Compliance — PDPL & GDPR
Effective 17 June 2026
Broker OS is designed to help licensed brokerages meet their obligations under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and the EU General Data Protection Regulation (GDPR).
Controller and processor roles
- You (the brokerage) are the controller of the contacts, leads, deals, and documents you create or import. You decide why and how that data is processed.
- Nelkins Technologies is the processor. We process tenant data only on your documented instructions, to operate the service for you.
- For your own account data (your login, billing), we act as controller.
Lawful basis
- Performance of a contract — to deliver the service you subscribe to.
- Legitimate interests — securing, maintaining, and improving the service, balanced against your rights.
- Consent — for optional marketing communications, which you can withdraw at any time.
- Legal obligation — where law requires retention or disclosure.
Data-subject and data-principal rights
Individuals whose data is processed have the following rights under PDPL and GDPR. Where the data sits in a brokerage's workspace, we support the controller in fulfilling them.
| Right | What it means |
|---|---|
| Access | Get a copy of the personal data we hold about you. |
| Rectification | Correct data that is inaccurate or incomplete. |
| Erasure | Have your data deleted where we have no overriding obligation to keep it. |
| Portability | Receive your data in a structured, machine-readable export. |
| Object / Restrict | Object to or limit certain processing, including marketing. |
| Withdraw consent | Withdraw consent at any time where processing relies on it. |
To exercise a right, email privacy@nelkins-os.xyz. We verify identity before acting and respond within 30 days. Account export and deletion are also available directly from your account settings.
International transfers
Where data is processed outside the UAE or EEA by a sub-processor, transfers are covered by appropriate safeguards (such as Standard Contractual Clauses and equivalent measures). Our sub-processors are listed on the Sub-processors page.
Retention
We retain tenant data for as long as your account is active and then for a limited, documented period to meet legal and audit obligations, after which it is deleted or irreversibly anonymised.
Data Processing Agreement (DPA)
We offer a DPA incorporating GDPR Article 28 processor terms and PDPL obligations, including our sub-processor list and the data-firewall commitment described under Tenant Isolation. Request a copy at privacy@nelkins-os.xyz.