In plain English
This Privacy Policy explains what data we collect when you use OneClient, why we collect it, who we share it with, where it's stored, how long we keep it, and the rights you have over it. We don't sell your data. We use sub-processors (named below) to deliver the Service. If you're in the EEA, the UK, California, Australia, or the UAE, you have additional statutory rights — those are set out in Section 11. Email support@1client.app if you want to exercise any right or have a question.
1. Introduction
This Privacy Policy ("Policy") explains how OneClient Tech L.L.C-FZ, a free-zone limited liability company registered in the Maiden Free Zone, Dubai, United Arab Emirates ("OneClient", "we", "us", or "our"), collects, uses, shares, and protects Personal Data in connection with the OneClient platform — including our website at 1client.app, the booking pages served thereon, our mobile applications for iOS and Android, our application programming interfaces, and all related services and features (collectively, the "Service").
This Policy applies whether you access the Service as a Specialist (an independent service professional who uses the Service to manage a booking page) or as a Client (an end-customer who books an appointment with a Specialist through the Service). Certain provisions apply only to one role and are marked accordingly.
This Policy forms part of, and should be read alongside, our Terms of Service and Cookie Policy.
2. Defined Terms
Terms with initial capital letters used but not defined in this Policy have the meaning given in the Terms of Service. In addition, in this Policy:
- "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- "Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Controller" means the natural or legal person that determines the purposes and means of Processing of Personal Data.
- "Processor" means the natural or legal person that Processes Personal Data on behalf of a Controller.
- "Sub-processor" means a Processor engaged by us to assist in performing the Service.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is being Processed.
- "GDPR" means Regulation (EU) 2016/679, as applicable.
- "UK GDPR" means the Data Protection Act 2018 of the United Kingdom and the United Kingdom General Data Protection Regulation.
- "CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020.
- "PDPL" means UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations.
3. Roles and Responsibilities
3.1 OneClient as Controller
OneClient acts as a Controller for the following Personal Data:
- Specialist Account Personal Data (registration details, profile data, Subscription and billing details, login credentials, and Account preferences);
- Personal Data collected automatically through your use of the Service (such as device, browser, and usage information described in Section 4.2);
- Personal Data we receive from Sub-processors in connection with the operation, security, and improvement of the Service (such as fraud-prevention signals).
3.2 OneClient as Processor
When a Specialist uses the Service to manage Bookings with their Clients, the Specialist is the Controller of the Client Data and OneClient acts as a Processor on the Specialist's behalf. We Process Client Data only as necessary to provide the Service to the Specialist, as instructed by the Specialist, and as set out in this Policy and the Terms of Service. A separate data processing addendum ("DPA") is available on request from support@1client.app for Specialists who require formal terms of processor engagement.
3.3 Specialist responsibilities
Each Specialist is responsible, as Controller of their Client Data, for: (a) establishing a lawful basis to collect and Process their Client Data; (b) providing their Clients with the information required by applicable data-protection laws (typically through a privacy notice on the Specialist's own communications); (c) responding to data-subject requests made by their Clients in respect of Client Data; and (d) configuring the Service in a manner consistent with their Controller obligations. OneClient will assist Specialists in meeting these obligations to the extent reasonably required and as further described in the DPA.
4. Personal Data We Collect
4.1 Personal Data you provide
(a) Specialist Account Personal Data
- Identifying information: name (and/or business name), email address, phone number, professional handle/nickname, profile photograph, language preference, time zone, and country.
- Profile information: business description, list of services offered (titles, descriptions, durations, prices), portfolio photographs, working hours and availability, and cancellation policy.
- Subscription and billing data: Subscription plan, billing currency, taxpayer status, and (where applicable) tax-residency declarations submitted under Section 9.6 of the Terms of Service. Payment-card details are entered directly into and stored by our Merchant of Record (Lemon Squeezy) and not retained by OneClient.
- Account credentials: hashed password (managed by our authentication Sub-processor, Clerk), two-factor authentication settings (if enabled), and recovery codes.
- Communications: messages you send to us (e.g. support emails), feedback, and survey responses.
(b) Client Booking Personal Data
- Identifying information: name, email address, phone number, and (optionally) a time zone derived from your browser.
- Booking information: the Specialist, the services selected, the booked date and time, any notes or special requests, and confirmation status.
- Verification data: short-lived one-time codes sent to verify the email address used for a Booking. Codes are stored for no longer than ten (10) minutes after issue.
- Communications: messages you exchange with a Specialist through the Service (if such functionality is enabled).
4.2 Personal Data collected automatically
When you access the Service, we (and our Sub-processors) automatically collect:
- Device and browser information (type, version, operating system, language);
- Network information (Internet Protocol address, approximate geographic location derived from it, connection type);
- Service-usage information (pages visited, features used, click-stream data, timestamps, referring URL, and error/crash logs);
- Cookies and similar technologies as described in our Cookie Policy.
4.3 Personal Data from third parties
We may receive limited Personal Data from third parties, for example: (a) from our authentication Sub-processor (Clerk) when you sign in via a federated provider such as Google or Apple — typically your name and email address; (b) from fraud- and bot-prevention Sub-processors (such as Google reCAPTCHA) — risk signals associated with your interaction; and (c) from the Merchant of Record (Lemon Squeezy) when you complete a Subscription purchase — limited billing metadata for our records (we do not receive your full payment-card details).
5. Purposes and Legal Bases for Processing
We Process Personal Data only where we have a lawful basis to do so. The table below summarises the main purposes for which we Process Personal Data and the legal basis on which we rely (under the GDPR and UK GDPR; equivalent bases apply under other applicable laws, including the PDPL).
| Purpose | Data categories | Legal basis |
|---|---|---|
| Providing the Service (Booking flow, calendar, communications, reminders) | Account, Booking, and usage data | Contract performance (Article 6(1)(b)) |
| Subscription billing and invoicing | Subscription, billing, and tax-residency data | Contract performance; legal obligation (Articles 6(1)(b) and 6(1)(c)) |
| Service security, fraud-prevention, abuse detection | Device, network, usage, and risk-signal data | Legitimate interests (Article 6(1)(f)) |
| Service analytics, debugging, and improvement | Aggregated usage and crash data | Legitimate interests (Article 6(1)(f)) |
| Transactional communications (confirmations, reminders, security alerts) | Contact details | Contract performance (Article 6(1)(b)) |
| Marketing communications (product updates, newsletters) | Contact details | Consent (Article 6(1)(a)); soft opt-in for existing customers where permitted |
| Compliance with legal obligations (tax, accounting, regulatory) | Account, Subscription, and Booking data | Legal obligation (Article 6(1)(c)) |
| Establishing, exercising, or defending legal claims | As required | Legitimate interests; legal obligation (Articles 6(1)(f), 6(1)(c)) |
Where our processing is based on consent, you may withdraw that consent at any time by following the instructions in any marketing communication or by contacting support@1client.app. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
6. Sharing of Personal Data
We do not sell Personal Data, and we do not share it with third parties for their own marketing purposes. We share Personal Data in the following circumstances:
6.1 Between Specialists and Clients
When a Client makes a Booking, the Service shares with the Specialist the Client's name, email address, phone number, selected services, and any notes provided. This sharing is necessary to fulfil the Booking and to enable subsequent communications between the Specialist and the Client.
6.2 Sub-processors
We engage carefully selected third-party service providers to assist us in operating the Service. Each Sub-processor is bound by a written agreement that imposes data-protection obligations no less protective than those in this Policy. Our principal Sub-processors are:
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Clerk Inc. | Authentication and Account management for Specialists | Account credentials, federated-identity data | United States |
| Lemon Squeezy LLC | Merchant of Record for web-based Subscription billing; tax calculation and remittance | Subscription, billing, and tax-residency data | United States |
| Resend, Inc. | Transactional email delivery (Booking confirmations, reminders, security alerts) | Recipient email address and message content | United States |
| Cloudflare, Inc. (R2 Object Storage) | Secure storage of uploaded photographs and other static assets | Uploaded files and associated metadata | European Union / United States |
| Vercel, Inc. | Hosting and content delivery for our web frontends; first-party Vercel Analytics and Speed Insights | Browser request data; aggregated and anonymised page-view data | Global edge network |
| Railway Corp. | Backend application hosting and managed PostgreSQL database | Account, Booking, and operational data | United States / European Union |
| Google LLC (reCAPTCHA) | Bot-protection during Booking and other sensitive flows | Device fingerprint, behavioural risk signals, IP address | United States |
| Functional Software, Inc. d/b/a Sentry | Application performance monitoring and error tracking | Error traces, device data, anonymised user identifiers | United States / European Union |
| Apple Inc. (App Store / In-App Purchase) | Subscription billing for iOS app purchases | Apple ID account data (handled by Apple per its policies) | Global |
| Google LLC (Play Store / Play Billing) | Subscription billing for Android app purchases | Google Account data (handled by Google per its policies) | Global |
An up-to-date Sub-processor list is available on request from support@1client.app. We will give Specialists with a signed DPA reasonable advance notice of the engagement of any new Sub-processor.
6.3 Compliance with law and protection of rights
We may disclose Personal Data where we believe in good faith that disclosure is necessary to (a) comply with a legal obligation, court order, or lawful request from a public authority; (b) enforce our Terms of Service or other policies; (c) detect, prevent, or address fraud, security, or technical issues; (d) protect the rights, property, or safety of OneClient, our users, or others. Where we receive a request that we believe is overbroad or unlawful, we will challenge it to the extent permitted.
6.4 Business transfers
If we are involved in a merger, acquisition, financing due diligence, reorganisation, bankruptcy, receivership, or sale of all or part of our business or assets, Personal Data may be transferred as part of that transaction, subject to appropriate confidentiality safeguards. We will notify you (and where required, obtain your consent) before any such transfer.
6.5 Aggregated and de-identified data
We may share aggregated, anonymised, or de-identified information that cannot reasonably be used to identify a particular individual for any purpose, including publication of usage trends and product research.
7. International Data Transfers
OneClient is established in the United Arab Emirates, our principal hosting providers operate in the United States and the European Union, and many of our Sub-processors are headquartered in the United States. As a result, your Personal Data may be transferred to, stored in, and processed in countries outside the country in which it was collected (including, without limitation, jurisdictions whose data-protection laws differ from those of your home jurisdiction).
Where we transfer Personal Data from the EEA, the UK, Switzerland, or the UAE to a third country that has not been deemed to provide an adequate level of protection by the relevant authority, we rely on appropriate safeguards including (without limitation) the European Commission's Standard Contractual Clauses (or equivalent clauses under UK or Swiss law), supplemented by additional technical and organisational measures where required. A copy of the safeguards we use can be requested by contacting support@1client.app.
8. Data Retention
We retain Personal Data for no longer than is necessary for the purposes for which it was collected, including (without limitation) for the purposes of complying with our legal, accounting, tax, or reporting obligations. Specific retention periods are set out below.
| Data category | Retention period |
|---|---|
| Specialist Account data | For the duration of the Account, plus up to thirty-six (36) months thereafter to handle disputes, comply with legal obligations, and prevent fraud. Backups follow our standard cycle and are deleted within ninety (90) days. |
| Client Booking data | For at least six (6) months following the Booking date to enable Specialist record-keeping, and for as long as the Specialist's Account remains active (subject to the Specialist's own retention obligations as Controller of Client Data). |
| Subscription and billing data | For the period required by applicable tax and accounting law (typically seven (7) years from the date of the relevant transaction). |
| Email verification codes | Ten (10) minutes from issue. |
| Marketing-communications preferences | For as long as we maintain a relationship with you, or until you withdraw consent. |
| Support communications | For up to thirty-six (36) months from the date of the most recent communication. |
| Server logs and security telemetry | Up to twelve (12) months from collection. |
Where Personal Data is anonymised such that it can no longer be associated with an identified or identifiable individual, the anonymised data may be retained indefinitely for legitimate business purposes (e.g. product analytics).
9. Data Security
We implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage. These measures include (without limitation):
- encryption of Personal Data in transit using Transport Layer Security (TLS);
- encryption of Personal Data at rest in our managed database and object storage;
- secure authentication and access control through our authentication Sub-processor;
- role-based access controls and the principle of least privilege for our staff;
- regular software-dependency updates and security review of code changes;
- logical separation of production and non-production environments;
- retention of audit logs of administrative access;
- incident-response procedures, including the breach-notification process below.
No method of Internet transmission or electronic storage is one hundred percent secure. While we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee absolute security.
10. Data Breach Notification
If we become aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with applicable law. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify the affected Data Subjects without undue delay.
Where we Process Client Data as a Processor on behalf of a Specialist, we will notify the Specialist (as Controller) of any Personal Data breach affecting their Client Data without undue delay, with sufficient information to enable the Specialist to comply with its own breach-notification obligations.
11. Your Privacy Rights
Depending on your country of residence and the role in which you use the Service, you may have the rights set out below. We respond to verified data-subject requests within thirty (30) days (or such longer period as applicable law permits). To exercise any right, contact support@1client.app.
11.1 Rights under the GDPR (EEA) and UK GDPR (United Kingdom)
If you are located in the European Economic Area or the United Kingdom, you have:
- Right of access — to obtain confirmation as to whether we Process Personal Data about you and, if so, a copy of that data and information about the Processing.
- Right to rectification — to have inaccurate Personal Data corrected and incomplete Personal Data completed.
- Right to erasure ("right to be forgotten") — to have your Personal Data deleted where one of the grounds in Article 17 GDPR applies.
- Right to restriction — to require us to restrict Processing in certain circumstances.
- Right to portability — to receive Personal Data you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another Controller.
- Right to object — to object to Processing based on legitimate interests or for direct-marketing purposes.
- Rights in relation to automated decision-making — see Section 12.
- Right to withdraw consent — where Processing is based on your consent, you may withdraw it at any time.
- Right to lodge a complaint — with the supervisory authority of your country of residence. Without prejudice to other remedies, you may lodge a complaint with, for example, your national data-protection authority in the EEA, or the United Kingdom's Information Commissioner's Office (ICO).
11.2 Rights under the California Consumer Privacy Act (CCPA)
If you are a California resident, you have:
- Right to know — the categories and specific pieces of Personal Data we collect, the sources, the purposes, and the categories of third parties with whom we share Personal Data.
- Right to delete — subject to certain exceptions (such as data we must retain to comply with legal obligations or complete a transaction).
- Right to correct — inaccurate Personal Data we maintain about you.
- Right to opt out of "sale" or "sharing" — we do not sell Personal Data and do not share it for cross-context behavioural advertising.
- Right to limit use of sensitive personal information — we do not Process sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
11.3 Rights under the UAE Personal Data Protection Law (PDPL)
If you are located in the United Arab Emirates, you have the rights set out in the PDPL, including (without limitation) the right to access, correct, and request deletion of your Personal Data; to request restriction of Processing; to object to automated decision-making; and to lodge a complaint with the UAE Data Office.
11.4 Rights under the Australian Privacy Act
If you are located in Australia, you have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, including the right to access and correct Personal Data, the right to make a complaint about how we have handled your Personal Data, and the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
11.5 Other jurisdictions
If you are located in another jurisdiction with applicable data-protection law, you may have additional rights. Contact us at support@1client.app with any questions.
11.6 Exercising your rights
To exercise any of the rights above, contact us at support@1client.app from the email address associated with your Account (where applicable), or in another way that enables us to verify your identity. We may ask for additional information necessary to verify your identity before responding. We will respond within the period required by applicable law (typically within thirty (30) days). If we are unable to act on a request, we will explain why and inform you of any further remedies.
12. Automated Decision-Making and Profiling
We do not use Personal Data for automated decision-making (including profiling) that produces legal effects or similarly significant effects on you. Certain anti-abuse systems used by our Sub-processors (such as Google reCAPTCHA) involve automated risk scoring, but those scores are used only to assist humans in security decisions and do not by themselves determine outcomes that have legal or significant effects on you.
13. Children's Privacy
The Service is intended for individuals aged eighteen (18) or older. We do not knowingly collect Personal Data from individuals under that age. If you believe a minor has provided Personal Data to us, please contact support@1client.app and we will take steps to delete that data.
14. Specialist Data-Processing Obligations
Where the Specialist is the Controller of Client Data (see Section 3.2), the Specialist is responsible for ensuring that its own Processing of Client Data complies with applicable data-protection law. This includes (without limitation): providing the Client with notice of the Specialist's Processing; obtaining consent where required; honouring Client requests to exercise data-subject rights; and (in the EEA, UK, and other applicable jurisdictions) appointing a data-protection officer or representative where required. OneClient provides a standard DPA to support Specialists in meeting these obligations.
15. Cookies and Tracking Technologies
We use cookies and similar technologies (including browser local storage) to operate the Service, to remember your preferences, to secure the Service against abuse, and to understand aggregate usage. A full description of the cookies and similar technologies we use, including the third-party services that set them, is in our Cookie Policy.
16. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party websites or services before providing them with Personal Data.
17. Marketing Communications
We will not send you marketing communications unless you have given us your consent, or where permitted under the "soft opt-in" rules of applicable law. You may withdraw consent or opt out of marketing communications at any time by following the unsubscribe link in any marketing email, by updating your Account preferences, or by contacting support@1client.app. Withdrawal of consent does not affect transactional communications, which are part of the Service.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the updated Policy on the Service and updating the "Last updated" date above and, where the change is significant, by sending notice to the email address associated with your Account or via an in-Service notification. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the updated Policy.
19. Contact and Complaints
19.1 How to contact us
If you have any question, concern, or complaint about this Policy or our Processing of your Personal Data, please contact us at:
- Privacy email: support@1client.app
- Postal address: OneClient Tech L.L.C-FZ, Maiden Free Zone, Dubai, United Arab Emirates
19.2 Supervisory authorities
You have the right to lodge a complaint with a competent supervisory authority, including (without limitation) the data-protection authority of your country of residence in the EEA, the United Kingdom's Information Commissioner's Office (ICO), the California Privacy Protection Agency, the Office of the Australian Information Commissioner (OAIC), and the UAE Data Office. We would, however, appreciate the opportunity to address your concerns directly before you approach the supervisory authority.
Related documents
- Terms of Service — the contract that governs your use of the Service
- Cookie Policy — what cookies we use and how to control them