Privacy Policy

01Introduction and scope

This Privacy Policy explains how WAYV (we, us, our) handles information when your agency uses Broq, our real estate operating system. It applies to our website, the Broq application, and related services.

Broq is a business to business product. Most personal data we process belongs to your agency staff and to the clients your agency manages. Your agency decides what to put into Broq and remains responsible for that data.

02Who we are

WAYV is the company behind Broq, based in Abu Dhabi, United Arab Emirates. We build and operate the platform your agency uses every day, and we are the point of contact for questions about how it handles information.

Our role depends on the data. For your agency's own account information, WAYV may act as a controller. For the client data your agency loads into Broq, such as contacts, listings, and conversations, your agency is the controller and WAYV is the processor acting on your documented instructions.

You can reach our privacy team at privacy@broq.ae with any question about this policy or how we handle your data.

03Information we collect

We collect the information needed to run Broq for your agency. The categories below describe what we hold and why it reaches us.

• Account and profile details, such as your name, email, role, and login credentials.
• Agency and billing information, including your organisation details and payment records.
• CRM data your agency inputs, such as contacts, listings, deals, and notes.
• Communications content synced from connected channels, such as WhatsApp and email.
• Usage and product analytics that show how features are used.
• Device and log data, such as IP address, browser, and activity timestamps.

We collect client personal data only because your agency chose to put it into Broq. We do not gather it independently.

04Sensitive identifiers

Some documents in real estate contain highly sensitive identifiers, such as Emirates ID and passport numbers. We treat these as restricted data.

When content is sent for AI assistance, restricted identifiers are detected and scrubbed at our gateway before the request leaves your tenant. They are never transmitted to AI sub-processors, and they are not used to generate model outputs.

• Restricted fields are redacted at the gateway, not after the fact.
• Redaction happens inside the UAE region.
• Only the minimum context needed for a feature is ever processed.

05How we use information

We use information to provide and operate the service, sync and organise your conversations, and power assistive AI features such as drafting and matching. We also use it to handle billing, provide support, keep the platform secure, improve the product, and meet our legal obligations.

We use the client data your agency loads only to deliver the features your agency chooses to use. We do not use it for advertising, and we do not sell it. Where we analyse usage to improve Broq, we work with aggregated or de-identified data wherever practical.

06AI processing and human oversight

Broq uses AI to draft replies, summarise conversations, and surface matches. These features are assistive. A person on your team reviews AI output before it is sent or acted upon.

We do not make solely automated decisions that produce legal effects for your clients. We also do not use your customer data to train foundation models. Data is processed only to deliver the features your agency uses.

07Legal bases for processing

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the PDPL), we rely on a clear legal basis for each kind of processing.

• Performance of our contract with your agency, to deliver and support Broq.
• Your or your agency's consent, where the law requires it for a specific purpose.
• Our legitimate interests in operating, securing, and improving the service.
• Compliance with legal obligations that apply to us.

Clients whose data your agency holds can contact their agency, as the controller, with questions about how that processing applies to them.

08Data residency and transfers

Customer data is hosted in the UAE region (me-central). In-region storage is the default, and it is where your agency's records live during normal operation.

Where a limited transfer outside the UAE is needed, for example to run a specific sub-processor function, we apply safeguards consistent with the PDPL. Restricted identifiers, such as Emirates ID and passport numbers, do not leave the region. Any transfer is kept to the minimum the feature requires.

09Sharing and sub-processors

We do not sell personal data. We share data only with vetted sub-processors, by category and under contract, so they can help us deliver Broq.

• Cloud hosting and infrastructure providers that run the platform.
• The AI gateway and model providers, which never receive restricted identifiers.
• Messaging and email connectivity providers that sync your conversations.
• Payment processors that handle billing.

We share data with authorities only where we are legally required to do so.

10Data retention

We keep data while your account is active and for as long as we need it to provide the service. After your subscription ends, we keep your data for a limited window so you can export it, then delete or anonymise it.

We may retain certain records for longer where a legal retention obligation requires it. Within these limits, your agency controls the retention of its own client records and can delete them as it sees fit.

11How we protect information

We protect information with layered safeguards built into the platform.

• Encryption in transit and at rest.
• Strict tenant isolation, so one agency cannot see another agency's data.
• Least-privilege access controls and audit logging.
• Gateway scrubbing of restricted identifiers before AI processing.
• Ongoing monitoring of the platform.

No system is perfectly secure. Please help us by keeping your credentials safe and telling us promptly if you suspect any unauthorised access.

12Your rights

Under the UAE PDPL, individuals may request access to their data, rectification of inaccurate data, erasure, restriction of processing, and portability, and may object to or withdraw consent for certain processing.

Because your agency is usually the controller of client data, clients should contact the agency to exercise these rights. Agency users can contact us at privacy@broq.ae, and we will respond within the timeframes the law requires.

13Cookies and similar technologies

We use essential cookies to run the app and keep you signed in, and limited analytics to understand and improve how the product is used.

You can control non-essential cookies through your browser settings. We do not use cookies for third-party advertising.

14Children's data

Broq is a business product intended for real estate professionals. It is not directed at anyone under 18, and we do not knowingly collect children's personal data.

Agencies must not load minors' data into Broq except where it is lawfully required for a transaction.

15Changes to this policy

We may update this policy as the product and the law evolve. We will post the new version here and update the date at the top.

For material changes, we will notify you through the product or by email. If you continue to use Broq after an update takes effect, that means you accept it.

16Contact us

You can reach us about privacy at WAYV, Abu Dhabi, United Arab Emirates, or by email at privacy@broq.ae.

We welcome any question and any request to exercise your rights. Get in touch and we will work with you to resolve your concern.