Privacy Policy

This Privacy Policy ("Policy") describes how KEYBOOK A.I PORTAL (License No. 1294837), operating under the brand name "Advocate Box" ("Advocate Box", "we", "us", or "our"), based in Dubai, United Arab Emirates, collects, uses, stores, discloses, and protects personal data and information through our legal firm management platform accessible at www.advocatebox.legal, including all related websites, applications, and services (collectively, the "Platform"). By accessing or using the Platform, you ("User", "you", or "your") acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you are using the Platform on behalf of a law firm, legal department, or other organization, you represent that you have the authority to bind that entity to this Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform immediately. We are committed to protecting the privacy and confidentiality of all personal data processed through our Platform, with particular sensitivity to the privileged and confidential nature of legal information handled by our Users.

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to: names, identification numbers, contact details, online identifiers, location data, and any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person, as defined under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) ("PDPL"). "Sensitive Personal Data" means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal records, biometric data, or health data, as well as any data classified as sensitive under the PDPL. "Client Data" means all data, files, documents, information, and content that Users upload, store, transmit, or process through the Platform in connection with their legal practice, including case files, client records, financial records, court documents, and all related metadata. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

Legal Entity: KEYBOOK A.I PORTAL Trade License No.: 1294837 Brand Name: Advocate Box Registered Address: Dubai Silicon Oasis, Dubai, United Arab Emirates Email: support@advocatebox.com WhatsApp: +971 50 551 0883

4.1 Account Registration Data When you register for the Platform, we collect: full legal name, email address, phone number, law firm name and details, professional license or bar registration number (if applicable), billing address, and preferred language (English or Arabic). 4.2 Client Data and Case Information Users input and manage Client Data through the Platform, which may include: client names, identification details (passport, Emirates ID, trade license), contact information, case details, court documents, financial records (claims, collections, expenses), hearing schedules, judgment records, and correspondence. We process Client Data solely as a data processor acting on your instructions. You remain the data controller of all Client Data. 4.3 Usage and Technical Data We automatically collect: IP addresses, browser type and version, device identifiers, operating system, access times and dates, pages viewed, features used, click patterns, session duration, referral URLs, and system performance data. 4.4 Payment and Billing Data When you subscribe to a paid plan, we collect through our third-party payment processor: billing name, billing address, payment card details (last four digits only – full card numbers are never stored on our servers), transaction history, and invoice records. Full payment card information is processed and stored exclusively by our PCI DSS-compliant payment processor. 4.5 Communication Data We collect data from your communications with us, including: support tickets, emails, feedback submissions, survey responses, and any other correspondence. 4.6 AI Interaction Data When you use our AI-powered features (Chat Assistant, Smart Drafting), we process: your queries and prompts, context data from your cases necessary to generate responses, and AI-generated outputs. AI interaction data is processed solely to provide the requested AI service and is not used to train or improve any third-party AI models without your explicit consent.

We process your Personal Data on the following legal bases, in accordance with the UAE PDPL and applicable international data protection standards: a) Contractual Necessity: Processing necessary for the performance of our contract with you, including account creation, service delivery, payment processing, and customer support. b) Consent: Where you have provided explicit consent for specific processing activities, such as receiving marketing communications, participation in surveys, or optional AI feature usage. c) Legitimate Interests: Processing necessary for our legitimate business interests, including Platform security, fraud prevention, service improvement, and analytics, provided such interests are not overridden by your rights and freedoms. d) Legal Obligation: Processing necessary to comply with applicable laws, regulations, court orders, or governmental requests under UAE law or other applicable jurisdictions.

6.1 Service Delivery and Operations We use your data to: create and manage your account, provide and maintain the Platform and all its features, process subscriptions and payments, deliver customer support, send service-related notifications (hearing reminders, appeal deadlines, document expiry alerts), and generate reports and exports as requested. 6.2 Platform Improvement and Analytics We use aggregated and anonymized usage data to: analyze Platform performance and usage patterns, identify and fix technical issues, develop new features and improve existing functionality, and conduct internal research and statistical analysis. 6.3 Security and Fraud Prevention We use technical data to: detect and prevent unauthorized access, monitor for suspicious activity, protect against security threats, and maintain the integrity and availability of the Platform. 6.4 Communications We use your contact information to: send essential service notifications, respond to your inquiries and support requests, provide product updates and feature announcements, and send marketing communications .

7.1 Categories of Recipients We may share your Personal Data with the following categories of third parties, strictly as necessary for the purposes described in this Policy: • Cloud Infrastructure Provider: Amazon Web Services (AWS) or same kind of service provider for secure data hosting and storage. • Payment Processor: PCI DSS-compliant payment gateway for subscription billing. • AI Service Provider: For AI-powered features (chat assistant, smart drafting), query data is transmitted securely to our AI service provider under strict data processing agreements. • Analytics Providers: Anonymized usage data for Platform analytics and improvement. • Email/Communication Services: For sending transactional emails and notifications. 7.2 Data Processing Agreements All third-party processors are bound by written data processing agreements that require them to: process data only on our documented instructions, implement appropriate technical and organizational security measures, assist us in fulfilling data subject rights requests, delete or return all data upon termination, and submit to audits and inspections. 7.3 We Will Never We will never sell, rent, lease, or trade your Personal Data or Client Data to any third party for their own marketing or commercial purposes. We will never use Client Data to train AI models for purposes outside of your direct service requests without your explicit written consent. We will never disclose attorney-client privileged information except as required by a valid court order.

Your data may be transferred to, and processed in, countries outside the United Arab Emirates, including countries where our cloud infrastructure providers maintain data centers. Where such transfers occur, we ensure adequate protection through: UAE Data Office-approved standard contractual clauses, transfers to countries recognized as providing adequate data protection, binding corporate rules of our service providers, or your explicit consent for specific transfers. We prioritize storing data within the UAE or the Middle East/North Africa region where commercially feasible, and we will inform you if any significant change in data storage location occurs.

9.1 Active Account Data We retain your Personal Data and Client Data for as long as your account remains active and as necessary to fulfill the purposes for which it was collected. 9.2 Post-Termination Retention Upon account closure, subscription suspension or subscription cancellation, we will: retain your account data for thirty (30) days during which you may do by yourself data export or securely delete all Client Data within sixty (30) days after the 30-day retrieval period (60 days total from account closure, subscription suspension or subscription cancellation), and retain billing and transaction records for the period required by applicable UAE tax and commercial law (currently a minimum of five (10) years). 9.3 Legal Hold We may retain data beyond the standard retention periods where required by law, regulation, legal proceedings, or governmental investigation, or where necessary to establish, exercise, or defend legal claims. 9.4 Anonymized Data Anonymized and aggregated data that can no longer be linked to any identified or identifiable individual may be retained indefinitely for statistical and analytical purposes.

We implement comprehensive technical and organizational measures to protect your data, including: 10.1 Technical Measures • AES-256 encryption for data at rest • TLS 1.2/1.3 encryption for data in transit (SSL/HTTPS) • OAuth 2.0 authentication with multi-factor authentication options • Password-protection for sensitive cases • Role-based access controls and least-privilege principles • Automatic daily backups with secure offsite storage • Regular penetration testing and vulnerability assessments • Intrusion detection and prevention systems 10.2 Organizational Measures Employee background checks, mandatory data protection training, confidentiality agreements for all staff and contractors, documented incident response and breach notification procedures, periodic security audits and compliance reviews, and restricted physical access to infrastructure.

Under the UAE PDPL and applicable international data protection frameworks, you have the following rights: • Right of Access: You have the right to obtain confirmation of whether we process your Personal Data and to request a copy of such data. • Right to Rectification: You have the right to request correction of inaccurate or incomplete Personal Data. • Right to Erasure: You have the right to request deletion of your Personal Data, subject to legitimate retention requirements. • Right to Restriction: You have the right to request restriction of Processing of your Personal Data in certain circumstances. • Right to Object: You have the right to object to Processing based on legitimate interests or for direct marketing purposes. • Right to Withdraw Consent: Where Processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior Processing. To exercise any of these rights, please submit a written request to support@advocatebox.com. We will respond to verified requests within thirty (30) days. If we require additional time due to the complexity of the request, we will notify you of the extension within the initial 30-day period.

We use cookies and similar technologies to operate and improve the Platform. The categories of cookies we use include: Essential Cookies Strictly necessary for Platform functionality, including session management, authentication, and security. These cannot be disabled. Analytics Cookies Used to understand how Users interact with the Platform. These collect anonymized data about pages visited, features used, and session duration. Preference Cookies Store your language preference (English/Arabic), display settings, and other customizations. You can manage cookie preferences through your browser settings. Disabling essential cookies may impair Platform functionality.

The Platform is designed exclusively for legal professionals and is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete such data and terminate the associated account.

The Platform may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to review the privacy policies of any third-party service before providing your data.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: notify affected Users without undue delay, provide details of the nature of the breach including the categories and approximate number of affected data subjects, describe the likely consequences of the breach, and outline the measures taken or proposed to address and mitigate the breach.

Our Platform includes AI-powered features, including the AI Chat Assistant and Smart Drafting tools. With respect to AI Processing: • AI queries are processed in real-time and are not persistently stored beyond the duration of your active session unless you choose to save outputs. • Client Data used as context for AI responses is transmitted securely and is not used to train, improve, or fine-tune any third-party AI models. • AI-generated outputs are provided for informational and drafting assistance only and do not constitute legal advice. • You retain full control over whether and how AI-generated content is used in your legal practice.

We reserve the right to modify this Privacy Policy at any time. Your continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the changes. If you do not agree with any modification, you must discontinue use of the Platform and close your account.

This Privacy Policy shall be governed by and construed in accordance with the laws of the United Arab Emirates, without regard to conflict of law principles. Any disputes arising from or relating to this Policy shall be subject to the exclusive jurisdiction of the competent courts in Dubai, United Arab Emirates.