PLATFORM PRIVACY POLICY
Version of July 2, 2026
1. Introduction
This Platform Privacy Policy (“Privacy Policy”) explains how Mal Digital Ltd (“we”, “us”, “our” or “Mal”), an entity incorporated in the Abu Dhabi Global Market (“ADGM”), collects, uses, processes, discloses, and protects your Personal Data when a user (“you” or “your”) uses our mobile platform (the “Mal Platform” or “Platform”) and the related services we make available through it (the “Services”). For the purposes of this Privacy Policy, “Personal Data” means any information relating to you, which may include certain sensitive data such as biometric data (see Section 4 for details).
This Privacy Policy reflects the features currently available in the Mal Platform in one of the countries in which the Mal Platform is currently available (the “Supported Jurisdictions”).
This Policy is the general notice you see when you create your account. Since some processing is more sensitive or specific, we may provide additional, shorter notices at the moment they become relevant for certain Services and/or features of the Platform.
As the Platform develops (for example, where regulated activity is introduced into the Mal Platform) the way we handle your Personal Data may change, and the provisions of this Privacy Policy may be revised accordingly.
Where we revise this Privacy Policy, we will notify you the next time you log in to the Mal Platform. Where the applicable law requires us to notify you before the next time you log in to the Mal Platform (including when the applicable law will require us to give you an advance notice, or where a new purpose of processing will require your explicit consent), we will do so separately using the contact details we then hold for you.
The Mal Platform is not intended for anyone under the age of 18, and we do not knowingly collect Personal Data from children. If we become aware that a person under 18 is using the Mal Platform, we will disable their access and delete their Mal Platform account and the associated Personal Data as soon as reasonably practicable, except where we are required to retain certain data by law. If you believe we hold Personal Data relating to a child, please contact us using the details in Section 12.
By accessing or using the Services, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy and Platform Terms and Conditions (the “Terms”), which can be found here
2. Scope of this Privacy Policy and the Role of Other Parties
The Mal Platform brings together the Services that are provided by Mal and by a number of third parties (partners), including other entities of the Mal group. It is important to understand who is responsible for your Personal Data in each case. You can ask us how your Personal Data is used, and ask us to restrict its use, at any time (see Section 11 and Section 12 for details).
Mal Group Entities
Within the Mal group, Mal is the designated group controller for the Mal Platform. Some features of the Platform can only be provided with the involvement of another entity within Mal group that processes your personal data as its own controller. Where you choose to use such a feature in the Mal Platform, Mal will collect the Personal Data specifically to pass on to another controller within Mal group for that controller’s purposes. Unless the Privacy Policy says otherwise, Mal is responsible for the processing carried out through the Mal Platform for the data controllers of Mal group.
The Services for which Mal is data controller:
• Creating and managing your Mal Platform account.
• Collecting and verifying your identity information and screening you for financial-crime purposes as part of onboarding to a banking or financial services product.
Third-Party Services
Where the Mal Platform refers to, or gives you access to, the Services provided by third party partners (including where those Services are embedded within the Mal Platform), the processing of your Personal Data in connection with those third-party services, including the lawful basis for collecting it, the terms on which it is shared onward and how long it is retained, is governed by the privacy policies of those third parties and is the responsibility of those third parties, not of Mal. To the extent allowed by applicable law, Mal is not responsible for the direct arrangements that you have with such third-party providers in the Mal Platform.
As described in the Terms, for each third-party partner service, Mal acts as a technical facilitator, while respective products and services are provided directly by the partner (and not by Mal).
The Services where a third-party is data controller:
• Opening a bank account with a third-party bank and its management on behalf of an entity for which you are authorized to make such request and share such data. Your and that entity’s contractual and regulatory relationship for that account is with such bank, not Mal.
• Requesting a financing product or other banking or financial product with a third-party bank or financing company and its management on behalf of an entity for which you are authorized to make such request and share such data. Your and that entity’s contractual and regulatory relationship for that account is with such bank or financing company, not Mal.
3. Governing Data Protection Regime
Mal is committed to processing your Personal Data in compliance with the ADGM Data Protection Regulations 2021 (“DPR 2021”).
In certain cases, where your Personal Data is collected in one of the Supported Jurisdictions or is transferred to another jurisdiction (as described in Section 8), the data protection laws of those jurisdictions may also apply to its processing, and we comply with those requirements where we are required to do so.
Regardless of where your Personal Data is processed, Mal applies DPR 2021 as its baseline standard: built on the principles of the EU General Data Protection Regulation (GDPR), it reflects internationally recognized good practice in the protection of personal data, and we treat it as the minimum level of protection we extend to you wherever you are.
4. Personal Data We Collect and Process
The Personal Data we collect depends on which part or feature of the Mal Platform you use. Since the Mal Platform brings together several Services, the information you provide when you first start using the Mal Platform may also be used to provide other Services within the Platform.
Sometimes this data is provided by you, sometimes it is produced as a result of another process carried out on the Mal Platform at your request or as otherwise needed to provide you with the Services, and sometimes as the result of the use of “cookies”. Cookies are small text files placed on your device by a website or web-view. They help the system recognize your device and remember information about your visit (like your preferred language or login status).
We will use the Personal Data we have already collected to provide you with other features of the Mal Platform where this is compatible with the purpose for which it was originally collected and is covered by a lawful basis set out in Section 6. Where using your Personal Data for a new purpose requires a separate lawful basis (for example, where the law requires your separate explicit consent) we will obtain that basis before using your data for that purpose. You can ask us how your data is used, and ask us to restrict its use, at any time (see Section 11 and Section 12 for details).
When you create a Mal Platform account, we collect the following Personal Data:
• Your mobile phone number, and the one-time passcode used to verify it;
• Your declared country of residence in the Supported Jurisdictions;
• A mobile PIN (mPIN) you set and any device biometrics (Face ID / fingerprint) you use to unlock the Platform;
• A preferred name / nickname, and
• Other data for the account (see Section 6 for details).
When you use the in-Platform AI assistant
When you use the in-Platform AI assistant, your request is processed to work out what you are asking for and to retrieve the answer from within the Platform. Some of this processing uses a large-language-model (“LLM”) service provided by third-party providers (for example, OpenAI). Your personally identifiable information in always masked and never passed to the LLM.
When you onboard to a banking product
5. Sources of Personal Data
We collect most of the Personal Data directly from you regarding you, the entity on whose behalf you are applying for such service or product including personal information of other designated persons connected to such entity that you share with us, through the Platform. Depending on the Services and the particular feature of the Platform you intend to use, we also obtain personal data from:
• Our partner merchants/providers.
• Our identity-verification provider, which extracts data from your identity document and performs a limited check confirming that an ID with that number exists against your name in the relevant ecosystem of the respective Supported Jurisdiction.
• Our screening provider and the sanctions, PEP, watchlist and adverse-media sources it draws on.
• Publicly available resources.
6. Purposes for Personal Data Processing
Under the ADGM Data Protection Regulations 2021 we must have a lawful basis for each use of your personal data.
Mal collects and uses your Personal Data for the purposes set out below (both for its own purposes and for the purposes of other companies within the Mal group) relying in each case on one or more of the following lawful bases under DPR 2021:
• To provide and manage the Services (account setup, transactions, customer support) – performance of a contract (the Terms) with you or taking steps at your request to enter into such a contract.
• To meet our legal and regulatory obligations (KYC, AML, sanctions screening, financial crime prevention) – compliance with a legal obligation to which Mal or Mal group entities or third-party controller is subject.
• To improve the Mal Platform and the user experience (analytics, troubleshooting, security monitoring) – our legitimate interests in keeping the Platform and Services running efficiently and securely.
• To send you marketing communications about the Services, if permitted by you – your consent, where required; or, where permitted by law, our legitimate interests (existing customers / soft opt-in)
• To ensure the security of our systems (fraud prevention, system protection) – our legitimate interests in protecting our business and customers from harm, and, where applicable, compliance with a legal obligation.
The table below sets out the main purposes for processing Personal Data and the basis we rely on for each.
Purpose
Personal data used
Lawful basis (ADGM DPR 2021\)
Creating your account and giving you access to the Platform
Mobile number, OTP, mPIN, preferred name, country of residence (of the Supported Jurisdictions), date of birth, nationality, gender, national ID (or equivalent) details, passport details, email address of you and any of the other persons connected to the entity on behalf of whom you are applying, whose information you share with us
Performance of a contract (the Terms) or steps prior to entering a contract; legitimate interests in securing the Platform
Providing AI assistant features
Your queries, preferences and the data needed to route you to a provider
Performance of a contract (the Terms)
Verifying your identity and onboarding you to a banking product
Identity document data, address, KYC account, facial-match result, tax data, entity details such as trade license, registers of directors, officers, shareholders and ultimate beneficial owners (or equivalent), and the above listed personal information of those persons
Compliance with a legal obligation (AML / CFT and KYC); performance of a contract (the Terms)
Screening you for financial crime
Screening inputs and results (sanctions, PEP, adverse media, watchlists)
Compliance with a legal obligation; legitimate interests in preventing financial crime
Using your facial image to confirm your identity
Facial image and biometric comparison result
Your explicit consent
Preventing fraud and securing our systems
Device, usage and transaction metadata
Legitimate interests; legal obligation
Sending you marketing or rewards (e.g. welcome bonus)
Contact details (email address, mobile number) and account data, as well as your preferences in receiving marketing from us
Your explicit consent (where required), or legitimate interest
Managing the Mal Platform and improving user experience
IP address, device type, operating system, platform usage statistics, log-in data, cookies, and other tracking technologies, and customer support data (including information you provide when contacting our support team, for example, in a request, email, or communication feature in the Platform)
Legitimate interests
Where Mal relies on consent as the lawful basis, you have the right to withdraw your consent at any time, but this will not affect the lawfulness of processing carried out before you withdraw your consent.
As part of banking onboarding, our identity-verification provider compares a facial image of you against the photograph in your identity document to confirm that you are the person shown on it. This involves processing biometric data, which is a special category of personal data under DPR 2021 and is given extra protection.
We process this biometric data only to verify your identity for onboarding and fraud-prevention purposes, and we rely on your explicit consent to do so. You can choose not to provide it, but we will not be able to open a banking product for you without verifying your identity.
Certain Services entail activities that may involve automated decision-making or profiling:
• Financial-crime screening: the screening result feeds into whether a banking product can be opened for you. Where this produces a decision with a legal or similarly significant effect, you have the right not to be subject to a solely automated decision, to obtain human review, to express your point of view and to contest the outcome.
7. Disclosure and Sharing of Personal Data
Mal may share your Personal Data with the following parties, and when doing so, Mal will verify and screen third parties (both controllers/merchants and processors/providers), to the extent required by DPR 2021:
Recipient
Role
Why/Purpose
Third-party providers (vendors)
Processors per arrangements with them
Processing of your Personal Data at the instruction of Mal / independent controllers, as detailed in the respective written data processing terms
Mal group entities
Controllers / processors per intra-group arrangements
Providing and operating the Services you use; intra-group management and statistics; management of the Mal Platform and improving of your user experience
Regulators, authorities, law enforcement and professional advisers
As required
Where we must disclose to comply with law or to establish, exercise or defend legal claims
8. International Data Transfers
In compliance with DPR 2021, we may transfer your Personal Data to a jurisdiction deemed adequate by the ADGM Commissioner of Data Protection. Where we transfer your Personal Data outside the ADGM to a jurisdiction that is not recognized as providing an adequate level of protection under DPR 2021, we put in place an appropriate safeguard, or rely on a permitted derogation, as required by DPR 2021, including the following:
• Implementing Standard Contractual Clauses (SCCs) approved by the ADGM Commissioner of Data Protection.
• Relying on a specific derogation (e.g., the transfer is necessary for the performance of a contract with you or with your explicit consent).
9. Data Security
In accordance with DPR 2021, Mal has implemented appropriate technical and organizational security measures, including encryption in transit and at rest, access controls, and regular audits, to protect your Personal Data and to prevent it from being accidentally lost, used, or accessed in an unauthorized way.
Where we share or transfer your Personal Data to others (whether on a controller-to-controller basis or otherwise) we require recipients to protect it to a standard consistent with this Policy and applicable law. Where a recipient acts as our processor, we require it by written contract to apply security measures at least equivalent to our own. Where we transfer your Personal Data to an independent controller, we contract for appropriate security and confidentiality safeguards; that controller then remains responsible for protecting the Personal Data while it processes it under its own responsibility
10. Data Retention
Mal will retain your Personal Data only for as long as necessary to fulfil the purposes for which Mal collected it as described in this Privacy Policy and the Terms, and for any period we are required to keep it by law.
• If you start but do not complete account creation, or you decline this Policy, we delete the data we hold within thirty (30) days.
• KYC, identity and screening records: retained by the applicable regulated entity in line with applicable AML record-keeping requirements.
• Data held by our providers (for example the identity-verification and screening providers) is retained under their own retention schedules set out in our agreements with them.
11. Your Data Protection Rights
Under DPR 2021, you have the following rights regarding your Personal Data:
• Right to be Informed: The right to be provided with clear, transparent, and easily understandable information about how Mal uses your data (which this Privacy Policy does).
• Right of Access: The right to obtain a copy of the Personal Data Mal holds about you.
• Right to Rectification: The right to have inaccurate Personal Data corrected.
• Right to Erasure: The right to request the deletion or removal of your Personal Data in certain circumstances.
• Right to Restriction of Processing: The right to block or suppress further use of your Personal Data in certain circumstances.
• Right to Data Portability: The right to receive your Personal Data in a structured, commonly used, and machine-readable format.
• Right to Object to Processing: The right to object to processing where it is based on our legitimate interests or for direct marketing purposes.
• Rights in Relation to Automated Decision Making and Profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
You can exercise these rights by contacting us using the details in Section 12. Mal may need to verify your identity before responding to your request. Where the processing of your Personal Data and request is carried out by an independent third-party controller (as explained in this Privacy Policy), Mal may refer you to that controller.
Nothing in this Privacy Policy reduces or limits any rights you may have under the law of a Supported Jurisdiction, where that law applies to you. Where it does, those rights apply in addition to the position set out in this Policy. Please contact us if you have any questions about how your Personal Data is processed, or if you believe you have rights that are not described in this Privacy Policy.
12. Contact Information and Complaints
If you have any questions about this Privacy Policy, wish to exercise any of your rights, or wish to make a complaint, please contact us at contact@mal.ai
Email for Privacy Matters: privacy@mal.ai
Supervisory Authority: You also have the right to lodge a complaint with the ADGM Commissioner of Data Protection (ODP) if you believe your rights under DPR 2021 have been infringed. Contact email: data.protection@adgm.com, contact telephone: +971 23338888.
Get in touch
Mal HQ
21st floor, Sky Tower
Al Reem Island
Abu Dhabi, UAE
contact@mal.ai
