Privacy Policy

maivis is operated by Mango Technologies Ltd., a company registered at the Dubai International Financial Centre (DIFC) Innovation Hub, Gate Avenue, Dubai, UAE (Company Number: CL5222). Mango Technologies Ltd. is the Data Controller responsible for your personal data under the DIFC Data Protection Law 2020.

maivis is a Family Wealth Intelligence platform providing personal finance aggregation, Family Resilience Score (FRS) scoring, and intelligence, accessible at maiviswealth.com. maivis is not a financial advisory service, investment manager, bank, or regulated financial institution.

Data Controller:

Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE

Privacy Enquiries:

privacy@maiviswealth.com

Data Protection Officer:

dpo@maiviswealth.com. Our Data Protection Officer can be contacted directly by data subjects and supervisory authorities.

EU Representative (GDPR Art. 27):

For EU/EEA residents, contact: legal@maiviswealth.com. Mango Technologies Ltd. is in the process of appointing a natural person established in an EU member state as required by GDPR Art. 27. In the interim, enquiries are handled by our legal team. Response within 72 hours.

UK Representative (UK GDPR Art. 27):

For UK residents, contact: legal@maiviswealth.com. Response within 72 hours.

Legal General:

legal@maiviswealth.com

This Privacy Policy applies to all members globally. It complies simultaneously with: DIFC Data Protection Law 2020 (as amended by DIFC Laws Amendment Law No. 1 of 2025) as primary; the Digital Personal Data Protection Act 2023 (India, DPDP Act) and, until May 2027, the SPDI Rules under IT Act Section 43A; UK GDPR and Data Protection Act 2018; EU GDPR (Regulation 2016/679); CCPA/CPRA (California); and PIPEDA (Canada). Where these regimes impose different requirements, we apply the stricter standard.

India (DPDP Act 2023): For users who are Indian citizens or whose data is processed in India, we comply with the Digital Personal Data Protection Act 2023. As a Data Fiduciary, we collect and process personal data only for specified lawful purposes with your consent. You have the right to access, correct, and erase your personal data, and to nominate a representative for data-related matters.

3.1 Data Collected Directly From You

Identity Data: name, date of birth, phone number, email address, nationality, country of residence. We collect your date of birth to provide age-appropriate allocation education (for example, illustrating how a suitable mix commonly shifts with time horizon). It is not used for advertising or profiling. Financial Asset Data: property values, gold holdings, investment portfolios, cash balances (manually entered). Documents: passport, visa, property deeds, insurance certificates (encrypted on your device via AES-256-GCMbefore upload; maivis stores only ciphertext). Family Member Data: names, relationships, phone numbers of family members you add (see Section 12). Entity Ownership Data: names and types of legal entities (trusts, holding companies, SPVs, foundations, partnerships) and asset ownership percentages linked to them.

3.2 Data Collected Indirectly From Third Parties (GDPR Article 14)

We obtain read-only financial data from your bank accounts through: Lean Technologies (UAE banks) and Plaid (US, UK, Canadian banks). This data is obtained after you provide explicit consent during the banking connection flow. Categories: account identifiers, balances, and transaction history. Financial transaction data may inadvertently reveal special category data (political donations, religious tithing, medical payments); we process this on the basis of your explicit consent.

3.3 Closed Beta and Demo Showcase

maivis is offered on a single plan. During the closed beta it is free for the first three months, after which it continues as a paid subscription. The processing described in this Policy applies to all registered accounts, whether in the free beta period or paid. The public demo at maiviswealth.com/demo is an anonymized product showcase built on fictional family data. It requires no registration and collects no personal data beyond the analytics described in Section 3.4.

3.4 Usage and Analytics Data

maivis uses two analytics systems: PostHog (self-hosted on GCP) for in-product analytics including feature interactions, screen views, and funnel completion; and Firebase Analytics (GA4) for the maiviswealth.com landing page, tracking page views, scroll depth, and CTA clicks. PostHog data never leaves maivis infrastructure. GA4 data is processed by Google within the EEA with IP anonymisation enabled. Neither system stores personally identifiable information.

Contractual Necessity (DIFC Art. 10(1)(b), GDPR Art. 6(1)(b)): Account creation, financial data aggregation, net worth calculation, core service functionality.

Explicit Consent (DIFC Art. 10(1)(a), GDPR Art. 6(1)(a), DPDPA Section 6): Sensitive financial data, document vault, banking connections, family member data, analytics cookies. Consent is specific-purpose, and withdrawable.

Legitimate Interest (DIFC Art. 10(1)(f), GDPR Art. 6(1)(f)): Anonymized product analytics, fraud prevention, security monitoring. Not applicable to India members (DPDPA does not recognize legitimate interest).

maivis performs automated analysis of your financial data to provide educational insights. We use AI services (Google Gemini Enterprise Agent Platform with Gemini Flash, Anthropic Claude via Google Cloud Model Garden, and Google Search Grounding for real-time market context) to generate intelligence, briefings, portfolio analysis, financial summaries, allocation guidance, expert-model comparison, fee analytics, document intelligence, debt and recovery analysis, portfolio signals, scenario modelling, tax-loss harvesting alerts, currency hedging analysis, lifestyle benchmarks, and private market valuations. These outputs are general educational information, not personal financial advice or a recommendation to transact in any specific product. We employ a Privacy Gateway that strips all personally identifiable information before any data reaches AI providers. AI services receive your financial values (asset holdings, property values, spending amounts, jurisdictions) because meaningful analysis requires them. AI services never receive your name, email, phone number, account numbers, passport numbers, government IDs, or any other personal identifier.

In practice: AI sees “$2.3M in real estate across UAE and India” but never “[Name], Emirates NBD account 4521.” Every AI call is logged to an audit trail recording provider, data scope, token count, and PII redaction count.

The Gemini Enterprise Agent Platform operates under contractual Zero Data Retention (ZDR). Under our agreement with Google, your data is processed but not stored or used for training by Google's AI systems. This is a contractual commitment, not a technical impossibility; data transits Google infrastructure for processing. Anthropic Claude is accessed via Google Cloud Model Garden under the same ZDR terms. No Anthropic API key is used. No data is sent directly to Anthropic. Google Search Grounding receives only generic market queries (e.g. “wealth management considerations for families with assets in UAE and India”) with no family-specific financial data. The AI Data Gateway ensures compliance with the data minimisation principle under DIFC Article 11, GDPR Article 5(1)(c), and DPDPA Section 6.

6.1 Storage Locations

• UAE and Middle East: Cloud SQL Google Cloud (Doha, Qatar).
• India: Cloud SQL asia-south1 (Mumbai). Compliant with RBI data localisation.
• UK, US, Canada: Cloud SQL us-east1 (South Carolina, USA).

6.2 Cross-Border Transfer Mechanisms

• EU → DIFC: EU SCCs (June 2021, Module 2 C-to-P) + Transfer Impact Assessment.
• UK → DIFC: UK IDTA or UK Addendum to EU SCCs + Transfer Risk Assessment.
• DIFC → US: DIFC Standard Contractual Clauses.
• DIFC → India: DIFC SCCs. DPDPA permits transfers by default (no negative list as of March 2026). RBI data localisation mandates India-only storage for payment system data.
• UAE onshore → DIFC: Onshore UAE is a "Third Country" under DIFC law. Transfers require DIFC SCCs or Article 27 derogations.

6.3 Data Residency & Jurisdiction

Your stored personal data (account records, financial values, encrypted documents, database records, and backups) is held on Google Cloud regional infrastructure. Primary storage for UAE and Middle East members is Google Cloud region me-central1 (Doha, Qatar). Storage for India members is Google Cloud region asia-south1 (Mumbai), consistent with RBI data localisation. We do not transfer your stored personal data outside these regions to a different jurisdiction without your consent or another lawful transfer mechanism described in Section 6.2.

AI processing is a distinct activity from storage. Our AI workloads run on the Google Gemini Enterprise Agent Platform. For technical processing, generated requests may transit Google compute regions in the US and EU. This processing operates under contractual Zero Data Retention: your data is processed but is not stored or used to train Google's models in any region. Only de-identified financial values reach the AI platform. Your name, email, phone number, account numbers, and government identifiers are stripped by our Privacy Gateway before any AI call, as described in Section 5.

Storage and processing of your data are governed primarily by the DIFC Data Protection Law 2020. For Indian members, processing in India is additionally governed by the Digital Personal Data Protection Act 2023. Where these regimes impose different requirements, we apply the stricter standard, as stated in Section 2.

Documents are encrypted on your device using AES-256-GCM before upload. The document encryption key (DEK) is hardware-wrapped by Google Cloud KMS (Google Cloud, FIPS 140-2s) and stored alongside the ciphertext. The plaintext DEK is never persisted to disk or database. It exists only transiently in server memory during the wrap/unwrap operation. We store ciphertext plus a wrapped DEK; we cannot decrypt your files without an authenticated KMS unwrap request. Every decrypt event is logged in a Merkle-anchored audit trail.

We share data with the following processors, each under documented instructions and a Data Processing Agreement. See DPA v2.2 for detailed per-provider status.

We do not sell your personal data. For members in the US: we do not "sell" or "share" (as defined under CCPA/CPRA) your personal information. For members who connect via Plaid: Plaid's privacy policy is available at plaid.com/legal.

• Active account data: Lifetime of account + 3 years post-deletion request.
• Banking access tokens: Purged within 24 hours of disconnection.
• Deleted account data: A deletion request opens a 30-day grace period (cancellable during that window); data is then permanently purged, except where law requires longer retention.
• Canadian members (FINTRAC): Financial transaction records retained 5 years.
• Breach records (PIPEDA): Retained 24 months.
• Anonymized analytics: Retained indefinitely (no PII).

10.1 All Members (DIFC DP Law Arts. 31-39)

Access (Art. 31); rectification (Art. 32); erasure (Art. 33); restriction (Art. 34); portability in machine-readable format (Art. 35); objection (Art. 36); objection to automated decision-making (Art. 38); withdrawal of consent (Art. 12(5)); complaint to Commissioner (Art. 60).

10.2 India (DPDPA Sections 11-14)

Access summary (Section 11); correction and erasure (Section 12); grievance redressal (Section 13); nomination right: nominate a person to exercise your rights on death or incapacity (Section 14, unique to Indian law). Response: 7 days per DPDP Rules 2025, Rule 14.

10.3 California (CCPA/CPRA)

Right to know (categories and specific PI collected in 12 months); delete; correct; opt out of sale/sharing (maivis does not sell/share PI); limit use of Sensitive PI (financial data = SPI under §1798.140(ae)). We honor Global Privacy Control (GPC) browser signals automatically.

10.4 EU/UK (GDPR Arts. 15-22)

Access; rectification; erasure; restriction; portability; objection; automated decision-making rights. AI-generated intelligence involves automated processing. You may obtain human intervention, express your viewpoint, and contest automated decisions.

10.5 Response Timelines

In the event of a personal data breach, we will notify affected users and relevant supervisory authorities (including the DIFC Commissioner of Data Protection) within 72 hours of becoming aware of the breach, in accordance with DIFC DPL 2020, GDPR Article 33, and applicable data protection laws. We will also notify you directly if the breach is likely to result in a high risk to your rights and freedoms.

Internal standard: 72-hour regulator notification with immediate CERT-In escalation for India incidents.

maivis uses AI to generate Intelligence: Family Resilience Score (FRS), asset analysis, subscription auditing, daily briefings. Models used: Gemini Flash (primary, ~93% of requests), Claude Sonnet via Google Cloud Model Garden (~5%), Google Search Grounding for real-time market data (~2%, generic market queries only, no personal data transferred). All AI processing routes through the Gemini Enterprise Agent Platform under Google's Zero Data Retention terms. Under GDPR Article 22 and DIFC Article 38, you may request human review, express your viewpoint, or contest any AI output. Contact privacy@maiviswealth.com.

When you add family members, we inform each via email invitation (containing this Privacy Policy link) per GDPR Article 14. Your consent cannot substitute for adult family members' own consent. Each must accept the invitation. For minors: we require confirmation from the account holder that appropriate parental or guardian consent has been obtained before adding any family member under 18. We do not independently verify this consent but reserve the right to remove accounts where this requirement has not been met. COPPA threshold is 13 (US); UK/EU GDPR threshold is 13-16. maivis applies the strictest applicable standard.

maivis may communicate with you via email (via Gmail API), push notifications, and in-app messaging, based on your channel preferences. You may manage preferences at any time via Settings → Notifications.

Each platform's own data processing terms apply to message delivery metadata. maivis does not store message content on third-party platforms beyond delivery requirements. All communications are archived for regulatory compliance.

maivis uses: Firebase Auth session cookies (strictly necessary); Firebase Analytics GA4 cookies on maiviswealth.com (optional, require consent for EU/UK); PostHog (self-hosted, no cookies, product analytics only); Stripe payment session cookies (functional, checkout only); CSRF protection tokens (strictly necessary). Full details in our Cookie Policy at maiviswealth.com/legal/cookie-policy.

maivis is not directed at individuals under 18. No behavioral monitoring or targeted advertising directed at children. See Section 13 for guardian consent requirements.

The DIFC Laws Amendment Law No. 1 of 2025 introduced a private right of action allowing data subjects to bring compensation claims directly in DIFC Courts for financial and non-financial damage, in addition to complaints to the Commissioner.

maivis does not collect government-issued identity documents for identity verification (KYC) as part of account registration. Documents uploaded to the Vault (such as passports, visas, or ID cards) are stored encrypted for your own record-keeping purposes and are not used for KYC verification. Users are responsible for ensuring their use of the platform complies with applicable anti-money-laundering and tax reporting obligations in their jurisdictions. maivis is not an identity verification service and does not substitute for KYC processes required by regulated financial institutions.

Material changes notified via email at least 30 days before taking effect. Continued use constitutes acceptance. You may delete your account if you disagree.

Privacy Enquiries:

privacy@maiviswealth.com

Data Protection Officer:

dpo@maiviswealth.com

Legal Matters:

legal@maiviswealth.com

Postal:

Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE

Complaints: DIFC Commissioner of Data Protection; Data Protection Board of India; ICO (UK); your EU supervisory authority; California Attorney General; Office of the Privacy Commissioner of Canada.