Privacy Policy

Last updated: 9 May 2026 · Effective date: 9 May 2026

This Privacy Policy explains how IAIC AI RESEARCH & TRADING - FZCO (“we”, “us”) collects, uses, and protects personal data when you use the ENIGMA.IST platform (the “Platform”). This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), and applicable global standards.

1. What data we collect

1.1 Information you provide

• Account data: name, email address, password (hashed), language, timezone.
• Profile data (optional): affiliation, country, position, ORCID, biography, avatar image.
• Payment data: billing name and address, country, postal code (collected by our payment processor).
• Author data (if you submit work): manuscript text, co-author names and emails, supplementary files.
• Communications: messages you send through the Platform’s messenger, comments, support requests.

1.2 Information collected automatically

• Usage data: pages viewed, actions performed, last-seen timestamp, session metadata.
• Device data: IP address, browser, operating system, screen size.
• Cookies and similar technologies: session cookies for authentication; analytics cookies (Yandex.Metrica) if you consent.

1.3 Information from third parties

If you sign in via a social provider (Google, GitHub, Telegram, etc.) or via Single Sign-On (SSO) from a sister site, we receive the basic profile data those providers share (typically email, name, profile picture).

2. How we use your data

We process personal data on the following lawful bases:

• Performance of contract — to operate the Platform, run accounts, deliver paid services, and process payments.
• Legitimate interest — to keep the Platform secure, prevent fraud, improve features, communicate operational updates.
• Consent — for analytics cookies and optional marketing communications. You may withdraw consent at any time.
• Legal obligation — for tax records, accounting, and compliance with UAE / EU regulators where required.

3. Sharing with third parties

We share personal data only with the following categories of recipients, and only as necessary:

• Payment processor: Paddle.com Market Limited (Merchant of Record) and affiliated entities, for billing, tax compliance, fraud prevention, and refund processing.
• Email infrastructure: our SMTP provider (Gmail SMTP relay) for transactional and notification emails.
• Hosting and analytics: our cloud hosting provider (Hetzner Online GmbH, Germany) and optional analytics provider (Yandex.Metrica) where you have consented.
• Co-authors and editors: when you submit a paper, your author details are visible to invited co-authors, editors, and assigned peer reviewers in line with editorial workflow.
• Legal authorities: when required by law, valid court order, or to protect the rights, safety, or property of users.

We do not sell or rent personal data to third parties for marketing purposes.

4. International transfers

The Platform is hosted in the European Union (Hetzner Online GmbH, Germany). When we transfer personal data outside the EU/UK (for example, to our headquarters in the UAE or to international service providers), we rely on Standard Contractual Clauses or equivalent legal mechanisms to ensure adequate protection.

5. Retention

We retain personal data only as long as necessary for the purposes described above:

• Account data: while your account is active, plus up to 12 months after closure;
• Published articles and authorship records: indefinitely (academic-record integrity);
• Payment and tax records: 7 years (UAE and EU tax-law minimum);
• Server logs: 90 days;
• Marketing-consent records: until you withdraw consent.

6. Your rights (GDPR / UK / UAE PDPL)

Subject to applicable law, you have the right to:

• Access — request a copy of personal data we hold about you;
• Rectification — correct inaccurate or incomplete data;
• Erasure — request deletion (subject to legal-retention obligations such as published-article integrity);
• Restriction — ask us to limit processing in certain circumstances;
• Portability — receive your data in a machine-readable format;
• Object — object to processing based on legitimate interest or for direct marketing;
• Withdraw consent — for processing based on consent (e.g. analytics cookies, marketing emails);
• Lodge a complaint — with your local data-protection authority (in the EU: your national DPA; in the UK: ICO; in the UAE: UAE Data Office).

To exercise any right, email legal@enigma.ist. We will respond within 30 days.

7. Cookies

The Platform uses three categories of cookies:

• Strictly necessary: session cookie for authentication (no consent required by law).
• Functional: language and timezone preferences (set only when you change them).
• Analytics: Yandex.Metrica counter to understand usage patterns — only loaded after you accept analytics cookies in our cookie banner.

You can clear cookies in your browser at any time. Disabling strictly-necessary cookies will prevent you from logging in.

8. Security

We protect personal data with appropriate technical and organisational measures, including TLS/HTTPS encryption in transit, password hashing (bcrypt), encrypted database backups, principle-of-least-privilege access controls, and regular security audits. No system is perfectly secure; if a personal-data breach occurs, we will notify affected users and the relevant supervisory authority within 72 hours where required by law.

9. Children

The Platform is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with data, please contact legal@enigma.ist and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy. Material changes will be notified to registered users by email at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

11. Contact

Questions or requests under this policy: legal@enigma.ist.
Postal: IAIC AI RESEARCH & TRADING - FZCO, IFZA Properties, DSO-IFZA, Dubai Silicon Oasis, Dubai, UAE.