Activity Hub

Legal

Privacy Policy

Effective 2026-05-19 · Aligned with UAE Federal Decree-Law No. 45/2021 (PDPL)

1. Summary

We collect the minimum personal data needed to operate a booking marketplace — identity, contact, booking history, payment tokens (never card numbers), and device/usage signals. We share data with the operator you book with, our payment processor, and our infrastructure providers. We do not sell your data.

2. Controller

Activity Hub FZ-LLC, Dubai, UAE is the data controller for personal data collected through the platform. Operators are independent controllers for the data they process about their own bookings; we are joint controller for booking creation.

3. What we collect

  • Identity & contact: name, email, phone, country.
  • Account: hashed password (for credentials provider), magic-link tokens, sign-in IP and timestamp.
  • Bookings: activities you viewed, saved, and booked; party size; scheduled dates; messages with operators.
  • Payment: payment provider tokens and last-4 of card. We never store full card numbers.
  • Reviews: ratings and written reviews you post.
  • Device & usage: browser type, IP, language, pages visited, error reports (Sentry).
  • Location: only when you grant browser geolocation permission on the map page; not stored on our servers.

4. Why we use it

  • To create and manage your account, bookings, and refunds.
  • To share with the operator the minimum information they need to serve you (name, party size, scheduled time, age if relevant).
  • To prevent fraud, enforce these terms, and comply with UAE law.
  • To improve the platform — analytics on aggregated, non-identifying usage.
  • To send transactional emails (booking confirmations, cancellations, reminders). We do not send marketing emails without your opt-in.

5. Lawful bases

  • Performance of the contract when we process bookings and payments.
  • Legitimate interest for fraud prevention, error reporting, and product analytics.
  • Consent for non-essential cookies and marketing.
  • Legal obligation for tax, anti-money-laundering, and complaints handling.

6. Sharing

  • Operators: only the data they need to fulfil your booking. Operators are contractually bound to use it only for that purpose.
  • Payment processor: Network International / Stripe / Tabby (depending on the chosen method). They are PCI-DSS certified.
  • Infrastructure: Vercel (hosting), Upstash (rate-limit), Sentry (error monitoring), our database provider.
  • Authorities: when required by UAE law or court order.
  • We do not sell or rent your personal data.

7. International transfers

Some processors are located outside the UAE. We rely on the contractual safeguards permitted by UAE PDPL Article 23, and on each processor's own compliance framework (GDPR, ISO 27001, SOC 2).

8. Retention

  • Account data: while your account is active, plus 7 years for tax/audit (UAE Federal Law).
  • Booking and payment records: 7 years.
  • Inquiry messages: 2 years from the last message.
  • Reviews: indefinitely (or until you delete your account, in which case authorship is anonymised).
  • Server logs: 90 days.

9. Your rights

Under the UAE PDPL you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data deleted (subject to legal retention obligations).
  • Withdraw consent for processing that depended on it.
  • Object to processing for direct marketing.
  • Receive your data in a portable, machine-readable format.
  • Complain to the UAE Data Office.

To exercise any of these, email privacy@activityhub.ae (placeholder). We respond within 30 days.

10. Cookies

See the dedicated cookies policy.

11. Children

The platform is for users aged 18 and over. Minors may participate in activities only under the booking and supervision of an adult who accepts these terms on their behalf.

12. Changes

Material changes will be notified in-app at least 14 days before they take effect.

13. Contact

Privacy queries: privacy@activityhub.ae. General contact: contact us.