie consent banner before any such cookies load and provide a "Cookie Settings" control so you can change or withdraw your consent at any time. You can also control cookies through your browser settings, although disabling some cookies may affect how parts of the Site function.

5. Marketing Communications

We only send marketing communications where permitted by applicable law, including the GDPR, the UK Privacy and Electronic Communications Regulations, and the US CAN-SPAM Act. You can opt out of marketing at any time by using the unsubscribe link included in every marketing email, or by contacting us at hello@elcara.io. Opting out of marketing does not affect service-related or transactional messages necessary for our relationship with you.

6. Automated Processing and Artificial Intelligence

We develop and operate software products that use large language models and other artificial-intelligence ("AI") technologies. In relation to personal data:

• We do not use your personal data to train public or third-party AI models.
• Where AI systems process personal data to provide our services, that processing is limited to operating and improving those services.
• We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human involvement. If this changes, we will inform you and provide the safeguards required under GDPR Article 22 and the UAE Personal Data Protection Law.

Where our processing is likely to result in a high risk to individuals (including large-scale processing of sensitive data, systematic monitoring, or certain automated decision-making), we carry out a Data Protection Impact Assessment as required under GDPR Article 35 and UAE PDPL Article 22.

7. How We Share Information

We do not sell your personal information. We may share information with:

• Service providers and partners who perform services on our behalf (such as hosting, analytics, and communications), under appropriate confidentiality and data-protection obligations;
• Authorities or third parties where required by law, regulation, legal process, or to protect our rights, safety, or property; and
• A successor entity in connection with a merger, acquisition, or sale of assets.

8. Data Retention

We retain personal information only for as long as necessary for the purposes set out in this policy. In determining the appropriate retention period we consider:

• the duration of our contract or relationship with you;
• the period needed to provide our services and respond to enquiries; and
• any applicable statutory limitation periods and legal, accounting, or regulatory obligations.

When personal data is no longer required, we delete it or irreversibly anonymize it.

9. International Data Transfers

We are based in the United Arab Emirates, which is not currently recognized by the European Commission or the United Kingdom as providing an adequate level of data protection. Where we transfer personal data from the European Economic Area, the United Kingdom, or other jurisdictions to the UAE or to our service providers in other countries, we put in place an appropriate legal transfer mechanism, including:

• the European Commission's Standard Contractual Clauses (SCCs) for transfers of EU/EEA personal data;
• the UK International Data Transfer Addendum (IDTA), or the UK Addendum to the SCCs, for transfers of UK personal data; and
• for transfers governed by the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), transfer to a country with an adequate level of protection, contractual safeguards obliging the recipient to apply PDPL-level protections, or your explicit consent.

You may request a copy of the relevant safeguards by contacting us.

10. Data Security

We implement reasonable technical and organizational measures designed to protect your information. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Your Rights

Subject to applicable law, you have the right to access, rectify, update, erase, or port your personal data, to object to or restrict certain processing, and to withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal). To exercise these rights, please contact us using the details below.

You also have the right to lodge a complaint with a data-protection supervisory authority — including the UK Information Commissioner's Office (ICO), the relevant supervisory authority in your EU/EEA member state, or the UAE Data Office — if you believe our processing of your personal data infringes applicable law.

12. California Privacy Rights

If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), including the rights to know, delete, and correct your personal information, and the right not to be discriminated against for exercising your rights. We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising as those terms are defined under California law. To exercise your rights, contact us using the details below.

13. Children's Privacy

Our Site and services are not directed to children under the age of 18, and we do not knowingly collect personal information from children.

14. Data Protection Contact

For any questions or requests relating to this policy or your personal data, you can contact our data-protection team at hello@elcara.io. We keep our processing activities under review and will appoint a Data Protection Officer where required under UAE PDPL Article 10 — for example, where we carry out large-scale systematic monitoring or large-scale processing of sensitive personal data — or under other applicable law.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised "Last updated" date and will be effective as soon as it is accessible.

16. Contact Us

If you have any questions about this Privacy Policy, you can contact us at: