Last updated: April 2026  ·  Version 1.0

Section 01

Who We Are

Rendevy is a UAE-based Software-as-a-Service (SaaS) platform that provides AI-powered appointment booking and management services for businesses including clinics, salons, wellness centres, and other appointment-driven businesses operating in the UAE.

Rendevy acts as a data controller for personal data we collect directly (e.g. admin account information), and as a data processor on behalf of our business customers (clinics and salons) for the personal data of their clients and patients.

Data Controller: Rendevy Platform

Contact: privacy@curiousstack.co

Jurisdiction: United Arab Emirates

Section 02

Personal Data We Collect

We collect only the minimum data necessary to provide our services.

Client / patient data (collected when a person interacts with a business's booking chatbot):

  • WhatsApp phone number (used as the primary identifier)
  • Full name (provided during booking registration)
  • Email address (optional; used for email appointment reminders)
  • Appointment history (dates, times, assigned staff, location)
  • Preferred language
  • Consent timestamp and version
  • Voice call metadata (call timestamps, call duration, caller ID) — collected when you interact with or receive an outbound appointment reminder via phone call

Business admin user data (collected when a clinic or salon signs up):

  • Name and email address
  • Role and location assignment
  • Login activity timestamps

Automatically collected data:

  • Conversation timestamps and message counts (not full message transcripts)
  • System and security audit logs (access events, changes to records)
  • Session authentication tokens
Important: Our booking chatbot and voice call service are designed to handle appointment scheduling only. Please do not share clinical health information, diagnoses, medications, or sensitive medical details via WhatsApp or phone call. Such information is outside the scope of this service.
Section 03

How We Use Your Data

  • Providing the service — booking, managing, and cancelling appointments on your behalf
  • Appointment reminders — sending WhatsApp messages, email notifications, and outbound voice call reminders about upcoming appointments
  • Registration — creating and maintaining your account within the platform
  • Security and fraud prevention — detecting and preventing misuse of our platform
  • Platform improvement — aggregated, anonymised analytics to improve service quality (no individual profiling)
  • Legal compliance — meeting our obligations under UAE law and applicable regulations
Section 04

Lawful Bases for Processing

Under the UAE Personal Data Protection Law (PDPL, Federal Decree-Law No. 45 of 2021) and the EU General Data Protection Regulation (GDPR) where applicable, we rely on the following lawful bases:

Processing activityLawful basis
Booking and managing appointmentsContract performance — necessary to deliver the service you requested
WhatsApp messaging and remindersConsent — you confirm consent by replying YES to our onboarding message; withdraw anytime by replying STOP
Outbound voice call remindersConsent — covered by the same YES consent given during WhatsApp onboarding; withdraw anytime by replying STOP or emailing privacy@curiousstack.co
Security and audit loggingLegitimate interests — protecting the platform and our users
Email notificationsConsent / contract performance
Health record retention (medical clinics)Legal obligation — UAE Federal Law No. 2 of 2019 on health data

You may withdraw consent for WhatsApp communications at any time by replying STOP to any message from our chatbot. To opt out of voice call reminders specifically, reply STOP via WhatsApp or email privacy@curiousstack.co. Withdrawing consent will not affect appointments already booked.

Section 05

Sub-Processors & Data Sharing

We share your data only with the third-party service providers listed below, who process it solely on our instructions and under Data Processing Agreements:

Sub-processorPurposeLocation
Microsoft AzureDatabase storage (CosmosDB), AI processing (Azure OpenAI)UAE North (primary); data residency policy enforced
TwilioWhatsApp message delivery and voice callsUnited States
GoogleStaff calendar scheduling (appointment slots only; no client PII)United States / Global
SendGrid (Twilio)Email appointment remindersUnited States
Microsoft Azure MonitorApplication performance and error loggingUAE North (primary)

We do not sell your personal data. We do not share it with third parties for their own marketing purposes.

We may disclose data to law enforcement or regulatory authorities where required by UAE law or a valid court order.

Section 06

Cross-Border Data Transfers

We store your data primarily in the UAE North Azure data centre. Some processing operations involve sub-processors located outside the UAE (see Section 5).

Where personal data is transferred outside the UAE, we ensure appropriate safeguards are in place, including:

  • Data Processing Agreements with adequate data protection obligations
  • Standard contractual clauses where required for transfers to non-adequate countries
  • Technical measures including encryption in transit and at rest

For clients whose data may constitute health data under UAE Federal Law No. 2 of 2019, we take additional steps to minimise cross-border processing and apply the highest available safeguards.

Section 07

How Long We Keep Your Data

Data categoryRetention periodBasis
Appointment records (medical clinics)Up to 10 years from last appointmentUAE Health Data Law minimum
Appointment records (wellness / non-medical)Up to 5 years from last appointmentCommercial records standard
Client registration dataDuration of active relationship + 3 years after last activityPDPL data minimisation
WhatsApp conversation logs24 monthsOperational need; deleted thereafter
Voice call logs (metadata only — no recordings stored)12 monthsOperational need and dispute resolution; deleted thereafter
System and application logs6–12 monthsSecurity monitoring
Security incident and audit logs5 yearsLegal defence and regulatory compliance
Consent recordsDuration of relationship + 5 yearsProof of lawful basis for processing

When retention periods expire, data is securely deleted or irreversibly anonymised. You may request earlier deletion — see Section 8.

Section 08

Your Rights

Under the UAE PDPL (and GDPR where applicable), you have the following rights regarding your personal data:

RightWhat it meansHow to exercise
AccessObtain a copy of the personal data we hold about youEmail privacy@curiousstack.co
RectificationCorrect inaccurate or incomplete dataVia the chatbot or email
ErasureRequest deletion of your personal dataEmail privacy@curiousstack.co
PortabilityReceive your data in a structured, machine-readable formatEmail privacy@curiousstack.co
Withdraw consentStop receiving WhatsApp communications and/or voice call remindersReply STOP to any WhatsApp message; or email privacy@curiousstack.co to opt out of voice calls specifically
ObjectionObject to processing based on legitimate interestsEmail privacy@curiousstack.co
RestrictionRestrict processing of your data pending a disputeEmail privacy@curiousstack.co

We will respond to all valid requests within 30 days. Erasure requests may be subject to legal retention obligations (e.g. health records required to be retained under UAE law).

To exercise any of these rights, contact us at privacy@curiousstack.co. We may need to verify your identity before processing your request.
Section 09

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure:

  • Encryption in transit — all data is transmitted over HTTPS / TLS
  • Encryption at rest — all database storage is encrypted by Microsoft Azure
  • Access controls — role-based access control (RBAC) limits who can view data; staff see only masked contact details
  • Audit logging — all access to and modifications of personal data are logged with timestamps and actor identity
  • Secret management — credentials are stored in Azure Key Vault, not in application code
  • IP allowlisting — admin access can be restricted to approved IP ranges
  • Breach notification — in the event of a personal data breach, we will notify the UAE Data Office and affected individuals within the timeframes required by law (target: 72 hours)
Section 10

Cookies

The Rendevy WhatsApp chatbot does not use cookies.

The Rendevy admin web panel uses the following cookies:

  • Session cookie — a functional cookie that keeps you logged in during your admin session. This cookie is strictly necessary for the service to work and does not require your consent. It expires automatically after 8 hours of inactivity.

We do not use third-party tracking, advertising, or analytics cookies on the admin panel.

Section 11

Data Protection Officer

We have designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and compliance with the UAE PDPL and applicable regulations.

DPO Contact: privacy@curiousstack.co

You may contact the DPO with any questions about how your personal data is processed, or to exercise your data subject rights.

Section 12

Complaints & Regulatory Authority

If you are not satisfied with how we handle your personal data or respond to your rights request, you have the right to lodge a complaint with the UAE Data Office:

UAE Data Office

Website: www.uaedataoffice.gov.ae

If you are located in the European Union, you may also contact your local EU data protection supervisory authority.

Section 13

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify business customers via email at least 30 days before the change takes effect
  • Notify WhatsApp users via the chatbot for significant changes affecting their rights

Continued use of the service after the effective date of any changes constitutes acceptance of the updated policy.

Version history: v1.0 — April 2026 (initial publication)

Section 14

Contact Us

For any privacy-related questions, requests, or concerns:

Email: privacy@curiousstack.co

Subject line: Privacy Request — [your name or phone last 4 digits]

We aim to acknowledge all requests within 2 business days and resolve them within 30 days.