Privacy notice

Holla is an AI assistant for real-estate brokers. During the current period it is operated by Hydrologic Electronics Trading L.L.C, a company licensed in Dubai, United Arab Emirates, which holds the platform’s messaging accounts and customer contracts. Holla Technologies FZ-LLC is being established and will take over operation once its licence is issued; we will update this notice when it does. Contact: privacy@holla.ae.

Holla processes the following categories of personal data, only to the extent needed to provide the service:

• Tenant-side users. Name, email address, Supabase user ID, mobile number, RERA Broker Registration Number (BRN) or Office Registration Number (ORN), role, languages, business hours, brokerage profile, calendar OAuth tokens (when connected).
• End customers. WhatsApp / Instagram identifier (phone number or handle), display name, conversation history, voice notes, and qualification data the assistant captures during conversation (budget, timeline, financing intent, language preference, neighbourhoods of interest).
• Listings. Property records sourced from the Tenant’s feeds, CRM, manual entry, or public-portal ingestion. Listings can carry photos and descriptions originating with the Tenant or their data providers.
• Operational metadata. Audit logs of who took what action and when, IP address at signup for PDPL consent records, message-delivery receipts from Meta and Twilio, model usage for cost telemetry.
• Calendar data (when connected). Free/busy windows on the broker’s primary calendar and events Holla creates on behalf of the broker for property viewings and discovery calls. Holla does not read or transmit event titles, attendees, or descriptions from calendar entries Holla did not create.

Strictly to operate the service. Specifically:

• Reply to end customers on the Tenant’s behalf via WhatsApp, Instagram, and the website widget.
• Look up the right listing for a conversation, retrieve tenant-authored knowledge, and quote facts with the freshness hedges the system requires.
• Detect handoff moments (hot lead, frustration, identity probe, out-of-knowledge, stuck loop) so the broker is paged at the right time.
• Propose and book property-viewing slots against the broker’s calendar when connected.
• Maintain an audit log so the Tenant can answer regulatory questions about what was said in their name.
• Bill Tenants for usage, monitor service costs, and detect abuse.

We do not sell personal data. We do not use end-customer conversation content to train general-purpose machine-learning models. Anonymised aggregates and explicit human-curated eval fixtures may be used to evaluate and improve Holla itself; tenant- and end-customer-identifying data is stripped before any such use.

Holla’s primary database, authentication, file storage, and realtime layer are operated on Supabase EU-West-1 (Ireland), per ADR-0009. Cross-border transfer between the UAE and the European Union is covered by SCC-style clauses in the Tenant DPA, meeting UAE PDPL Article 22.

We have committed to revisit hosting region every 6 months and to migrate to UAE-region hosting when a stable Big-Three offering or Supabase UAE region becomes available. The migration path is real and reversible; we don’t pre-pay its cost in V1.

Holla shares the minimum data needed to deliver the service with:

• Supabase (Ireland / EU-West-1) — Postgres, auth, storage, realtime, pgvector embeddings.
• Anthropic (United States) — large-language-model inference for the assistant.
• Meta (WhatsApp Cloud API) and Twilio (Business Solution Provider) — WhatsApp message delivery.
• Deepgram and Speechmatics — voice-note transcription (audio is sent for transcription only; the audio file itself is retained per the policy below).
• Google — when a broker connects their Google Calendar, OAuth tokens and calendar-event reads / writes flow to Google’s APIs.
• Sentry — error monitoring with PII scrubbing enabled.
• Vercel — hosting of marketing and product front-ends.

We notify Tenants of new sub-processors in line with the DPA. Each sub-processor is contractually bound to use data only for the service we instruct.

When a broker authorises Holla to access their Google Calendar, we ask for the minimum scopes required:

• calendar.readonly — to read free/busy windows so the assistant can propose viewing slots that don’t conflict with existing events.
• calendar.events — to write discovery-call and viewing events onto the broker’s calendar after a booking is confirmed.

Holla’s use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We do not use Google Calendar data for advertising and never transfer it to third parties for advertising purposes.
• We do not use Google Calendar data to train general-purpose machine-learning models.
• We do not read titles, attendees, or descriptions of calendar events that Holla did not create.
• Brokers can revoke Holla’s access at any time from their Google Account permissions page or from Holla’s Settings. Revocation immediately stops all calendar reads and writes.
• OAuth refresh tokens are stored encrypted at rest in Supabase.

• Conversation messages. Retained for the lifetime of the Tenant’s account, unless the Tenant requests earlier deletion of specific conversations or end customers.
• Voice-note audio files. Purged automatically 90 days after upload, unless the Tenant has explicitly flagged a conversation for extended retention.
• Audit logs. Retained for a minimum of 12 months for security and regulatory traceability.
• Calendar OAuth tokens. Retained until the broker disconnects calendar integration or deletes their account.
• End-customer rows on opt-out. An end customer who replies STOP, UNSUBSCRIBE, or إلغاء is moved to contact_status = opt_out; no further outbound is sent. The conversation record is retained for audit traceability but excluded from any outbound path.
• Closed Tenant accounts. Personal data is purged within 90 days of account closure, except where retention is required by applicable UAE law (e.g. tax records).

If you are an end customer of a Holla Tenant, your primary point of contact for data-subject requests is the Tenant (typically the brokerage or broker you’ve been speaking with). If you cannot reach them or need an escalation path, you can also write to privacy@holla.ae; we will forward the request to the controlling Tenant and help them respond.

If you are a Tenant-side user (a broker, sales manager, or owner), you can exercise the following rights directly with Holla under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021):

• Access to your personal data.
• Correction of inaccurate or incomplete data.
• Erasure where one of the lawful grounds applies.
• Restriction of processing in defined circumstances.
• Portability of data you provided to us, in a structured format.
• Objection to processing on specific grounds.
• Withdrawal of consent for processing based on consent.
• Lodging a complaint with the UAE Data Office or, where applicable to the data’s residency, the supervisory authority in your jurisdiction.

Requests should be sent to privacy@holla.ae. We aim to respond within 30 days and will explain any extension in writing.

We follow industry-standard practices: encryption in transit (TLS 1.2+) and at rest, row-level security in Postgres so each Tenant’s data is isolated by default, secrets management via Doppler, least-privilege access controls for Holla staff, audit-logged administrative actions, and regular dependency review. We will publish a security overview document in line with the DPA.

The marketing site at holla.ae uses essential cookies and a small set of analytics measurements with PII stripping. Our authenticated product surface stores a session token in localStorage issued by Supabase auth so that you stay signed in. We do not run third-party advertising trackers on the product surface.

We will post material changes here with a new “last updated” date and notify Tenant owners by email when the change affects how their data or their end customers’ data is handled. Continued use of Holla after a change indicates acceptance of the updated notice; if a Tenant disagrees with a material change, the route is to terminate the subscription and request deletion under the rights above.

Questions about this notice or about how your data is handled: privacy@holla.ae. Time-sensitive security disclosures: security@holla.ae.