01 / 16
Who We Are
This Privacy Policy explains how iluxa AI collects, uses, stores, shares and protects personal data in connection with the operation of the iluxa AI platform. It applies to all users of the Platform including subscribing venue businesses ("Clients") and the end customers of those businesses ("End Users").
Iluxa AI LLC operates the iluxa AI platform — an agentic AI booking and operations system for UAE hospitality and wellness businesses. We are the data controller in respect of personal data collected through our website, marketing activities and our business relationship with Clients. In relation to End User data processed through the Platform on behalf of Clients, we act as a data processor.
Our registered address is: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E. (Registration number 2648498.)
Our data protection contact is reachable at: hello@iluxa.ae
Our registered address is: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E. (Registration number 2648498.)
Our data protection contact is reachable at: hello@iluxa.ae
02 / 16
Who This Policy Covers
This Privacy Policy applies to three categories of individuals whose personal data we may process:
- Clients — businesses and individuals who have subscribed to the iluxa AI platform, including owners, managers and authorised staff of subscribing venues.
- End Users — customers and guests of iluxa AI Clients who interact with the Platform through WhatsApp or voice channels when booking services at a Client venue.
- Website Visitors — individuals who visit iluxa.ae, complete our contact or demo request forms, or interact with our marketing communications.
Note for End Users: If you are an end customer of a business that uses iluxa AI — for example, if you booked a salon appointment or beach club cabana through a WhatsApp conversation — your data is processed on behalf of that business (our Client). For questions about how that business handles your data, please contact them directly. iluxa AI processes your data only in our capacity as a technology service provider to that business.
03 / 16
Data We Collect
3.1
Client Data
- Identity data — name of business owner or primary contact, job title, trade licence details
- Contact data — email address, phone number, WhatsApp number, business address
- Account data — login credentials (stored in hashed form), subscription plan, billing history
- Venue configuration data — service catalogues, staff names and qualifications, pricing, business rules and deposit settings provided during onboarding
- Financial data — billing contact details, payment method information (processed and stored by our payment processor — we do not store full card details)
- Communications data — emails, support messages and any other correspondence with iluxa AI
3.2
End User Data
- Contact data — phone number (from WhatsApp or voice call), name (if provided during the conversation)
- Booking data — service requested, preferred date and time, staff preference, location selected
- Conversation data — the content of WhatsApp messages and voice call transcripts processed by the Platform
- Payment data — deposit payment confirmation (not full card details, which are handled by the payment processor)
- Interaction history — prior bookings made through the Platform for the same Client venue
3.3
Website Visitor Data
- IP address and device/browser information via analytics tools
- Pages visited, time on site and referral source
- Name, email and phone number submitted via our contact or demo request forms
- Cookie data as described in Section 12
3.4
Data We Do Not Collect
iluxa AI does not intentionally collect sensitive personal data including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data or criminal record information. If any such data is inadvertently received through a booking conversation, it will not be stored or processed beyond what is strictly necessary.
04 / 16
How We Collect Data
- Directly from Clients — during the subscription sign-up process, onboarding, and ongoing account management
- Through the Platform — automatically, when End Users interact with the Platform via WhatsApp or voice channels operated on behalf of Clients
- From our website — when individuals submit forms, request demos or interact with our site
- From third-party services — including Meta (WhatsApp delivery data), AGNTIX (voice call data), and analytics providers
- From marketing interactions — when individuals respond to our email campaigns, social media content or paid advertisements
05 / 16
How We Use Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Platform to Clients — processing bookings, managing availability, sending confirmations | Client data, End User data | Contract performance |
| Client account management — billing, subscription administration, support | Client data | Contract performance |
| Onboarding and configuration — building venue setup, service catalogues, staff profiles | Client data, venue configuration data | Contract performance |
| Platform improvement — analysing aggregated usage patterns to improve AI accuracy and features | Anonymised aggregated data | Legitimate interest |
| Security and fraud prevention — monitoring for unusual activity, protecting system integrity | Account data, usage data | Legitimate interest |
| Marketing to prospects — sending information about iluxa AI to interested businesses | Website visitor data, form submissions | Consent / Legitimate interest |
| Legal compliance — meeting obligations under UAE law including tax, anti-money laundering | Client data, financial data | Legal obligation |
| Responding to enquiries — demo requests, support queries, complaints | Contact data, communications data | Legitimate interest / Consent |
06 / 16
Legal Basis for Processing
Under UAE Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (PDPL), we rely on the following legal bases for processing personal data:
- Contract performance — processing necessary to provide the Platform to Clients under our subscription agreement
- Legitimate interests — processing for platform security, fraud prevention, product improvement and marketing to business contacts, where these interests are not overridden by individual rights
- Legal obligation — processing required to comply with UAE law including tax, regulatory reporting and record-keeping obligations
- Consent — for marketing to individuals who have opted in to receive communications from us, and for any non-essential cookies on our website
End User data is processed under the authority of the Client as data controller. Clients are responsible for ensuring they have an appropriate legal basis for collecting and using their customers' data through the Platform.
07 / 16
Third-Party Services
The iluxa AI Platform operates as an agentic AI system that depends on the following third-party services. Data is shared with these providers as necessary to deliver the Platform's functionality. Each provider processes data in accordance with their own privacy policies and data processing agreements:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Meta Platforms, Inc. | WhatsApp Business API — delivery and receipt of WhatsApp messages between Platform and End Users | Phone numbers, message content | USA / Global |
| AGNTIX | Voice AI infrastructure — processing inbound voice calls, speech-to-text, call management | Voice recordings, call transcripts, phone numbers | USA |
| Anthropic, PBC | Claude language model — AI language processing, understanding booking intent and generating responses | Conversation content (anonymised where possible) | USA |
| Supabase, Inc. | Database infrastructure — storage of booking records, client configurations, staff profiles | All Platform data | USA / EU |
| Render Services, Inc. | Cloud hosting — hosting and running the iluxa AI application | All data in transit through the application | USA |
| Payment Processor (TBC) | Processing deposit payments from End Users | Payment details (not stored by iluxa AI) | TBC |
Important: iluxa AI does not sell personal data to third parties. Data shared with the providers above is shared solely for the purpose of delivering the Platform's functionality and not for those providers' own marketing or commercial purposes, subject to their respective terms of service.
08 / 16
International Data Transfers
Several of the third-party services listed in Section 7 are based in the United States and process data outside the UAE. Under the UAE PDPL, international transfers of personal data are permitted where the recipient country offers an adequate level of data protection, or where appropriate safeguards are in place.
Where data is transferred internationally, iluxa AI relies on the contractual commitments of its third-party service providers (including their standard contractual clauses and data processing agreements) as the basis for such transfers. The Client acknowledges that by using the Platform, End User data will be processed by services operating outside the UAE as described in Section 7.
Clients who have specific data residency requirements should contact us at hello@iluxa.ae to discuss whether alternative configurations are available.
Where data is transferred internationally, iluxa AI relies on the contractual commitments of its third-party service providers (including their standard contractual clauses and data processing agreements) as the basis for such transfers. The Client acknowledges that by using the Platform, End User data will be processed by services operating outside the UAE as described in Section 7.
Clients who have specific data residency requirements should contact us at hello@iluxa.ae to discuss whether alternative configurations are available.
09 / 16
Data Retention
9.1
Client Data
We retain Client account data for the duration of the subscription and for 3 years following termination, to satisfy legal, accounting and dispute resolution requirements. Financial and billing records are retained for 5 years in accordance with UAE commercial law requirements.
9.2
End User Booking Data
End User booking data is retained on behalf of the Client for the duration of the Client's subscription, plus 30 days following termination, after which it is permanently deleted from iluxa AI's systems.
9.3
Conversation Data
WhatsApp message content and voice call transcripts processed through the Platform are retained for booking verification purposes for a period of 90 days from the date of the interaction, after which they are deleted from active systems. Residual copies in backup systems are purged on a rolling 30-day backup cycle.
9.4
Website and Marketing Data
Data collected from website visitors and marketing interactions is retained for a maximum of 24 months from the date of collection, or until a withdrawal of consent is received, whichever is earlier.
9.5
Early Deletion
We will delete personal data earlier than the above periods where: (a) a valid erasure request is received and no legal basis for retention exists; (b) the data is no longer necessary for the purpose for which it was collected; or (c) we are required to do so by applicable law.
10 / 16
Data Security
iluxa AI implements the following technical and organisational security measures to protect personal data:
- Encryption in transit — all data transmitted between users, the Platform, and third-party services is encrypted using TLS 1.2 or higher
- Encryption at rest — data stored in our database infrastructure is encrypted at rest
- Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis
- Authentication — secure authentication protocols are used for all administrative access to Platform systems
- Third-party security — we select third-party providers who implement industry-standard security measures and maintain relevant security certifications
- Security reviews — we conduct periodic reviews of our security practices and update controls as threats evolve
Despite these measures, no system is entirely secure. In the event of a confirmed data breach that is likely to result in risk to individuals, we will notify affected Clients without undue delay and within 72 hours of becoming aware, in accordance with our obligations under the UAE PDPL.
11 / 16
Your Rights
Under the UAE Federal Decree Law No. 45 of 2021, individuals whose personal data we process have the following rights:
- Right of access — you may request a copy of the personal data we hold about you
- Right to correction — you may request correction of inaccurate or incomplete personal data
- Right to erasure — you may request deletion of your personal data where we no longer have a legal basis to retain it
- Right to restrict processing — you may request that we limit the processing of your data in certain circumstances
- Right to data portability — you may request your personal data in a structured, commonly used format
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to object — you may object to processing based on legitimate interests where your rights override those interests
Note for End Users: If you are an end customer of a business using iluxa AI and wish to exercise rights in relation to booking data held about you, we recommend contacting the business directly in the first instance, as they are the data controller for that data. You may also contact us at hello@iluxa.ae and we will assist in coordinating with the relevant Client.
11.1
How to Submit a Request
To exercise any of the above rights, please contact us at hello@iluxa.ae with your name, contact details and a description of your request. We will respond within 30 calendar days. We may request proof of identity before processing your request. We will not charge a fee for legitimate requests unless they are manifestly unfounded or excessive.
12 / 16
Cookies & Tracking
Our website (iluxa.ae) uses cookies and similar tracking technologies. We use the following categories of cookies:
- Strictly necessary cookies — required for the website to function. These cannot be disabled.
- Analytics cookies — used to understand how visitors interact with our website, including pages visited and time on site. These are set only with your consent.
- Marketing cookies — used to track the effectiveness of our advertising campaigns. Set only with your consent.
You can manage your cookie preferences through our cookie consent banner when you first visit the site, or by adjusting your browser settings at any time. Disabling certain cookies may affect the functionality of the website. The Platform itself (WhatsApp and voice channels) does not use cookies.
13 / 16
Children's Privacy
The iluxa AI Platform and website are not directed at children under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.
If a venue serves individuals under 18, the Client is responsible for ensuring appropriate consent mechanisms are in place for any data collected through the Platform.
If a venue serves individuals under 18, the Client is responsible for ensuring appropriate consent mechanisms are in place for any data collected through the Platform.
14 / 16
Client Responsibilities
Clients who use the iluxa AI Platform to process End User data are acting as data controllers in respect of that data. This means they have independent obligations under the UAE PDPL, including:
- Maintaining a lawful basis for collecting and processing End User personal data through the Platform
- Providing End Users with clear and accessible privacy information, including that a third-party AI platform (iluxa AI) processes their booking data on the Client's behalf
- Handling data subject access requests, correction requests and erasure requests received from their End Users in a timely manner
- Ensuring any data uploaded to the Platform during onboarding (such as staff personal information) is collected and shared lawfully
- Notifying iluxa AI promptly of any data subject requests that require iluxa AI's assistance to fulfil
Clients who require a formal Data Processing Agreement (DPA) with iluxa AI — for example, to satisfy their own regulatory obligations — should contact us at hello@iluxa.ae.
15 / 16
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's functionality, applicable law, or guidance from the UAE Data Office. When we make material changes, we will notify Clients by email to the address on record and update the "Last Updated" date at the top of this document.
We encourage all users to review this Policy periodically. Continued use of the Platform following the effective date of any update constitutes acceptance of the revised Policy.
The current version of this Privacy Policy is always available at: iluxa.ae/privacy
We encourage all users to review this Policy periodically. Continued use of the Platform following the effective date of any update constitutes acceptance of the revised Policy.
The current version of this Privacy Policy is always available at: iluxa.ae/privacy
16 / 16
Contact & Complaints
For any questions, concerns or requests relating to this Privacy Policy or the way we handle personal data, please contact our data protection contact:
Data Protection Contact
Iluxa AI LLC
Email: hello@iluxa.ae
Address: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
Website: iluxa.ae
Address: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
Website: iluxa.ae
16.1
Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the UAE Data Office, the supervisory authority responsible for enforcing the UAE PDPL. Information about the UAE Data Office and how to submit a complaint is available at uaedataoffice.ae.