Privacy Policy – 5dmaty.ai and 5dmaty (Operated by Mofawada E-Commerce W.L.L)

1. Introduction

This Privacy Policy (“Policy”) governs the collection, use, processing, storage, and disclosure of personal information (“Personal Data”) by 5dmaty.ai or 5dmaty, digital platforms operated by Mofawada E-Commerce W.L.L, a company registered in the Kingdom of Bahrain under CR No. 177421-1, with its registered office at Al Nuwaidrat, Block 646, Road 4629, Building G 1390, Shop 12.

This Policy applies to all users of the 5dmaty mobile applications (iOS and Android) and websites (www.5dmaty.ai and www.mofawada.com), including Clients, Vendors, Insurance Company Representatives, and Visitors, as well as any services accessed or transactions facilitated through these applications.

Scope of Governance

This Privacy Policy is drafted and implemented in full compliance with:

  • Bahrain’s Personal Data Protection Law (Law No. 30 of 2018)

  • Electronic Transactions Law (Law No. 54 of 2018)

  • Combating Money Laundering and Terrorism Financing Law (Law No. 4 of 2001)

Key Disclaimer

5dmaty and 5dmaty.ai function exclusively as e-commerce mediation platforms. Operated by Mofawada E-Commerce W.L.L, these platforms do not directly provide or deliver any services, medical opinions, consultations, healthcare products, or wellness treatments.

All services listed or transacted through 5dmaty or 5dmaty.ai, whether in-person or virtual, medical or wellness-related, are fully the legal and operational responsibility of independent Vendors.

As such, Mofawada E-Commerce W.L.L assumes no liability whatsoever in connection with the outcome, accuracy, timeliness, ethics, safety, or legality of any service or product offered by a Vendor. This limitation of liability extends to disputes, claims, misdiagnoses, malpractice, misrepresentation, delivery issues, or any breach by a Vendor.

All disputes, service issues, or refund requests must be handled directly with the relevant Vendor. 5dmaty and 5dmaty.ai may facilitate communication but are not responsible for enforcement.

This principle is prominently communicated throughout the platforms: during registration, login, provider search, checkout, review submissions, and all transactional flows.

2. Definitions

Personal Data

For the purpose of this Policy, "Personal Data" shall include any data which can directly or indirectly identify a natural person. This includes, but is not limited to:

  • Full name, contact details (email, phone number)

  • CPR card data including full name, photo, date of birth, CPR number, nationality, and address

  • Insurance Company details provided by users for quote matching, reimbursement verification, or eligibility screening

  • Medical service interest or preferences

  • Device identifiers and usage logs

Users

"Users" includes but is not limited to:

  • Clients using the platform to search, compare, or book medical and wellness services

  • Vendors offering services via the platform

  • Visitors accessing the app or site without registration

Vendors

Entities or individuals listing services on 5dmaty or 5dmaty.ai. These may include licensed healthcare providers, wellness professionals, clinics, labs, imaging centers, or medical retail suppliers.

Insurance Data

Collected for the purpose of assisting Users in:

  • Uploading or entering their insurer name, insurance class/plan, member number, and co-pay details

  • Getting matched with eligible services that offer partial/full insurance reimbursements

  • Comparing cash price versus insurance-supported price This data is treated with the same level of protection as Personal Data under Law No. 30 of 2018.

3. Data Collection and Processing Practices

3.1 Overview of Data Collection Streams

The platforms 5dmaty and 5dmaty.ai collect data through the following streams:

  • User Registration Forms (client, vendor, insurance rep)

  • Transactional Flows (booking, negotiations, reviews, cancellations)

  • Quote Requests for Insured Services

  • User Profile Management

  • Chat/Support Interactions

  • Search Engine or Pricing Engine Interactions

  • Location and Device-Based Data Capture

3.2 Types of Personal Data Collected

The following types of data may be collected and processed:

  • Identification Information: Name, gender, nationality, date of birth

  • Contact Information: Email, phone number, physical address

  • CPR ID Scan Data: Validated Bahraini ID details where applicable

  • Insurance Information: Insurer name, member ID, plan class, claims details if provided

  • Search & Booking History: Services viewed, filters used, bookings made, cancellations

  • Health-Interest Categories: Chosen by user for targeted service display (e.g., dental, skin, wellness, pediatrics)

  • Device & Technical Data: IP address, app version, OS, device model, screen resolution

  • Vendor-Uploaded Service Descriptions: Including medical or therapeutic details

3.3 Processing Purpose and Legal Basis

  • To facilitate bookings or quotes (Contractual Necessity under Bahraini Law)

  • To validate user identity, age, or insurance eligibility (Legal Obligation)

  • To personalize recommendations and listings (Legitimate Interest / Consent)

  • To detect fraud or abuse (Legal Obligation and Public Interest)

  • To improve platform performance (Legitimate Interest)

  • To enable regulatory reporting if required by MOH or PDPA (Legal Obligation)

4. Consent, Data Sharing, and Vendor Accountability

4.1 Explicit User Consent

By using the platform, Users explicitly consent to:

  • Collection and processing of their Personal Data

  • Sharing of booking-related data with selected Vendors

  • Internal analysis and improvement of services

  • Storage of insurance details for quote matching

Consent is obtained during account creation, quote submissions, and when explicitly required for new features (e.g., location access).

4.2 Vendor Access and Responsibilities

Vendors only receive access to data necessary for fulfilling their services. For example:

  • Client name, phone, insurance info (if provided), service interest, booking time

  • They may not retain data beyond the service window

Vendors are contractually obligated to:

  • Treat all data as confidential

  • Not reuse it for unrelated marketing

  • Implement Bahrain Law No. 30 of 2018 data protection safeguards

Violations may lead to Vendor delisting, financial penalties, and/or referral to authorities.

4.3 5dmaty.ai as an Intermediary

As an e-commerce intermediary, Mofawada E-Commerce W.L.L does NOT:

  • Determine medical appropriateness of services

  • Interfere with Vendor-client diagnosis or counseling

  • Assume risk or liability for Vendor malpractice

Users acknowledge this by digital acceptance at multiple transaction points.

5. Data Retention and Deletion

5.1 General Retention Principle

Personal Data is retained only for as long as necessary to:

  • Fulfill the purpose for which it was collected

  • Comply with applicable Bahraini laws

  • Satisfy regulatory, accounting, or audit requirements

  • Defend or resolve legal claims

  • Enforce contractual rights under the Terms and Conditions

Retention periods are determined based on statutory obligations, risk exposure, and operational necessity.

5.2 Specific Retention Periods

A. User Account Data

  • Retained while the account remains active.

  • Upon deactivation, retained for 6 months to allow reactivation.

  • After 6 months, personal profile data is permanently deleted unless legal retention applies.

B. CPR / Identity Verification Data (KYC/AML)

  • Retained for 5 years in accordance with Anti-Money Laundering Law No. 4 of 2001.

  • Cannot be deleted upon request before expiration of the statutory retention period.

C. Transaction & Booking Records

  • Retained for 10 years for accounting, legal auditability, and dispute defense.

  • Includes invoices, booking confirmations, payment references, and settlement records.

D. Vendor Financial & Settlement Records

  • Retained for 10 years in accordance with Bahraini commercial and financial record-keeping obligations.

E. Chat & Support Communications

  • Retained for 3 years unless linked to an active dispute.

  • If part of litigation or investigation, retained until final resolution.

F. Technical Logs & Analytics

  • Retained for up to 24 months.

  • Anonymized where technically feasible.

  • Extended retention permitted only for fraud prevention or security investigations.

5.3 Deletion Requests

Users may request deletion of their Personal Data by contacting:

📩 services@5dmaty.ai

Upon receipt of a deletion request:

  1. Identity verification is performed.

  2. Account access is disabled immediately.

  3. Eligible data is deleted within 30 days.

  4. Confirmation of deletion is provided to the requester.

5.4 Deletion Limitations

Deletion may be denied or restricted where data is:

  • Required under AML Law No. 4 of 2001

  • Required under accounting or commercial laws

  • Necessary to resolve disputes or enforce agreements

  • Subject to court order or regulatory request

  • Required for fraud prevention or platform integrity

In such cases:

  • Data will be restricted from active processing.

  • Marked as archived for legal retention.

  • Not used for marketing or profiling.

5.5 Secure Deletion Protocols

When data becomes eligible for deletion:

  • Cryptographic erasure is applied where encryption exists.

  • Database-level permanent deletion is executed.

  • Backup copies are purged automatically during standard backup rotation cycles.

  • Physical storage media, if applicable, is securely destroyed.

Deletion procedures comply with Article 14 of Bahrain’s Personal Data Protection Law (Law No. 30 of 2018).

5.6 Backup Systems

Deleted Personal Data may temporarily remain in encrypted backup archives.

  • Backups are retained only for disaster recovery.

  • Backup retention follows automated lifecycle policies.

  • Data is permanently removed once backup cycles expire.

Backups are not reactivated except in system recovery scenarios.

5.7 Restriction of Processing

Where deletion is not legally permissible, Personal Data may be:

  • Restricted from active use

  • Removed from marketing systems

  • Isolated from operational databases

Such restriction remains in effect until lawful deletion becomes possible.

6. User Rights

In accordance with Bahrain’s Personal Data Protection Law (Law No. 30 of 2018), all users of the 5dmaty app and 5dmaty.ai are entitled to the following rights:

6.1 Right of Access Users may request a copy of all personal data held by the platform. This includes:

  • Registration data

  • CPR identification details

  • Usage and behavioral analytics Requests must be sent to services@5dmaty.ai with proof of identity.

6.2 Right to Rectification If any stored personal data is inaccurate, users have the right to request corrections. This includes outdated CPR info, address changes, or typo corrections.

6.3 Right to Object Users may object to:

  • Direct marketing communications

  • Automated profiling based on usage behavior

  • Processing of data without explicit consent unless legally necessary

6.4 Right to Erasure ("Right to Be Forgotten") Subject to retention limitations in Section 5, users may request full erasure of their account and associated personal data.

6.5 Right to Restriction of Processing Users can request that their data be locked from further processing while accuracy or legal objections are being investigated.

6.6 Right to Data Portability Where applicable, users may request their personal data in a machine-readable format for transfer to another controller (e.g., another app or service).

6.7 Right to Lodge a Complaint Users may file complaints with the Personal Data Protection Authority of Bahrain (PDPA) if they believe their rights are being violated.

Exercising These Rights: To exercise any right listed above, users should contact:

7. Marketing & Analytics Consent

Marketing Communications: Users may opt-in to receive newsletters, promotional campaigns, or new service alerts via email, push notifications, or SMS. Explicit opt-in is required for each communication channel in accordance with Law No. 30 of 2018.

Analytics Consent: Usage data collected through analytics tools (e.g., screens visited, time spent, conversion paths) is anonymized where possible. Users may opt out of non-essential analytics via app settings or browser preferences. This data is used to improve the app, not to profile individual behavior without consent.

8. Third-Party Service Providers

Scope: We may share Personal Data with third parties for:

  • Payment processing (PCI-DSS compliant)

  • Cloud hosting and app infrastructure (with data centers in compliance with Bahrain’s cross-border data protection rules)

  • Customer support tools

  • Marketing or usage analytics (e.g., Firebase, Mixpanel)

Obligations: All third-party providers must sign data processing agreements (DPAs) ensuring:

  • Compliance with Law No. 30 of 2018

  • Confidentiality of data

  • Use of data only for specified platform-related purposes

Users can request a list of third-party processors upon reasonable notice.

9. Vendor and Insurance Liability

Vendor Accountability: Vendors are fully responsible for:

  • Accuracy of service descriptions

  • Licensure and regulatory compliance

  • Delivery of services booked through the platform

  • Any claims, refunds, or liabilities arising from failed services

Disclaimer of Liability:Mofawada E-Commerce W.L.L is not a party to any medical or insurance transaction. It serves only as a conduit between the user and listed providers.

10. Legal Obligations

We process data in compliance with the following Bahraini laws:

  • Personal Data Protection Law No. 30 of 2018 (data handling, access, correction, and deletion)

  • Electronic Transactions Law No. 54 of 2018 (validity of digital records)

  • Anti-Money Laundering and Terrorism Financing Law No. 4 of 2001 (identity verification, suspicious activity flagging)

In some cases, 5dmaty may be required to:

  • Retain user identity data for government audits

  • Share data with regulators upon lawful request

  • Comply with court orders or subpoenas

11. Cookie Policy

Cookies and Tracking Tools: 5dmaty and 5dmaty.ai use cookies to remember user preferences, enhance session security, and support behavioral analytics. Types include:

  • Session Cookies (deleted on logout)

  • Persistent Cookies (used for login or language preferences)

  • Third-party Tracking Tools (like Google Analytics or Hotjar)

User Control:

  • Users are notified upon first use

  • Consent is obtained for non-essential cookies

  • Settings can be modified via browser or in-app

12. Changes and Updates

Mofawada E-Commerce W.L.L reserves the right to amend this Privacy Policy at any time. Updates will be posted with revision dates. For significant changes, users may be notified via email or in-app notification.

Continued use of the platform after updates constitutes acceptance. Users are encouraged to revisit this policy regularly.

13. Contact Information

Data Controller: Mofawada E-Commerce W.L.L CR No. 177421-1 Building G 1390, Shop 12, Road 4629, Block 646, Al Nuwaidrat Email: services@5dmaty.ai Phone: +973 66935121

For data access, deletion, objections, or complaints, users may contact the above address. Regulatory complaints may be filed with the Personal Data Protection Authority of Bahrain (PDPA).

Effective Date: This policy is effective as of February, 2026.