Privacy Policy
Effective Date: 25 February 2026 · Last Updated: 25 February 2026
1. Who We Are
Polly Technologies FZ-LLC ("Message Polly", "we", "us", "our") operates an AI-powered platform that helps businesses optimise WhatsApp Business messaging and digital advertising performance. This Policy applies to our website at messagepolly.com (the "Site") and our platform and services (the "Platform").
We comply with applicable data protection laws based on where you are located, including:
- UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law, "PDPL")
- DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020), where applicable
- EU General Data Protection Regulation ("GDPR")
- UK General Data Protection Regulation ("UK GDPR")
- Singapore Personal Data Protection Act 2012 ("PDPA")
- KSA Personal Data Protection Law ("Saudi PDPL")
- Turkish Law No. 6698 on the Protection of Personal Data ("KVKK")
Our EU/EEA and UK Article 27 representative details are available upon request at privacy@messagepolly.com.
2. Our Two Roles
When we act as a controller — for website visitors, prospects, and our own client contacts — we determine how and why personal data is processed. This Policy applies directly to you.
When we act as a processor — when our Platform processes data on behalf of a business client ("Client") — we act solely on that Client's instructions. The Client is the controller and is responsible for their own privacy obligations to their customers ("End Users"). If you are an End User and wish to exercise your rights, contact the relevant Client directly. We will support Clients in responding to such requests.
3. Data We Collect
As Controller
Website visitors and prospects: name, email address, phone number, company name, and job title submitted via forms or correspondence; and automatically collected data including IP address, browser type, pages visited, session duration, and referral source.
Clients: business contact and billing details; account configuration settings necessary to operate the Platform; and account activity and security logs.
As Processor (on behalf of Clients)
- WhatsApp messaging data: phone numbers, message content, delivery and read status, opt-in and opt-out records. We process this data on the basis of consent obtained and documented by the Client. We maintain records of Client's warranties regarding valid opt-in. Where an End User's opt-out request is received directly by Message Polly, we will forward it to the relevant Client for immediate action.
- Advertising and conversion data: campaign performance metrics, conversion events, and audience signals transmitted to Meta's APIs via our first-party measurement infrastructure deployed on Client domains. Where our infrastructure transmits hashed personal data (such as hashed email addresses or phone numbers) to Meta's Conversions API for matching purposes, this transmission occurs only under Client's instruction and is subject to Client's legal basis for such processing.
- Customer contact lists: data uploaded or synced by Clients for audience creation and campaign targeting.
We do not use End User data for any purpose beyond providing the Platform to the Client. We do not use WhatsApp Business Solution Data to train AI models.
4. How We Use Data
As Controller
GDPR / UK GDPR — Legal Bases
| Purpose | Legal Basis |
|---|---|
| Operating and improving the Platform | Performance of contract; legitimate interests |
| Responding to enquiries and demo requests | Pre-contractual steps; legitimate interests |
| Billing and account management | Performance of contract; legal obligation |
| Security monitoring and fraud prevention | Legitimate interests |
| Marketing to business contacts | Legitimate interests (with right to opt out) |
| Legal and regulatory compliance | Legal obligation |
UAE Data Subjects — Legal Bases
Where you are a data subject located in the United Arab Emirates, our processing of your personal data is based on the following lawful grounds under UAE PDPL (Federal Decree-Law No. 45 of 2021): performance of a contract to which you are party or steps taken at your request prior to entering into a contract; compliance with a legal obligation to which we are subject; or your explicit consent, which we will request separately where required. Where UAE law requires explicit consent as the basis for a processing activity, we will obtain it before commencing that processing. We do not rely on legitimate interests as a standalone lawful basis for processing personal data of UAE-resident data subjects where such basis is not recognised under UAE PDPL.
Turkish Data Subjects — Legal Bases
Where you are a data subject located in Turkey, our processing of your personal data is based on the lawful grounds set out in KVKK Articles 5 and 6: performance of a contract; compliance with a legal obligation; your explicit consent; or the legitimate interests of the data controller, where such basis is recognised and balanced against your rights. Processing activities for Turkish data subjects are disclosed in our KVKK Clarification Text (Aydınlatma Metni) in Section 15 of this Policy.
Singapore Data Subjects — Legal Bases
Where you are a data subject located in Singapore, our processing of your personal data is based on consent, contractual necessity, or other grounds recognised under the Singapore PDPA, as applicable to each processing purpose.
As Processor
We process End User data strictly as instructed by the relevant Client under our Data Processing Agreement ("DPA"). Purposes include WhatsApp message delivery, Meta advertising campaign management, conversion measurement, and advertising performance optimisation.
5. First-Party Measurement
We offer Clients an optional first-party measurement technology that, when installed, captures conversion and behavioural signals on the Client's website and transmits those signals to Meta's APIs (including via Meta's Conversions API). This technology operates under the Client's own domain.
Joint controller analysis: We have assessed whether the first-party measurement technology creates a joint controller relationship under GDPR Article 26 (consistent with the CJEU's Fashion ID judgment). Where Message Polly co-determines the purposes or means of data collection through the configuration of event types or data fields transmitted to Meta, we will execute a GDPR Article 26 joint controller agreement with the relevant Client prior to deployment. Where Message Polly operates as a pure processor executing only the Client's instructions, the standard DPA governs. Clients may request confirmation of the applicable legal structure for their specific deployment from privacy@messagepolly.com.
Clients who deploy this technology are responsible for ensuring valid legal bases, appropriate cookie consent mechanisms, and privacy disclosures to their End Users, including disclosure that conversion signal data is transmitted to Meta Platforms and processed subject to Meta's Privacy Policy.
6. AI-Powered Processing
Our Platform uses Polly, our proprietary AI, to automate and optimise advertising campaigns and messaging workflows on behalf of Clients. This includes automated processing relating to audience targeting, budget allocation, and message scheduling.
Polly is powered by cloud-based AI infrastructure. Our AI infrastructure providers are contractually prohibited from using data processed through our Platform to train or improve their own models. We do not use WhatsApp Business Solution Data to train or improve any AI model.
Where automated processing produces decisions with meaningful effects on End Users, the relevant Client is responsible for ensuring appropriate legal bases, disclosures, and human oversight. End Users may contact the relevant Client to request human review.
7. Data Sharing
We do not sell personal data.
- Subprocessors: We engage vetted third-party providers for cloud infrastructure, AI processing, payments, and operations. All Subprocessors are contractually bound to data protection standards no less protective than this Policy. A current named Subprocessor list, including data processing regions, is available to Clients on written request at privacy@messagepolly.com.
- Meta Platforms: Our Platform transmits data to Meta via its APIs. Such transmission is governed by Meta's Platform Terms and the relevant Client's own agreement with Meta. As a Tech Provider under Meta's Platform Terms, we are required to maintain a list of our Clients and may be required to provide Client contact information to Meta as part of Meta's audit and compliance processes. Clients consent to this disclosure as part of the Terms of Service.
- Legal requirements: We disclose data where required by applicable law, court order, or regulatory authority.
- Business transfers: In the event of a merger, acquisition, or asset sale, personal data may transfer as part of that transaction. Affected parties will be notified as required by applicable law.
8. International Transfers
We operate across the UAE, Singapore, Turkey, and KSA. Personal data may be transferred to and processed in jurisdictions outside your country of residence.
We apply appropriate safeguards to all cross-border transfers:
- GDPR/UK GDPR: Standard Contractual Clauses (EU SCCs, Module 2) and UK IDTA as applicable.
- UAE PDPL: Appropriate contractual safeguards pending publication of adequacy decisions by the UAE Data Office.
- KSA PDPL: Explicit data subject consent or other mechanisms approved by the Saudi NDMO.
- Singapore PDPA: Binding contractual protections to a standard comparable to the PDPA, incorporating PDPC model contractual clauses where required.
- KVKK: KVKK Board-approved standard contractual clauses or explicit data subject consent, as described in Section 15.
Details of the transfer mechanism applicable to your data are available upon request at privacy@messagepolly.com.
9. Cookies and Tracking Technologies
On your first visit to the Site, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You may withdraw or update your consent at any time by clicking the cookie preferences link in the footer of the Site.
Strictly necessary cookies: Required for core Site functionality. Cannot be disabled.
Analytics (Google Analytics): We use Google Analytics to understand how visitors interact with the Site. This service collects data including IP address, pages visited, session duration, and browser type, and transmits it to Google for processing in accordance with Google's Privacy Policy. These cookies are only set with your consent. You can opt out at any time using Google's opt-out tool.
Conversion measurement: We use our own measurement technology on the Site to capture conversion signals and transmit them to Meta's Conversions API for the purpose of measuring the effectiveness of our own marketing campaigns. This means that certain data (which may include hashed contact information such as email address, and behavioural signals such as page views and events) is transmitted to Meta Platforms, Inc. and Meta Platforms Ireland Ltd, and is processed by Meta subject to Meta's Privacy Policy. These cookies are only set with your consent.
You can also manage cookie preferences through your browser settings. Disabling certain cookies may limit Site functionality.
10. Data Retention
| Data | Retention Period |
|---|---|
| Client account data | Duration of contract + 7 years |
| Website and analytics data | 24 months |
| Marketing contact data | 3 years from last engagement, or until opt-out |
| End User data (as processor) | As specified in the applicable DPA |
| Security and audit logs | 12 months |
Data is securely deleted or irreversibly anonymised at the end of the applicable retention period, subject to any longer retention required by applicable law or Meta's Platform Terms, or any shorter period required by Meta's deletion obligations.
11. Security
We implement technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest, access controls, Client data separation, and regular security reviews. In the event of a personal data breach, we will notify affected parties and relevant supervisory authorities within the following timeframes:
- GDPR / UK GDPR: 72 hours to the competent supervisory authority; without undue delay to affected Data Subjects where there is a high risk to their rights and freedoms.
- UAE PDPL: As required under implementing regulations (expected to align with 72-hour notification); notification to the UAE Data Office as prescribed.
- Singapore PDPA: Within 3 calendar days to the PDPC where the breach meets the mandatory notification threshold; notification to affected individuals as required.
- KVKK: Within 72 hours to the KVKK Board per Board guidance; notification to affected data subjects without undue delay.
- Saudi PDPL: Within 72 hours to the NDMO.
Notification to supervisory authorities is separate from and does not substitute for notification to affected individuals.
12. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your personal data, object to its processing, and withdraw consent where processing is consent-based.
| Jurisdiction | Response Timeframe |
|---|---|
| GDPR / UK GDPR | 30 days (extendable by a further 30 days for complex requests, with notification) |
| UAE PDPL | 30 days per implementing regulations |
| Singapore PDPA | 10 business days for access requests |
| KVKK | 30 days |
| Saudi PDPL | 30 days |
To exercise any right, contact us at privacy@messagepolly.com with your name, contact details, and a description of your request. We may need to verify your identity before processing your request.
End Users should direct requests to the relevant Client in the first instance. We will assist Clients in responding to End User requests.
13. Changes to This Policy
We may update this Policy periodically. The "Last Updated" date at the top reflects the most recent revision. Material changes will be communicated to Clients directly at least 30 days before taking effect.
14. Contact and Complaints
Polly Technologies FZ-LLC
HD20C, First Floor, In5 Tech
Dubai Internet City
Dubai, United Arab Emirates
privacy@messagepolly.com
EU/EEA and UK data subjects who are not satisfied with our response have the right to lodge a complaint with their local supervisory authority. Turkish data subjects may lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Board). Singapore data subjects may lodge a complaint with the Personal Data Protection Commission (PDPC). Saudi data subjects may contact the National Data Management Office (NDMO).
15. KVKK Clarification Text (Aydınlatma Metni) — Turkish Data Subjects
This section constitutes the Clarification Text (Aydınlatma Metni) required under Article 10 of Turkish Law No. 6698 on the Protection of Personal Data (KVKK) for data subjects located in the Republic of Turkey.
Data Controller Identity
Polly Technologies FZ-LLC, HD20C, First Floor, In5 Tech, Dubai Internet City, Dubai, UAE (privacy@messagepolly.com) acts as the data controller for personal data processed in connection with this website and our Platform.
Purposes of Processing
Your personal data is processed for the following purposes:
- Providing and operating the Platform and its features
- Responding to enquiries and requests
- Managing client accounts and billing
- Security monitoring and fraud prevention
- Compliance with legal obligations
- Marketing communications (where explicit consent has been obtained)
Legal Bases (KVKK Articles 5 and 6)
Processing is conducted on the basis of: (a) your explicit consent where required; (b) necessity for the performance of a contract to which you are a party; (c) compliance with a legal obligation; or (d) the legitimate interests of the data controller, balanced against your fundamental rights and freedoms, where applicable under KVKK.
Recipients
Your personal data may be transferred to: our cloud infrastructure providers; our AI processing infrastructure; our payment processor; our analytics provider; Meta Platforms; and regulatory authorities where required by law. A full list of recipients is available upon request.
International Transfers
Your personal data is transferred to Polly Technologies FZ-LLC in the UAE, which is not on Turkey's list of countries with adequate data protection. The transfer is conducted on the basis of: [your explicit consent / KVKK Board-approved standard contractual clauses — to be specified per Client onboarding mechanism]. You have the right to withdraw consent for international transfer at any time.
Your Rights under KVKK Article 11
You have the right to: (a) learn whether your personal data is being processed; (b) request information about the processing; (c) learn the purpose of processing and whether it is used consistently with that purpose; (d) know the third parties to whom your data has been transferred domestically or abroad; (e) request correction of incomplete or incorrect data; (f) request deletion or destruction of personal data where processing conditions are no longer met; (g) request notification of corrections/deletions to third parties; (h) object to an adverse result arising from automated processing; and (i) claim compensation for damage arising from unlawful processing.
To exercise your rights, submit a written request to privacy@messagepolly.com. We will respond within thirty (30) days.
VERBİS Registration
We are assessing our VERBİS (Data Controllers Registry) registration obligation under KVKK. Where registration is required, it will be completed before systematic processing of Turkish-resident personal data commences at scale.
16. Singapore PDPA Notice
Individuals located in Singapore may contact us at privacy@messagepolly.com to exercise their rights under the Singapore PDPA, including the right to access and correct their personal data. We will respond within ten (10) business days for access requests. Complaints may be referred to the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
17. KSA PDPL Notice
Individuals located in the Kingdom of Saudi Arabia may contact us at privacy@messagepolly.com to exercise their rights under the Saudi PDPL. Cross-border transfers of Saudi-resident personal data are conducted subject to applicable transfer mechanisms under the Saudi PDPL. Complaints may be referred to the National Data Management Office (NDMO).