Privacy Policy

Who We Are

For the purposes of the PDPL, the entity responsible for determining the purposes and means of processing your personal data is:

The Platform and Relevant Domains

homeBY is a real estate Agent personal branding platform operating in the Emirate of Dubai (the "Platform"). We operate across two domains that together form the Platform:

• homeby.com — our primary company website, where we present our services, provide information for prospective Agents, manage waitlist applications, and handle Agent account creation, subscription management and billing
• homeby.estate — our Agent profile environment, where each RERA-licensed Agent is given a personal subdomain (e.g. yourname.homeby.estate) to host their professional profile, biography, track record, listings and contact details

Unless stated otherwise, references in this Policy to the "Platform" include both of these domains, any related subdomains, and any online services, features, content, interfaces or tools that we operate in connection with them (including Agent dashboards, waitlist forms and profile enquiry forms).

Role as Data Controller and Agent Responsibilities

For personal data processed in connection with operating, administering and securing the Platform, homeBY acts as the data controller.

When a Buyer submits an enquiry through an Agent's profile page or contact form, homeBY collects that enquiry on the Platform and then makes it available to the relevant RERA-licensed Agent. From the point at which the enquiry is accessed, downloaded or otherwise used in the Agent's own systems, the Agent acts as the independent data controller for their subsequent use of that personal data.

Agents are individually responsible for complying with applicable real estate and data protection regulations in relation to their own activities. Additional detail on the allocation of responsibilities between homeBY and Agents (including real estate advertising and Trakheesi compliance) is set out in our Terms of Use, which should be read together with this Policy.

Data We Collect

We collect the following categories of personal data from Users when they apply for access to the Platform, create or manage an Agent account, submit enquiries as a Buyer, or otherwise interact with our services. The specific types of data we collect will depend on your role and how you use the Platform.

Agent Data (collected from Agents)

When you apply to join the Platform or create and manage your Agent profile, we collect:

• Identity data: Your full name, professional title, and profile photograph.
• Contact data: Email address, phone number, WhatsApp number, and social media handles (where provided).
• Professional data: Years of experience, RERA licence number and status, agency affiliation, professional title and specialisation, geographical areas served, and languages spoken.
• Profile content data: Biography, specialities, availability information, performance claims, and any other information you choose to display on your public profile page at yourname.homeby.estate.
• Performance data: A combination of Agent-entered data (e.g. properties sold, transaction history) and Platform-generated data (e.g. profile views, enquiry counts, lead conversion metrics) used to populate your profile statistics and performance indicators.

Buyer and Visitor Data (collected from Buyers and general visitors)

When you submit an enquiry through an Agent's profile page or contact form on homeby.estate, or otherwise interact with the Platform, we collect:

• Enquiry and communications data: Your name, email address, phone number, preferred contact method, property preferences (such as type, location, budget range), and any information you include in free-text message fields.
• Usage data: Information about your interaction with the Platform, including pages visited, time spent on site, device type, browser type, operating system, IP address, and approximate location derived from your IP address.

User-Submitted Data (testimonials)

• Testimonials and ratings: Star ratings and written testimonials submitted directly by Users through the Platform. Agents do not author, edit or approve this content. By submitting a testimonial, the submitting User consents to it being publicly displayed on the relevant Agent's profile page.

Marketing and Account Data

• Marketing preferences: Whether you have opted in to receive marketing communications, newsletters, tips or industry updates from homeBY.
• Account data: Subscription details, billing information, payment method details (processed via third-party payment providers), and login credentials for Agent accounts.

Publicly Displayed Data — Important Notice: Information entered into Agent profiles on homeby.estate is intentionally made publicly accessible to anyone on the internet. This includes your name, profile photo, contact details, biography, performance statistics, property listings, and User-submitted testimonials and ratings. You should only publish information on your profile that you are comfortable sharing publicly with an unrestricted global audience. homeBY has no control over, and accepts no responsibility for, how search engines, social media platforms, data aggregators or other third parties may index, cache, scrape, republish or otherwise use your publicly displayed profile data. Their use of such information is governed by their own terms and privacy policies.

User Testimonials — Data Subject Rights: Testimonials and star ratings are submitted by Users and published on Agent profiles. homeBY collects, stores and displays this data to support transparency in the real estate market.

Users who submit testimonials remain data subjects under the PDPL and may contact us using the details in Section 14 to request access to, correction of factual inaccuracies in, or removal of their personal data contained in a testimonial. We will action such requests in accordance with applicable law, but:

• We may retain non-personal or aggregated elements of feedback (such as star ratings without accompanying text)
• We may limit or refuse removal requests where we have legitimate grounds to retain the information (for example, to resolve disputes, comply with legal obligations, or protect the rights of other Users)
• Agents cannot edit, delete or suppress User-authored testimonial content — any requests relating to testimonials should be directed to homeBY

Special Categories of Personal Data: We do not intentionally request or require any special categories of personal data (such as health information, religious beliefs or biometric identifiers) through the Platform. However, users may occasionally choose to include such information in free-text fields (e.g. in enquiry messages). Where this happens, we will process that information only as necessary for the relevant purpose and in line with applicable law, and we ask Users not to include more sensitive details than are reasonably needed.

How We Collect Your Data

We collect personal data through the following methods:

Directly from You

Agents:

• Account registration and profile setup on homeby.com
• Uploading professional details, photos, biography and performance claims to create your yourname.homeby.estate profile
• Managing subscription preferences, billing information and payment details
• Submitting waitlist applications or support requests
• Updating contact preferences and marketing opt-ins

Buyers:

• Completing enquiry forms on Agent profiles (homeby.estate) with name, contact details, property preferences and messages
• Submitting testimonials and star ratings for display on Agent profiles

Website Visitors:

• Browsing homeby.com (captures usage data)
• Submitting "Join Waitlist" forms or contact requests
• Signing up for newsletters or requesting demos

Automatically Through Technology

• Cookies and tracking technologies (see Section 8 for details and consent management)
• Server logs: IP address, device/browser type, pages visited, time on site, referral sources
• Analytics tools: Aggregated usage patterns, error rates, performance metrics
• Security monitoring: Login attempts, access patterns, anomaly detection

From Third-Party Services and Integrations

• Payment processors (e.g. Stripe): Billing and transaction details for Agent subscriptions
• Identity providers: Email verification, authentication during account creation
• RERA/DLD APIs: Automated licence status verification for Agents
• Email/SMS providers: Delivery and open/click tracking for service communications
• Hosting/CDN providers (e.g. Cloudflare): Traffic routing, caching, DDoS protection
• Analytics services (e.g. Google Analytics, Plausible): Usage measurement (pseudonymised)

How We Use Your Data

We process your personal data only for specified, legitimate purposes and on lawful bases under the PDPL. Below we have set out the main purposes for which we process data, the relevant categories of data involved, and the legal basis that applies in each case.

Contractual Necessity

Necessary to perform our agreement with Agents or take steps at their request, e.g.:

• Reviewing applications, managing accounts, subscriptions, billing and support
• Hosting profiles on homeby.estate, generating performance stats, routing Buyer enquiries
• Essential service communications (account confirmations, billing receipts, security alerts)

Legitimate Interests

Necessary for our legitimate interests (not overridden by your rights), e.g.:

• Operating, maintaining and improving the Platform (including troubleshooting, testing and analytics), detecting and preventing fraud, abuse, security incidents and unauthorised access, enforcing our Terms of Use, and protecting our legal rights

Consent

We process personal data where you have given clear, specific and informed consent, e.g.:

• Marketing emails, product updates, industry news, tips, special offers or event invitations, where you have explicitly opted in. You may withdraw your consent at any time using the "unsubscribe" link in individual marketing emails, your account preferences page on homeby.com, or the contact details in Section 14. Withdrawal of consent will not affect the lawfulness of processing that occurred before you withdrew it.

Legal Obligation

We process personal data where this is necessary to comply with our legal obligations under UAE law, e.g.:

• Verifying RERA licence status with RERA/DLD, complying with UAE laws (including anti-money laundering, tax and commercial record-keeping requirements), responding to lawful requests from courts or regulators, and maintaining audit trails

We do not carry out any automated decision-making (including profiling) that produces legal effects or similarly significantly affects Users.

We will only use your personal data for new purposes that are compatible with the original purpose for which it was collected, or where we have a new lawful basis and have informed you of the change in accordance with this Policy.

Data Sharing & Disclosure

We do not sell, rent or trade your personal data. We only disclose it where necessary and on lawful bases under the PDPL.

Service Providers (Processors)

We share data with trusted third-party service providers acting as processors under written data processing agreements. These include:

• Cloud hosting and infrastructure providers
• Analytics and monitoring tools
• Email/SMS delivery services
• Customer support platforms
• Payment processors (for Agent subscriptions)

These providers are contractually required to: process data only on our documented instructions; implement appropriate technical and organisational security measures; maintain confidentiality; and assist us with PDPL obligations (including data subject rights and breach notification). A list or description of key sub-processors may be made available to Users upon request or through our website or contractual documentation.

We reserve the right to engage new sub-processors or replace existing ones as needed to operate and improve our Platform, and Users will be notified of material changes to our sub-processor list.

Agents (Independent Controllers)

Buyer enquiries from profile contact forms are shared with the relevant RERA-licensed Agent and, where applicable, their employing brokerage. These recipients act as independent controllers for their subsequent use of the data and are responsible for their own PDPL and real estate regulatory compliance.

Regulatory Authorities

We disclose data to RERA/DLD to verify Agent licence status and as required by Dubai real estate regulations, or to other UAE authorities where necessary to comply with legal obligations.

Legal Authorities

We may disclose data to courts, law enforcement, government agencies or other public authorities where required by UAE law, court order, regulatory request, or to establish, exercise or defend legal claims.

Business Transfers

In the event of a merger, acquisition, reorganisation or sale of all or part of our business, your data may be transferred to the acquiring entity as an asset of the business. We will notify affected Users and ensure continuity of PDPL-equivalent protections.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Retention periods vary by data category and purpose.

After retention periods expire, data is securely deleted or irreversibly anonymised unless longer retention is required for legal claims, disputes or regulatory purposes. Backup copies may be retained for disaster recovery (typically overwritten within 30–90 days).

You may request earlier deletion under Section 7, subject to our legal retention obligations and legitimate interests. We respond to deletion requests within 30 days per PDPL requirements.

Your Rights

Under the PDPL, you have the following rights regarding your personal data. These rights help ensure fair, transparent and accountable processing by homeBY as a data controller.

• Right to access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your data, subject to legal retention obligations
• Right to restriction: Request that we limit how we process your data in certain circumstances
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to withdraw consent: Withdraw marketing consent at any time without affecting prior processing
• Right to object: Object to processing based on legitimate interests
• Rights relating to automated decision-making and profiling: Not applicable in our case

How to Exercise Your Rights

Submit requests to our privacy contact:

Email: support@homeby.com

Include your name, contact details and a clear description of your request. We may verify your identity for security.

We aim to respond within 30 days. Complex requests may take longer (up to 60 days total), and we will explain any extension. Requests are free unless manifestly unfounded, repetitive or excessive.

If your data is also held by an Agent (e.g. Buyer enquiries), we may direct you to them or notify them to coordinate responses.

Cookies & Tracking

We use cookies and similar tracking technologies on the Platform to enable core functionality, improve user experience, understand usage patterns and ensure security. Cookies are small text files stored on your device by our websites. They allow us to remember your actions and preferences over time, and to recognize you when you return. Similar technologies include web beacons, pixels, local storage objects and device identifiers.

Types of Cookies We Use

How and Why We Use Cookies

We and our third-party service providers use cookies to:

• operate and maintain the core functionality of the Platform
• authenticate users and protect against fraud or unauthorised access
• remember user preferences and improve user experience
• analyse usage patterns and improve performance and features
• (where applicable) deliver and measure marketing and advertising

Third-Party Cookies

Some cookies are placed by third-party service providers that we use for analytics, communications, infrastructure, or marketing purposes. These third parties may collect and process information in accordance with their own privacy policies. We encourage you to review those policies before consenting to such cookies.

Cookie Consent and Control

On your first visit to the Platform, you will be presented with a cookie consent banner that allows you to:

• Accept all (sets all cookies)
• Reject non-essential (essential only)
• Customise (choose categories)

Your preferences are stored as a first-party preference cookie (valid 12 months) and respected across sessions. You can revisit choices anytime via the Cookie Settings link in the site footer. You can also manage cookies via browser settings (delete all, block third parties, etc.), but please note that disabling certain cookies — particularly essential cookies — may affect the functionality and performance of the Platform.

Where cookies are used based on your consent (such as analytics or marketing cookies), you may withdraw that consent at any time through the Cookie Settings tool or your browser controls. Withdrawal of consent will not affect the lawfulness of processing carried out prior to such withdrawal.

Data Security

homeBY implements appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with PDPL requirements. These measures are designed based on the nature, scope, context, purposes and risks of our processing activities.

We use access controls including role-based permissions, multi-factor authentication for all accounts, and the principle of least privilege. Access is restricted to employees, contractors and service providers who need it for specific business purposes only. Encryption protects data both in transit (TLS 1.3 or higher) and at rest (AES-256). Network security includes Web Application Firewalls, DDoS protection, intrusion detection systems, continuous monitoring, and comprehensive logging of all access and changes to personal data.

Additional safeguards include regular vulnerability scanning, penetration testing, timely patching, encrypted backups with disaster recovery procedures, and secure physical data centres. All staff undergo background checks, annual data protection and cybersecurity training, and sign confidentiality agreements. We periodically review and audit these measures to maintain state-of-the-art protection, aligning with industry standards such as ISO 27001 and SOC 2 principles.

We embed data protection by design and default through data minimisation, privacy-friendly defaults, pseudonymisation where possible (e.g., analytics), and Data Protection Impact Assessments for high-risk features. All processors (Section 5) must demonstrate equivalent security via written agreements, and we maintain a sub-processor register with audit rights.

Data Breaches

In the event of a personal data breach, we follow a structured response: immediate containment and forensic investigation; UAE Data Office notification as soon as aware if likely to prejudice privacy or security; individual notification without undue delay where high risk to rights exists, explaining the breach, impacts and mitigation; and full remediation with root cause analysis. Processors must notify us within 24–72 hours. Agents receive notification if their data/users are affected.

Data Protection and International Data Transfers

homeBY is committed to protecting personal data in accordance with applicable data protection laws in the UAE, including the PDPL and any applicable implementing regulations, decisions, or guidance issued by the competent authorities from time to time.

Some of our service providers and technical infrastructure may process your personal data outside the UAE. This can occur when using cloud hosting, analytics tools, content delivery networks, or other processors with data centres or operations in jurisdictions such as the United States, European Union, or other regions.

Under the PDPL, we ensure that personal data transferred outside the UAE receives an adequate level of protection through one or more of the following mechanisms:

• Adequacy: Where the destination jurisdiction is recognised as providing an adequate level of data protection (pending UAE Data Office designations).
• Permitted grounds (where adequacy is unavailable):
  • Your explicit consent to the specific transfer
  • Necessary for the execution of a contract between homeBY and you, or to perform a contract in your interest
  • Necessary to establish, exercise or defend legal claims
  • Necessary for international judicial cooperation
  • Necessary to protect the public interest

These safeguards may include, where appropriate, contractual commitments with our service providers, access controls, data minimisation measures, encryption, secure hosting arrangements, and restrictions on onward transfers.

By using the Platform, you acknowledge that your personal data may be transferred to and processed in jurisdictions outside the UAE in accordance with this Policy.

Third-Party Services

The Platform may incorporate, integrate with, or provide links or access to third-party websites, applications, products, or services that are not operated or controlled by homeBY.

If you choose to access or use such third-party services, including where you interact directly with an Agent through external channels (such as messaging platforms, social media, or third-party websites), any information you provide to those third parties, or that is collected by them, will be subject to their own terms, privacy policies, and practices.

homeBY does not control and is not responsible for the content, security, or privacy practices of such third-party services, and we encourage you to review their applicable terms and privacy policies before providing them with any information.

In addition, we may engage third-party service providers to support the operation of the Platform, including for hosting, analytics, communications, payment processing, and other technical or operational functions. Where such providers process personal data on our behalf, they do so under contractual arrangements and are required to implement appropriate safeguards in accordance with applicable law.

Children's Privacy

The Platform is not intended for use by children, and we do not knowingly collect or solicit personal data from individuals under the age of 18.

If we become aware that we have collected personal data from a person under the age of 18 without a lawful basis or appropriate authorisation, we may delete that personal data and take reasonable steps to disable or restrict the relevant submission, account, or interaction, subject to any applicable legal or record-keeping obligations.

If you believe that a child or minor has provided us with personal data, please contact us using the details set out in Section 14 so that we can review and take appropriate action.

Changes to This Policy

We may update this Policy from time to time to reflect changes to the Platform, our data processing practices, applicable laws or regulatory requirements, or for other operational, legal, or business reasons.

Where we make material changes to this Policy, we will take reasonable steps to bring those changes to your attention, which may include updating the "Last Updated" date above and, where appropriate, providing notice by email, through your account, or by posting a prominent notice on the Platform.

Your continued access to or use of the Platform after the updated Policy becomes effective will constitute your acknowledgment of the updated Policy to the extent permitted by applicable law.

Contact Us

If you have any questions about this Policy, our processing of your information, or if you wish to exercise any of your rights under applicable data protection law, you may contact us at: