
Privacy Policy

Effective Date: 28 April 2026 | Version 2.3 | Last Updated: March 2026

1. Who We Are

maivis is operated by Mango Technologies Ltd., a company registered at the Dubai International Financial Centre (DIFC) Innovation Hub, Gate Avenue, Dubai, UAE (Company Number: CL5222). Mango Technologies Ltd. is the Data Controller responsible for your personal data under the DIFC Data Protection Law 2020.

maivis is a Family Wealth Intelligence platform providing personal finance aggregation, Wealth Resilience Index scoring, and insights, accessible at maiviswealth.com and via the maivis WhatsApp service. maivis is not a financial advisory service, investment manager, bank, or regulated financial institution.

Data Controller:
Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE
Privacy Enquiries:
privacy@maiviswealth.com
Data Protection Officer:
dpo@maiviswealth.com
EU Representative (GDPR Art. 27):
To be confirmed. Contact privacy@maiviswealth.com for EU data enquiries.
UK Representative (UK GDPR Art. 27):
To be confirmed. Contact privacy@maiviswealth.com for UK data enquiries.

2. Scope and Applicable Law

This Privacy Policy applies to all members globally. It complies simultaneously with: DIFC Data Protection Law 2020 (as amended by DIFC Laws Amendment Law No. 1 of 2025) as primary; DPDPA 2023 (India) and, until May 2027, the SPDI Rules under IT Act Section 43A; UK GDPR and Data Protection Act 2018; EU GDPR (Regulation 2016/679); CCPA/CPRA (California); and PIPEDA (Canada). Where these regimes impose different requirements, we apply the stricter standard.

3. Data We Collect

3.1 Data Collected Directly From You

Identity Data: name, phone number, WhatsApp number, email address, nationality, country of residence. Financial Asset Data: property values, gold holdings, investment portfolios, cash balances (manually entered). Documents: passport, visa, property deeds, insurance certificates (encrypted on your device via AES-256-GCM before upload; maivis stores only ciphertext). Family Member Data: names, relationships, phone numbers of family members you add (see Section 13).

3.2 Data Collected Indirectly From Third Parties (GDPR Article 14)

We obtain read-only financial data from your bank accounts through: Lean Technologies (UAE banks), Setu/Finvu Account Aggregator (Indian banks, RBI AA framework), and Plaid (US, UK, Canadian banks). This data is obtained after you provide explicit consent during the banking connection flow. Categories: account identifiers, balances, and transaction history. Financial transaction data may inadvertently reveal special category data (political donations, religious tithing, medical payments); we process this on the basis of your explicit consent.

3.3 Usage and Analytics Data

maivis uses two analytics systems: PostHog (self-hosted on GCP) for in-product analytics including feature interactions, screen views, and funnel completion; and Firebase Analytics (GA4) for the maiviswealth.com landing page, tracking page views, scroll depth, and CTA clicks. PostHog data never leaves maivis infrastructure. GA4 data is processed by Google within the EEA with IP anonymisation enabled. Neither system stores personally identifiable information.

4. Legal Basis for Processing

Contractual Necessity (DIFC Art. 10(1)(b), GDPR Art. 6(1)(b)): Account creation, financial data aggregation, net worth calculation, WhatsApp message delivery, core service functionality.

Explicit Consent (DIFC Art. 10(1)(a), GDPR Art. 6(1)(a), DPDPA Section 6): Sensitive financial data, document vault, banking connections, family member data, analytics cookies. Consent is granular, purpose-specific, and withdrawable.

Legitimate Interest (DIFC Art. 10(1)(f), GDPR Art. 6(1)(f)): Anonymised product analytics, fraud prevention, security monitoring. Not applicable to India members (DPDPA does not recognise legitimate interest).

5. How We Use Artificial Intelligence

maivis uses AI services (Google Vertex AI, Anthropic Claude) to generate insights, briefings, and financial summaries. A data minimisation gateway strips all personal information before any data reaches an AI provider: AI services receive only anonymised category percentages and financial trends, never your name, account numbers, addresses, or individual asset details.

AI-generated outputs (insights, score context, briefing summaries) are transient and not permanently stored. The AI Data Gateway ensures compliance with the data minimisation principle under DIFC Article 11, GDPR Article 5(1)(c), and DPDPA Section 6.
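The following is an added illustration of what a data minimisation gateway of the kind described above has to do; it is example code written for this page, not maivis code, and the record layout (memberId, accountId, merchant and so on) and the sample transactions are constructed assumptions. It reduces a member's raw transactions to category shares and month-over-month trends, then gates the outbound payload twice: a key allowlist on the payload schema, and a scan of the serialised payload for any identifier value taken from the input.

```javascript
'use strict';
// Added example (not maivis code): a data-minimisation gateway that reduces a
// member's raw transactions to category shares and trends, then verifies that
// no identifier from the input survives in the payload sent to an AI provider.

// Constructed sample input. Field names are assumptions, not the maivis schema.
const SAMPLE_MEMBER = {
  memberId: 'mem-0042',
  name: 'Example Member',
  phone: '+971500000000',
  email: 'member@example.com',
  accounts: [{ accountId: 'AE070331234567890123456', bank: 'Example Bank' }],
  transactions: [
    { accountId: 'AE070331234567890123456', date: '2026-01-03', amount: 5000, category: 'income', merchant: 'Example Employer' },
    { accountId: 'AE070331234567890123456', date: '2026-01-05', amount: -1000, category: 'housing', merchant: 'Example Landlord' },
    { accountId: 'AE070331234567890123456', date: '2026-01-12', amount: -500, category: 'groceries', merchant: 'Example Market' },
    { accountId: 'AE070331234567890123456', date: '2026-01-20', amount: -250, category: 'medical', merchant: 'Example Clinic' },
    { accountId: 'AE070331234567890123456', date: '2026-02-05', amount: -1000, category: 'housing', merchant: 'Example Landlord' },
    { accountId: 'AE070331234567890123456', date: '2026-02-11', amount: -600, category: 'groceries', merchant: 'Example Market' },
    { accountId: 'AE070331234567890123456', date: '2026-02-18', amount: -400, category: 'medical', merchant: 'Example Clinic' },
  ],
};

// Input fields whose values must never appear in an AI payload.
const IDENTIFIER_FIELDS = new Set(['memberId', 'name', 'phone', 'email', 'accountId', 'merchant', 'bank']);
// The only keys an outbound payload may carry (schema allowlist).
const ALLOWED_PAYLOAD_KEYS = new Set(['period', 'categoryShare', 'categoryTrendPct', 'totalSpendTrendPct']);

const monthOf = (tx) => tx.date.slice(0, 7);
const pct = (part, whole) => (whole === 0 ? 0 : Math.round((part / whole) * 1000) / 10);

// Sum of outgoing amounts per category for one month (credits are ignored).
function spendByCategory(transactions, month) {
  const totals = {};
  for (const tx of transactions) {
    if (monthOf(tx) !== month || tx.amount >= 0) continue;
    totals[tx.category] = (totals[tx.category] || 0) - tx.amount;
  }
  return totals;
}

// Reduce the record to percentages only: no names, identifiers, dates or absolute amounts.
function minimise(member) {
  const months = [...new Set(member.transactions.map(monthOf))].sort();
  const latest = months[months.length - 1];
  const previous = months.length > 1 ? months[months.length - 2] : null;
  const current = spendByCategory(member.transactions, latest);
  const prior = previous ? spendByCategory(member.transactions, previous) : {};
  const sum = (o) => Object.values(o).reduce((a, b) => a + b, 0);
  const total = sum(current);
  const priorTotal = sum(prior);
  const categoryShare = {};
  const categoryTrendPct = {};
  for (const [category, amount] of Object.entries(current)) {
    categoryShare[category] = pct(amount, total);
    if (prior[category]) categoryTrendPct[category] = pct(amount - prior[category], prior[category]);
  }
  return {
    period: latest, // month granularity only
    categoryShare,
    categoryTrendPct,
    totalSpendTrendPct: priorTotal ? pct(total - priorTotal, priorTotal) : null,
  };
}

// Collect every identifier value present anywhere in the input record.
function identifierValues(node, found = []) {
  if (Array.isArray(node)) node.forEach((v) => identifierValues(v, found));
  else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (IDENTIFIER_FIELDS.has(key) && typeof value === 'string') found.push(value);
      else identifierValues(value, found);
    }
  }
  return found;
}

// Gate: schema allowlist, then a value scan of the serialised payload against the input.
function checkPayload(payload, member) {
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_PAYLOAD_KEYS.has(key)) throw new Error(`disallowed payload key: ${key}`);
  }
  const serialised = JSON.stringify(payload);
  for (const value of identifierValues(member)) {
    if (serialised.includes(value)) throw new Error('identifier value leaked into AI payload');
  }
  return payload;
}

function gatewayPayload(member) {
  return checkPayload(minimise(member), member);
}

// Shows the gate catching a payload that smuggles an identifier through an allowed key.
function gateRejectsLeak(member) {
  try {
    checkPayload({ ...minimise(member), period: member.memberId }, member);
    return false;
  } catch {
    return true;
  }
}
```

The value scan is the part worth keeping in a real gateway: a schema allowlist alone cannot catch an identifier that is copied into a permitted field, so the outbound JSON is checked against the actual values of the input record rather than only against field names.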

6. Data Residency and Cross-Border Transfers

All conversation data (chat transcripts, message delivery status, contact preferences) is stored in maivis-controlled infrastructure on GCP. No third-party SaaS platform has access to customer communication data.

6.1 Storage Locations

  • UAE and Middle East: Cloud SQL me-central1 (Doha, Qatar).
  • India: Cloud SQL asia-south1 (Mumbai). Compliant with RBI data localisation.
  • UK, US, Canada: Cloud SQL us-east1 (South Carolina, USA).

6.2 Cross-Border Transfer Mechanisms

  • EU → DIFC: EU SCCs (June 2021, Module 2 C-to-P) + Transfer Impact Assessment.
  • UK → DIFC: UK IDTA or UK Addendum to EU SCCs + Transfer Risk Assessment.
  • DIFC → US: DIFC Standard Contractual Clauses.
  • DIFC → India: DIFC SCCs. DPDPA permits transfers by default (no negative list as of March 2026). RBI data localisation mandates India-only storage for payment system data.
  • UAE onshore → DIFC: Onshore UAE is a "Third Country" under DIFC law. Transfers require DIFC SCCs or Article 27 derogations.

7. Zero-Knowledge Document Vault

Documents are encrypted on your device before upload using AES-256-GCM. The encryption key is derived on your device from your FIDO2/passkey credential via Argon2id (128-bit salt, 3 passes, 64 MB memory) and is never transmitted to our servers. maivis stores only ciphertext and cannot access plaintext under any circumstances, including legal requests. Under GDPR Article 34, CCPA §1798.82, and DIFC Article 42, notification of a breach to individuals may be exempted where the encryption key was not compromised.

8. Third-Party Data Processors

We share data with the following processors, each under documented instructions and a Data Processing Agreement. See DPA Review Checklist v2.2 for detailed per-provider status.

Processor | Purpose | Data Categories | Jurisdiction | DPA Status
Google Cloud Platform | Compute, storage, KMS, DB | All member data (encrypted) | UAE, India, US | GCP DPA (CDPA)
Firebase Auth | Authentication | UID, phone, email | US (Google LLC) | Via GCP DPA
Firebase Analytics (GA4) | Web landing page analytics | Anonymised page views, CTA clicks | EEA (Google) | Via GCP DPA
Stripe | Web payment processing | Name, email, payment | US | Stripe DPA
Meta / WhatsApp | Messaging via Cloud API | Phone, message metadata | US (Meta servers) | WA Business Terms
Lean Technologies | UAE banking aggregation | Bank accounts, transactions | UAE (G42) | Custom DPA
Setu / Finvu AA | India banking (RBI AA) | Bank accounts, UPI data | India | Custom DPA
Plaid | US/UK/CA banking | Bank accounts, transactions | US/UK/CA | Plaid DPA
PostHog (self-hosted) | Product analytics (no PII) | Anonymous usage events | GCP (self-hosted) | N/A (self-hosted)

We do not sell your personal data. For members in the US: we do not "sell" or "share" (as defined under CCPA/CPRA) your personal information. For members who connect via Plaid: Plaid's privacy policy is available at plaid.com/legal.

9. Data Retention

  • Active account data: Lifetime of account + 3 years post-deletion request.
  • Banking access tokens: Purged within 24 hours of disconnection.
  • Deleted account data: Purged within 90 days (except legal retention requirements).
  • Canadian members (FINTRAC): Financial transaction records retained 5 years.
  • Breach records (PIPEDA): Retained 24 months.
  • Anonymised analytics: Retained indefinitely (no PII).

10. Your Rights

10.1 All Members (DIFC DP Law Arts. 31-39)

Access (Art. 31); rectification (Art. 32); erasure (Art. 33); restriction (Art. 34); portability in machine-readable format (Art. 35); objection (Art. 36); objection to automated decision-making (Art. 38); withdrawal of consent (Art. 12(5)); complaint to Commissioner (Art. 60).

10.2 India (DPDPA Sections 11-14)

Access summary (Section 11); correction and erasure (Section 12); grievance redressal (Section 13); nomination right: nominate a person to exercise your rights on death or incapacity (Section 14, unique to Indian law). Response: 7 days per DPDP Rules 2025, Rule 14.

10.3 California (CCPA/CPRA)

Right to know (categories and specific PI collected in 12 months); delete; correct; opt out of sale/sharing (maivis does not sell/share PI); limit use of Sensitive PI (financial data = SPI under §1798.140(ae)). We honour Global Privacy Control (GPC) browser signals automatically.

10.4 EU/UK (GDPR Arts. 15-22)

Access; rectification; erasure; restriction; portability; objection; automated decision-making rights. AI-generated intelligence involves automated processing. You may obtain human intervention, express your viewpoint, and contest automated decisions.

10.5 Response Timelines

Jurisdiction | Response Timeline | Extension
DIFC | 30 days | Extendable with reasons
EU/UK GDPR | 1 month | Extendable by 2 months
India DPDPA | 7 days (DPDP Rule 14) | No extension
CCPA/CPRA | 45 days | Extendable by 45 days
Canada PIPEDA | 30 days | Extendable with notice

11. Data Breach Notification

Internal standard: 72-hour regulator notification with immediate CERT-In escalation for India incidents.

Jurisdiction | Regulator Notification | Individual Notification | Threshold
DIFC | As soon as practicable (72h recommended) | As soon as practicable if high risk | Compromises confidentiality/security/privacy
EU GDPR | 72 hours to lead supervisory authority | Without undue delay if likely high risk | Risk to rights and freedoms
UK GDPR | 72 hours to ICO | Without undue delay if likely high risk | Same as EU GDPR
India DPDPA | 72h to DPB + 6h to CERT-In | Without delay to each individual | No materiality threshold
California | 15 days to AG (if 500+ affected) | Within 30 days of discovery | Unauthorised access to unencrypted PI
Canada PIPEDA | As soon as feasible to OPC | As soon as feasible if RROSH | Real risk of significant harm

12. Automated Decision-Making and AI

maivis uses AI to generate Intelligence outputs: Wealth Resilience Index, portfolio analysis, subscription auditing, daily briefings. Models: Gemini Flash (93%), Claude Sonnet 4.6 (5%), Perplexity Sonar (2%). Under GDPR Article 22 and DIFC Article 38, you may request human review, express your viewpoint, or contest any AI output. Contact privacy@maiviswealth.com. You may request erasure of AI-generated insights and conversation data.

13. Information About Family Members

When you add family members, we inform each via WhatsApp invitation (containing this Privacy Policy link) per GDPR Article 14. Your consent cannot substitute for adult family members' own consent. Each must accept the invitation. For minors: DPDPA requires verifiable parental consent under 18 with identity verification; COPPA threshold is 13 (US); UK/EU GDPR threshold is 13-16. maivis applies the strictest applicable standard.

14. Communications

maivis may communicate with you via WhatsApp (Meta Cloud API), email (via Cloud Functions + Gmail API), Telegram, push notifications, in-app messaging, Instagram direct messages, or Twitter/X direct messages, based on your channel preferences. You may manage preferences at any time via Settings → Notifications.

For WhatsApp: message metadata (phone, delivery status, timestamps) is processed by Meta Platforms, Inc. on US servers, constituting a cross-border transfer covered by DIFC SCCs. Content is not stored beyond a 24-hour processing window. Opt out by replying "STOP" (disables WhatsApp interface).

For other channels: each platform's own data processing terms apply to message delivery metadata. maivis does not store message content on third-party platforms beyond delivery requirements. All communications are archived for regulatory compliance.

WhatsApp-only members are not subject to the Cookie Policy (no browser cookies used).

15. Cookies

maivis uses: Firebase Auth session cookies (strictly necessary); Firebase Analytics GA4 cookies on maiviswealth.com (optional, require consent for EU/UK); PostHog (self-hosted, no cookies, product analytics only); Stripe payment session cookies (functional, checkout only); CSRF protection tokens (strictly necessary). Full details in our Cookie Policy at maiviswealth.com/cookies.

16. Children's Data

maivis is not directed at individuals under 18. No behavioural monitoring or targeted advertising directed at children. See Section 13 for guardian consent requirements.

17. Your Right to Compensation (DIFC)

The DIFC Laws Amendment Law No. 1 of 2025 introduced a private right of action allowing data subjects to bring compensation claims directly in DIFC Courts for financial and non-financial damage, in addition to complaints to the Commissioner.

18. Changes to This Policy

Material changes notified via WhatsApp and email at least 30 days before taking effect. Continued use constitutes acceptance. You may delete your account if you disagree.

19. Contact Us

Privacy Enquiries:
privacy@maiviswealth.com
Data Protection Officer:
dpo@maiviswealth.com
Legal Matters:
legal@maiviswealth.com
Postal:
Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE

Complaints: DIFC Commissioner of Data Protection; Data Protection Board of India; ICO (UK); your EU supervisory authority; California Attorney General; Office of the Privacy Commissioner of Canada.

Privacy Policy v2.3. Mango Technologies Ltd., DIFC CL5222. March 2026.