Eyden Privacy Policy

This Policy applies to personal data we process when you: • access or use the Eyden mobile application, web portal, resident app, admin console, or any related application programming interfaces (APIs); • interact with smart-building integrations connected through the Platform (for example access control, intercoms, visitor management, IoT sensors, utility meters, CCTV metadata, or building management systems); • communicate with us by email, telephone, chat, or through in-app messaging; • visit our websites or marketing pages; or • attend our events, demos, or onboarding sessions.

In most cases, we act as a data processor on behalf of the developer, owners' association, or building/community management entity that has contracted with Zylin (the "Customer"). The Customer determines the purposes and means of processing for community-management activities and is the data controller for that processing. For our own business activities (such as account administration, billing, product analytics, security, and direct communications with Users), Zylin acts as the data controller.

We collect the following categories of personal data:

2.1. Identity and Contact Data Full name, Emirates ID number (where required for tenancy or access verification), passport details (for non-residents and visitors where required), date of birth, nationality, photograph, email address, mobile telephone number, postal address, and emergency contact details.

2.2. Unit, Tenancy and Community Data Unit or villa number, tower or community name, ownership or tenancy status, Ejari or title deed reference, move-in and move-out dates, household member details, vehicle registration plates, parking bay assignments, and pet registration information.

2.3. Access, Security and Building-Operations Data Access-card or digital-key identifiers, entry and exit logs, visitor records and pre-authorisations, delivery logs, intercom call metadata, incident reports, maintenance and service requests, complaints, and CCTV-related event metadata (the Platform does not itself store CCTV video footage unless expressly configured by the Customer).

2.4. Financial and Transactional Data Service-charge invoices and payment status, payment-method tokens (full card numbers are handled by PCI-DSS compliant payment processors and are not stored by Zylin), bank account references for refunds, and transaction history relating to community services, bookings, and marketplace purchases.

2.5. Device, Technical and Usage Data IP address, device identifiers, operating system, browser type, application version, language settings, time-zone, log data, crash reports, in-app event data, feature usage, and approximate location derived from IP. Where you grant permission, the Platform may also process precise device location (for example to validate on-site check-ins by service technicians).

2.6. Communications and User-Generated Content Community announcements you post, poll responses, survey answers, ratings and reviews, chat and message content within the Platform, photos and documents you upload (for example to support a maintenance ticket), and feedback you provide to us.

2.7. Sensitive Data We do not seek to collect special categories of personal data. However, biometric identifiers (such as facial templates used by integrated access-control systems) and health-related information (for example accessibility requirements or incident-related medical notes) may be processed where the Customer has enabled such functionality and an appropriate lawful basis exists. Such data is treated with heightened safeguards as required by the UAE Personal Data Protection Law.

We collect personal data: • directly from you when you register, complete your profile, submit a request, or communicate with us; • from the Customer (developer, owners' association, or management company) that onboards you onto the Platform; • from integrated third-party systems authorised by the Customer (for example access-control hardware, payment gateways, Ejari or title-deed verification services, government identity-verification services, and IoT devices); and • automatically through your use of the Platform, by means of cookies, SDKs, and similar technologies.

We process personal data for the following purposes and on the following legal bases under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") and, where applicable, other data-protection laws: • Provision of the Platform and community-management services — performance of a contract to which you are a party, or processing necessary to take steps at your request prior to entering into a contract; alternatively, the legitimate interests of the Customer in administering the building or community. • Identity verification, access control and security of premises — compliance with legal obligations applicable to the Customer (including tenancy, security and civil-defence requirements) and the legitimate interests of the Customer in safeguarding persons and property. • Billing, collection of service charges and financial reconciliation — performance of a contract and compliance with applicable accounting, tax and anti-money-laundering laws. • Customer support, ticketing and complaints handling — performance of a contract and our legitimate interests in operating the Platform. • Product improvement, analytics, research and development — our legitimate interests in maintaining and improving the Platform, using aggregated or pseudonymised data wherever practicable. • Security, fraud prevention and abuse detection — our legitimate interests and compliance with legal obligations. • Marketing communications about Eyden products and features — your consent, which you may withdraw at any time. • Compliance with legal, regulatory or governmental requests — compliance with legal obligations.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

We disclose personal data only as necessary and to the following categories of recipients: • The Customer that engaged Zylin to deploy the Platform at your building or community, and its authorised personnel (for example board members of an owners' association, building managers, security supervisors, and accountants). • Other Users of the same building or community, but only to the extent necessary for community functions (for example a visitor pre-authorisation will be visible to security staff at the gate). • Service providers and sub-processors that support the Platform, including cloud hosting providers, communications providers (SMS, email, push notifications), payment processors, identity-verification providers, analytics providers, and customer-support tooling. A current list of material sub-processors is available on request. • Integrated systems and devices that the Customer has chosen to connect to the Platform (for example access-control, intercom, parking, and IoT systems). • Professional advisers, auditors, insurers, and potential acquirers in the context of corporate transactions, subject to appropriate confidentiality obligations. • Government authorities, regulators, courts, and law-enforcement agencies where disclosure is required by applicable law or to protect the rights, property, or safety of any person.

We do not sell personal data.

Personal data processed through the Platform is primarily hosted in data centres located in the United Arab Emirates. Where personal data is transferred outside the UAE (for example to sub-processors in other jurisdictions), we will only transfer it to a country that provides an adequate level of protection as recognised under the UAE PDPL, or, where no such adequacy applies, on the basis of appropriate safeguards such as standard contractual clauses, binding corporate rules, your explicit consent, or another lawful transfer mechanism permitted by Article 23 of the UAE PDPL.

We retain personal data only for as long as is necessary for the purposes set out in this Policy, including: • for the duration of your relationship with the Customer (for example while you are a registered owner, tenant, or authorised User); • for any period required by applicable law (for example tenancy, accounting, tax, and security record-keeping requirements); • for the period reasonably required to defend or pursue legal claims; and • for the period specified in our agreement with the Customer.

When personal data is no longer required, we will securely delete, destroy, or anonymise it. Specific retention schedules are available on request and may be configured by the Customer for data within its instance of the Platform.

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful access, loss, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, role-based access controls, multi-factor authentication for administrative access, network segregation, vulnerability management, secure software-development practices, logging and monitoring, regular backups, sub-processor due diligence, and personnel confidentiality obligations and training.

In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify the UAE Data Office and affected individuals as required by the UAE PDPL and its Executive Regulations.

Subject to the UAE PDPL and any other applicable data-protection law, you have the following rights in relation to your personal data: • the right to be informed of the processing; • the right to access your personal data and obtain a copy; • the right to request correction of inaccurate or incomplete data; • the right to request deletion of your personal data; • the right to restrict or object to certain processing, including processing for direct marketing; • the right to data portability in a structured, commonly used, machine-readable format; • the right to withdraw consent at any time where processing is based on consent; • the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where applicable; and • the right to lodge a complaint with the UAE Data Office.

Where Zylin processes your personal data on behalf of a Customer, we may direct your request to that Customer and assist them in responding. We will respond to verifiable requests within the timeframes required by applicable law.

The Platform is intended for use by adults (18 years of age or over). Where a Customer enables features involving minors (for example registering a child as a household member or recording a child's access pass), such data is provided and managed by the parent, legal guardian, or the Customer under their own legal basis. We do not knowingly collect personal data directly from children for our own purposes.

Our websites and the Platform use cookies, software development kits (SDKs), and similar technologies to operate the service, remember your preferences, analyse usage, and improve performance. You can manage cookie preferences through your browser settings or, where available, through an in-app cookie or privacy control. Disabling certain cookies may affect Platform functionality.

For full details on the categories of cookies we use, retention periods, and how to manage your preferences, please see our Cookie Policy at /cookies.

The Platform may contain links to, or integrations with, third-party websites and services (for example payment gateways, government services, marketplaces, and IoT vendors). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third-party service you use.

Eyden may use automated processing for routine operational purposes (for example automated routing of maintenance tickets, anomaly detection in IoT data, or fraud-detection signals). We do not use automated decision-making that produces legal or similarly significant effects on you without appropriate human review or another lawful basis.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated Policy will be posted on the Platform and the "Last Updated" date will be revised. Where changes are material, we will provide additional notice (for example by email or in-app notification) before the changes take effect.

If you have any questions, concerns, or requests regarding this Policy or our processing of your personal data, please contact:

ZYLIN TECHNOLOGIES DMCC Attention: Data Protection Officer DMCC, Dubai, United Arab Emirates Email: info@zylintech.com Telephone: +971 55 803 7188

If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office (https://www.tdra.gov.ae/) or any other competent supervisory authority.