Privacy Policy

Learn about Lahez privacy policy, data protection measures, user rights under GDPR, CCPA, UAE PDPL, Saudi PDPR, and how we keep your information secure.

Effective Date: June 2, 2025. Last updated: May 22, 2026 (Google user data disclosure).

The Lahez service is owned and operated by WHIKS Ltd (company number 17189817), registered in England and Wales, with its registered office at 128 City Road, London, EC1V 2NX. This Privacy Policy describes how we ("WHIKS", "we", "us") collect, use, protect, and share your personal information when you use Lahez and related services. We are committed to protecting your privacy and handling personal information responsibly, including where the EU GDPR, UK GDPR, and the California Consumer Privacy Act (CCPA) and its amendments (CPRA) apply. We also describe how privacy rights may arise for residents of the United Arab Emirates under the Personal Data Protection Law (Federal Law No. 45 of 2021, "PDPL") and for residents of the Kingdom of Saudi Arabia under the Personal Data Protection Law (Royal Decree No. M/19 of 2022, "PDPR").

1. Information We Collect

We collect various types of information to provide and improve our services. This information is collected either directly from you, automatically when you use our platform, or from third parties.

Personal information you provide directly:

Account and profile information: Name, email address, phone number, profile picture.
Business information: Company name, position, business address, and commercial contact information.
Contact and support information: Any information you provide when contacting us for technical support or inquiries.

Information we collect automatically when you use our platform:

Usage data: Information about how you interact with our platform, including features you use, pages you visit, preferences, activity history, and time spent on the platform.
Technical information: Internet Protocol (IP) address, browser type, operating system, device identifiers (such as advertising IDs or mobile device identifiers), click data, and information about how you access and use our services. For signed-in sessions we may also derive a **hashed device fingerprint** in the browser (cached briefly in localStorage) to help detect misuse; it is not used for advertising.
Geolocation data: We collect approximate location information (city and country) derived from your IP address for security, fraud prevention, and session management purposes. This data is stored only during your active session and is automatically deleted when your session expires. We do not collect precise GPS coordinates or exact location data.

Information from third-party sources:

We may receive information about you from our service, advertising, or analytics partners, such as ad interaction data or demographic analytics, in accordance with their privacy policies.

2. How We Use Your Information (Purposes and Legal Bases)

We use your personal information for specific and legitimate purposes, and rely on clear legal bases for processing it, in accordance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA). Where the UAE PDPL or the Saudi PDPR applies, we align our purposes and transparency commitments with those frameworks in addition to GDPR and CCPA/CPRA.

Processing Purpose	Data Categories Used	Legal Basis (GDPR)	Purpose Justification (CCPA/CPRA)

Important notes about data use:

Data minimization: We adhere to the principle of data minimization, meaning we collect and process only the minimum personal information necessary for the stated purpose.
Purpose limitation: We will not use your personal information for purposes incompatible with those for which it was collected, or that exceed your reasonable expectations, without notifying you and obtaining your consent where required by law.

3. Information Sharing and Disclosure

We do not sell or rent your personal information to third parties. However, we may share your personal information with certain categories of third parties for the purposes outlined below, ensuring appropriate contractual safeguards are in place to protect your data.

Trusted service providers: We share information with third-party service providers who help us operate our platform and provide our services. These categories include:

Cloud hosting and infrastructure providers: To host our data and applications (such as AWS, Google Cloud services).
Analytics and product telemetry: We use PostHog to understand how the platform is used. **Browser analytics** (cookies/local storage) is loaded only if you opt in via our cookie banner. **Server-side** events may also be sent to PostHog for operational or security purposes under a separate lawful basis described in this policy.
Advertising and marketing partners: To personalize ads and measure their effectiveness, based on your consent (such as Google Ads, Microsoft Advertising).
Payment processors: To securely process financial transactions.
Customer support providers: To provide technical support and assistance.
Cybersecurity providers: To enhance the security of our platform.
AI tool providers: For training AI models and data analytics (data is usually anonymized or pseudonymized).

We enter into Data Processing Agreements (DPAs) or similar contracts with all third-party service providers to ensure they comply with strict data protection standards and protect your personal information.

Sharing for cross-context behavioral advertising purposes (CCPA):

If we use your personal information (such as browsing activity or preferences) to deliver targeted ads to you across different websites or apps (known as cross-context behavioral advertising), this constitutes "sharing" under the California Consumer Privacy Act (CCPA/CPRA), even if there is no direct financial exchange. You have the right to opt out of this "sharing" as outlined in the "Your Rights" section.

When required by law:

We may disclose your personal information when required by law, court order, or government regulation, or to protect our legal rights, property, safety, or the safety of others.

In case of merger, acquisition, or business transfer:

In the event of a merger, acquisition, reorganization, or sale of all or part of our assets, your personal information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal information.

Google Services and User Data

Lahez uses certain Google services. This section explains how we access, use, store, and share **Google user data** (information from your Google account when you use Google Sign-In) and how other Google services interact with data you provide on Lahez. It supplements the rest of this Privacy Policy and is intended to meet the transparency requirements of the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy) and the Google APIs Terms of Service.

Google Sign-In (Google OAuth 2.0 / OpenID Connect)

What we access: If you choose Continue with Google, Google authenticates you and shares with Lahez: your email address, name, profile picture URL, and a Google account identifier (subject ID). We request standard sign-in scopes only (`openid`, `email`, `profile`). We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, Google Sheets, YouTube, or other Google products.
How we use it (purpose): To create and sign you into your Lahez account, link your Google account for future sign-in, display your name and photo in the product, prevent duplicate or fraudulent accounts, provide customer support when you contact us about your account, and meet security and legal obligations. We do not use Google user data for advertising, sale, cross-context behavioral advertising, creditworthiness, or unrelated profiling.
How we store it: Your email, name, and profile picture URL are stored in our user database. A link to your Google provider account (provider ID and Google subject ID) is stored to enable sign-in. OAuth access and refresh tokens may be stored encrypted at rest while needed to maintain your session or linked sign-in; they are not included in self-service data exports.
How we share it: We do not sell or rent Google user data. We do not share it with advertising networks. We may process it on our behalf using infrastructure and security subprocessors bound by data processing agreements (hosting, database, email delivery). Those providers may not use Google user data for their own purposes.
Retention: Google account fields and the provider link are kept while your account is active or as needed to provide the service. When you delete your account, we anonymize or delete associated personal data and revoke sessions within the timelines in Section 5. OAuth tokens are removed or invalidated when no longer required.
How to revoke access: You can revoke Lahez’s access to your Google account at [Google Account permissions](https://myaccount.google.com/permissions). You may continue using Lahez with email one-time-code sign-in. To delete data we hold, use in-app account deletion (Settings) or contact privacy@whiks.com / dsar@whiks.com.
Limited Use: Our use of information received from Google APIs adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements: we use Google user data only to provide or improve user-facing features you request (authentication and account management), for security and abuse prevention, and for compliance with applicable law—not for serving ads or reselling data.

Google Maps Platform (Maps JavaScript API, Embed API, Geocoding)

When you enter or select a business location (for example on a digital business card or organization profile), we may load Google Maps in your browser using our **API key**. **Data sent to Google** can include addresses or coordinates you type, map interactions, and technical data (such as IP address and browser information) as described in [Google’s Privacy Policy](https://policies.google.com/privacy). This does **not** use your Google Sign-In account or OAuth tokens; it is separate from Google user data above.

Google Analytics (marketing site, if enabled)

We may load **Google Analytics** (`gtag.js`) on public marketing pages when a measurement ID is configured. Where required, this runs only after you opt in to non-essential cookies via our cookie banner. Google Analytics may collect usage and device information under Google’s terms. It is **not** linked to Google Sign-In credentials.

What we do not access via Google APIs

Lahez does **not** connect to your Google Drive, Gmail, Google Calendar, or Google Sheets account through Google APIs. Organization **CRM export** (where included in your plan) provides **CSV downloads** of lead data that **you** may import into Google Sheets yourself; that step does not grant Lahez access to your Google account.

4. Data Security

We implement appropriate technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, damage, or accidental or unlawful loss. These measures include:

Encryption: We use encryption (such as TLS/SSL) to protect data in transit, and encrypt stored data (data at rest).
Firewalls and access control: We implement firewalls and strict access controls to restrict access to your personal information to authorized personnel only, based on the need-to-know principle (role-based access control).
Strong authentication: For many accounts, signing in to Lahez uses an email one-time code as a second step. We use role-based access controls and multi-factor authentication for privileged systems where enforced. Additional verification options for end-user accounts may be introduced as our security programme evolves.
Security by design and default: We integrate privacy and security safeguards into the design and development of our systems and processes from the beginning.
Regular risk assessments: We conduct regular security risk assessments and Data Protection Impact Assessments (DPIAs) to identify and address potential vulnerabilities, especially for high-risk processing such as AI systems.
Incident monitoring and response: We handle personal data breaches through documented security procedures, including assessment and notification of users and supervisory authorities where applicable law requires.
Employee training: We provide regular training to our employees on data privacy and security best practices to ensure their compliance with our policies and procedures.

While we take reasonable measures to protect your information, absolute security cannot be guaranteed for any online system.

5. Data Retention

We retain your personal information as long as your account is active or as needed to provide our services and for the purposes outlined in this policy, and to comply with our legal and regulatory obligations.

Specific retention periods:

Account and profile data: We retain it throughout the duration of your active account.
Usage and analytics data: We may retain it for up to 24 months for improvement and analysis purposes, or longer if effectively anonymized.
Transaction data: We retain it for up to 7 years where required to comply with legal and tax requirements.
Consumer request records (CCPA): We retain records of consumer requests related to privacy rights (such as access and deletion requests) for at least 24 months.
Legally required data: We may retain some information for longer periods if required by law or for legitimate record-keeping purposes.
Data deletion: When you delete your account, we will delete your personal information or make it permanently anonymous within 30 days, except for information we are required to retain legally or for legitimate purposes. We use secure disposal methods (such as encryption-based deletion and automated data purging) to prevent unauthorized recovery.
Anonymization: For data we need to retain for longer periods (such as scientific research or analytics), we strive to anonymize it or use pseudonyms to reduce privacy risks.

6. Your Data Privacy Rights

You have important rights regarding your personal information. We are committed to facilitating the exercise of these rights.

6.1. Your rights under the General Data Protection Regulation (GDPR):

If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have the following rights:

Right to be informed: About how your personal data is processed.
Right of access: To your personal information and obtain a copy of it.
Right to rectification: Or update your inaccurate or incomplete information.
Right to erasure ("right to be forgotten"): Request deletion of your personal information under certain circumstances (such as when the data is no longer necessary for the purpose it was collected for, or when you withdraw your consent).
Right to restrict processing: Request restriction of how your data is processed under certain circumstances (such as when the accuracy of the data is disputed, or when processing is unlawful).
Right to data portability: Transfer your information to another service in a structured, commonly used, and machine-readable format.
Right to object: To processing of your personal data under certain circumstances, especially when processing is based on legitimate interest or for direct marketing purposes.
Right not to be subject to automated decision-making: The right not to be subject to a decision based solely on automated processing (including profiling) that significantly affects you, unless it is necessary for a contract or authorized by law or with your explicit consent.

6.2. Your rights under the California Consumer Privacy Act (CCPA/CPRA):

If you are a California resident, you have the following rights:

Right to know: Know the categories of personal information we collect about you, their sources, the purpose of collecting, selling, or sharing them, and the categories of third parties we share information with.
Right to delete: Request deletion of your personal information we have collected about you, with some exceptions (such as completing transactions, or complying with legal obligation).
Right to opt out of sale or sharing: The right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising purposes.
Right to limit use and disclosure of sensitive personal information: The right to limit the use and disclosure of your sensitive personal information (such as precise geolocation, health information) for certain purposes.
Right to correction: Correct inaccurate personal information we maintain about you.
Right to data portability: Obtain a copy of your data in a portable format.
Right to non-discrimination: We may not discriminate against you for exercising any of your rights under the California Consumer Privacy Act (such as denying goods or services, or charging different prices).

6.3. United Arab Emirates (PDPL) and Kingdom of Saudi Arabia (PDPR)

If you reside in the United Arab Emirates or the Kingdom of Saudi Arabia, applicable local data protection laws may grant you privacy rights in addition to those described for other regions. We take into account the UAE Personal Data Protection Law (Federal Law No. 45 of 2021) and the Saudi Arabia Personal Data Protection Law (Royal Decree No. M/19 of 2022) where those laws apply to our processing.

United Arab Emirates — Federal Law No. 45 of 2021 (PDPL)

Where the PDPL applies, you may have rights including access to your personal data, correction, deletion, and objection to certain processing, subject to the statute and its implementing regulations. For UAE-specific inquiries, contact privacy@whiks.com and include your country of residence.

Kingdom of Saudi Arabia — Royal Decree No. M/19 of 2022 (PDPR)

Where the PDPR applies, you may have rights including access, correction, erasure, and restriction of processing, subject to the statute and its implementing regulations. For Saudi-specific inquiries, contact privacy@whiks.com and include your country of residence.

Other countries in the Middle East and Gulf region

Data protection rules outside the UAE and Saudi Arabia continue to evolve. We monitor material developments and update this policy and our Trust Center from time to time. Submit privacy requests through the same channels listed below so we can route and respond consistently.

6.4. How to exercise your rights (Data Subject Access Requests - DSAR):

To exercise any of the rights mentioned above, please contact us using the contact information provided below. We have established a dedicated Data Subject Access Request (DSAR) process to handle your requests efficiently and in compliance with applicable laws.

DSAR Process Overview:

Contact Methods for DSAR Requests:

Primary Email: dsar@whiks.com (preferred method)
Alternative Email: privacy@whiks.com
Trust Center (Data requests): Start on our Trust Center → Data requests page for instructions and contact details. We currently process requests by email; we do not host a separate interactive web form.
Postal Mail: WHIKS Ltd, 128 City Road, London, EC1V 2NX, United Kingdom (company number 17189817)

Required Information for DSAR Requests:

Response Timelines:

Confirmation: We will confirm receipt of your request within 10 business days.
GDPR Requests: We will respond within 30 days (extendable to 60 days with justification).
CCPA Requests: We will respond within 45 days (extendable to 90 days with notification).
Complex Cases: For complex requests, we may extend the response period and will notify you of the extension and reasons.

Identity Verification:

We will verify your identity before processing requests to protect your personal information. This may include:

Fees:

Most DSAR requests are free. However, we may charge a reasonable fee for:

Appeal Process:

If your DSAR request is denied or you are unsatisfied with our response, you may:

Third-Party Notification: When you request deletion of your information, we will notify service providers we have shared your data with to delete it as well, unless it is impossible or requires disproportionate effort.

Handling Data in AI Models: Please note that deleting your personal data from AI models that have been trained on it may be technically challenging or impossible in some cases, as data can become inseparably embedded within the model parameters. However, we will apply best practices for anonymization or retraining where possible, and will clarify any limitations.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to run the service, keep accounts secure, remember preferences, and—if you opt in—measure product usage. See our Cookie Policy for categories, storage keys, and subprocessors such as PostHog and Paddle.

Types of cookies we use:

Essential (necessary) cookies: Necessary to operate the platform and provide basic functionality (such as login, session management). Do not require your consent.
Analytical cookies / SDK: When you opt in to Analytics in our cookie banner, we load PostHog in the browser; it may use cookies or local storage to collect usage information (such as pages visited) to improve Lahez. If you do not opt in, that client-side analytics bundle is not loaded.
Functional cookies: Enable the platform to remember your choices (such as language, preferences) to provide a more personalized experience.
Advertising/marketing cookies: Used to deliver ads relevant to your interests, measure advertising campaign effectiveness, and track you across other websites and apps. These may be placed by third-party advertising partners.

Managing cookie preferences and consent:

Cookie banner (consent): For non-essential browser storage and client-side analytics (PostHog), we collect your choice through the cookie banner (accept, reject non-essential, or customize). Essential cookies and similar storage needed to operate and secure the service may be used without that consent where legally permitted.
California opt-out (CCPA/CPRA): California residents may exercise applicable rights—including limiting certain sharing for cross-context behavioral advertising—via the Trust Center → Data requests page and the contact emails in this policy. You can also disable non-essential Analytics and Marketing in our cookie banner. We do not operate a separate "Do Not Sell or Share My Personal Information" homepage link today; if our processing triggers a requirement to provide one under CCPA/CPRA, we will add a clearly labeled link (for example in the site footer or Trust Center) and update this policy.
Sensitive personal information (CPRA): Where we collect sensitive personal information and CPRA applies, you may request limitations on use or disclosure using the same Trust Center and email channels in this policy. We do not publish a dedicated "Limit the Use of My Sensitive Personal Information" homepage link today; if required, we will add it in a clear, conspicuous location and update this policy.
Browser and device settings: You can also manage cookie preferences through your browser settings, or reset/delete advertising identifiers on your mobile device. However, disabling some cookies may affect platform functionality and your experience.

8. Age Restrictions and Children's Privacy

Our services are intended for users aged 16 and above. We do not knowingly collect personal information from users under 16 years of age.

Minimum Age Requirement:

16+ Age Requirement: All users must be at least 16 years old to use our services. This requirement applies regardless of jurisdiction and ensures compliance with international data protection standards.
No Underage Users: We do not knowingly collect, use, or disclose personal information from users under 16 years of age.
Parental Reporting: If you are a parent or legal guardian and believe your child under 16 has provided personal information to us, please contact us immediately at privacy@whiks.com. We will promptly investigate and delete any such information.

Age Verification Process:

We may implement age verification mechanisms during registration, including:

Immediate Deletion: If we discover that we have collected personal information from a user under 16, we will delete this information immediately and terminate the account.

Legal Compliance: This age restriction ensures compliance with:

9. International Data Transfers

Your personal information may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA) or California, where data protection laws may differ from those in your jurisdiction. If you are in the UAE or Saudi Arabia, local transfer and localisation rules under the PDPL or PDPR may also apply alongside the safeguards described below; contact privacy@whiks.com if you need more detail for your situation.

To ensure your personal information is protected when transferred internationally, we implement appropriate legal mechanisms:

Adequacy decisions: We transfer data to countries for which the European Commission has issued an adequacy decision, meaning they provide an adequate level of data protection.
Standard Contractual Clauses (SCCs): In the absence of an adequacy decision, we enter into standard contractual clauses with data recipients, which are contracts approved by the European Commission that provide appropriate safeguards for personal data protection.
Binding Corporate Rules (BCRs): Some multinational organizations use BCRs—internal data protection rules approved by regulators—for transfers within a corporate group. WHIKS Ltd does not rely on BCRs for Lahez today; if that changes, we will update this policy.
Specific exceptions: In limited circumstances, we may rely on specific exceptions for international data transfers, such as your explicit consent or necessity for contract performance.

We notify you of international data transfers and applicable safeguards *before* the transfer, to ensure full transparency.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technological developments.

Annual review: We commit to reviewing and updating this Privacy Policy at least annually to ensure continued compliance.
Notification of material changes: We will notify you of any material changes to this policy via email or through a prominent notice on our platform before the changes become effective.
Consent to changes: For material changes that affect how your personal data is processed (especially those that rely on your consent as a legal basis), we will seek your new explicit consent where required by law, and will not rely on continued use as implicit indication of consent.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, or to exercise any of your rights, please contact us:

Email: privacy@whiks.com

Address: WHIKS Ltd, 128 City Road, London, EC1V 2NX, United Kingdom. Registered in England and Wales, company number 17189817. Tel: +44 7988580234.

Privacy Policy

Learn about Lahez privacy policy, data protection measures, user rights under GDPR, CCPA, UAE PDPL, Saudi PDPR, and how we keep your information secure.

Effective Date: June 2, 2025. Last updated: May 22, 2026 (Google user data disclosure).

1. Information We Collect

We collect various types of information to provide and improve our services. This information is collected either directly from you, automatically when you use our platform, or from third parties.

Personal information you provide directly:

Account and profile information: Name, email address, phone number, profile picture.
Business information: Company name, position, business address, and commercial contact information.
Contact and support information: Any information you provide when contacting us for technical support or inquiries.

Information we collect automatically when you use our platform:

Usage data: Information about how you interact with our platform, including features you use, pages you visit, preferences, activity history, and time spent on the platform.
Technical information: Internet Protocol (IP) address, browser type, operating system, device identifiers (such as advertising IDs or mobile device identifiers), click data, and information about how you access and use our services. For signed-in sessions we may also derive a **hashed device fingerprint** in the browser (cached briefly in localStorage) to help detect misuse; it is not used for advertising.
Geolocation data: We collect approximate location information (city and country) derived from your IP address for security, fraud prevention, and session management purposes. This data is stored only during your active session and is automatically deleted when your session expires. We do not collect precise GPS coordinates or exact location data.

Information from third-party sources:

We may receive information about you from our service, advertising, or analytics partners, such as ad interaction data or demographic analytics, in accordance with their privacy policies.

2. How We Use Your Information (Purposes and Legal Bases)

Processing Purpose	Data Categories Used	Legal Basis (GDPR)	Purpose Justification (CCPA/CPRA)

Important notes about data use:

Data minimization: We adhere to the principle of data minimization, meaning we collect and process only the minimum personal information necessary for the stated purpose.
Purpose limitation: We will not use your personal information for purposes incompatible with those for which it was collected, or that exceed your reasonable expectations, without notifying you and obtaining your consent where required by law.

3. Information Sharing and Disclosure

Trusted service providers: We share information with third-party service providers who help us operate our platform and provide our services. These categories include:

Cloud hosting and infrastructure providers: To host our data and applications (such as AWS, Google Cloud services).
Analytics and product telemetry: We use PostHog to understand how the platform is used. **Browser analytics** (cookies/local storage) is loaded only if you opt in via our cookie banner. **Server-side** events may also be sent to PostHog for operational or security purposes under a separate lawful basis described in this policy.
Advertising and marketing partners: To personalize ads and measure their effectiveness, based on your consent (such as Google Ads, Microsoft Advertising).
Payment processors: To securely process financial transactions.
Customer support providers: To provide technical support and assistance.
Cybersecurity providers: To enhance the security of our platform.
AI tool providers: For training AI models and data analytics (data is usually anonymized or pseudonymized).

Sharing for cross-context behavioral advertising purposes (CCPA):

When required by law:

We may disclose your personal information when required by law, court order, or government regulation, or to protect our legal rights, property, safety, or the safety of others.

In case of merger, acquisition, or business transfer:

Google Services and User Data

Google Sign-In (Google OAuth 2.0 / OpenID Connect)

What we access: If you choose Continue with Google, Google authenticates you and shares with Lahez: your email address, name, profile picture URL, and a Google account identifier (subject ID). We request standard sign-in scopes only (`openid`, `email`, `profile`). We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, Google Sheets, YouTube, or other Google products.
How we use it (purpose): To create and sign you into your Lahez account, link your Google account for future sign-in, display your name and photo in the product, prevent duplicate or fraudulent accounts, provide customer support when you contact us about your account, and meet security and legal obligations. We do not use Google user data for advertising, sale, cross-context behavioral advertising, creditworthiness, or unrelated profiling.
How we store it: Your email, name, and profile picture URL are stored in our user database. A link to your Google provider account (provider ID and Google subject ID) is stored to enable sign-in. OAuth access and refresh tokens may be stored encrypted at rest while needed to maintain your session or linked sign-in; they are not included in self-service data exports.
How we share it: We do not sell or rent Google user data. We do not share it with advertising networks. We may process it on our behalf using infrastructure and security subprocessors bound by data processing agreements (hosting, database, email delivery). Those providers may not use Google user data for their own purposes.
Retention: Google account fields and the provider link are kept while your account is active or as needed to provide the service. When you delete your account, we anonymize or delete associated personal data and revoke sessions within the timelines in Section 5. OAuth tokens are removed or invalidated when no longer required.
How to revoke access: You can revoke Lahez’s access to your Google account at [Google Account permissions](https://myaccount.google.com/permissions). You may continue using Lahez with email one-time-code sign-in. To delete data we hold, use in-app account deletion (Settings) or contact privacy@whiks.com / dsar@whiks.com.
Limited Use: Our use of information received from Google APIs adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements: we use Google user data only to provide or improve user-facing features you request (authentication and account management), for security and abuse prevention, and for compliance with applicable law—not for serving ads or reselling data.

Google Maps Platform (Maps JavaScript API, Embed API, Geocoding)

Google Analytics (marketing site, if enabled)

What we do not access via Google APIs

4. Data Security

Encryption: We use encryption (such as TLS/SSL) to protect data in transit, and encrypt stored data (data at rest).
Firewalls and access control: We implement firewalls and strict access controls to restrict access to your personal information to authorized personnel only, based on the need-to-know principle (role-based access control).
Strong authentication: For many accounts, signing in to Lahez uses an email one-time code as a second step. We use role-based access controls and multi-factor authentication for privileged systems where enforced. Additional verification options for end-user accounts may be introduced as our security programme evolves.
Security by design and default: We integrate privacy and security safeguards into the design and development of our systems and processes from the beginning.
Regular risk assessments: We conduct regular security risk assessments and Data Protection Impact Assessments (DPIAs) to identify and address potential vulnerabilities, especially for high-risk processing such as AI systems.
Incident monitoring and response: We handle personal data breaches through documented security procedures, including assessment and notification of users and supervisory authorities where applicable law requires.
Employee training: We provide regular training to our employees on data privacy and security best practices to ensure their compliance with our policies and procedures.

While we take reasonable measures to protect your information, absolute security cannot be guaranteed for any online system.

5. Data Retention

Specific retention periods:

Account and profile data: We retain it throughout the duration of your active account.
Usage and analytics data: We may retain it for up to 24 months for improvement and analysis purposes, or longer if effectively anonymized.
Transaction data: We retain it for up to 7 years where required to comply with legal and tax requirements.
Consumer request records (CCPA): We retain records of consumer requests related to privacy rights (such as access and deletion requests) for at least 24 months.
Legally required data: We may retain some information for longer periods if required by law or for legitimate record-keeping purposes.
Data deletion: When you delete your account, we will delete your personal information or make it permanently anonymous within 30 days, except for information we are required to retain legally or for legitimate purposes. We use secure disposal methods (such as encryption-based deletion and automated data purging) to prevent unauthorized recovery.
Anonymization: For data we need to retain for longer periods (such as scientific research or analytics), we strive to anonymize it or use pseudonyms to reduce privacy risks.

6. Your Data Privacy Rights

You have important rights regarding your personal information. We are committed to facilitating the exercise of these rights.

6.1. Your rights under the General Data Protection Regulation (GDPR):

If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have the following rights:

Right to be informed: About how your personal data is processed.
Right of access: To your personal information and obtain a copy of it.
Right to rectification: Or update your inaccurate or incomplete information.
Right to erasure ("right to be forgotten"): Request deletion of your personal information under certain circumstances (such as when the data is no longer necessary for the purpose it was collected for, or when you withdraw your consent).
Right to restrict processing: Request restriction of how your data is processed under certain circumstances (such as when the accuracy of the data is disputed, or when processing is unlawful).
Right to data portability: Transfer your information to another service in a structured, commonly used, and machine-readable format.
Right to object: To processing of your personal data under certain circumstances, especially when processing is based on legitimate interest or for direct marketing purposes.
Right not to be subject to automated decision-making: The right not to be subject to a decision based solely on automated processing (including profiling) that significantly affects you, unless it is necessary for a contract or authorized by law or with your explicit consent.

6.2. Your rights under the California Consumer Privacy Act (CCPA/CPRA):

If you are a California resident, you have the following rights:

Right to know: Know the categories of personal information we collect about you, their sources, the purpose of collecting, selling, or sharing them, and the categories of third parties we share information with.
Right to delete: Request deletion of your personal information we have collected about you, with some exceptions (such as completing transactions, or complying with legal obligation).
Right to opt out of sale or sharing: The right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising purposes.
Right to limit use and disclosure of sensitive personal information: The right to limit the use and disclosure of your sensitive personal information (such as precise geolocation, health information) for certain purposes.
Right to correction: Correct inaccurate personal information we maintain about you.
Right to data portability: Obtain a copy of your data in a portable format.
Right to non-discrimination: We may not discriminate against you for exercising any of your rights under the California Consumer Privacy Act (such as denying goods or services, or charging different prices).

6.3. United Arab Emirates (PDPL) and Kingdom of Saudi Arabia (PDPR)

United Arab Emirates — Federal Law No. 45 of 2021 (PDPL)

Kingdom of Saudi Arabia — Royal Decree No. M/19 of 2022 (PDPR)

Other countries in the Middle East and Gulf region

6.4. How to exercise your rights (Data Subject Access Requests - DSAR):

DSAR Process Overview:

Contact Methods for DSAR Requests:

Primary Email: dsar@whiks.com (preferred method)
Alternative Email: privacy@whiks.com
Trust Center (Data requests): Start on our Trust Center → Data requests page for instructions and contact details. We currently process requests by email; we do not host a separate interactive web form.
Postal Mail: WHIKS Ltd, 128 City Road, London, EC1V 2NX, United Kingdom (company number 17189817)

Required Information for DSAR Requests:

Response Timelines:

Confirmation: We will confirm receipt of your request within 10 business days.
GDPR Requests: We will respond within 30 days (extendable to 60 days with justification).
CCPA Requests: We will respond within 45 days (extendable to 90 days with notification).
Complex Cases: For complex requests, we may extend the response period and will notify you of the extension and reasons.

Identity Verification:

We will verify your identity before processing requests to protect your personal information. This may include:

Fees:

Most DSAR requests are free. However, we may charge a reasonable fee for:

Appeal Process:

If your DSAR request is denied or you are unsatisfied with our response, you may:

7. Cookies and Tracking Technologies

Types of cookies we use:

Essential (necessary) cookies: Necessary to operate the platform and provide basic functionality (such as login, session management). Do not require your consent.
Analytical cookies / SDK: When you opt in to Analytics in our cookie banner, we load PostHog in the browser; it may use cookies or local storage to collect usage information (such as pages visited) to improve Lahez. If you do not opt in, that client-side analytics bundle is not loaded.
Functional cookies: Enable the platform to remember your choices (such as language, preferences) to provide a more personalized experience.
Advertising/marketing cookies: Used to deliver ads relevant to your interests, measure advertising campaign effectiveness, and track you across other websites and apps. These may be placed by third-party advertising partners.

Managing cookie preferences and consent:

Cookie banner (consent): For non-essential browser storage and client-side analytics (PostHog), we collect your choice through the cookie banner (accept, reject non-essential, or customize). Essential cookies and similar storage needed to operate and secure the service may be used without that consent where legally permitted.
California opt-out (CCPA/CPRA): California residents may exercise applicable rights—including limiting certain sharing for cross-context behavioral advertising—via the Trust Center → Data requests page and the contact emails in this policy. You can also disable non-essential Analytics and Marketing in our cookie banner. We do not operate a separate "Do Not Sell or Share My Personal Information" homepage link today; if our processing triggers a requirement to provide one under CCPA/CPRA, we will add a clearly labeled link (for example in the site footer or Trust Center) and update this policy.
Sensitive personal information (CPRA): Where we collect sensitive personal information and CPRA applies, you may request limitations on use or disclosure using the same Trust Center and email channels in this policy. We do not publish a dedicated "Limit the Use of My Sensitive Personal Information" homepage link today; if required, we will add it in a clear, conspicuous location and update this policy.
Browser and device settings: You can also manage cookie preferences through your browser settings, or reset/delete advertising identifiers on your mobile device. However, disabling some cookies may affect platform functionality and your experience.

8. Age Restrictions and Children's Privacy

Our services are intended for users aged 16 and above. We do not knowingly collect personal information from users under 16 years of age.

Minimum Age Requirement:

16+ Age Requirement: All users must be at least 16 years old to use our services. This requirement applies regardless of jurisdiction and ensures compliance with international data protection standards.
No Underage Users: We do not knowingly collect, use, or disclose personal information from users under 16 years of age.
Parental Reporting: If you are a parent or legal guardian and believe your child under 16 has provided personal information to us, please contact us immediately at privacy@whiks.com. We will promptly investigate and delete any such information.

Age Verification Process:

We may implement age verification mechanisms during registration, including:

Immediate Deletion: If we discover that we have collected personal information from a user under 16, we will delete this information immediately and terminate the account.

Legal Compliance: This age restriction ensures compliance with:

9. International Data Transfers

To ensure your personal information is protected when transferred internationally, we implement appropriate legal mechanisms:

Adequacy decisions: We transfer data to countries for which the European Commission has issued an adequacy decision, meaning they provide an adequate level of data protection.
Standard Contractual Clauses (SCCs): In the absence of an adequacy decision, we enter into standard contractual clauses with data recipients, which are contracts approved by the European Commission that provide appropriate safeguards for personal data protection.
Binding Corporate Rules (BCRs): Some multinational organizations use BCRs—internal data protection rules approved by regulators—for transfers within a corporate group. WHIKS Ltd does not rely on BCRs for Lahez today; if that changes, we will update this policy.
Specific exceptions: In limited circumstances, we may rely on specific exceptions for international data transfers, such as your explicit consent or necessity for contract performance.

We notify you of international data transfers and applicable safeguards *before* the transfer, to ensure full transparency.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technological developments.

Annual review: We commit to reviewing and updating this Privacy Policy at least annually to ensure continued compliance.
Notification of material changes: We will notify you of any material changes to this policy via email or through a prominent notice on our platform before the changes become effective.
Consent to changes: For material changes that affect how your personal data is processed (especially those that rely on your consent as a legal basis), we will seek your new explicit consent where required by law, and will not rely on continued use as implicit indication of consent.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, or to exercise any of your rights, please contact us:

Email: privacy@whiks.com

Address: WHIKS Ltd, 128 City Road, London, EC1V 2NX, United Kingdom. Registered in England and Wales, company number 17189817. Tel: +44 7988580234.

Privacy Policy

Privacy Policy — Document sections

Table of Contents

1. Information We Collect

Personal information you provide directly:

Information we collect automatically when you use our platform:

Information from third-party sources:

2. How We Use Your Information (Purposes and Legal Bases)

Important notes about data use:

3. Information Sharing and Disclosure

Trusted service providers: We share information with third-party service providers who help us operate our platform and provide our services. These categories include:

When required by law:

In case of merger, acquisition, or business transfer:

Google Services and User Data

Google Sign-In (Google OAuth 2.0 / OpenID Connect)

Google Maps Platform (Maps JavaScript API, Embed API, Geocoding)

Google Analytics (marketing site, if enabled)

What we do not access via Google APIs

4. Data Security

5. Data Retention

Specific retention periods:

6. Your Data Privacy Rights

6.1. Your rights under the General Data Protection Regulation (GDPR):

6.2. Your rights under the California Consumer Privacy Act (CCPA/CPRA):

6.3. United Arab Emirates (PDPL) and Kingdom of Saudi Arabia (PDPR)

United Arab Emirates — Federal Law No. 45 of 2021 (PDPL)

Kingdom of Saudi Arabia — Royal Decree No. M/19 of 2022 (PDPR)

Other countries in the Middle East and Gulf region

6.4. How to exercise your rights (Data Subject Access Requests - DSAR):

7. Cookies and Tracking Technologies

Types of cookies we use:

Managing cookie preferences and consent:

8. Age Restrictions and Children's Privacy

Minimum Age Requirement:

Age Verification Process:

9. International Data Transfers

To ensure your personal information is protected when transferred internationally, we implement appropriate legal mechanisms:

10. Changes to This Privacy Policy

11. Contact Us

Privacy Policy

Privacy Policy — Document sections

Table of Contents

1. Information We Collect

Personal information you provide directly:

Information we collect automatically when you use our platform:

Information from third-party sources:

2. How We Use Your Information (Purposes and Legal Bases)

Important notes about data use:

3. Information Sharing and Disclosure

Trusted service providers: We share information with third-party service providers who help us operate our platform and provide our services. These categories include:

When required by law:

In case of merger, acquisition, or business transfer:

Google Services and User Data

Google Sign-In (Google OAuth 2.0 / OpenID Connect)

Google Maps Platform (Maps JavaScript API, Embed API, Geocoding)

Google Analytics (marketing site, if enabled)

What we do not access via Google APIs

4. Data Security

5. Data Retention

Specific retention periods:

6. Your Data Privacy Rights

6.1. Your rights under the General Data Protection Regulation (GDPR):

6.2. Your rights under the California Consumer Privacy Act (CCPA/CPRA):

6.3. United Arab Emirates (PDPL) and Kingdom of Saudi Arabia (PDPR)

United Arab Emirates — Federal Law No. 45 of 2021 (PDPL)

Kingdom of Saudi Arabia — Royal Decree No. M/19 of 2022 (PDPR)

Other countries in the Middle East and Gulf region

6.4. How to exercise your rights (Data Subject Access Requests - DSAR):

7. Cookies and Tracking Technologies

Types of cookies we use:

Managing cookie preferences and consent:

8. Age Restrictions and Children's Privacy

Minimum Age Requirement:

Age Verification Process:

9. International Data Transfers

To ensure your personal information is protected when transferred internationally, we implement appropriate legal mechanisms:

10. Changes to This Privacy Policy

11. Contact Us