APPLICATION PRIVACY POLICY

Version of June 26, 2026

1. Introduction

This Application Privacy Policy (“Privacy Policy”) explains how Mal Digital Ltd (“we”, “us”, “our” or “Mal”), an entity incorporated in the Abu Dhabi Global Market (“ADGM”), collects, uses, processes, discloses, and protects your Personal Data when a user (“you” or “your”) uses our mobile application (the “App”) and the related services we make available through it (the “Services”). For the purposes of this Privacy Policy, “Personal Data” means any information relating to you, which may include certain sensitive data such as biometric data (see Section 4 for details).

This Privacy Policy reflects the features currently available in the App in one of the countries in which the App is currently available (the “Supported Jurisdictions”). The current list of Supported Jurisdictions is shown in the App [mal.ai/legal/app/privacy (http://mal.ai/legal/app/privacy)] and may change from time to time.

This Policy is the general notice you see when you create your account. Since some processing is more sensitive or specific, we may provide additional, shorter notices at the moment they become relevant for certain Services and/or features of the App.

As the App develops (for example, where regulated activity is introduced into the App) the way we handle your Personal Data may change, and the provisions of this Privacy Policy may be revised accordingly.

Where we revise this Privacy Policy, we will notify you the next time you log in to the App. Where the applicable law requires us to notify you before the next time you log in to the App (including when the applicable law will require us to give you an advance notice, or where a new purpose of processing will require your explicit consent), we will do so separately using the contact details we then hold for you.

The App is not intended for anyone under the age of 18, and we do not knowingly collect Personal Data from children. If we become aware that a person under 18 is using the App, we will disable their access and delete their Mal App account and the associated Personal Data as soon as reasonably practicable, except where we are required to retain certain data by law. If you believe we hold Personal Data relating to a child, please contact us using the details in Section 12.

By accessing or using the Services, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy and Application Terms and Conditions (the “Terms”), which can be found here

2. Scope of this Privacy Policy and the Role of Other Parties

The App brings together the Services that are provided by Mal and by a number of third parties (partners), including other entities of the Mal group. It is important to understand who is responsible for your Personal Data in each case. You can ask us how your Personal Data is used, and ask us to restrict its use, at any time (see Section 11 and Section 12 for details).

Mal Group Entities

Within the Mal group, Mal is the designated group controller for the App. Some features of the App can only be provided with the involvement of another entity within the Mal group that processes your personal data as its own controller. Where you choose to use such a feature in the App, Mal will collect the Personal Data specifically to pass on to another controller within Mal group for that controller’s purposes. Unless the Privacy Policy says otherwise, Mal is responsible for the processing carried out through the App for the data controllers of Mal group.

The Services for which Mal is data controller:

Creating and managing your Mal App account.

The Personal Financial Manager (“PFM”) features, which may let you connect external bank accounts and credit card accounts and view analysis of your spending depending upon your location.

The in-App AI assistant and related features for shopping, travel and eSIM discovery provided by third parties and for checkout facilitation.

Collecting and verifying your identity information and screening you for financial-crime purposes as part of onboarding to a banking or financial services product.

Third-Party Services

Where the App refers to, or gives you access to, the Services provided by third party partners (including where those Services are embedded within the App), the processing of your Personal Data in connection with those third-party services, including the lawful basis for collecting it, the terms on which it is shared onward and how long it is retained, is governed by the privacy policies of those third parties and is the responsibility of those third parties, not of Mal. To the extent allowed by applicable law, Mal is not responsible for the direct arrangements that you have with such third-party merchants or providers in the App.

As described in the Terms, for each third-party partner service, Mal acts as a technical facilitator, while respective products and services are provided directly by the partner (and not by Mal).

The Services where a third-party is data controller:

Purchases you make are with the underlying merchant or provider. Mal is not a party to those transactions and does not collect payment from you for them, although it facilitates your engagement with them through the App.

Opening a bank account with a third-party bank and its management. Your contractual and regulatory relationship for that account is with such a bank, not Mal.

Linking your bank account or credit card accounts to the PFM.

3. Governing Data Protection Regime

Mal is committed to processing your Personal Data in compliance with the ADGM Data Protection Regulations 2021 (“DPR 2021”).

In certain cases, where your Personal Data is collected in one of the Supported Jurisdictions, or is transferred to another jurisdiction (as described in Section 8), the data protection laws of those jurisdictions may also apply to its processing, and we comply with those requirements where we are required to do so.

Regardless of where your Personal Data is processed, Mal applies DPR 2021 as its baseline standard: built on the principles of the EU General Data Protection Regulation (GDPR), it reflects internationally recognised good practice in the protection of personal data, and we treat it as the minimum level of protection we extend to you wherever you are.

4. Personal Data We Collect and Process

The Personal Data we collect depends on which part or feature of the App you use. Since the App brings together several Services, the information you provide when you first start using the App may also be used to provide other Services within the App.

We will use the Personal Data we have already collected to provide you with other features of the App where this is compatible with the purpose for which it was originally collected and is covered by a lawful basis set out in Section 6. Where using your Personal Data for a new purpose requires a separate lawful basis (for example, where the law requires your separate explicit consent) we will obtain that basis before using your data for that purpose. You can ask us how your data is used, and ask us to restrict its use, at any time (see Section 11 and Section 12 for details).

When you create a Mal App account, we collect the following Personal Data:

Your mobile phone number, and the one-time passcode used to verify it;

Your declared country of residence in the Supported Jurisdictions;

A mobile PIN (mPIN) you set (which is stored only in hashed format) and any device biometrics (Face ID / fingerprint) you use to unlock the App;

A preferred name / nickname, and

Other data for the account (see Section 6 for details).

When you use the PFM features

As described in the Terms, if you connect external bank accounts or credit card accounts, we receive, through our open-banking provider, information about those accounts and the transactions on them (for example account identifiers, balances, incoming and outgoing payments, salary credits, merchant and category information, and recurring subscriptions) in order to produce the spending analysis, statistics and recommendations shown to you in the App.

When you use the in-App AI assistant and related features

The questions and instructions you enter, and the App activity needed to answer them (for example, a request such as “what did I spend this month”).

Shopping, travel and eSIM preferences and search criteria, and the details needed to pass you through to the relevant provider (merchant) checkout.

When you use the in-App AI assistant, your request is processed to work out what you are asking for and to retrieve the answer from within the App. Some of this processing uses a large-language-model (“LLM”) service provided by third-party providers (for example, OpenAI). To categorize your transactions, limited transaction details such as the transaction description, amount and merchant are processed by a third-party LLM. We do not send direct identifiers such as your name, account number, IBAN or user ID to that provider.

When you onboard to a banking product

5. Sources of Personal Data

We collect most of the Personal Data directly from you through the App. Depending on the Services and the particular feature of the App you intend to use, we also obtain personal data from:

Your connected banks and credit card providers, through our open-banking provider, for the PFM features.

Our partner merchants/providers.

Our identity-verification providers, which extract data from your identity document and perform a limited check confirming that an ID with that number exists against your name in the relevant ecosystem of the respective Supported Jurisdiction. This process will generate additional data, which we store, such as the verification reference, the match/no-match result, the facial-similarity and liveness results, the provider’s persistent customer ID and any duplicate-account flag.

Our screening provider and the sanctions, PEP, watchlist and adverse-media sources it draws on.

Publicly available resources.

Sometimes this data is provided by you, sometimes it is produced as a result of another process carried out on the App at your request or as otherwise needed to provide you with the Services, and sometimes as the result of the use of “cookies” and “SDKs”.

Cookies are small text files placed on your device by a website or web-view within our app. They help the system recognize your device and remember information about your visit (like your preferred language or login status).

Software Development Kits (“SDKs”) and unique device IDs act like cookies for apps. They are blocks of code provided by us or our partners that allow data to be processed to analyze app performance, fix crashes or deliver relevant features.

6. Purposes for Personal Data Processing

Under the ADGM Data Protection Regulations 2021 we must have a lawful basis for each use of your personal data.

Mal collects and uses your Personal Data for the purposes set out below (both for its own purposes and for the purposes of other companies within the Mal group) relying in each case on one or more of the following lawful bases under DPR 2021:

To provide and manage the Services (account setup, transactions, customer support) – performance of a contract (the Terms) with you or taking steps at your request to enter into such a contract.

To meet our legal and regulatory obligations (KYC, AML, sanctions screening, financial crime prevention, reporting requirements under any laws or regulations applicable with respect to the product you are using on the App) – compliance with a legal obligation to which Mal, Mal group entities or a third-party controller is subject.

To improve the App and the user experience (analytics, troubleshooting, security monitoring) – our legitimate interests in keeping the App and Services running efficiently and securely.

To send you marketing communications about the Services, if permitted by you – your consent, where required; or, where permitted by law, our legitimate interests (existing customers / soft opt-in).

To ensure the security of our systems (fraud prevention, system protection) – our legitimate interests in protecting our business and customers from harm, and, where applicable, compliance with a legal obligation.

The table below sets out the main purposes for processing Personal Data and the basis we rely on for each.

Purpose: Creating your account and giving you access to the App
Personal data used: Mobile number; OTP; mPIN (stored in hash format); your preferred name; country of residence; date of birth; nationality; gender; email address; device location/geolocation
Lawful basis (ADGM DPR 2021): Performance of a contract (the Terms) or steps prior to entering a contract; legitimate interests in securing the App

Purpose: Providing the PFM spending analysis
Personal data used: Connected account and transaction data including bank account details, payment card information, transaction history; sources of wealth/funds
Lawful basis (ADGM DPR 2021): Your consent to connect accounts via open banking; performance of contract (the Terms)

Purpose: Providing AI assistant, shopping, travel and eSIM features
Personal data used: Your queries, preferences and the data needed to route you to a provider
Lawful basis (ADGM DPR 2021): Performance of a contract (the Terms)

Purpose: Verifying your identity, onboarding you to a banking product and providing you the related account services
Personal data used: Your government-issued identity document(s) (national ID, passport or residence permit as applicable in your country) and the data extracted from them (such as type, number, dates, issuing authority, document images and the photo they contain, and any other information listed on such documents); your name in the original script and any transliteration; your credit score reports; your KYC account, which includes any of the documents we require you to upload and the information contained in them, your source of wealth and source of funds, and your answers to any of the KYC questions; facial-match result; tax data, which includes any tax identification numbers, tax residence and related information; country of birth; information that you provide regarding people to whom you send money
Lawful basis (ADGM DPR 2021): Compliance with a legal obligation (AML / CFT and KYC); performance of a contract (the Terms)

Purpose: Screening you for financial crime
Personal data used: Screening inputs and results (sanctions, PEP, adverse media, watchlists)
Lawful basis (ADGM DPR 2021): Compliance with a legal obligation; legitimate interests in preventing financial crime

Purpose: Using your facial image to confirm your identity
Personal data used: Facial image and biometric comparison result
Lawful basis (ADGM DPR 2021): Your explicit consent

Purpose: Preventing fraud and securing our systems
Personal data used: Device, usage and transaction metadata
Lawful basis (ADGM DPR 2021): Legitimate interests; legal obligation

Purpose: Sending you marketing or rewards (e.g. welcome bonus)
Personal data used: Contact details (email address, mobile number) and account data, as well as your preferences in receiving marketing from us
Lawful basis (ADGM DPR 2021): Your explicit consent (where required), or legitimate interest

Purpose: Managing the App and improving user experience
Personal data used: IP address, device type, operating system, app usage statistics, log-in data, cookies, and other tracking technologies, and customer support data (including information you provide when contacting our support team, for example, in a request, email, or communication feature in the App)
Lawful basis (ADGM DPR 2021): Legitimate interests

Where Mal relies on consent as the lawful basis, you have the right to withdraw your consent at any time, but this will not affect the lawfulness of processing carried out before you withdraw your consent.

As part of banking onboarding, our identity-verification provider compares a facial image of you against the photograph in your identity document to confirm that you are the person shown on it. This involves processing biometric data, which is a special category of personal data under DPR 2021 and is given extra protection.

We process this biometric data only to verify your identity for onboarding and fraud-prevention purposes, and we rely on your explicit consent to do so. You can choose not to provide it, but we will not be able to open a banking product for you without verifying your identity.

Certain Services entail activities that may involve automated decision-making or profiling:

Financial-crime screening: the screening result feeds into whether a banking product can be opened for you. Where this produces a decision with a legal or similarly significant effect, you have the right not to be subject to a solely automated decision, to obtain human review, to express your point of view and to contest the outcome.

PFM analysis: we categorize your transactions and spending to produce the insights shown to you. This is profiling, but it does not produce legal or similarly significant effects.

7. Disclosure and Sharing of Personal Data

Mal may share your Personal Data with the following parties, and when doing so, Mal will verify and screen third parties (both controllers/merchants and processors/providers), to the extent required by DPR 2021:

Recipient: Third-party merchants
Role: Controllers per arrangements with them
Why/Purpose: Providing and operating the Services embedded in the App

Recipient: Third-party providers (vendors)
Role: Processors per arrangements with them
Why/Purpose: Processing of your Personal Data at the instruction of Mal / independent controllers, as detailed in the respective written data processing terms

Recipient: Mal group entities
Role: Controllers / processors per intra-group arrangements
Why/Purpose: Providing and operating the Services you use; intra-group management and statistics; management of the App and improving of your user experience

Recipient: Regulators, authorities, law enforcement and professional advisers
Role: As required
Why/Purpose: Where we must disclose to comply with law or to establish, exercise or defend legal claims

8. International Data Transfers

In compliance with DPR 2021, we may transfer your Personal Data to a jurisdiction deemed adequate by the ADGM Commissioner of Data Protection. Where we transfer your Personal Data outside the ADGM to a jurisdiction that is not recognised as providing an adequate level of protection under DPR 2021, we put in place an appropriate safeguard, or rely on a permitted derogation, as required by DPR 2021, including the following:

Implementing Standard Contractual Clauses (SCCs) approved by the ADGM Commissioner of Data Protection.

Relying on a specific derogation (e.g., the transfer is necessary for the performance of a contract with you or with your explicit consent).

9. Data Security

In accordance with DPR 2021, Mal has implemented appropriate technical and organisational security measures, including encryption in transit and at rest, access controls, and regular audits, to protect your Personal Data and to prevent it from being accidentally lost, used, or accessed in an unauthorized way.

Where we share or transfer your Personal Data to others (whether on a controller-to-controller basis or otherwise) we require recipients to protect it to a standard consistent with this Policy and applicable law. Where a recipient acts as our processor, we require it by written contract to apply security measures at least equivalent to our own. Where we transfer your Personal Data to an independent controller, we contract for appropriate security and confidentiality safeguards; that controller then remains responsible for protecting the Personal Data while it processes it under its own responsibility.

10. Data Retention

Mal will retain your Personal Data only for as long as necessary to fulfil the purposes for which Mal collected it as described in this Privacy Policy and the Terms, and for any period we are required to keep it by law.

If you start but do not complete account creation, or you decline this Policy, we delete the data we hold within 30 days.

PFM and AI-feature data: retained for as long as you use the relevant feature or, if required by any applicable law or regulations, for such longer period.

Data held by our partners (including those offering you any banking services) and providers (for example the identity-verification and screening providers) is retained under their own retention schedules set out in our agreements with them or applicable to such partner or provider under law.

11. Your Data Protection Rights

Under DPR 2021, you have the following rights regarding your Personal Data:

Right to be Informed: The right to be provided with clear, transparent, and easily understandable information about how Mal uses your data (which this Privacy Policy does).

Right of Access: The right to obtain a copy of the Personal Data Mal holds about you.

Right to Rectification: The right to have inaccurate Personal Data corrected.

Right to Erasure: The right to request the deletion or removal of your Personal Data in certain circumstances.

Right to Restriction of Processing: The right to block or suppress further use of your Personal Data in certain circumstances.

Right to Data Portability: The right to receive your Personal Data in a structured, commonly used, and machine-readable format.

Right to Object to Processing: The right to object to processing where it is based on our legitimate interests or for direct marketing purposes.

Rights in Relation to Automated Decision Making and Profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

You can exercise these rights by contacting us using the details in Section 12. Mal may need to verify your identity before responding to your request. Where the processing of your Personal Data and request is carried out by an independent third-party controller (as explained in this Privacy Policy), Mal may refer you to that controller.

Nothing in this Privacy Policy reduces or limits any rights you may have under the law of a Supported Jurisdiction, where that law applies to you. Where it does, those rights apply in addition to the position set out in this Policy. Please contact us if you have any questions about how your Personal Data is processed, or if you believe you have rights that are not described in this Privacy Policy.

12. Contact Information and Complaints

If you have any questions about this Privacy Policy, wish to exercise any of your rights, or wish to make a complaint, please contact us at contact@mal.ai

Email for Privacy Matters: privacy@mal.ai

Supervisory Authority: You also have the right to lodge a complaint with the ADGM Commissioner of Data Protection (ODP) if you believe your rights under DPR 2021 have been infringed. Contact email: data.protection@adgm.com, contact telephone: +971 23338888.

Copyright © 2025. All rights reserved