Effective date: 31 August 2025
Last updated: 31 August 2025

This Privacy Policy explains how Apps Made Easy ("AME", "we", "our", "us") collects, uses, discloses, and protects personal data when you use our services. Our services include: custom-branded Virtual Agent apps (installable across devices), the Auto‑Invite lead system, buyer profiling & alerts (email/SMS/push), the AME Collaboration/Listing Network for multi‑agency inventory, AME websites/landing pages, dashboards/back‑offices, and related marketing and analytics tools (collectively, the "Services").

We operate globally and support agencies, brokers, developers, and their clients (buyers/sellers/tenants). We are committed to privacy by design, security by default, and transparency.

1) Who we are and how to contact us

Apps Made Easy (AME)
9th Floor, Concord Tower, Media City, Dubai
Email: info@madeeasy.app
Website: https://www.madeeasy.app

2) Scope & relationship roles (controller vs processor)

Our role depends on the feature and the parties involved:

• Processor to the Agency: For white‑label/brand apps and related lead handling where the Agency determines purposes/means (e.g., handling inquiries, CRM syncing, follow‑ups), AME acts as a data processor on the Agency’s behalf. We process according to the Agency’s instructions and a Data Processing Addendum (DPA).
• Controller (AME): For platform‑level operations such as network integrity, security, anti‑abuse, aggregated analytics, product improvement, service diagnostics, billing, fraud prevention, compliance, and where AME independently determines purposes/means (e.g., telemetry to improve the Services, measuring app delivery/opens). In limited cases (e.g., optional AME‑managed advertising inventory/sponsors), AME may be an independent controller.
• Joint/Independent controllers may exist between Agencies and AME for certain collaboration‑network features (e.g., cross‑agency exposure of listings and routing of buyer interest). When applicable, we will make roles transparent in product UIs, contracts, or supplemental notices.

If you are unsure which entity is responsible for your data in a given interaction, contact us at info@madeeasy.app and we will clarify.

3) Definitions (plain English)

• Agency: A real estate firm or broker using AME.
• Buyer/User: An individual using an Agency’s branded app or AME surfaces.
• Virtual Agent app: The Agency‑branded, cross‑platform property app powered by AME.
• Auto‑Invite: Automated invites (email/SMS) sent to leads so they can install the Agency app and access listings.
• Profiling & Alerts: Preference/activity‑based personalization and notifications (email/SMS/push) about properties.
• Collaboration/Listing Network: Opt‑in network where Agencies share listings and increase inventory/exposure.

4) What data we collect

We collect the following categories of data. Specific data elements may vary by feature, jurisdiction, and by Agency configuration.

A) Data you or your Agency provide

• Account & identity: name, email, phone, role/title, password hashes, authentication metadata.
• Business profile (Agencies): legal/entity data, billing contacts, logos/brand assets, XML/property feeds, commission terms presented within back‑office.
• Leads & inquiries: contact details, message content, property of interest, preferred language, time zone.
• Marketing preferences: opt‑in/opt‑out choices for email/SMS/push and categories of communications.

B) Data collected automatically

• Usage & telemetry: install/referral source, app opens, screens viewed, searches, filters, favorites, feature interactions, link clicks, timestamps, approximate region (derived from IP or device settings), device/OS/browser attributes, language, session IDs, crash/diagnostic logs.
• Notification events: deliverability (sent/bounced), opens, clicks, unsubscribe state, suppression list status.
• Network interactions: when a buyer views cross‑network listings, we log that interaction to route interest and provide analytics.

C) Data from third parties

• CRMs & lead portals: when integrated (e.g., via API/Zapier), lead/contact data that the Agency has collected elsewhere.
• Verification & anti‑fraud: signals from security tools and service providers to protect accounts and prevent abuse.
• Advertising/attribution (optional): campaign UTM tags, referrers, and attribution events tied to consented marketing.

We do not intentionally collect special category data (e.g., health, religion) or precise geolocation unless explicitly enabled for a feature and subject to consent/OS permission.

5) Purposes & legal bases (GDPR/UK GDPR)

We process personal data for the purposes and legal bases below. Some processing is undertaken as a processor for the Agency; some as controller by AME.

PurposeExamplesLegal basisDeliver the Servicesaccount creation, authentication, app delivery, routing inquiries to the Agency, push/SMS/email deliveryContract (Art. 6(1)(b)); Legitimate interests (service continuity); Processor role to Agency where applicableLead capture & Auto‑Invitesending invite links; reminders if not installed; tracking installation statusLegitimate interests (enable buyer‑initiated engagement); Consent where required for SMS/email (ePrivacy/PECR); Processor to AgencyBuyer profiling & alertssaving searches/favorites; tailored recommendations; new‑listing alertsLegitimate interests (relevant content); Consent for electronic marketing; Processor to AgencyCollaboration/Listing Networkenabling cross‑agency visibility; routing buyer interest; showing commissions in back‑officeLegitimate interests (expand inventory/choice); Contract; Processor/Controller mix depending on configurationProduct safety & integritysecurity monitoring, anti‑fraud, incident responseLegitimate interests; Legal obligationAnalytics & service improvementtelemetry, performance, feature usage, troubleshootingLegitimate interests (improve services)Marketing & sponsors (optional)in‑app placements, push/email campaigns for relevant services/developmentsConsent where required; Legitimate interests for B2B relationship marketing (opt‑out honored)Billing & account managementinvoices, payments, subscription managementContract; Legal obligationCompliance & disputeslegal requests, record‑keeping, defense of claimsLegal obligation; Legitimate interests

Where we rely on consent, you can withdraw it at any time via in‑app settings, unsubscribe links, or by contacting us.

6) Automated decision‑making & profiling

We use profiling (e.g., your saved searches, favorites, view history, language) to personalize results and alerts. We do not employ automated decision‑making that produces legal or similarly significant effects without human involvement. You may object to profiling at any time; you may still receive non‑personalized content.

7) Cookies, SDKs, and similar technologies

Our websites and apps (including progressive web app functionality) use cookies, local storage, device identifiers, and SDKs for:

• essential operations (login, session security);
• analytics/telemetry;
• preference storage;
• consent management;
• (optional) marketing/attribution.

You can manage preferences through our consent banner, browser settings, and OS‑level notification controls. If you enable "Do Not Track", we will make reasonable efforts to respect it for non‑essential tracking where feasible.

8) Communications: email, SMS, and push

• Operational messages (e.g., password resets, transactional alerts) are necessary for the Services.
• Auto‑Invite & reminders may be sent following an inquiry; frequency caps apply and you can opt out at any time.
• Marketing (Agency or AME) is sent only with appropriate consent or under applicable B2B soft‑opt‑in regimes; every message provides an unsubscribe method. Push notifications can be disabled in device/app settings.

Jurisdiction‑specific rules (e.g., EU ePrivacy/PECR) are honored. We maintain suppression lists to respect opt‑outs.

9) How we share information

We disclose data only as described:

• With the Agency you interact with: Your inquiries and relevant profile/interaction data are shared with the Agency operating the branded app you use, to respond to you and manage the relationship.
• Collaboration/Listing Network: When Agencies opt in, listings are shared across the network to expand buyer choice; buyer interactions with those listings are logged to route interest appropriately and for reporting.
• Service providers (processors/sub‑processors): Hosting, infrastructure, content delivery, email/SMS gateways, analytics/diagnostics, anti‑fraud, customer support tools, payment processors. These providers are bound by contracts and security/privacy obligations.
• Developers/advertisers (optional): If a branded app includes sponsored content/partner placements, we may facilitate delivery of relevant offers. Personalization for advertising is consent‑based where required.
• Corporate transactions: In connection with mergers, acquisitions, or asset sales with appropriate protections.
• Legal & safety: To comply with law, enforce terms, and protect rights, property, users, or the public.

We do not sell your personal data. If we engage in activities that are deemed a "sale" or "share" under certain U.S. state laws, we will provide opt‑out mechanisms.

10) International transfers

We operate globally. When transferring personal data outside your jurisdiction (e.g., from the EEA/UK to other countries), we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum and/or participation by U.S. vendors in the EU‑U.S. Data Privacy Framework. Copies of relevant SCCs can be requested.

11) Security

We use administrative, technical, and organizational measures aligned with industry standards:

• encryption in transit (TLS) and at rest (where supported);
• access controls (least privilege, MFA for staff);
• logging/audit trails; environment segregation; key management;
• secure development lifecycle, code review, vulnerability management;
• regular backups and disaster recovery planning;
• vendor risk management and confidentiality obligations;
• employee privacy/security training.

No system is perfectly secure. If we learn of a breach, we will notify affected parties and regulators as required by law.

12) Data retention

We retain personal data only as long as necessary for the purposes described or as required by law. Typical periods (subject to Agency configuration and legal requirements):

Data categoryTypical retentionAccount credentials & Agency admin dataWhile account is active + up to 24 monthsLeads & inquiries24 months from last activity (or as directed by Agency)Buyer profiles (favorites, searches)While user remains active; deleted or anonymized after 24 months of inactivityNotification logs (delivery/open events)18–24 months (aggregated after)Billing and tax records7–10 years (jurisdiction dependent)Security logs12–24 monthsSuppression/unsubscribe listsAs required to honor opt‑outs

Where a shorter/longer period is mandated by law or contract, we will apply it. Agencies may set custom retention in their DPA or admin settings.

13) Your rights

Depending on your location, you may have the right to:

• Access your data and obtain a copy.
• Correct inaccurate or incomplete data.
• Delete your data (erasure/"right to be forgotten").
• Restrict processing in certain cases.
• Object to processing based on legitimate interests and to direct marketing (including profiling for such marketing).
• Withdraw consent at any time (does not affect prior lawful processing).
• Data portability (receive your data in a structured, commonly used, machine‑readable format).

Exercising rights: use in‑app controls, unsubscribe links, or contact privacy@madeeasy.app (or info@madeeasy.app). We may request information to verify your identity. If we process your data on behalf of an Agency, we will forward your request to that Agency (the controller) to fulfill it.

If you believe your rights have been infringed, you may lodge a complaint with your local data protection authority.

14) Children’s data

Our Services are not directed to children under 16 (or under the minimum age required by your jurisdiction). We do not knowingly collect such data. If you believe a child has provided us data, contact us to delete it.

15) Accuracy & your responsibilities (Agencies)

Agencies are responsible for ensuring that lead data they upload or sync to AME has been collected lawfully with appropriate disclosures and consents (where required), and that privacy choices are respected. Agencies must not upload special category data or data unrelated to real‑estate purposes.

16) Changes to this Policy

We may update this Policy to reflect changes in law or our Services. We will post updates here and, where appropriate, notify you in‑app or by email. Please review periodically.

17) Contact & complaints

• General privacy queries: info@madeeasy.app
• Data subject rights: privacy@madeeasy.app

Annex A — Jurisdiction‑specific notices

EEA/UK (GDPR/UK GDPR)

• Controller/Processor: See Section 2. Where AME is a processor, our DPA (Annex C) applies. Where AME is a controller, the legal bases in Section 5 apply.
• Marketing: Direct electronic marketing requires consent unless a soft‑opt‑in applies. You may unsubscribe at any time.
• International transfers: SCCs/UK Addendum (see Section 10).

United States (CCPA/CPRA and similar state laws)

• We do not sell personal information as commonly understood. If any activity constitutes a sale or sharing for cross‑context behavioral advertising, you may opt out via “Do Not Sell or Share”/“Your Privacy Choices” links.
• Categories collected: identifiers, commercial info (interest in listings), internet/network activity, geolocation (approximate), inferences (preferences), and professional information (for Agency users). See Sections 4–5.
• Consumer rights: access, deletion, correction, portability, opt‑out of sale/share/targeted advertising, and non‑discrimination. Authorized agents may submit requests.

Canada (PIPEDA)

• We process your data with your consent or as otherwise permitted by law. You may request access/correction. Transfers to service providers may occur outside Canada with appropriate safeguards.

Australia (Privacy Act)

• We collect/use personal information for the purposes in Section 5. You may request access/correction and complain to the OAIC if unresolved.

Annex B — Summary of AME Data Processing Addendum (processor obligations)

When AME processes personal data on behalf of an Agency:

1. Instructions: Process only on documented instructions.
2. Confidentiality: Ensure personnel confidentiality.
3. Security: Implement appropriate technical/organizational measures (Section 11).
4. Sub‑processors: Engage only under written contracts; remain liable; provide notice of changes.
5. Assistance: Help the Agency respond to data subject requests and fulfill security/impact assessment obligations.
6. Incidents: Notify the Agency without undue delay of personal data breaches.
7. Return/Deletion: Upon termination, delete or return personal data as instructed.
8. Audits: Make information available for audits subject to confidentiality and reasonable limits.
9. Transfers: Use appropriate safeguards for international transfers (SCCs/UK Addendum).

A signed DPA is available upon request.

Annex C — Sub‑processors (illustrative categories)

We use reputable providers for: cloud hosting and storage; content delivery networks; database and queue services; email and SMS gateways; push notification delivery; analytics/telemetry; crash reporting; anti‑fraud/security; customer support tooling; payment processing; backups and disaster recovery.
A current list with legal entities, locations, and purposes can be provided upon request and/or published online. Agencies may subscribe to change notifications.

Annex D — Detailed retention schedule (illustrative)

• Lead/contact records: 24 months from last activity; Agency may shorten/extend.
• App telemetry & diagnostics: raw 6–12 months; aggregated thereafter.
• Attribution/marketing events: 12–24 months; aggregated thereafter.
• Contracts & billing: per statutory requirements (e.g., 7–10 years).
• Backup archives: rolling cycles (e.g., 30–90 days), then purged.

Annex E — Glossary

• Personal data: information relating to an identified or identifiable individual.
• Processing: any operation performed on personal data (collection, storage, use, disclosure, etc.).
• Controller: entity that determines purposes and means of processing.
• Processor: entity that processes personal data on behalf of the controller.
• SCCs: EU Standard Contractual Clauses for international data transfers.
• PECR: UK Privacy and Electronic Communications Regulations.

‍