PLM Portal LLC — Property Listings Market
Effective 17 May 2026 · Version 1.0
This Privacy Policy explains how PLM Portal LLC ("PLM", "we", "our"), licensed by the Dubai Department of Economy and Tourism (Trade License 1473120), collects, uses, stores, and shares your personal information when you use the PLM Portal iOS application or any related service (collectively the "Service").
PLM operates the Service in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and the UAE Data Office's implementing regulations.
1. Information we collect
Identity data from UAE PASS — when you sign in with UAE PASS we receive your name, Emirates ID number (for citizens and residents), UAE PASS UUID, nationality, and authentication-strength flag (SOP1/SOP2/SOP3). For visitor accounts, we receive a Unified ID instead of Emirates ID.
Contact data from UAE PASS — email address and UAE mobile number, as registered with UAE PASS.
Property data you provide — building name, unit number, title deed reference, listing price, listing terms, and supporting documents (Contract F, ownership confirmation).
Financial data — Real Estate Broker Number (BRN) for agents; IBAN and bank name for both landlords (to receive payouts) and agents (to authorise DDS mandates).
Transaction data — bids placed, contracts signed, payments collected and disbursed, DDS authority references.
Usage data — actions taken in the app (listing created, bid placed, contract accepted, etc.), timestamps, IP address.
Diagnostics - Crash Data — anonymised crash reports (stack traces, OS version, app build, device model) collected via Sentry when the app or backend encounters an unhandled error. Used solely for App Functionality (debugging and stability). Not linked to your identity.
Diagnostics - Performance Data — anonymised performance traces (request latency, screen-load times, transaction sampling) collected via Sentry. Used solely for App Functionality (performance tuning). Not linked to your identity.
2. How we use your information
Authenticate you via UAE PASS, including verifying you are the rightful owner of a property you list (cross-checked with Dubai Land Department records via DLD2 integration).
Match landlords with licensed real estate agents through the reverse-auction mechanism that is the Service's core function.
Generate, present, and store the digital agreements (Contract A, Contract F, Listing Rights Agreement) you sign within the Service.
Authorise and collect the platform consideration (20% + 5% VAT) via the UAE Direct Debit System (DDS) once a sale or rental is brokered and validated.
Disburse the landlord's share of sale proceeds to your registered IBAN.
Send service notifications (new bids, contract status changes, payment confirmations) via in-app, push, email and SMS.
Detect and prevent fraud, abuse, and breaches of the Terms of Service.
Comply with our legal obligations under UAE law (anti-money-laundering, tax, real-estate brokerage regulations).
3. Lawful basis
We process your data based on (a) your explicit consent given when you first authenticate via UAE PASS and accept these Terms, (b) the performance of the contract between you and PLM, (c) compliance with UAE legal obligations, and (d) PLM's legitimate interest in operating a secure marketplace.
4. Sharing with third parties
We share your data with:
UAE PASS / TDRA — for authentication and digital signatures.
Dubai Land Department — to verify property ownership.
UAE Direct Debit System (Etihad Payments) — to set up DDS mandates and collect considerations.
Your designated bank — to validate IBANs and process payouts.
The other party of a brokered transaction — your contact details are revealed to the agent / landlord only after the digital agreement is signed.
Sub-processors — the following service providers process personal data on PLM's behalf under data-processing agreements consistent with the PDPL:
Google Firebase (real-time database, hosted in Asia-Southeast 1 / Singapore).
Render Inc. (backend application hosting; also records IP address and request metadata in server access logs).
Sentry (sentry.io) - crash and performance monitoring for both the iOS app and the backend. Receives anonymised diagnostic data; may incidentally record IP address.
Twilio, Inc. (twilio.com) - parent company of SendGrid and upstream provider for transactional email; also provides Twilio Programmable Messaging if SMS notifications are enabled.
SendGrid (a Twilio company) - transactional email delivery.
Apple Inc. (apple.com) - App Store distribution (receives your App Store account identifier linked to the install) and Apple Push Notification Service / APNs (receives device push tokens for notification delivery).
Netlify, Inc. (netlify.com) - hosts the public marketing site at plm-dxb.com. The marketing site serves static HTML and does not collect personal data from visitors; Netlify is listed here for completeness.
Dubai Land Department (DLD) - property ownership cross-check at listing time. The lookup is one-way: PLM submits a title-deed reference and receives a yes/no ownership match; no personal data is shared back to DLD beyond the reference being queried.
5. Cross-border transfers
Personal data may be processed outside the UAE in jurisdictions where our sub-processors operate (notably the United States and Singapore). Transfers are governed by contractual safeguards and limited to what is strictly necessary to operate the Service.
6. Data retention
User accounts: kept for as long as your account is active, and for up to 7 years after account closure to satisfy the UAE Commercial Register and tax record-keeping obligations.
Transaction records (bids, signed contracts, payouts, invoices, DDS authority references): kept for 7 years from the date of the transaction to comply with the UAE Commercial Transactions Law and tax law.
Activity audit log: kept for 18 months for fraud-detection and security-investigation purposes.
Closed accounts: identity data deleted within 90 days of closure unless retention is required by law (in which case it is moved to the 7-year transaction-records bucket).
Crash and performance data (Sentry): retained for 90 days, then automatically purged.
Anonymised analytics: aggregated and stripped of identifiers, retained indefinitely for product analytics and historical reporting.
7. Your rights under the PDPL
Subject to the law's exceptions, you have the right to (a) be informed about how we process your data, (b) access and obtain a copy of your data, (c) request correction of inaccurate data, (d) request deletion of your data ("right to be forgotten"), (e) restrict or object to processing, (f) port your data to another service, (g) withdraw consent at any time, and (h) lodge a complaint with the UAE Data Office.
To exercise any of these rights, email privacy@plm-dxb.com. We respond within 30 days.
8. Security
We protect your data with industry-standard measures: TLS in transit, encryption at rest, role-based access controls on our backend, regular dependency scans, and a separation between staging and production credentials. UAE PASS handles all sign-in and signature operations through cryptographic protocols certified under eIDAS-equivalent standards.
9. Data breach notification
In accordance with PDPL Article 14 and the UAE Data Office's implementing regulations, if PLM becomes aware of any personal-data breach that may compromise the confidentiality, integrity, or availability of your data, we will:
Notify the UAE Data Office / TDRA within 72 hours of becoming aware of the breach, including the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the mitigation measures taken.
Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, using the contact channels on file (email, push, in-app message).
Maintain an internal breach register documenting each incident, the facts, its effects, and the remedial action taken, available for inspection by the UAE Data Office on request.
10. Automated decision-making
PLM Portal uses one automated decision-making mechanism that may produce legal or similarly significant effects, disclosed here in accordance with PDPL Article 16:
72-hour auction auto-award. When a 72-hour auction window expires without a manual landlord acceptance, PLM Portal automatically selects the highest-ranked bid(s) - based on bid amount and agent ranking - up to the listing's exclusivity limit (1 winner for exclusive listings, 3 for non-exclusive). The result is a binding match with the selected agent(s) and the issuance of a Contract A or Listing Rights Agreement for signature.
Right to human review. Landlords retain the right to dispute, manually override, or request human review of any auto-award within a 24-hour grace period following the award. To exercise this right, contact privacy@plm-dxb.com or use the in-app dispute flow.
Right to object. You may object to this automated decision-making at any time before the auction window closes by withdrawing your listing.
11. Children
The Service is not intended for users under 18. UAE PASS does not permit minors to create accounts, which prevents under-18 access at the authentication layer.
12. Changes to this policy
We may update this policy as the Service evolves. We will notify you in-app at least 30 days before material changes take effect.
13. Data Protection Officer
In accordance with PDPL Article 11, because PLM processes sensitive personal data (Emirates ID numbers and IBAN details) at scale, we have designated a Data Protection Officer:
The DPO is your point of contact for any question, request, or complaint relating to the processing of your personal data, and acts as PLM's liaison with the UAE Data Office.
14. Contact
PLM Portal LLC
Office 603, owned by Kamel Hashim Mohamed Issa Rouhi, Burdubai, Business Bay, Dubai, United Arab Emirates
Email: privacy@plm-dxb.com
Trade License: 1473120 · DCCI: 596068 · CR: 2535628