Privacy Policy

DONE MENAT FZCO
Privacy Policy
Effective Date: 4 May 2026

1. Introduction

This Privacy Policy explains how DONE MENAT FZCO ("DONE", "we", "us", or "our") collects, uses, processes, stores, shares, and protects your personal information when you access or use our website at www.done.fyi, our cloud-based learning management platform, and our associated iOS and Android applications (collectively, the "Service").

By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and processing of your information as described herein. If you do not agree, you must not use the Service.

This Privacy Policy should be read in conjunction with our Terms and Conditions and Data Processing Addendum, all of which are publicly available at www.done.fyi.

2. Company Information

Legal Entity: DONE MENAT FZCO
Registration Number: DSO-FZCO-6511
Registered Address: Dubai Silicon Oasis, DDP, Building A2, Dubai, UAE
Website: www.done.fyi
Data Protection Contact: info@done.fyi
Telephone: +971 52 452 3339

3. Scope of This Policy

This Privacy Policy applies to:

• Visitors to the DONE website (www.done.fyi);
• Individuals who register for or use the DONE platform directly;
• Business clients and their authorised representatives;
• Marketing contacts and prospective clients;
• Affiliate partners.

This Policy also explains how data is handled within client-operated academies and white-labelled applications built on DONE infrastructure.

This Policy does not apply to third-party websites or services linked from the DONE platform. DONE is not responsible for the privacy practices of third parties.

4. Roles and Responsibilities

DONE operates in two distinct data protection roles, and it is important that users understand the distinction:

4.1 DONE as Data Controller

DONE acts as the Data Controller for personal data it collects directly, including: data collected from website visitors; data provided by clients during account registration and billing; marketing and communications data; affiliate partner data; and support and correspondence records. In this capacity, DONE determines the purposes and means of processing and is responsible for compliance with applicable data protection law.

4.2 DONE as Data Processor

When Clients deploy DONE's platform within their own branded academies or white-labelled applications, DONE acts solely as a Data Processor on behalf of the Client. In this capacity, DONE processes personal data strictly in accordance with the Client's documented instructions. The Client is the Data Controller and bears full responsibility for ensuring a lawful basis for processing, obtaining end-user consent, and providing appropriate privacy notices to its users. DONE's obligations in this capacity are governed by the Data Processing Addendum.

4.3 No Direct Relationship with White-Label End Users

Where a user interacts with a white-labelled application operating on DONE infrastructure, that user's primary legal relationship with respect to their personal data is with the Client organisation operating that application. DONE has no direct data relationship with such end users and processes their data solely as infrastructure provider under the Client's instruction.

5. Information We Collect

5.1 Personal Data — Directly Collected by DONE as Controller

When you interact with DONE directly, we may collect:

• Identity data: full name, job title, company name;
• Contact data: email address, telephone number, postal address;
• Account credentials: username, encrypted password;
• Billing and financial data: payment method details (processed by our payment provider), invoice history, subscription tier;
• Marketing preferences: communication opt-in/out status;
• Support and correspondence: content of communications with DONE's support team.

5.2 Usage and Technical Data

When you use the platform or visit our website, we automatically collect:

• IP address and approximate geographic location;
• Browser type, version, and operating system;
• Device identifiers and screen resolution;
• Pages visited, features accessed, and time spent;
• Referring URL and navigation path;
• System error and performance logs.

5.3 Client Data (Processed as Processor)

Data hosted within Client-operated academies — including learner profiles, course completion records, assessment results, uploaded training content, and user activity logs — is Client Data. DONE processes Client Data on behalf of the Client as Data Processor. DONE does not independently control, access, or use Client Data except as necessary to deliver the platform service. Clients are solely responsible for all Client Data within their academies.

5.4 Cookies and Tracking Technologies

DONE uses cookies and similar technologies as described in Section 11 of this Policy.

6. Legal Basis for Processing

Where DONE acts as Data Controller, we process personal data on the following legal bases:

• Contractual necessity: to perform our obligations under the Terms and Conditions, including delivering the platform, managing accounts, processing payments, and providing support;
• Legitimate interests: to improve our platform and services, ensure security, detect fraud, conduct analytics, and manage our commercial operations, where such interests are not overridden by your data protection rights;
• Legal obligation: to comply with applicable UAE law and other legal obligations, including financial record-keeping requirements;
• Consent: for marketing communications and non-essential cookies, where we rely on your freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

7. How We Use Personal Data

Where DONE acts as Data Controller, we use personal data to:

• Provide, operate, and maintain the platform and associated services;
• Manage your account, process payments, and send billing communications;
• Respond to enquiries, support requests, and complaints;
• Send service-related notifications and updates;
• Send marketing communications where you have provided consent or where we have a legitimate interest and you have not opted out;
• Conduct analytics and product improvement activities;
• Ensure platform security, detect fraud, and investigate misuse;
• Comply with applicable legal and regulatory obligations;
• Manage affiliate relationships and commission arrangements;
• Enforce our Terms and Conditions and exercise our legal rights.

8. Data Sharing

DONE does not sell personal data. DONE may share personal data with:

• Service providers and sub-processors: third-party companies that assist us in delivering the platform, including cloud hosting providers, payment processors, email service providers, and analytics tools. All such providers are bound by contractual data protection obligations. A current list of our sub-processors is maintained at www.done.fyi/sub-processors;
• Professional advisors: solicitors, accountants, auditors, and insurers bound by confidentiality obligations;
• Regulatory and law enforcement authorities: where required by applicable law, court order, or regulatory obligation;
• Business successors: in connection with a merger, acquisition, reorganisation, or sale of assets, subject to the acquiror assuming obligations under this Policy;
• Affiliates: members of the DONE corporate group, where relevant to platform delivery.

DONE does not share personal data with third parties for their own independent marketing purposes.

9. International Data Transfers

9.1 DONE is based in the United Arab Emirates. As a cloud-based SaaS provider, personal data may be processed or stored in data centres outside the UAE, including within the European Economic Area, the United Kingdom, or other jurisdictions.

9.2 Where personal data is transferred internationally, DONE implements appropriate safeguards to ensure that such data receives a level of protection consistent with applicable data protection law, including:

• For transfers from the EU/EEA: the European Commission's Standard Contractual Clauses (SCCs) as adopted in June 2021 (Commission Implementing Decision 2021/914), specifically the Controller-to-Processor module where applicable, which are incorporated into the Data Processing Addendum;
• For transfers from the United Kingdom: the UK International Data Transfer Addendum (IDTA) as issued by the UK Information Commissioner's Office, incorporated by reference into the Data Processing Addendum for UK-established clients;
• For transfers from other jurisdictions: such other mechanisms as are recognised under applicable local law.

9.3 By using the Service, you acknowledge that your data may be transferred internationally as described above and that DONE has implemented appropriate safeguards in respect of such transfers.

9.4 Further information about the specific transfer mechanisms used and copies of the applicable SCCs can be obtained by contacting DONE at info@done.fyi.

10. Data Retention

DONE retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying legal, accounting, or reporting requirements. The following retention periods apply:

• Account and profile data: retained for the duration of the active subscription and for ninety (90) days following termination or expiry of the subscription, after which it is securely deleted or irreversibly anonymised;
• Learning activity and completion data within Client academies: retained for ninety (90) days following termination of the Client's subscription, subject to any earlier deletion request from the Client;
• User-generated content within academies: retained for ninety (90) days following subscription termination;
• Financial, billing, and contractual records: retained for seven (7) years from the date of the relevant transaction, in accordance with UAE commercial and tax law requirements;
• Marketing and communications records: retained for twenty-four (24) months from the date of last meaningful interaction or until withdrawal of consent, whichever is earlier;
• Support and correspondence records: retained for three (3) years from the date of the last communication;
• Security, access, and system logs: retained on a rolling twelve (12) month basis;
• Cookie consent records: retained for thirty-six (36) months from the date of consent, or until consent is withdrawn.

DONE may retain anonymised, aggregated data derived from platform usage for statistical analysis and product improvement purposes without time limitation, as such data cannot be used to identify any individual.

Upon written request, DONE will delete personal data before the expiry of the applicable retention period unless retention is required by law. Requests should be sent to info@done.fyi.

11. Cookies and Tracking Technologies

11.1 What Are Cookies. Cookies are small text files stored on your device when you visit a website. DONE uses cookies and similar technologies (including web beacons and session storage) on its website and platform.

11.2 Categories of Cookies Used: … (All sub-points as provided by you)

12. Data Security

12.1 Security Measures. DONE implements commercially reasonable technical and organisational measures to protect personal data against accidental loss, destruction, alteration, unauthorised disclosure, and unauthorised access. …

22. Contact and Data Requests

For all privacy-related enquiries, data subject access requests, or complaints, please contact:

Email: info@done.fyi
Website: www.done.fyi
Address: DONE MENAT FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, UAE

DONE aims to respond to all privacy-related enquiries within thirty (30) days of receipt.