Privacy Policy

Last updated: June 18, 2026

This Privacy Policy explains how WhatWins FZ-LLC (“WhatWins”, “we”, “us”, or “our”), a company registered in the United Arab Emirates, collects, uses, stores, and protects personal data in connection with the WhatWins platform (“Service”). This policy is governed primarily by UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”) and complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR where they apply to our processing.

1. Our role under data-protection law

WhatWins operates a multi-tenant B2B platform. Our role under the UAE PDPL and the GDPR depends on the data being processed:

  • Controller, for personal data relating to the account owner, team members, and other authenticated users of the Service (account registration, billing data, support communications, authentication, security logs, and product analytics).
  • Processor, for personal data that an organization (our customer) uploads, generates, or processes in the Service relating to its talents, models, and third parties (collectively, “Customer Content”). The organization is the controller of that data. Our processing is governed by our Data Processing Agreement (DPA) at /dpa, which is automatically incorporated into the Terms of Service for every customer.
  • Controller (tracked data), for the publicly available data we collect about the social accounts, advertisers, and online stores a customer chooses to track, which powers the Service's competitive-intelligence features (see Section 2.7).

This Privacy Policy describes our practices as a controller. For our obligations as a processor, see the DPA.

2. Data we collect

2.1 Account data

Name, email address, profile image, password hash (when email/password is used), or the identifier returned by your federated identity provider (when magic-link or SSO is used). We never receive or store your federated provider password.

2.2 Organization data

Agency name, slug, logo, timezone, billing plan, team members and their roles, invitations issued and accepted.

2.3 Billing data

Billing email, country, VAT number (if applicable), invoice history, Stripe customer and subscription identifiers, last 4 digits and expiration of the payment card (held by Stripe). We do not store full card numbers or CVV.

2.4 Usage and technical data

IP address, browser type, device characteristics, pages visited, actions taken in the Service, error reports, and access logs. Captured for security, fraud detection, performance monitoring, and product analytics. Where this data is combined with an account, it is personal data under the GDPR and PDPL.

2.5 Two-factor authentication data

If you enable 2FA, we store the TOTP secret and a set of one-time backup codes, encrypted at rest. These are used solely to verify sign-in attempts.

2.6 Customer Content (we are processor)

Includes media files (images, videos), file metadata (filename, size, type, EXIF where present), creator and account profiles created in the Service, planning items, calendar events, attachments, saved external links, comments, and notes. Our processing of Customer Content is governed by the DPA and not by this Policy.

2.7 Publicly available competitive data (we are controller)

Core features of the Service let a customer track the competitors and creators in their niche. To power these, we collect and process publicly available information about the social accounts, advertisers, and online stores a customer chooses to track, including public profile details, public posts and ads (for example, ads disclosed in public ad libraries), engagement and performance metrics, and public store and product data. We obtain this through third-party data providers and our own retrieval infrastructure. When a customer saves a public post or ad to their library, we may store a cached copy of that public content so their team has it on hand for reference. Where this information relates to an identifiable person, it is personal data and we act as the controller for it. Our lawful basis is the legitimate interest of our customers and us in competitive research and benchmarking, balanced against the rights of the individuals concerned. We do not seek special-category data for this purpose, and any individual can object to or request erasure of their data as described in Section 11.

2.8 Link tracking and link-in-bio (we are processor)

Customers can create trackable short links and a public “link-in-bio” page through the Service. When a person clicks one of those links or visits a customer's link-in-bio page, we process limited technical data about the visit, such as IP address, the approximate location derived from it, device and browser type, referring URL, and the time of the click, to produce click and visit analytics for the customer. The customer is the controller of this data and we process it as their processor under the DPA. We do not use it for advertising or to build cross-site profiles.

3. Lawful bases for processing

We rely on the following lawful bases under GDPR Article 6 and the equivalent grounds under UAE PDPL Article 5:

  • Performance of a contract, to provide the Service you subscribed to, including account creation, authentication, billing, hosting, and support.
  • Legitimate interests, for security monitoring, abuse and fraud prevention, defending and pursuing legal claims, product analytics in aggregated form, and providing the Service's competitive-intelligence features by processing publicly available data about the accounts, advertisers, and stores our customers track. We balance these interests against the rights and freedoms of the individuals concerned; you have the right to object (see Section 11).
  • Consent, for non-essential cookies, optional marketing communications, and where required by local law. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation, to comply with applicable law-enforcement requests, financial record-keeping under UAE Commercial Transactions Law, sanctions screening, and tax law.

4. How we use your data

  • Service delivery. Provision your account, host your organization, authenticate sign-in, deliver in-app and transactional notifications, and enable collaboration.
  • Billing. Create your Stripe customer, process subscription payments, send invoices, and detect billing fraud.
  • Security. Detect suspicious activity, throttle abusive requests, investigate incidents, and enforce our Acceptable Use Policy.
  • Product improvement. Analyze aggregated usage, investigate bugs (we may capture stack traces that include your user ID), and improve features.
  • Communications. Send service announcements, security alerts, and changes to legal terms. Marketing emails are sent only with your consent and you can unsubscribe at any time.
  • Legal and compliance. Respond to lawful requests, enforce our Terms, defend our rights, and meet record-keeping obligations.

5. Sub-processors

We use a vetted set of sub-processors to operate the Service (infrastructure, storage, email delivery, payment processing, analytics, AI, affiliate tracking, and retrieval of publicly available social and commerce data). Each sub-processor is bound by a written contract with confidentiality and security obligations equivalent to those in our DPA. The current list, including each provider's purpose, processing location, and transfer mechanism, is available on written request to [email protected]. We give customers prior notice of new sub-processors and the right to object as set out in the DPA.

6. Artificial intelligence features

Some features of the Service (for example, AI-generated content briefs and breakdowns of public posts) send the inputs you supply to a third-party large language model provider. The following applies:

  • We send only the inputs you submit to the feature (typically a short brief and metadata about the planning item) and not your full account history or media library.
  • Under our agreement with the provider, the data we send is not used to train or fine-tune models and is retained only for the period required to return a response and meet legal obligations of the provider.
  • AI outputs are drafts. You remain responsible for reviewing, editing, and using them in compliance with applicable law.
  • You can disable AI features for your organization in agency settings. AI features are gated to paid plans.

7. Cookies and similar technologies

We use first-party cookies and tokens that are strictly necessary to operate the Service (session management, CSRF protection, billing flow, load balancing). These do not require consent.

We use product analytics (first-party hosted, with IP truncation) to understand how the Service is used. Where this analytics activity uses non-essential cookies or similar identifiers and you are subject to the EU ePrivacy Directive, we obtain your consent before setting them and you can withdraw it at any time from the in-app cookie preferences.

If you arrive through an affiliate referral link, our third-party affiliate platform sets a cookie that lasts up to 60 days so a later subscription can be attributed to the referring partner for commission purposes. It is used solely for referral attribution, not for advertising or to build a profile of you.

We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral profiling.

8. Adult content and age verification

WhatWins is designed for talent and content-agency workflows that may include adult content. The following rules apply and are enforced by our Terms of Service and Acceptable Use Policy:

  • The Service is restricted to users aged 18 or older. We do not knowingly collect personal data from anyone under 18.
  • Customers (agencies) must verify and warrant that every talent or model whose data they upload is at least 18 years old at the time of recording or capture, hold valid records of that verification, and retain them for at least the period required by applicable law (including U.S. 18 U.S.C. § 2257 record-keeping requirements where applicable).
  • Any content that depicts, describes, or facilitates the abuse or sexualization of minors is strictly prohibited. We report suspected child sexual abuse material (“CSAM”) to competent authorities and remove it without notice.
  • To report a suspected violation, contact [email protected]. We respond to credible reports without delay.

9. International data transfers

WhatWins is based in the United Arab Emirates and uses sub-processors located outside the UAE (notably in the EU, the United States, and the United Kingdom). Where personal data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the transfer is protected by Standard Contractual Clauses (SCCs) Module 2 or Module 3 (as appropriate), supplemented by additional safeguards described in our DPA. For transfers under the UAE PDPL, we rely on adequacy where available or on equivalent contractual and technical safeguards consistent with Article 23 PDPL.

10. Retention

Data category                               Retention period
------------------------------------------  ----------------------------------------------------------------
Account data (active account)               For the life of the account
Account data after account deletion         Deleted from production within 30 days; from backups within 90 days
Customer Content (during subscription)      As directed by the customer; see DPA
Customer Content after subscription ends    Available on request for 30 days, then deleted from production within a further 30 days and from backups within 90 days
Billing and invoice records                 10 years (UAE Commercial Transactions Law)
Security and access logs                    12 months
Aggregated, anonymized analytics            Indefinite

11. Your rights

Under the UAE PDPL and, where applicable, the GDPR and UK GDPR, you have the right to:

  • Access: request a copy of personal data we hold.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion, subject to legal retention duties.
  • Restriction: request that we limit processing.
  • Portability: receive your data in a structured, commonly used, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: at any time, without affecting prior lawful processing.
  • Lodge a complaint: with the UAE Data Office, or, for EEA residents, with a supervisory authority in your country of residence.

If you are a model, talent, or other person whose data has been uploaded by an agency, please contact the agency directly to exercise your rights; the agency is the controller of that data. We will support the agency in responding within the required timeframe.

For all other requests, contact [email protected]. We respond within one month and may request identity verification before acting.

12. Security

We implement commercially reasonable technical and organizational measures designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest, role-based access control, optional two-factor authentication, audit logging, and secrets isolation. A non-exhaustive description of our security program is available at /security. No system is fully secure; we encourage the use of strong passwords and 2FA.

13. Personal data breaches

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the competent supervisory authority (the UAE Data Office, and, for breaches affecting EEA residents, the relevant EEA supervisory authority) without undue delay and, where feasible, no later than 72 hours after we become aware of it. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

14. Children's data

The Service is not directed at, and may not be used by, anyone under the age of 18. We do not knowingly collect personal data from minors. If we learn we have collected data from someone under 18, we will delete it and terminate the responsible account. See Section 8 for rules regarding talent data.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email and through the Service at least 15 days before they take effect. The “Last updated” date above reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

16. Governing law

This Policy is governed by the laws of the United Arab Emirates and the UAE PDPL. Where you are located in the EEA, the UK, or Switzerland, the GDPR or UK GDPR (as applicable) governs our processing of your personal data in addition to the UAE PDPL.

17. Contact

Email: [email protected]
Trust & safety: [email protected]
Entity: WhatWins FZ-LLC, Dubai, United Arab Emirates