Contents
- 01 Who We Are
- 02 What Data We Collect
- 03 How We Collect Your Data
- 04 Why We Process Your Data
- 05 How We Use Your Data
- 06 AI Processing & Third Parties
- 07 Anonymised Data
- 08 Data Storage & Security
- 09 Cross-Border Transfers
- 10 Data Retention
- 11 Your Rights
- 12 Data Breach Notification
- 13 Children's Privacy
- 14 Website & Cookies
- 15 Data Protection Officer
- 16 Changes to This Policy
- 17 Contact Us
Reya is committed to protecting the privacy of every person who uses our service. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Please read this policy carefully before using Reya.
Section 01
Who We Are
Reya is a household management service that operates via WhatsApp, operated by SecondShift FZ-LLC, a Free Zone Limited Liability Company registered with the Ras Al Khaimah Economic Zone Authority (RAKEZ).
| Legal entity | SecondShift FZ-LLC |
| RAKEZ Licence No. | 47030872 |
| Registered address | VUNE0042, Compass Building, Al Hulaila, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates |
| Issuing authority | Ras Al Khaimah Economic Zone Authority (RAKEZ) |
| Privacy contact | privacy@onereya.com |
We act as the Data Controller for the personal data collected through our service, as defined under the UAE PDPL.
Note: Reya is not a financial institution, bank, insurance company, or regulated entity under any UAE Central Bank or Securities and Commodities Authority regulation. We are a household management service only.
Section 02
What Data We Collect
We collect only the personal data necessary to provide our service.
Registration data
- WhatsApp phone number (used as your unique identifier)
- Household name as you provide it
- Your role within the household (admin, partner, member, or staff)
- Your preferred language and timezone
- Your consent choices, including whether you have agreed to anonymised data research
Spending data
- Receipt images and documents you send to Reya
- Merchant name and location extracted from receipts or messages
- Transaction amounts and currency
- Spend category (Groceries, Dining, Café, Clothing, Gifts, Car, Household Items, Pharmacy, Personal Care, Subscriptions, Travel, Entertainment, Children, Other)
- Date and time of transactions
Interaction data
- WhatsApp message content sent to our service number, including text messages, voice notes, and receipt images
- Message timestamps and unique message identifiers used for duplicate detection
- Service usage activity such as when messages are sent and when reports are read
Website data
- Basic analytics data collected when you visit onereya.com, including pages visited and time spent (see Section 14)
Data we do not collect
- Payment card numbers or bank account details
- Government-issued ID numbers
- Biometric data
- Location data beyond what is visible on receipts
- Data from WhatsApp conversations not addressed to our service number
Section 03
How We Collect Your Data
We collect your personal data through the following means:
- Direct interaction — when you message our WhatsApp service number, register as a household, or invite other household members
- Receipt and message submission — when you or other household members send receipt images, voice notes, or text descriptions to our service
- Automated AI processing — when our AI system extracts structured data from submitted receipts and classifies the intent of messages (see Section 6)
- Website visits — when you visit onereya.com (see Section 14)
We do not collect data from third parties, social media platforms, or any source other than your direct interaction with our WhatsApp service and website.
Section 04
Why We Process Your Data (Legal Basis)
Consent (primary basis)
We rely on your explicit consent as the primary legal basis for processing your personal data. By registering with Reya through our WhatsApp onboarding flow, you provide consent for us to process your data to deliver our household management service. You may withdraw this consent at any time by requesting account deletion.
Contract performance
Some processing is necessary to perform the household management service you have requested, including delivering your weekly spending report and sending receipt confirmations and reminders.
Anonymised market research (separate consent required)
We may use anonymised, aggregated spending data for market research purposes only if you have explicitly provided a separate consent during registration. This consent is optional and is not required to use the Reya service. See Section 7 for full details.
Section 05
How We Use Your Data
We use your personal data solely to provide and improve the Reya service. Specifically:
- To create and manage your household account
- To process messages and extract spending information
- To generate your weekly household spending summary
- To send mid-week spending confirmations as your household submits messages
- To send reminders you have set up through the service
- To invite household members you have requested to add
- To provide customer support if you contact us
We will never:
- Sell your personal data to any third party
- Share your personal data with advertisers
- Use your data to serve you advertising of any kind
- Share your individual household data with other businesses without your explicit consent
- Use your data for any purpose beyond those stated in this policy
Section 06
AI Processing and Third-Party Services
Reya uses artificial intelligence to process messages you send to our service. It is important that you understand what this means for your personal data.
Message intent classification
Every message you send to Reya — whether text, voice note, or receipt image — is processed by an AI system (Anthropic Claude API) to understand what you are asking or reporting.
Voice note transcription
If you send a voice note, it is transcribed to text before being processed. The audio content is processed solely to produce the transcription and is not retained beyond what is necessary for service delivery.
Receipt image processing
Receipt images are processed by the Anthropic Claude API to extract merchant name, transaction amount, date, and individual line items.
Anthropic data handling
We use Anthropic's API under terms that prohibit Anthropic from using your data to train their AI models. Your message content is processed to generate a response and is not retained by Anthropic for model training purposes.
Third-party processors
To deliver our service, we use the following third-party data processors. Each is contractually bound to protect your data and may not use it for their own purposes:
| Processor | Purpose | Data processed |
|---|---|---|
| Airtable | Database storage — your household data is stored on Airtable's servers | All household data |
| Anthropic Claude API | AI message classification, receipt image processing, voice note transcription | Message content, receipt images |
| Meta WhatsApp Business API | Messaging infrastructure — all communications are delivered through WhatsApp | Phone numbers, message delivery |
| n8n | Workflow automation — orchestrates our service workflows | All data in transit between services |
| 360dialog (or Meta direct) | WhatsApp Business API provider — manages message routing | Phone numbers, message metadata |
Please note that Meta's own privacy policy and terms govern the WhatsApp infrastructure layer. By using WhatsApp to communicate with Reya, you are also subject to Meta's terms for WhatsApp users.
Section 07
Anonymised and Aggregated Data
With your separate and explicit consent, we may use anonymised, aggregated spending patterns for market research purposes. This means:
- Data is stripped of all personal identifiers before any analysis
- No individual household is ever identifiable from research outputs
- Research outputs take the form of aggregate trends only
- Individual transaction records, household names, or phone numbers are never shared with any third party
This consent is requested during registration as a separate, optional question. You can opt out at any time without affecting your access to the Reya service.
Section 08
Data Storage and Security
Isolated data environments
Each household's data is stored in a dedicated, isolated database environment. No household's data is co-mingled with another household's data.
Technical safeguards
- Encryption of data at rest and in transit
- Access controls limiting data access to authorised personnel only
- Phone number-based routing ensuring only your registered household members can interact with your household data
- Duplicate message detection to prevent unintended processing of repeated messages
- No storage of WhatsApp message content beyond what is necessary for service delivery
Section 09
Cross-Border Data Transfers
Some of our third-party processors including Airtable, Anthropic, and n8n operate servers outside the UAE. This means your personal data may be transferred to and processed in countries outside the UAE.
In accordance with the UAE PDPL's requirements on cross-border data transfers, we ensure that:
- All third-party processors we use maintain appropriate data protection standards equivalent to those required under the UAE PDPL
- Transfers occur only to the extent necessary to deliver the service you have requested
- By registering with Reya, you explicitly consent to these transfers as necessary for the provision of the service
We will update this section as the UAE Data Office issues further guidance on cross-border transfer mechanisms under the PDPL's executive regulations.
Section 10
Data Retention
We retain your personal data for as long as your household account is active. Specifically:
- Account data (phone number, household name, member roles) — retained for the duration of your account
- Transaction data (spending records) — retained for 24 months to enable year-on-year comparisons, then deleted
- Message logs — retained for 90 days for service quality and duplicate detection, then deleted
- Invitation tokens — deleted immediately upon use or expiry (7 days)
- Voice note audio — not retained after transcription is complete
Upon account deletion, all personal data associated with your household is permanently deleted within 30 days, except where retention is required by UAE law.
Section 11
Your Rights Under the UAE PDPL
Under Federal Decree-Law No. 45 of 2021, you have the following rights regarding your personal data:
Right to access
You may request a copy of the personal data we hold about you and your household at any time.
Right to rectification
You may request correction of any inaccurate or incomplete personal data we hold about you.
Right to erasure
You may request deletion of your personal data. Upon such a request, we will delete all your household data within 30 days. Note that deletion of your account will result in permanent loss of your spending history.
Right to withdraw consent
You may withdraw your consent to data processing at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to data portability
You may request a copy of your personal data in a structured, machine-readable format.
Right to object
You may object to specific processing activities, including your consent to anonymised data research (see Section 7).
Right to lodge a complaint
If you believe your rights under the UAE PDPL have been violated, you have the right to lodge a complaint with the UAE Data Office.
To exercise any of these rights, contact us at privacy@onereya.com. We will respond to all requests within 30 days. We may ask you to verify your identity before processing your request.
Section 12
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the UAE Data Office without undue delay and no later than 72 hours after becoming aware of the breach, where feasible
- Notify affected households via WhatsApp message to their registered number as soon as reasonably practicable
- Provide clear information about the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it
Where a breach is unlikely to result in a risk to your rights and freedoms, we will document the breach internally but notification may not be required. We will always err on the side of transparency.
Section 13
Children's Privacy
Reya is a service for household administrators aged 18 and above. We do not knowingly collect personal data directly from children under the age of 18.
Household data may reference children — for example, in schedule or reminder features — but children do not interact with our service directly and do not have their own accounts. References to children within your household data are governed by this policy and are subject to the same protections as all other household data.
Section 14
Website Visitors and Cookies
When you visit onereya.com, we collect basic analytics data to understand how people find and use our website. This data is collected using Google Analytics and includes:
- Pages visited and time spent on each page
- General geographic location (country or city level — not precise location)
- Device type and browser used
- How you arrived at our site (search engine, direct link, social media)
This data is anonymised and aggregated. We do not use cookies to track individual visitors across other websites, and we do not use advertising cookies of any kind.
By visiting onereya.com you consent to this basic analytics collection. You may opt out by using a browser extension that blocks Google Analytics.
Section 15
Data Protection Officer
As a small business operating at pilot scale, SecondShift FZ-LLC has assessed its processing activities and determined that formal appointment of a Data Protection Officer (DPO) is not required at this stage under the UAE PDPL's provisions for smaller operators.
The founder, Karim Mohamad Ali Naja, acts as the primary privacy contact and is responsible for all data protection matters. All privacy requests and concerns should be directed to privacy@onereya.com.
We will reassess the requirement to appoint a formal DPO as our scale of processing grows.
Section 16
Changes to This Policy
We may update this Privacy Policy from time to time, including to reflect changes in the UAE PDPL's executive regulations as they are issued by the UAE Data Office.
If we make material changes to this policy, we will notify you via WhatsApp message to your registered number at least 14 days before the changes take effect. Continued use of the Reya service after that date constitutes acceptance of the updated policy.
The current version of this policy is always available at onereya.com/privacy.
Section 17
Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to withdraw your consent, please contact us:
- Email: privacy@onereya.com
- WhatsApp: Message your registered Reya number and type PRIVACY
- Response time: We aim to respond to all privacy requests within 5 business days and no later than 30 days
Have a question about your data?
privacy@onereya.comWe respond to all privacy requests within 5 business days.
Reya Privacy Policy · SecondShift FZ-LLC · RAKEZ Licence 47030872 · Effective 25 April 2026