PLM Portal LLC — Property Listings Market Effective 17 May 2026 · Last updated 6 June 2026 · Version 1.1
This Privacy Policy explains how PLM Portal LLC ("PLM", "we", "our"), licensed by the Dubai Department of Economy and Tourism (Trade License 1473120), collects, uses, stores, and shares your personal information when you use the PLM Portal iOS or Android applications, the PLM Portal web site, or any related service (collectively the "Service").
PLM operates the Service in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and the UAE Data Office's implementing regulations.
1. Information we collect
Identity data from UAE PASS — when you sign in with UAE PASS we receive your name, Emirates ID number (for citizens and residents), UAE PASS UUID, nationality, and authentication-strength flag (SOP1/SOP2/SOP3). For visitor accounts, we receive a Unified ID instead of Emirates ID.
Contact data from UAE PASS — email address and UAE mobile number, as registered with UAE PASS.
Property data you provide — building name, unit number, title deed reference, listing price, listing terms, and supporting documents (Contract F, ownership confirmation).
Financial data — Real Estate Broker Number (BRN) for agents; IBAN and bank name for both landlords (to receive payouts) and agents (to authorise DDS mandates).
Transaction data — bids placed, contracts signed, payments collected and disbursed, DDS authority references.
Usage data — actions taken in the app (listing created, bid placed, contract accepted, etc.), timestamps, IP address.
Diagnostics - Crash Data — anonymised crash reports (stack traces, OS version, app build, device model) collected via Sentry when the app or backend encounters an unhandled error. Used solely for App Functionality (debugging and stability). Not linked to your identity.
Diagnostics - Performance Data — anonymised performance traces (request latency, screen-load times, transaction sampling) collected via Sentry. Used solely for App Functionality (performance tuning). Not linked to your identity.
2. How we use your information
Authenticate you via UAE PASS, including verifying you are the rightful owner of a property you list (cross-checked with Dubai Land Department records via DLD2 integration).
Match landlords with licensed real estate agents through the reverse-auction mechanism that is the Service's core function.
Generate, present, and store the digital agreements (Contract A, Contract F, Listing Rights Agreement) you sign within the Service.
Authorise and collect the platform consideration (20% + 5% VAT) via the UAE Direct Debit System (DDS) once a sale or rental is brokered and validated.
Disburse the landlord's share of sale proceeds to your registered IBAN.
Send service notifications (new bids, contract status changes, payment confirmations) via in-app, push, email and SMS.
Detect and prevent fraud, abuse, and breaches of the Terms of Service.
Comply with our legal obligations under UAE law (anti-money-laundering, tax, real-estate brokerage regulations).
3. Lawful basis
We process your data based on (a) your explicit consent given when you first authenticate via UAE PASS and accept these Terms, (b) the performance of the contract between you and PLM, (c) compliance with UAE legal obligations, and (d) PLM's legitimate interest in operating a secure marketplace.
4. Sharing with third parties
We share your data with:
UAE PASS / TDRA — for authentication and digital signatures.
Dubai Land Department — to verify property ownership.
UAE Direct Debit System (Etihad Payments) — to set up DDS mandates and collect considerations.
Your designated bank — to validate IBANs and process payouts.
The other party of a brokered transaction — your contact details are revealed to the agent / landlord only after the digital agreement is signed.
Sub-processors — the following service providers process personal data on PLM's behalf under data-processing agreements consistent with the PDPL:
Google Firebase (real-time database, hosted in Asia-Southeast 1 / Singapore).
Render Inc. (backend application hosting; also records IP address and request metadata in server access logs).
Sentry (sentry.io) - crash and performance monitoring for both the iOS app and the backend. Receives anonymised diagnostic data; may incidentally record IP address.
Twilio, Inc. (twilio.com) - parent company of SendGrid and upstream provider for transactional email; also provides Twilio Programmable Messaging if SMS notifications are enabled.
SendGrid (a Twilio company) - transactional email delivery.
Apple Inc. (apple.com) - App Store distribution (receives your App Store account identifier linked to the install) and Apple Push Notification Service / APNs (receives device push tokens for notification delivery).
Netlify, Inc. (netlify.com) - hosts the public marketing site at plm-dxb.com. The marketing site serves static HTML and does not collect personal data from visitors; Netlify is listed here for completeness.
Dubai Land Department (DLD) - property ownership cross-check at listing time. The lookup is one-way: PLM submits a title-deed reference and receives a yes/no ownership match; no personal data is shared back to DLD beyond the reference being queried.
5. Cross-border transfers
Personal data may be processed outside the UAE in jurisdictions where our sub-processors operate (notably the United States and Singapore). Transfers are governed by contractual safeguards and limited to what is strictly necessary to operate the Service.
6. Data retention and deletion
User accounts: kept for as long as your account is active.
Account deletion request: when you tap Profile → Delete account in the app, your account immediately enters a "scheduled-for-deletion" state. Marketing notifications stop straight away, but your account remains functional so you can complete your in-flight legal obligations (signing Contract F, confirming DDS, settling payouts). Once you have no active listings, open auctions, or in-flight contracts, your personal data (name, email, phone, Emirates ID, broker identifiers, push tokens) is automatically anonymised on the next daily sweep. We may delay anonymisation beyond your request date until your legal obligations under existing contracts close, but in no case more than 365 days, after which anonymisation runs unconditionally.
Transaction records (bids, signed contracts, payouts, invoices, DDS authority references): kept for 7 years from the date of the transaction to comply with the UAE Commercial Transactions Law and tax law. After your account is anonymised, these records remain in our systems but no longer carry your personal identifiers — they reference an opaque "Deleted User" tombstone.
Activity audit log: kept for 18 months for fraud-detection and security-investigation purposes.
Cancellation: you can cancel a scheduled deletion at any time before anonymisation runs by signing back into the app and tapping Cancel deletion. Performing new activity (posting a listing, placing a fresh bid) also offers to cancel the scheduled deletion at that time.
Crash and performance data (Sentry): retained for 90 days, then automatically purged.
Anonymised analytics: aggregated and stripped of identifiers, retained indefinitely for product analytics and historical reporting.
This staged approach is permitted under PDPL Article 14, which expressly allows a controller to delay or refuse erasure when processing remains necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims. Active rental contracts on PLM are exactly such an obligation.
7. Your rights under the PDPL
Subject to the law's exceptions, you have the right to (a) be informed about how we process your data, (b) access and obtain a copy of your data, (c) request correction of inaccurate data, (d) request deletion of your data ("right to be forgotten"), (e) restrict or object to processing, (f) port your data to another service, (g) withdraw consent at any time, and (h) lodge a complaint with the UAE Data Office.
To exercise any of these rights, email privacy@plm-dxb.com. We respond within 30 days.
8. Security
We protect your data with industry-standard measures: TLS in transit, encryption at rest, role-based access controls on our backend, regular dependency scans, and a separation between staging and production credentials. UAE PASS handles all sign-in and signature operations through cryptographic protocols certified under eIDAS-equivalent standards.
9. Data breach notification
In accordance with PDPL Article 14 and the UAE Data Office's implementing regulations, if PLM becomes aware of any personal-data breach that may compromise the confidentiality, integrity, or availability of your data, we will:
Notify the UAE Data Office / TDRA within 72 hours of becoming aware of the breach, including the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the mitigation measures taken.
Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, using the contact channels on file (email, push, in-app message).
Maintain an internal breach register documenting each incident, the facts, its effects, and the remedial action taken, available for inspection by the UAE Data Office on request.
10. Automated decision-making
PLM Portal uses one automated decision-making mechanism that may produce legal or similarly significant effects, disclosed here in accordance with PDPL Article 16:
72-hour auction auto-award. When a 72-hour auction window expires without a manual landlord acceptance, PLM Portal automatically selects the highest-ranked bid(s) - based on bid amount and agent ranking - up to the listing's exclusivity limit (1 winner for exclusive listings, 3 for non-exclusive). The result is a binding match with the selected agent(s) and the issuance of a Contract A or Listing Rights Agreement for signature.
Right to human review. Landlords retain the right to dispute, manually override, or request human review of any auto-award within a 24-hour grace period following the award. To exercise this right, contact privacy@plm-dxb.com or use the in-app dispute flow.
Right to object. You may object to this automated decision-making at any time before the auction window closes by withdrawing your listing.
11. Children
The Service is not intended for users under 18. UAE PASS does not permit minors to create accounts, which prevents under-18 access at the authentication layer.
12. Changes to this policy
We may update this policy as the Service evolves. We will notify you in-app at least 30 days before material changes take effect.
13. Mobile platform-specific data handling
The PLM Portal mobile applications run on Apple iOS and Google Android. Each platform exposes a small set of system services that require disclosure here.
Push notification tokens. On iOS, PLM collects an Apple Push Notification Service (APNs) device token. On Android, PLM collects a Firebase Cloud Messaging (FCM) registration token issued by Google. Tokens are linked to your PLM user id and used solely to deliver in-app alerts (bid placed, contract validated, payout sent, legal notices). Tokens are deleted when you sign out or uninstall the application.
Runtime notification permission (Android 13+ and iOS). Both platforms prompt you to allow notifications on first sign-in. You can revoke this permission at any time in your device settings. Denying notifications does not restrict any functionality but you will not receive bid or contract alerts.
Photo and document access. When you attach a title deed scan, listing photo, or Contract F PDF, PLM requests temporary access to the photo library or file picker through the operating system's standard permission model. On Android this is the READ_MEDIA_IMAGES permission introduced in Android 13; on iOS this is the Photos limited-access prompt. PLM does not enumerate or upload any file you do not explicitly pick.
Camera access. Optional. Used only when you tap "Scan deed" or "Take photo" to capture a document directly. PLM does not access the camera at any other time.
Device fingerprint. PLM records a SHA-256 fingerprint of certain non-personal device attributes (hardware model class, OS major version, app build number, install timestamp) to detect coordinated abuse, prevent multi-account fraud, and protect winning auctions. The fingerprint is one-way; it cannot be reversed to identify a specific device.
Google Play Install Referrer. On Android, Google Play passes an install-referrer string to PLM the first time the app is launched. We use this only to attribute the install source (e.g. an opt-in tester URL). The referrer is discarded after attribution.
No Google Advertising ID (GAID). PLM does not request, collect, or use the Google Advertising ID.
Diagnostic logs. Capacitor (the cross-platform shell that wraps the PLM web application) emits standard application logs to the operating system. PLM does not exfiltrate these logs from your device. Crash reports are forwarded to our error-monitoring vendor (Sentry, EU region) without personal data attached.
In-app deletion path. You can delete your account directly inside the app at any time: Profile → Account → Delete account. The flow is described in Section 6: marketing notifications stop immediately, transactional notifications continue while you have in-flight legal obligations, and anonymisation runs automatically on the daily sweep once those obligations close (or at the 365-day ceiling at the latest).
14. Data Protection Officer
In accordance with PDPL Article 11, because PLM processes sensitive personal data (Emirates ID numbers and IBAN details) at scale, we have designated a Data Protection Officer:
The DPO is your point of contact for any question, request, or complaint relating to the processing of your personal data, and acts as PLM's liaison with the UAE Data Office.
15. Contact
PLM Portal LLC
Office 603, owned by Kamel Hashim Mohamed Issa Rouhi, Burdubai, Business Bay, Dubai, United Arab Emirates
Email: privacy@plm-dxb.com
Trade License: 1473120 · DCCI: 596068 · CR: 2535628