MIFTAH — PRIVACY POLICY

Effective Date: [INSERT DATE]
Last Updated: [INSERT DATE]
Version: 1.0


INTRODUCTION

This Privacy Policy ("Policy") describes how Miftah ("Miftah", "we", "us", "our") collects, uses, processes, stores, discloses, retains, and otherwise handles personal data and other information of users ("you", "your", "User") of the Miftah mobile application, web application, broker dashboard, and any related websites, APIs, or services (collectively, the "Services" or "Platform").

This Policy forms part of, and must be read together with, the Miftah Terms and Conditions of Use ("Terms"). Capitalised terms not defined herein bear the meanings given in the Terms.

BY ACCESSING, REGISTERING FOR, OR OTHERWISE USING THE SERVICES, YOU EXPRESSLY ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS POLICY AND CONSENT TO THE COLLECTION, USE, PROCESSING, STORAGE, AND DISCLOSURE OF YOUR PERSONAL DATA AS DESCRIBED HEREIN. IF YOU DO NOT AGREE WITH ANY PART OF THIS POLICY, YOU MUST NOT USE THE SERVICES.


1. SCOPE AND APPLICABILITY

1.1 This Policy applies to all personal data and other information collected by Miftah in connection with your use of the Services, regardless of the device, platform, or channel through which the data is collected.

1.2 This Policy applies to ordinary Users, Brokers, real estate agency representatives, prospective Users, visitors, and any other party interacting with the Services.

1.3 This Policy does not apply to the data practices of third-party websites, applications, services, or platforms that may be linked from, integrated with, or referenced within the Services. We strongly encourage you to review the privacy policies of any such third parties.


2. DEFINITIONS

2.1 "Personal Data" means any information relating to an identified or identifiable natural person, including without limitation name, contact details, identification numbers, location data, online identifiers, biometric data, and identifiers specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

2.2 "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

2.3 "KYC Data" means data collected during Miftah's third-party Identity Verification process, including government-issued identification documents, facial biometric data, liveness data, and any derived verification results.

2.4 "Aggregated Data" means data that has been combined, anonymised, or otherwise processed such that it can no longer be associated with an identifiable individual.


3. INFORMATION WE COLLECT

We collect the following categories of information:

3.1 Information You Provide Directly

(a) Account Information: full name, username, email address, mobile telephone number, password (hashed), profile photo, country and city of residence, language preference, role (User / Broker), and any other registration data.

(b) Identity Verification (KYC) Data: government-issued identification document images (front and back), document number, document type, document expiry, date of birth, nationality, facial biometric data (facial image, facial template, and biometric vectors), liveness verification data, and the verification result returned by our third-party KYC provider.

(c) Broker-Specific Information: trade name, commercial registration number, office address, professional licence details and supporting documentation, signing authorities, payment and banking information, and tax identification numbers.

(d) Listing Content: photographs, videos, floor plans, descriptions, property addresses, GPS coordinates, prices, contact details, and any other content you upload in connection with a Listing.

(e) Communications: messages, calls (where conducted in-app), inquiries, support tickets, feedback, ratings, and reviews.

(f) Payment Information: where you make payments to Miftah, payment-instrument metadata processed by our payment provider (we do not store full card numbers ourselves).

(g) Other Submitted Data: any other information you voluntarily provide via forms, surveys, contests, promotions, or other interactions.

3.2 Information Collected Automatically

(a) Device Information: device model, operating system and version, unique device identifiers (e.g., advertising ID, IDFA, GAID), application version, screen resolution, language and time-zone settings, mobile network and carrier, and browser type and version.

(b) Log and Usage Data: pages and screens accessed, features used, search queries, filters applied, listings viewed, time and duration of sessions, clicks, scrolls, taps, and other interactions, referring and exit URLs, and crash and performance logs.

(c) Location Data: approximate location (derived from IP) by default; precise GPS location only where you grant the relevant permission, to power location-based search, listing display, and Property location features.

(d) Cookies, SDKs, and Similar Technologies: cookies, web beacons, pixels, mobile analytics SDKs, and similar tracking technologies, as further described in Section 12.

(e) Network Information: IP address, network provider, and connection type.

3.3 Information From Third Parties

(a) KYC Provider Data: verification results, document validation outcomes, biometric match scores, and risk assessments from our third-party KYC provider.

(b) Analytics and Crash Reporting Providers: e.g., Firebase, Google Analytics, and similar providers.

(c) Authentication Providers: where you sign in using a third-party identity provider (e.g., Google, Apple), the data such provider passes to us (typically name, email, and a unique identifier).

(d) Publicly Available Sources: where we aggregate Listings from third-party real estate websites, applications, and platforms (as described in the Terms), we may collect publicly available metadata associated with such Listings, including contact information disclosed by the original poster, source URL, and other publicly displayed details.

(e) Service Providers and Partners: marketing partners, advertising networks, fraud-prevention providers, and similar partners.

3.4 Information About Other Persons

If you provide Personal Data about another person (e.g., naming a co-owner, agent, or contact), you represent and warrant that you have obtained their informed consent or have another lawful basis to share their data with us.


4. HOW WE USE YOUR INFORMATION

We process Personal Data for the following purposes:

4.1 To Provide and Operate the Services

(a) Creating and maintaining your Account;

(b) Authenticating you and securing access;

(c) Publishing your Listings and providing search, discovery, and contact features;

(d) Facilitating communications between Users and Brokers;

(e) Processing payments and managing subscriptions;

(f) Providing customer support.

4.2 To Verify Identity and Combat Fraud

(a) Conducting KYC checks and applying Verified Badges and Licensed Broker Badges;

(b) Detecting, preventing, investigating, and prosecuting fraud, impersonation, fake listings, money laundering, sanctions evasion, and other illegal or harmful activity;

(c) Confirming the identity of Users in connection with disputes, complaints, law-enforcement requests, or legal proceedings.

4.3 To Improve, Personalise, and Develop the Services

(a) Understanding how Users interact with the Services;

(b) Conducting research and analytics, including the use of Aggregated Data and Personal Data to derive insights about real estate trends, user behaviour, and product performance;

(c) Personalising content, search results, recommendations, and advertising;

(d) Testing, developing, and rolling out new features and products.

4.4 To Develop, Enhance, Improve, and Promote the Services

Information collected through the Services — including Listing content, photographs, descriptions, and other materials provided by Users — may be used by Miftah to develop, enhance, refine, evaluate, and improve the Services and any related products or offerings, including through such analytical, research, technical, and computational methods as Miftah may from time to time deem appropriate. This includes the ongoing improvement of features such as listing categorisation, translation, search functionality, fraud prevention, moderation, recommendations, personalisation, and any other current or future functionality of the Platform.

Miftah may also use Listings, images, descriptions, and other Content provided by Users to market, advertise, and promote the Platform and individual Listings, including by featuring them on social media channels, in advertising campaigns, in organic or sponsored posts, in newsletters, in press and PR materials, in case studies, and in any other marketing context Miftah considers appropriate, whether online or offline.

For the avoidance of doubt: such use is intended to promote the Listings, the Platform, and Miftah's business generally. Miftah does not claim ownership of any User's Property, does not act as the seller or vendor of any Listed Property, and does not hold itself out as the commercial offeror of a Property listed by another.

4.5 To Communicate With You

(a) Sending transactional notifications (e.g., listing approvals, messages, security alerts);

(b) Sending administrative notifications (e.g., policy changes);

(c) Sending marketing communications, newsletters, and promotional material (subject to your consent and right to opt out);

(d) Responding to inquiries and support requests;

(e) Inviting you to participate in surveys, research, or testing.

4.6 To Comply With Legal Obligations

(a) Complying with applicable laws, regulations, court orders, and regulatory requests;

(b) Enforcing the Terms and our other policies;

(c) Establishing, exercising, or defending legal claims;

(d) Cooperating with law-enforcement, governmental, and regulatory authorities (see Section 6).

4.7 To Protect Rights and Safety

Protecting the rights, property, and safety of Miftah, Users, and the public.

4.8 For Other Purposes With Your Consent

Where required by law, we will obtain your specific consent before processing your data for purposes not described in this Policy.


5. IDENTITY VERIFICATION (KYC) DATA — SPECIAL HANDLING

5.1 Third-Party KYC Provider. Miftah uses a specialised third-party Identity Verification provider to conduct KYC, including ID document capture and facial biometric matching. The provider acts as a processor / sub-processor under Miftah's instructions for the verification process, while also processing certain data under its own terms and privacy policy.

5.2 Data Collected During KYC. KYC Data includes:

(a) Images of government-issued identification documents (front and back);

(b) Extracted data fields (name, document number, date of birth, nationality, expiry);

(c) Facial biometric image and facial template / vector representation;

(d) Liveness verification data;

(e) Verification outcomes, scores, and risk indicators.

5.3 Use of KYC Data. KYC Data may be used for purposes including, without limitation:

(a) Verifying your identity at registration;

(b) Assigning the Verified Badge;

(c) Detecting duplicate or fraudulent accounts;

(d) Investigating complaints, abuse, or suspected illegal activity;

(e) Complying with applicable laws;

(f) Responding to lawful requests from courts, law-enforcement, or governmental authorities (see Section 6);

(g) Any other purpose related to the operation, security, development, and improvement of the Services and Miftah's business, through such methods and technologies as Miftah may consider appropriate from time to time.

5.4 Miftah Access to KYC Data. Miftah has access to KYC Data collected through the verification process and reserves the right to access, review, and use such data for the purposes described in this Policy.

5.5 No Sale, No Direct Leak. Miftah will not sell KYC Data directly to third parties, and will not deliberately leak or publicly disclose KYC Data. KYC Data is treated as confidential information, protected by reasonable technical and organisational security measures (see Section 9).

5.6 Use in Mergers, Acquisitions, and Corporate Transactions. You expressly acknowledge and consent that, in the event of any merger, acquisition, sale of assets, corporate reorganisation, financing, due-diligence process, bankruptcy, insolvency, or similar transaction involving Miftah, all KYC Data and other Personal Data may be transferred to, accessed by, or assigned to the relevant counterparty, successor entity, acquirer, investor, lender, or their advisors, subject to commercially reasonable confidentiality undertakings. Miftah will give notice of such transfer where required by applicable law.

5.7 Disclosure to Governments and in Legal Proceedings. You expressly acknowledge and consent that Miftah reserves the right to share KYC Data and any other Personal Data with governmental authorities, law-enforcement agencies, regulators, courts, and other competent bodies where:

(a) Required by applicable law, regulation, court order, subpoena, search warrant, or other lawful process;

(b) Reasonably necessary to assist in investigations or legal proceedings;

(c) Reasonably necessary to identify, locate, or confirm the identity of a User who is subject to a legal proceeding, criminal investigation, or civil claim;

(d) Reasonably necessary to protect the rights, property, or safety of Miftah, Users, or the public;

(e) Reasonably necessary to enforce the Terms or this Policy.

Such disclosure may be made with or without notice to you, depending on the legal circumstances. Miftah will, where lawful and reasonably practicable, give notice to affected Users.

5.8 Justification. Such use of KYC Data is intended to make the Platform safer for all Users by enabling identification of bad actors, deterring fraud, and supporting legitimate legal processes. Your acceptance of this Policy constitutes informed and explicit consent to such use.

5.9 Retention. KYC Data is retained for the duration of your Account plus an additional period (typically seven (7) years) for legal, regulatory, audit, fraud-prevention, and dispute-resolution purposes, or longer where required by applicable law. After expiry of the retention period, KYC Data will be deleted or anonymised, subject to legal hold.


6. SHARING AND DISCLOSURE OF INFORMATION

We may share Personal Data with the following categories of recipients:

6.1 Service Providers and Processors

Third parties that provide services on our behalf, including:

(a) Cloud hosting and database providers (e.g., Firebase / Google Cloud);

(b) Identity Verification (KYC) providers;

(c) Analytics and crash-reporting providers (e.g., Firebase Analytics, Google Analytics);

(d) Payment processors;

(e) Email, SMS, and push-notification providers;

(f) Customer support and CRM platforms;

(g) Marketing, advertising, and attribution providers;

(h) Anti-fraud and security providers;

(i) Professional advisors (lawyers, accountants, auditors).

Such providers are contractually bound to process Personal Data only on Miftah's instructions and to maintain appropriate confidentiality and security measures.

6.2 Brokers and Other Users

(a) When you make a Listing, certain information (name, profile photo, badges, contact details you choose to display, Listing content) is made visible to other Users.

(b) When you contact a Broker or another User through the Platform, your contact details and message content are shared with that party.

(c) Brokers can access dashboards displaying inquiries from interested Users.

6.3 Governmental and Legal Authorities

As described in Section 5.7, we may disclose Personal Data (including KYC Data) to governmental, regulatory, judicial, and law-enforcement authorities where lawfully required or where we deem it reasonably necessary.

6.4 Business Transfers

As described in Section 5.6, Personal Data may be transferred in the context of mergers, acquisitions, asset sales, financings, or similar corporate transactions.

6.5 Affiliates

We may share Personal Data with affiliated companies under common control with Miftah, subject to this Policy.

6.6 Aggregated and De-identified Data

We may share Aggregated Data or de-identified data (which cannot reasonably be used to identify you) for any purpose, including market research, industry reporting, advertising, and commercial partnerships.

6.7 With Your Consent

We may share Personal Data with other parties where you have given specific consent.

6.8 No Sale of Personal Data

Miftah does not sell Personal Data in the traditional sense of monetary exchange for identifiable data. The sharing described above is conducted for the operational, legal, security, and analytical purposes set out in this Policy, and any commercial use of data takes place in Aggregated or de-identified form.


7. AI ENHANCEMENT OF AGGREGATED LISTINGS

7.1 Public Source Data. Aggregated Listings are surfaced from third-party sources where they have been publicly posted. Miftah indexes and references such Listings, attributing them to their original source.

7.2 AI Processing. As further described in the Terms, Miftah uses artificial intelligence to enhance Aggregated Listings — including by translating, interpreting, categorising, structuring, and completing missing fields. The processing of personal data appearing within publicly available Aggregated Listings (e.g., contact details displayed by the original poster) is conducted in a manner that, where reasonably practicable, respects applicable data-protection principles and the contextual integrity of the public source.

7.3 Takedown. If you are the original poster of an Aggregated Listing or the subject of personal data appearing therein and wish for it to be removed, please follow the takedown process described in Section 14 of the Terms.


8. DATA RETENTION

8.1 Retention Principle. We retain Personal Data only for as long as necessary to fulfil the purposes set out in this Policy, including to comply with legal, regulatory, accounting, audit, dispute-resolution, security, and fraud-prevention requirements.

8.2 Specific Retention Periods (Indicative).

(a) Account Data: for the lifetime of the Account, plus up to two (2) years after deletion;

(b) KYC Data: as set out in Section 5.9 (typically seven (7) years after Account closure);

(c) Listing Data: retained for the active life of the Listing, plus an archival period of up to five (5) years;

(d) Communications: up to three (3) years from last interaction;

(e) Transaction and Payment Records: as required by applicable accounting, tax, and AML laws (typically ten (10) years);

(f) Log and Analytics Data: typically eighteen (18) to twenty-four (24) months, then aggregated;

(g) Marketing Data: until you withdraw consent or are otherwise removed from marketing lists.

8.3 Legal Hold. Notwithstanding the above, we may retain data for longer periods where required by applicable law, court order, or legitimate dispute, investigation, or legal proceeding.

8.4 Backups. Data residing in routine backups may persist for a limited additional period until overwritten in the ordinary course.


9. DATA SECURITY

9.1 We implement reasonable technical and organisational measures designed to protect Personal Data against unauthorised access, alteration, disclosure, destruction, or loss, including without limitation:

(a) Encryption in transit (TLS/HTTPS) and at rest for sensitive data;

(b) Hashed and salted passwords;

(c) Role-based access controls and least-privilege principles;

(d) Multi-factor authentication for administrative accounts;

(e) Logging, monitoring, and intrusion detection;

(f) Vendor due diligence and contractual safeguards;

(g) Internal data-protection policies and staff training;

(h) Regular security reviews and updates.

9.2 No Absolute Security. Notwithstanding our efforts, no system or method of transmission or storage is 100% secure, and Miftah cannot and does not guarantee absolute security. You acknowledge and accept the inherent risks of providing data over the internet and use the Services at your own risk.

9.3 Breach Notification. In the event of a personal data breach that is likely to result in significant risk to your rights and freedoms, we will notify you and, where required, the competent authorities, in accordance with applicable law.

9.4 Your Responsibility. You are responsible for safeguarding your password, login credentials, and devices, and for any activity conducted under your Account.


10. INTERNATIONAL DATA TRANSFERS

10.1 Personal Data may be transferred to, stored in, and processed in countries outside the Syrian Arab Republic, including in jurisdictions where our service providers (e.g., Firebase / Google Cloud, KYC provider, analytics providers) operate.

10.2 By using the Services, you expressly consent to such international transfers, processing, and storage. Where required by applicable law, we will implement appropriate safeguards for such transfers.


11. CHILDREN'S PRIVACY

11.1 The Services are not directed at, intended for, or designed for use by children under the age of eighteen (18). We do not knowingly collect Personal Data from children under 18.

11.2 If we become aware that we have collected Personal Data from a child under 18 without verifiable parental consent (and absent any narrower age threshold under applicable law), we will take prompt steps to delete such data.

11.3 If you believe a child has provided us with Personal Data, please contact us at [INSERT EMAIL].


12. COOKIES AND SIMILAR TECHNOLOGIES

12.1 Use of Cookies and Trackers. We and our service providers use cookies, web beacons, pixels, mobile SDKs, and similar tracking technologies to:

(a) Authenticate Users and remember preferences;

(b) Analyse traffic and usage;

(c) Personalise content and advertising;

(d) Detect and prevent fraud;

(e) Improve the Services.

12.2 Categories of Trackers.

(a) Strictly Necessary: required for basic functionality;

(b) Functional: remember settings and preferences;

(c) Analytics: measure usage and performance;

(d) Advertising and Marketing: deliver and measure advertising;

(e) Third-Party: set by integrated service providers.

12.3 Choices. Most browsers and mobile operating systems allow you to control or block cookies, advertising identifiers, and similar trackers through their settings. Doing so may, however, impair certain features of the Services.


13. THIRD-PARTY PLATFORMS, PROVIDERS, AND LINKS

13.1 The Services may contain links to, embeds of, or integrations with third-party platforms (e.g., Google Maps, Firebase, payment providers, KYC provider, social media). Such third parties have their own privacy policies, over which Miftah has no control. We are not responsible for the privacy practices or content of such third parties.

13.2 You are encouraged to review the privacy notices of all third parties whose services you use via the Platform.


14. YOUR RIGHTS

14.1 Available Rights. Subject to applicable law, you may have rights with respect to your Personal Data, including:

(a) Right of Access: to request a copy of Personal Data we hold about you;

(b) Right to Rectification: to request correction of inaccurate or incomplete data;

(c) Right to Erasure: to request deletion of Personal Data (subject to legal retention requirements and Miftah's legitimate interests);

(d) Right to Object or Restrict: to object to or restrict certain processing;

(e) Right to Withdraw Consent: to withdraw consent (where processing is based on consent), without affecting the lawfulness of prior processing;

(f) Right to Data Portability (where applicable);

(g) Right to Lodge a Complaint with the competent supervisory authority.

14.2 Limitations. Certain rights may be subject to exceptions, limitations, or conditions under applicable law. Notably:

(a) We may refuse or limit requests where compliance would violate a legal obligation, infringe the rights of others, or undermine fraud prevention, security, or legal processes;

(b) KYC Data and certain transaction records must be retained for the periods set out in Section 8 to comply with anti-fraud, anti-money-laundering, and other legal obligations;

(c) Account deletion does not erase Aggregated Data, anonymised data, or data subject to legal hold.

14.3 Exercising Your Rights. To exercise any right, please contact us at [INSERT EMAIL] with sufficient information to verify your identity. We will respond within the timeframe required by applicable law.

14.4 Identity Verification of Requesters. To protect your data, we may require additional identity verification before fulfilling a rights request.

14.5 Account Deletion (In-App Deletion Flow).

(a) In-App Availability. You may initiate deletion of your Account at any time directly within the Miftah mobile application via Settings → Account → Delete Account. The Services do not require you to email support, place a telephone call, or visit a separate website in order to delete your Account.

(b) Confirmation and Re-Authentication. To prevent accidental or unauthorised deletion, you will be required to confirm your intent and to re-authenticate (for example, by re-entering your password, completing a one-time password (OTP) challenge, or re-confirming biometric authentication) before the deletion is processed.

(c) What Is Deleted Immediately. Upon successful confirmation, the following data is permanently deleted, ordinarily within a few seconds and in all cases within thirty (30) days of your request:

(i) Your authentication credentials (you will no longer be able to log in);

(ii) Your profile information (name, email address, telephone number, profile photo, display name, language and country preferences);

(iii) Your push-notification tokens and registered devices;

(iv) Your presence, last-active, and heartbeat data;

(v) Listings you created that have not been the subject of any User-to-User contact, transaction, complaint, report, or moderation action, together with any associated media files held in our object storage;

(vi) Profile photos and other personal media held in our object storage.

(d) What Is Retained, Pseudonymised, and For How Long. Certain categories of data associated with your Account will be retained in pseudonymised form following deletion — meaning that direct personal identifiers (name, email address, telephone number, profile photo) are removed or nullified, while the underlying record is preserved for the legitimate purposes set out in paragraph (e) below. Retention periods follow Section 8 of this Policy:

(i) Conversations (chats, messages, photographs, voice notes, and other in-app communications) exchanged with other Users: retained in pseudonymised form for up to three (3) years from the date of last interaction, per Section 8.2(d), after which they are permanently deleted;

(ii) Listings that have been the subject of inquiries, transactions, complaints, reports, or moderation action: hidden from public view and retained in pseudonymised archival form for up to five (5) years, per Section 8.2(c);

(iii) KYC and identity-verification records: retained for seven (7) years after Account closure, per Sections 5.9 and 8.2(b), for anti-fraud, anti-money-laundering, audit, and regulatory purposes;

(iv) Transaction and payment records (including in-app purchases, Boost purchases, broker subscription fees, and any other monetary transactions): retained for ten (10) years, per Section 8.2(e), to comply with applicable accounting, tax, and anti-money-laundering laws;

(v) Reports filed by or against you (including abuse reports, safety reports, and complaints): retained in pseudonymised form for up to five (5) years, for safety, fraud-prevention, and dispute-resolution purposes;

(vi) Aggregated and anonymised data derived from your use of the Services: retained indefinitely as permitted by Section 14.2(c);

(vii) Routine backup copies: persist for a limited period until overwritten in the ordinary course, as set out in Section 8.4.

(e) Legal Bases for Retention. The retention described in paragraph (d) is necessary for: (i) the establishment, exercise, or defence of legal claims arising on or in connection with the Platform (including, without limitation, disputes between buyers, sellers, lessees, lessors, Brokers, and other Users); (ii) compliance with our legal, tax, accounting, anti-fraud, and anti-money-laundering obligations under applicable law; (iii) the protection of the rights, property, and safety of other Users, third parties, and the public; and (iv) cooperation with lawful requests from courts, regulators, and law-enforcement authorities, as further described in Sections 4.6, 5.7, and 6.3.

(f) Appearance to Other Users. Conversations, reviews, ratings, reports, and other Content that you created in interaction with other Users will continue to be visible to those Users from within their own accounts, on the basis that those Users have independent rights and legitimate interests in retaining their own copies of their interactions with you. Within such conversations and interactions, your name and profile photo will be replaced with a neutral placeholder (for example, "Deleted user") and your direct personal identifiers will not be displayed.

(g) Irreversibility. Account deletion is permanent and irreversible. Once your Account is deleted, you cannot recover it, reactivate it, or restore any associated data. If you wish to use the Services again, you must create a new Account, which will be subject to fresh registration and (where applicable) KYC verification.

(h) Timeline. Deletion of the data listed in paragraph (c) ordinarily completes immediately upon your confirmation and in all cases within thirty (30) days of your request. Pseudonymisation of the data listed in paragraph (d) is applied at the same time. Time-bounded deletion of pseudonymised data occurs automatically upon expiry of the applicable retention period set out in paragraph (d).

(i) Notification of Third Parties. Where required by applicable law, we may notify relevant third parties (including processors and, where appropriate, regulators) of your deletion request.

(j) No Mere Deactivation. Deletion under this Section 14.5 is a true deletion of the Account record in accordance with paragraphs (c) and (d), and is not a mere deactivation or suspension. We do not offer "soft deletion" disguised as deletion: once you delete your Account, you cannot log back in.


15. MARKETING COMMUNICATIONS

15.1 Where you have consented (or where permitted by applicable law on a soft-opt-in basis), we may send you marketing communications by email, SMS, push notification, or in-app messaging.

15.2 You may opt out at any time by following unsubscribe instructions in any marketing communication, adjusting your in-app preferences, or contacting us. Opt-out applies to marketing only and does not affect operational, security, or legal notifications.


16. AUTOMATED DECISION-MAKING AND PROFILING

16.1 We may use automated systems (including AI-driven moderation, fraud-detection, listing categorisation, search ranking, and recommendation algorithms) that involve automated processing of Personal Data.

16.2 Such automated processing may, in limited circumstances, result in decisions that affect you (e.g., refusal of KYC, suspension of a Listing, ranking of a Listing). Where required by applicable law, you have the right to request human review of such decisions; contact us at [INSERT EMAIL].


17. DATA OF DECEASED PERSONS

17.1 We may retain or process Personal Data of deceased Users for as long as necessary to fulfil legal obligations and protect legitimate interests, including managing inheritance-related disputes and Listings.


18. CHANGES TO THIS POLICY

18.1 We may amend this Policy at any time. The amended Policy will be posted on the Platform with an updated "Last Updated" date.

18.2 For material changes, we will provide reasonable additional notice (e.g., in-app banner, email).

18.3 Your continued use of the Services after the effective date of amendments constitutes acceptance of the amended Policy.


19. JURISDICTION-SPECIFIC PROVISIONS

[Reserved — to be populated by counsel where Miftah expands into or serves Users in jurisdictions with specific data-protection regimes (e.g., GDPR (EU/EEA), UK GDPR, KSA PDPL, UAE PDPL, Turkey KVKK). Until then, this Policy is drafted on the basis of Syrian law plus best-practice protective principles.]


20. CONTACT — DATA PROTECTION ENQUIRIES

For any questions, requests, or complaints relating to this Privacy Policy or the processing of your Personal Data, please contact:

Miftah — Data Protection
Email: [INSERT PRIVACY EMAIL]
Address: [INSERT REGISTERED ADDRESS]
Phone: [INSERT PHONE]


21. CONSENT, ACKNOWLEDGEMENT AND ACCEPTANCE

BY CREATING AN ACCOUNT, COMPLETING IDENTITY VERIFICATION, POSTING A LISTING, OR OTHERWISE USING THE SERVICES, YOU EXPRESSLY AND UNCONDITIONALLY:

(a) CONFIRM THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY IN ITS ENTIRETY;

(b) CONSENT TO THE COLLECTION, USE, PROCESSING, STORAGE, AND DISCLOSURE OF YOUR PERSONAL DATA, INCLUDING KYC DATA AND BIOMETRIC DATA, AS DESCRIBED HEREIN;

(c) CONSENT TO THE USE OF YOUR DATA — INCLUDING LISTINGS, IMAGES, AND ANY CONTENT YOU PROVIDE — FOR THE OPERATION, DEVELOPMENT, IMPROVEMENT, MARKETING, AND PROMOTION OF THE SERVICES AS DESCRIBED IN SECTION 4.4, THROUGH SUCH METHODS, TECHNOLOGIES, AND CHANNELS AS MIFTAH MAY CONSIDER APPROPRIATE;

(d) CONSENT TO THE TRANSFER OF YOUR DATA IN CONNECTION WITH MERGERS, ACQUISITIONS, AND OTHER CORPORATE TRANSACTIONS AS DESCRIBED IN SECTION 5.6;

(e) CONSENT TO THE DISCLOSURE OF YOUR DATA (INCLUDING KYC DATA) TO GOVERNMENTAL, REGULATORY, AND LAW-ENFORCEMENT AUTHORITIES AND IN LEGAL PROCEEDINGS AS DESCRIBED IN SECTION 5.7;

(f) ACKNOWLEDGE THAT THE VERIFIED BADGE IS NOT A GUARANTEE OF THE TRUTHFULNESS OF ANY LISTING OR THE TRUSTWORTHINESS OF ANY USER, AND MIFTAH BEARS NO LIABILITY FOR FALSE OR FRAUDULENT LISTINGS OR USER CONDUCT;

(g) ACKNOWLEDGE AND ACCEPT THAT AI-ENHANCED CONTENT MAY CONTAIN ERRORS OR MISINFORMATION;

(h) ACKNOWLEDGE AND ACCEPT THAT THE INTERNET IS NOT 100% SECURE AND THAT MIFTAH IS NOT LIABLE FOR LOSSES ARISING FROM SECURITY INCIDENTS DESPITE REASONABLE PROTECTIVE MEASURES;

(i) CLAIM FULL PERSONAL RESPONSIBILITY FOR YOUR USE OF THE SERVICES AND ALL ASSOCIATED CONSEQUENCES.

IF YOU DO NOT AGREE WITH ANY PROVISION OF THIS POLICY, YOU MUST IMMEDIATELY DISCONTINUE USE OF THE SERVICES AND DELETE YOUR ACCOUNT.