Privacy Policy

Effective date: 9 April 2026 · Last updated: 9 April 2026
Applies to: aerlou.com and all Aerlou products and services

1. Who We Are

Aerlou is an AI-powered productivity and sales copilot for real estate professionals, operated through aerlou.com. Our registered place of business is in the United Arab Emirates. For all privacy-related enquiries, contact us at:

• Email: privacy@aerlou.com
• Website: aerlou.com

2. Legal Framework

Aerlou processes personal data in compliance with the following applicable laws and regulations:

• UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) — the primary data protection law of the United Arab Emirates.
• UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021) — governing unlawful access and misuse of data and electronic systems.
• Dubai International Financial Centre (DIFC) Data Protection Law 2020 — where applicable to users operating within DIFC jurisdiction.
• Meta WhatsApp Business Platform Policies — governing our use of the WhatsApp Business API as an authorised integration partner.
• Where users are located in or interact with individuals from the European Economic Area, we additionally observe the principles of the General Data Protection Regulation (GDPR) as a matter of best practice.

3. What Data We Collect

3.1 Data You Provide Directly

• Full name, email address, and phone number provided during account registration
• Professional details including agency name, RERA broker number, and role
• Payment information (processed via our payment provider; we do not store raw card data)
• Communications you send to Aerlou through WhatsApp, email, or our web dashboard
• Voice notes submitted to the platform (transcribed and processed; original audio may be retained for quality assurance for up to 30 days)
• Documents you upload or forward to the platform (PDFs, images, contracts, payment plans)

3.2 Contact and Lead Data You Input

• Names, phone numbers, email addresses, and notes relating to your clients, leads, and contacts that you provide to Aerlou for the purpose of follow-up management and pipeline organisation
• Conversation history and context that you share with Aerlou about those contacts
• Property preferences, budgets, viewing notes, and deal stage information relating to your clients

3.3 Data Generated Through Use

• Usage logs, interaction timestamps, feature access patterns, and session data
• Device type, operating system, browser type, and IP address
• WhatsApp message metadata (message timestamps, delivery status) processed via the WhatsApp Business API
• AI interaction transcripts and task execution logs for the purpose of quality, safety, and service improvement

3.4 Data From Integrations

If you connect third-party services (including PropSpace, Bitrix24, Google Calendar, or email accounts), we access only the data necessary to fulfil the integration function you have requested. We do not access or store data beyond the scope of the connected integration.

4. How We Use Your Data

We do not use your personal data or your contacts' data to train third-party AI models. We do not sell, rent, or share personal data with advertisers or data brokers.

5. AI Processing and Data Use

Aerlou uses large language models (LLMs) from third-party AI providers to generate responses and execute tasks. The following applies to all AI processing:

• Your messages, voice notes, and documents are transmitted to LLM providers under data processing agreements that prohibit those providers from using your data to train their models.
• We use a hybrid routing model in which different tasks may be processed by different AI providers based on task complexity. All providers are bound by equivalent data protection commitments.
• We apply prompt caching, which stores non-sensitive system context (such as UAE market knowledge) to reduce latency and cost. Cached content does not include your personal data or contact data.
• AI-generated outputs are provided as informational assistance. You retain full responsibility for reviewing and approving any action taken on the basis of AI outputs, particularly actions that affect your clients or third parties.

6. WhatsApp and Meta Data Handling

Aerlou integrates with the WhatsApp Business API operated by Meta Platforms Ireland Limited. The following applies:

• We are an independent controller of personal data processed through our WhatsApp integration. We are not an agent of Meta in respect of that data.
• WhatsApp message content processed through the Business API is subject to Meta's Business Messaging Terms in addition to this Privacy Policy.
• WhatsApp messages sent on your behalf by Aerlou use pre-approved message templates for outbound communications outside the 24-hour service window, in compliance with Meta's policies.
• We do not store WhatsApp message content beyond the period necessary to provide the service, subject to the retention periods set out in Section 10 below.
• End-to-end encryption applies to messages between users on the standard WhatsApp personal platform but does not apply to WhatsApp Business API communications, which are processed in decrypted form by our systems to enable AI functionality. You should make your clients aware of this if relevant.

7. Agency Accounts and Multi-User Data

Where you use Aerlou under an Agency tier account, the following additional terms apply:

• The agency account administrator (the "Agency Admin") has access to aggregated performance metrics, lead overlap detection reports, and pipeline analytics across all seats under the account.
• The Agency Admin does not have access to the full content of individual broker conversations with Aerlou or the full text of client communications unless a specific data export has been requested and approved.
• Individual broker personal WhatsApp conversations with clients remain private to that broker. What surfaces to the Agency Admin is structured metadata: contact count, last interaction date, pipeline stage, and follow-up compliance status.
• Where a broker's seat is removed from the account, their contact history and pipeline data is retained within the agency account in accordance with the lead inheritance feature. Individual brokers may request a copy of their own data in accordance with Section 11 before their account is closed.
• The Agency Admin is a co-controller in respect of data processed through the Agency tier. The agency accepts data controller responsibilities for ensuring that its brokers have appropriate consent to process client data through the platform.

8. Data Sharing and Third Parties

We share personal data only in the following circumstances:

8.1 Service Providers (Processors)

We share data with third-party service providers who assist us in operating the platform. All providers are bound by data processing agreements and are permitted to use data only for the specific purpose for which it was shared. These include:

• Cloud infrastructure and hosting providers
• AI model providers (for language model inference)
• WhatsApp Business Solution Provider (BSP)
• Payment processing providers
• Customer support and communications tools
• Analytics and error monitoring services

8.2 CRM and Integration Partners

Where you have authorised a third-party integration (such as PropSpace or Bitrix24), we transmit the data required to fulfil that integration on your instruction. You should review the privacy policies of any third-party platforms you connect.

8.3 Legal Obligations

We may disclose personal data to government authorities, regulators, or law enforcement where we are legally required to do so under UAE law or applicable international obligations. We will notify you of any such disclosure where legally permitted to do so.

8.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify users prior to such a transfer taking effect and ensure that the receiving entity is bound by equivalent data protection obligations.

9. International Data Transfers

Aerlou's primary infrastructure is hosted within cloud data centres. Data may be processed outside the UAE where our AI providers or infrastructure partners operate data centres in other jurisdictions, including the European Union and the United States. Where such transfers occur, we ensure they are conducted under appropriate safeguards, including standard contractual clauses or equivalent mechanisms recognised under the UAE PDPL.

10. Data Retention

Following the applicable retention period, data is securely deleted or anonymised. Anonymised or aggregated data that cannot be used to identify any individual may be retained indefinitely for product analytics purposes.

11. Your Rights

Under the UAE PDPL and applicable data protection law, you have the following rights in respect of your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to correction: Request that inaccurate or incomplete data be corrected.
• Right to deletion: Request deletion of your personal data, subject to legal retention obligations.
• Right to portability: Request your data in a structured, machine-readable format where technically feasible.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@aerlou.com. We will respond within 30 days. We may require verification of your identity before fulfilling a request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

12. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 or equivalent
• Role-based access controls limiting internal access to personal data
• Regular security assessments and vulnerability testing
• Multi-factor authentication for all administrative system access
• Incident response procedures and breach notification protocols

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authority, within the timeframes prescribed by applicable law.

13. Cookies and Tracking

Our website at aerlou.com uses cookies and similar technologies for the following purposes:

• Strictly necessary cookies: Required for the website and platform to function. Cannot be disabled.
• Performance cookies: Help us understand how users interact with our website (anonymous analytics). You may opt out.
• Functional cookies: Remember your preferences and settings. You may opt out.

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings or our cookie preference centre on the website.

14. Children

Aerlou is a professional platform intended for use by individuals aged 18 and over. We do not knowingly collect personal data from persons under the age of 18. If we become aware that a minor has provided personal data, we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify registered users of material changes by email or through the platform at least 14 days before the changes take effect. The updated policy will be published at aerlou.com/privacy with the revised effective date. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

16. Contact and Complaints

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, contact us at privacy@aerlou.com.

If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office (dataoffice.ae) or the relevant supervisory authority in your jurisdiction.