Doorkee
BrowseSign in

PRIVACY POLICY

Doorkee www.doorkee.co

Effective Date: 19 March 2026 Last Updated: 19 March 2026

1. Introduction

1.1. This Privacy Policy ("Policy") explains how Doorkee ("we," "us," "our," or the "Company"), a company established and operating in the United Arab Emirates, collects, uses, stores, discloses, and protects your personal data when you access or use our website at www.doorkee.co, our mobile applications, and any related services (collectively, the "Platform").

1.2. Doorkee is the UAE's first outcome-driven rental platform, connecting property owners and tenants to facilitate residential rental transactions. By using the Platform, you agree to the collection and use of your information in accordance with this Policy.

1.3. This Policy has been prepared in compliance with:

  • UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE Data Protection Law");
  • Applicable regulations issued by the UAE Data Office;
  • Where applicable, the principles of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), for users who may be residents of the European Economic Area.

1.4. If you do not agree with this Policy, you should not use the Platform.

2. Information We Collect

We collect different categories of personal data depending on how you interact with the Platform.

2.1. Account Registration Data

When you create an account, we collect:

  • First name (required) and last name (optional);
  • Email address (required);
  • Password (never stored in plaintext; processed through Supabase Auth with bcrypt hashing);
  • Phone number (collected during registration or identity verification);
  • Login provider information, if you register via Google OAuth or Apple OAuth (we receive your name and email from the OAuth provider; we never receive or store your Google or Apple password).

2.2. Identity Verification (KYC) Data

When you perform certain actions on the Platform (such as shortlisting a property, scheduling a visit, placing an offer, or listing a property), you are required to complete identity verification. We collect:

  • User type (owner or tenant);
  • Nationality;
  • Verification method selected (national ID, passport, or driver's licence);
  • Identity document images (front and back scans of your selected document, stored securely in Supabase Storage);
  • Document details extracted during verification, including document ID number, full name as it appears on the document, and date of birth;
  • Phone verification status (verified via one-time password sent to your email);
  • Verification status (not started, in progress, pending, verified, or rejected).

2.3. Property Data

If you are a property owner listing a property, we collect:

  • Property details: name, address, square footage, bedroom count, bathroom count, property type, furniture type, category, and description;
  • Financial information: rental amount (annual rent in AED), preferred cheque count;
  • Location data: latitude and longitude coordinates (if provided);
  • Property documents: Ejari registration document, title deed, tenancy contract, and RERA permit number (all optional);
  • Property images (uploaded to Supabase Storage);
  • Amenity selections;
  • Visit schedule: available dates and time slots for property viewings;
  • Property management data: tenant type preferences, pet policy, tour approval type, community information, possession start date, and lease end date.

2.4. Offer and Transaction Data

When you place or receive rental offers, we collect:

  • Offer details: offer amount, cheque count, preferred move-in date, offer change count, and expiry time;
  • Counter-offer details: counter-offer amount and counter cheque count;
  • Offer status history (decision pending, accepted, rejected, renegotiated, expired, not selected, withdrawn).

2.5. Payment Data

When you make payments on the Platform (e.g., reserve payments for fourth or subsequent offer changes):

  • Payment processing: All payment card details are processed directly by Stripe, our PCI DSS-compliant payment processor. We never receive, access, or store your full card number, CVV, or PIN.
  • Transaction records we store: transaction type, amount, currency (AED), Stripe payment intent ID, Stripe charge ID, Stripe payment method ID (a tokenised reference), transaction status, failure reason (if applicable), refund amounts, and refund dates.

2.6. Visit and Scheduling Data

When you book property viewings, we collect:

  • Visit details: property visited, date, time slot, visit status (scheduled, completed, cancelled);
  • Visit notes (if provided);
  • Reminder status: when the last visit reminder was sent.

2.7. AI Concierge (Dara) Data

Our AI-powered rental concierge, Dara, collects and processes the following data to provide personalised assistance:

  • Conversation history: all messages exchanged between you and Dara, including your questions, requests, and Dara's responses;
  • User preferences learned from interactions: bedroom count preferences, budget range, preferred areas/communities, furniture preferences, and desired amenities;
  • Journey stage: your current stage in the rental process (browsing, comparing, viewing scheduled, offered, accepted, rented, renewal window);
  • Behavioural signals: shortlisted properties, rejected properties, objections raised (e.g., "too expensive," "too far"), positive signals (e.g., "looks good," "interested"), sentiment indicators;
  • Relationship data: conversation count, relationship tier (stranger, acquaintance, regular, VIP), first interaction date, and deal completion date;
  • Discussed topics: a record of up to 20 recent topics discussed with Dara;
  • Tool usage: records of actions Dara performs on your behalf (property searches, pricing lookups, offer placements, viewing bookings), including the parameters used and results returned;
  • Alert subscriptions: alert type, criteria, and preferred notification channel;
  • Feedback: any upvotes or downvotes you provide on Dara's responses, along with context about the message being evaluated.

2.8. Search and Usage Data

We collect information about how you use the Platform:

  • Search logs: search filter parameters and result counts (linked to your user ID if logged in, anonymous if not);
  • Shortlist activity: properties you save to your shortlist;
  • Analytics events: event type, associated metadata, and timestamps for actions such as searches, property views, offers, and conversation starts.

2.9. Lease and Property Management Data

If you have an active lease managed through the Platform, we collect:

  • Lease details: lease type (new or renewal), start date, end date, monthly rent, security deposit, lease status, and lease document URL;
  • Maintenance requests: issue type, description, notes, attachments, cost breakdowns (total, tenant, owner), resolution details, and dates;
  • Invoices: invoice type (rent, service, maintenance), service description, amount, currency, billing date, due date, payment status, and receipt URL.

2.10. Technical Data

We automatically collect certain technical information when you use the Platform:

  • IP addresses: collected for rate limiting purposes (to prevent abuse such as brute-force login attempts) and security monitoring. IP addresses are also logged in AI Concierge audit logs for security purposes;
  • Device and browser information: collected via standard HTTP headers;
  • Authentication cookies: Supabase session cookies required for login functionality (see Section 7 for details).

2.11. Company Data

If you represent a company on the Platform, we may collect:

  • Company details: company name, email, phone number, and logo.

3. How We Use Your Information

We use the personal data we collect for the following purposes:

3.1. Providing the Platform Service

  • Creating and managing your account;
  • Facilitating property listings, searches, and comparisons;
  • Processing rental offers and counter-offers between tenants and owners;
  • Scheduling and managing property visits;
  • Managing leases, maintenance requests, and invoices;
  • Sending visit reminders and offer expiry notifications.

3.2. Payment Processing

  • Processing reserve payments through Stripe for fourth and subsequent offer changes;
  • Managing refunds for unsuccessful offers;
  • Reconciling payment records;
  • Maintaining transaction history for your records and our legal obligations.

3.3. AI Concierge Personalisation

  • Powering Dara, our AI concierge, to provide personalised rental recommendations;
  • Learning your preferences from conversations and tool interactions to improve suggestions over time;
  • Tracking your journey stage to provide contextually relevant assistance;
  • Generating proactive insights such as price drop alerts and new listing matches;
  • Providing market data, pricing intelligence, and negotiation guidance based on Dubai Land Department (DLD) data.

3.4. Identity Verification and Fraud Prevention

  • Verifying user identities before allowing sensitive actions (offers, listings, visits);
  • Preventing duplicate accounts and fraudulent activity;
  • Rate limiting login attempts, registration, and password reset requests to prevent brute-force attacks;
  • Auditing AI Concierge tool executions for security review.

3.5. Communications

  • Sending transactional email notifications via Resend for events including: new offers received, offer status changes, visit confirmations, visit reminders, verification status updates, and property approval decisions;
  • Sending alert notifications based on your subscriptions (price drops, new listings matching your criteria, renewal reminders, market shifts).

3.6. Analytics and Service Improvement

  • Analysing search patterns and user behaviour to improve Platform features;
  • Monitoring AI Concierge quality through feedback aggregation and response scoring;
  • Running A/B experiments on AI Concierge prompts to improve response quality;
  • Generating market intelligence from aggregated, anonymised usage patterns;
  • Monitoring errors and Platform health through Sentry.

3.7. Legal Compliance

  • Complying with UAE laws and regulations, including anti-money laundering requirements;
  • Responding to lawful requests from government authorities and law enforcement;
  • Establishing, exercising, or defending legal claims;
  • Maintaining records as required by applicable law.

3.8. Legal Basis for Processing

We process your personal data on the following legal bases under the UAE Data Protection Law:

  • Contractual necessity: Processing required to provide the Platform services you have requested (Sections 3.1, 3.2, 3.5);
  • Legitimate interest: Processing for security, fraud prevention, analytics, and service improvement (Sections 3.4, 3.6);
  • Legal obligation: Processing required to comply with applicable laws (Section 3.7);
  • Consent: Processing of optional data and AI Concierge personalisation (Section 3.3). You may withdraw consent at any time (see Section 8).

4. Information Sharing and Disclosure

We share your personal data only in the following circumstances:

4.1. Between Platform Users

  • Tenants and owners: When you place an offer on a property, the property owner can see your first name and offer details (amount, cheque count, preferred move-in date). Full property addresses are visible on listings. Contact details are shared only after a deal is accepted.
  • Visit scheduling: When you book a visit, the property owner is notified of the scheduled date and time.

4.2. Payment Processor — Stripe

We share necessary transaction data with Stripe, Inc. (headquartered in the United States) to process payments. Stripe is PCI DSS Level 1 certified. Stripe's handling of your data is governed by Stripe's Privacy Policy. Data shared includes: transaction amounts, currency, and payment method tokens. We never share your full card details with Stripe through our systems; those are collected directly by Stripe's secure payment elements.

4.3. Email Provider — Resend

We share your email address and notification content with Resend to deliver transactional emails (offer notifications, visit reminders, verification updates). Resend processes this data solely for email delivery on our behalf.

4.4. AI Service Providers

To power Dara, our AI concierge, we transmit conversation data to the following AI model providers:

  • Anthropic (Claude models) — headquartered in the United States;
  • OpenAI (GPT models) — headquartered in the United States;
  • Google (Gemini models) — headquartered in the United States.

The data sent to these providers includes: your conversation messages, relevant context about your preferences and journey stage, and the results of tool calls. These providers process the data to generate AI responses and do not use your data to train their models (per our enterprise agreements). Conversations are routed to different providers based on complexity (simple queries, complex analysis, or image-based requests).

4.5. Cloud Infrastructure — Supabase

All Platform data is stored on Supabase infrastructure, which provides our PostgreSQL database, user authentication, and file storage services. Supabase data is hosted on cloud infrastructure.

4.6. Error Monitoring — Sentry

We use Sentry for error monitoring and application performance tracking. When errors occur, Sentry may receive technical context including: error messages, stack traces, request URLs, and anonymised user identifiers. Sentry does not receive your personal content or conversations.

4.7. Rate Limiting — Upstash Redis

We use Upstash (Redis-based) for rate limiting to prevent abuse of authentication endpoints. Upstash stores only rate limit counters keyed by hashed IP addresses. No personal content, names, or email addresses are sent to Upstash.

4.8. Hosting — Vercel

The Platform is hosted on Vercel. Vercel processes HTTP requests and may have access to IP addresses and request headers as part of standard hosting infrastructure.

4.9. Law Enforcement and Legal Requirements

We may disclose your personal data to law enforcement agencies, regulatory authorities, or other third parties if required to do so by law, court order, or legal process, or if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable law or regulation;
  • Protect our rights, property, or safety, or that of our users or the public;
  • Investigate or prevent suspected fraud or illegal activity.

4.10. Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will provide notice before your personal data becomes subject to a different privacy policy.

4.11. No Sale of Personal Data

We do not sell your personal data to third parties. We do not share your personal data with third parties for their independent marketing purposes.

5. Data Security

We implement the following technical and organisational measures to protect your personal data:

5.1. Encryption

  • All data transmitted between your device and our servers is encrypted using HTTPS/TLS;
  • Data at rest in our database is encrypted by Supabase's infrastructure.

5.2. Database Security

  • Row Level Security (RLS): Our PostgreSQL database enforces row-level security policies, ensuring that users can only access data they are authorised to view. RLS policies are enforced at the database level, independent of application code;
  • Parameterised queries: All database queries use Prisma ORM with parameterised inputs to prevent SQL injection attacks.

5.3. Authentication Security

  • Password hashing: Passwords are hashed using bcrypt via Supabase Auth. We never store plaintext passwords;
  • Account enumeration prevention: Login, registration, and password reset responses are designed to prevent attackers from determining whether an account exists;
  • Rate limiting: Authentication endpoints (login, register, forgot password) are rate-limited to 6 attempts per minute per IP address to prevent brute-force attacks;
  • Secure session management: Authentication sessions are managed via Supabase with HTTP-only, secure cookies;
  • OAuth security: Google and Apple OAuth flows use validated redirect URLs with origin checking to prevent open redirect attacks.

5.4. Access Controls

  • Role-Based Access Control (RBAC): Administrative access is controlled through a granular permission system with roles, modules, and permissions;
  • Admin portal separation: The admin login portal is separated from the user login portal, with server-side enforcement;
  • Deactivated account enforcement: Deactivated accounts cannot log in, even with valid credentials.

5.5. AI Concierge Security

  • Prompt injection protection: Dara includes defences against prompt injection attacks;
  • Tool execution auditing: All actions Dara performs on behalf of users are logged to an audit trail with user ID, IP address, tool name, parameters, and results;
  • Access control: User conversations are private; authenticated users can only access their own conversation history;
  • Message role validation: Conversation messages loaded from the database are validated to prevent instruction injection;
  • Input sanitisation: User inputs are sanitised before storage to prevent cross-site scripting and injection attacks.

5.6. Infrastructure Security

  • Rate limiting: All API endpoints are protected by rate limiting via Upstash Redis, with per-process fallback keys;
  • CRON job authentication: Scheduled background tasks (offer expiry, payment reconciliation, conversation cleanup) are protected by timing-safe secret verification;
  • Origin validation: Email redirect URLs are validated against an allowlist of trusted origins.

6. Data Retention

We retain your personal data for the following periods:

6.1. Account Data

Your account data (name, email, phone, user type) is retained for as long as your account remains active. You may request deletion of your account at any time (see Section 8).

6.2. Identity Verification Data

Verification documents and identity information are retained for as long as your account remains active and for any additional period required by UAE anti-money laundering or know-your-customer regulations.

6.3. Conversation History

  • Anonymous conversations (from users who are not logged in): Automatically deleted after 30 days by our scheduled cleanup process;
  • Authenticated user conversations: Retained until you request deletion of your account.

6.4. AI Concierge Memory

User preferences, journey state, behavioural patterns, and relationship data are retained until you:

  • Request a preference reset (clears search preferences but preserves relationship data); or
  • Request full account deletion (complete data erasure compliant with privacy regulations).

6.5. Soft-Deleted Records

When certain records are "deleted" on the Platform (properties, offers, shortlists, visits, leases, maintenance requests, invoices), they are soft-deleted — marked with a deletion timestamp but retained in the database for audit and legal compliance purposes. Soft-deleted records are hidden from the user interface.

6.6. Payment and Transaction Records

Payment transaction records are retained in accordance with UAE financial record-keeping requirements, which may require retention for a minimum period after the transaction date even after account deletion.

6.7. Search Logs and Analytics

Search logs and analytics events are retained for platform improvement purposes. These may be anonymised after 12 months.

6.8. Audit Logs

AI Concierge audit logs (tool execution records) are retained for security and compliance review purposes.

7. Cookies and Tracking Technologies

7.1. Essential Cookies

The Platform uses essential cookies only for authentication and session management:

  • Supabase authentication cookies: These cookies are set by Supabase Auth to maintain your login session, refresh authentication tokens, and ensure secure access to your account. They are strictly necessary for the Platform to function and cannot be disabled while using authenticated features.

7.2. No Advertising Cookies

We do not use third-party advertising cookies, tracking pixels, or behavioural advertising technologies on the Platform.

7.3. Analytics

We collect analytics data through our own database-backed analytics system (search logs, concierge analytics events), not through third-party analytics cookies such as Google Analytics.

7.4. Cookie Management

Since we use only essential cookies required for authentication, there is no option to disable these cookies while using authenticated Platform features. You may clear cookies through your browser settings, but this will end your active session and require you to log in again.

8. Your Rights

Under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and where applicable under the GDPR, you have the following rights regarding your personal data:

8.1. Right of Access

You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data. Much of your data is directly accessible through your Platform account (profile, offers, visits, conversations, shortlists).

8.2. Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update your profile information directly through the Platform. For corrections to verification data, please contact us.

8.3. Right to Erasure (Right to Be Forgotten)

You have the right to request deletion of your personal data, subject to our legal obligations to retain certain records. When you request account deletion:

  • Your account and profile data will be deleted;
  • Your AI Concierge memory will be permanently erased (full GDPR-compliant data erasure);
  • Your conversation history will be deleted;
  • Certain transaction records may be retained as required by law (see Section 6.6);
  • Soft-deleted records associated with your account will be permanently removed upon request.

8.4. Right to Data Portability

You have the right to request your personal data in a structured, commonly used, and machine-readable format. Contact us to request a data export.

8.5. Right to Restrict Processing

You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to its processing.

8.6. Right to Object

You have the right to object to processing of your personal data based on our legitimate interests. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

8.7. Right to Withdraw Consent

Where we process your data based on consent (such as AI Concierge personalisation), you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can:

  • Reset your AI Concierge preferences through a conversation with Dara;
  • Request full data erasure by contacting us;
  • Discontinue use of the Platform.

8.8. Exercising Your Rights

To exercise any of these rights, contact us at:

  • Email: support@doorkee.co
  • Subject line: "Data Privacy Request — [Your Right]"

We will respond to your request within 30 days. We may request verification of your identity before processing your request to protect your data from unauthorised access.

8.9. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UAE Data Office or, if applicable, a supervisory authority in the European Economic Area.

9. Children's Privacy

9.1. The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18.

9.2. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that data from our systems.

9.3. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at support@doorkee.co so we can take appropriate action.

10. International Data Transfers

10.1. Doorkee is based in the United Arab Emirates. However, your personal data may be transferred to and processed in countries outside the UAE, including the United States, in connection with our use of the following service providers:

| Service Provider | Purpose | Location | |---|---|---| | Stripe | Payment processing | United States | | Anthropic | AI Concierge (Claude models) | United States | | OpenAI | AI Concierge (GPT models) | United States | | Google | AI Concierge (Gemini models) | United States | | Supabase | Database, auth, storage | Cloud (US/EU) | | Resend | Transactional email delivery | United States | | Sentry | Error monitoring | United States | | Upstash | Rate limiting (Redis) | Cloud | | Vercel | Application hosting | Global edge network |

10.2. When transferring data outside the UAE, we ensure appropriate safeguards are in place, including:

  • Contractual obligations with our service providers requiring them to protect your data to a standard equivalent to UAE law;
  • Use of service providers that maintain industry-standard security certifications (e.g., SOC 2, PCI DSS);
  • Data minimisation — we transfer only the minimum data necessary for each service provider to perform its function.

10.3. For users in the European Economic Area, transfers are made in compliance with GDPR Chapter V, using standard contractual clauses or adequacy decisions where applicable.

11. Changes to This Policy

11.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this Policy indicates when the most recent changes were made.

11.2. For material changes to this Policy, we will notify you by:

  • Posting a prominent notice on the Platform;
  • Sending an email to the address associated with your account;
  • Requiring acknowledgement of the updated Policy on your next login (for significant changes).

11.3. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Policy.

11.4. We encourage you to review this Policy periodically to stay informed about how we protect your data.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:

Doorkee United Arab Emirates

  • General Support: support@doorkee.co
  • Data Protection Officer: dpo@doorkee.co
  • Website: www.doorkee.co

For data privacy requests, please include:

  • Your full name and email address associated with your account;
  • A clear description of your request;
  • Any relevant details to help us locate your data.

We will acknowledge your request within 5 business days and provide a substantive response within 30 days.

13. Definitions

For the purposes of this Policy:

  • "Personal data" means any data relating to an identified or identifiable natural person, as defined by UAE Federal Decree-Law No. 45 of 2021;
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, transfer, or deletion;
  • "Controller" means Doorkee, which determines the purposes and means of processing personal data;
  • "Processor" means any third party that processes personal data on our behalf (e.g., Stripe, Resend, Supabase);
  • "Platform" means the Doorkee website (www.doorkee.co), mobile applications, and all related services.

This Privacy Policy is effective as of 19 March 2026.

Doorkee -- UAE's first outcome-driven rental platform.

Doorkee

The smart rental platform for the UAE. Verified properties, transparent offers, easy scheduling.

Platform

  • Browse Properties
  • List a Property
  • Sign In

Company

  • About Us
  • Contact
  • Careers

Legal

  • Privacy Policy
  • Terms of Service
  • Refund Policy
© DoorKee 2025