Политика конфиденциальности
Этот документ предоставляется на английском языке — он является официальной версией.
Last updated: 6 June 2026Version: 1.0 (Beta)
1. Introduction and Who We Are
1.1 This Privacy Policy ("Policy") explains how Xmail ("Xmail", "we", "us", or "our") collects, uses, discloses, transfers, retains, and protects Personal Data when you access or use the Xmail email platform and related websites, applications, and services (together, the "Service"). "Xmail" is the brand and trading name under which the Service is provided; the operator's full legal entity name and registered office are set out in our Legal Notice (Imprint) at /legal-notice. Xmail is licensed by the Sharjah Media City Free Zone (SHAMS), Sharjah, United Arab Emirates (licence No. 6312.01).
1.2 Xmail is an AI-powered email platform that provides a smart inbox, automated email classification, AI research and "portrait" features, custom and vanity domains, and webmail together with IMAP/SMTP access. The Service is delivered through our primary production domain xmail.com and a number of secondary and vanity domains that we operate.
1.3 For the purposes of the European Union General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the United Kingdom General Data Protection Regulation as incorporated into UK law ("UK GDPR"), and United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data together with its implementing regulations as in force from time to time (the "UAE PDPL" or "PDPL"), Xmail acts as the Controller of the Personal Data described in this Policy, except where we act as a Processor on your behalf (see Section 5.3).
1.4 Applicable UAE data-protection regime. SHAMS (Sharjah Media City Free Zone) is not a common-law financial free zone such as the DIFC or ADGM. Accordingly, the data-protection regime that applies to Xmail is the federal UAE PDPL (Federal Decree-Law No. 45 of 2021) and its implementing regulations — not the DIFC Data Protection Law or the ADGM Data Protection Regulations. References in this Policy to "PDPL" are to that federal regime.
1.5 Developing regulatory regime. As of the date of this Policy, the UAE PDPL's implementing/executive regulations have not yet been issued or entered into force, and there is no confirmed statutory compliance deadline. We process personal data in accordance with the UAE PDPL (Federal Decree-Law No. 45 of 2021) and its implementing regulations and any UAE Data Office guidance, in each case as in force and amended from time to time; where implementing regulations are not yet in force, we apply the PDPL's principles together with recognised good practice. Where this Policy refers to PDPL obligations, mechanics, transfer conditions, breach-notification timing, or the competent authority's procedures, those references describe the regime in general terms and will be updated as the regime settles. We do not assert specific PDPL article numbers as settled law.
1.6 Beta notice. The Service is currently provided in beta, on an "as-is" and "as-available" basis. Features — particularly AI features — are being rolled out gradually through the end of 2026 and may not be available now or at all. The Service may change, break, or be discontinued at any time. This Policy describes data practices for features as they become available; not all processing described here is necessarily active for every user at any given time.
1.7 Capitalised terms used in this Policy have the meaning given to them where they are defined. Cross-references are made by section number.
2. Scope of This Policy
2.1 This Policy applies to all individuals who create an Xmail account, send or receive email through the Service, visit our websites, or otherwise interact with us ("you", "User", or "Data Subject").
2.2 This Policy covers Personal Data we process as Controller. It does not cover:
(a) the practices of third-party websites, services, or senders/recipients of email that are not operated by us, even where you reach them through the Service; or
(b) Personal Data contained in email that we host on behalf of an organisation that is itself the controller of that data, in which case that organisation's privacy notice governs and we act as Processor (see Section 5.3).
2.3 If you are using Xmail as part of an account administered by an organisation (for example, on a custom domain), that organisation may have its own policies that apply in addition to this Policy.
3. Categories of Personal Data We Collect
We collect and process the following categories of Personal Data.
3.1 Account Data. Information you provide when you register and manage your account, including your name or chosen identifier, email address(es), chosen username and any vanity/custom domain details, authentication credentials (stored in hashed/derived form), account settings and preferences, and language/region.
3.2 Email Content and Metadata. The Service is an email service, and it necessarily processes the content of your email in order to function. This includes:
(a) the content of messages you send, receive, draft, or store — including subject lines, message bodies, and attachments; and
(b) metadata — including sender and recipient addresses, timestamps, routing and transport headers, message size, folder/label information, read/unread state, IP addresses involved in delivery, and anti-spam scoring data.
You should understand that operating an inbox, delivering mail, applying anti-spam filtering, and providing the AI features described in Section 5 cannot be done without processing email content and metadata. If you do not wish your email content to be processed in this way, you should not use the Service.
3.3 Usage, Log, and Device Data. Information generated automatically when you use the Service, including IP address, device and browser type, operating system, access times, pages and features used, IMAP/SMTP/webmail session data, diagnostic and crash logs, and approximate location derived from IP address.
3.4 Payment Data. When you purchase Points or other paid features, payment is processed by third-party payment providers (for example, Stripe). We do not store full card numbers. We receive limited transaction information such as the fact and amount of a payment, a transaction reference, the payment method type, billing country, and your Point balance and ledger. Where we accept crypto or stablecoin payments (now or in the future), any such payment is converted by a licensed third-party payment provider, and Xmail is settled in fiat (AED) or in a CBUAE-licensed AED payment token — Xmail is not a virtual asset service provider (VASP) and does not itself custody, exchange, or transmit virtual assets. We may process associated wallet/transaction identifiers necessary to record and reconcile the payment.
3.5 Support and Communications Data. Information you provide when you contact us for support or otherwise communicate with us, including the content of your messages, your contact details, and records of correspondence.
3.6 Derived and Inferred Data (AI "Portrait" and Classifications). Data that our automated systems generate about you or your mail, including spam/abuse scores, message type and intent classifications, extracted entities and contacts, embeddings/vector representations, research outputs, and the user "Portrait" — an evolving, AI-generated summary of inferred interests, relationships, and context derived from your email. Derived data is described in detail in Sections 5 and 6.
3.7 Special-category / sensitive personal data. Because email content is open-ended, your messages may contain special-category data within the meaning of GDPR/UK GDPR Article 9 (for example, data revealing health, religious or philosophical beliefs, political opinions, trade-union membership, sexual orientation, or biometric/genetic data) and "Sensitive Personal Data" under the PDPL. We do not actively solicit such data, but our AI Features (Section 5) process the content of your email and may therefore process special-category data that it contains. This may include special-category data about third parties (for example, senders and recipients of your incoming and outgoing email who have not themselves consented). Our lawful basis for processing your own and third parties' special-category data is set out in Section 4.3, and your controls are set out in Sections 5 and 6.
4. Purposes of Processing and Lawful Bases
4.1 We process Personal Data for the purposes set out below. The applicable lawful basis under GDPR/UK GDPR Article 6 is identified for each purpose. The corresponding lawful basis under the UAE PDPL (Federal Decree-Law No. 45 of 2021) and its implementing regulations (as in force from time to time) is the equivalent ground — for example, performance of a contract, our legitimate interest, your consent, or compliance with a legal obligation. We do not cite specific PDPL articles, because the implementing regulations and the UAE Data Office's procedures are still developing (see Section 1.5).
| # | Purpose | Categories used | GDPR/UK GDPR lawful basis |
|---|---|---|---|
| (a) | Creating and administering your account; authenticating you | Account, Usage | Art. 6(1)(b) — contract |
| (b) | Delivering, sending, receiving, storing, and synchronising email (webmail, IMAP, SMTP) | Email Content & Metadata, Usage | Art. 6(1)(b) — contract |
| (c) | Anti-spam, anti-abuse, and security filtering (scoring, quarantine, blocking) — essential, cannot be disabled | Email Content & Metadata, Usage | Art. 6(1)(b) — contract (necessary to provide and secure the Service); Art. 6(1)(f) — legitimate interests; Art. 6(1)(c) where legally required |
| (d) | Providing optional AI features — Portrait, research, and assistant | Email Content & Metadata, Derived | Art. 6(1)(a) — consent (and, for any special-category content, Art. 9(2)(a) explicit consent — see 4.3) |
| (e) | Providing essential AI processing — classification and summarisation needed to operate the inbox and protect the Service | Email Content & Metadata, Derived | Art. 6(1)(b) — contract |
| (f) | Processing payments, managing Points balances, and preventing payment fraud | Payment, Account | Art. 6(1)(b) — contract; Art. 6(1)(f) — fraud prevention |
| (g) | Providing customer support | Support, Account | Art. 6(1)(b) — contract; Art. 6(1)(f) |
| (h) | Maintaining, securing, monitoring, and improving the Service | Usage, Log, Derived (aggregated) | Art. 6(1)(f) — legitimate interests |
| (i) | Optional analytics and marketing communications | Usage, Account | Art. 6(1)(a) — consent |
| (j) | Complying with legal obligations and responding to lawful requests | Any, as required | Art. 6(1)(c) — legal obligation |
| (k) | Establishing, exercising, or defending legal claims | Any, as required | Art. 6(1)(f) — legitimate interests |
4.2 Legitimate interests balancing. Where we rely on legitimate interests (Article 6(1)(f)), we have assessed that our interests — operating a secure, functional, spam-resistant email service and protecting our users and infrastructure — are not overridden by your interests or fundamental rights and freedoms, taking into account your reasonable expectations as a user of an email service. You may object to processing based on legitimate interests as described in Section 11. You may request further information about our balancing assessments using the contact details in Section 16.
4.3 Special-category data — lawful basis (GDPR/UK GDPR Article 9). Your email may contain special-category data (Section 3.7), which may relate to you or to third parties. For users in the EEA and the UK:
(a) Your own special-category data within your mailbox, processed by optional AI Features. Where our optional AI Features (Portrait, research, assistant) process special-category data within your own mailbox, we rely on your explicit consent under GDPR/UK GDPR Article 9(2)(a), paired with the relevant Article 6 basis (Section 4.1). This consent is obtained when you enable the AI Features. Because core email delivery, storage, and security work without any AI Features, this consent is freely given and you can withdraw it at any time; withdrawal disables the optional AI Features without affecting the delivery, storage, or security of your mail (Sections 4.4, 5 and 6).
(b) Third-party special-category data in incoming email. Incoming and outgoing email may contain special-category data about senders, recipients, or other third parties who have not consented. The Article 9(2)(e) "manifestly made public by the data subject" condition does not apply to private correspondence. We therefore process such third-party special-category data only as necessary to operate your mailbox and to provide the features you have enabled (relying on Article 6(1)(f) legitimate interests and/or Article 6(1)(b) performance of contract), and we apply strict data minimization and purpose limitation. In particular, we do not infer or build profiles of special-category data about third parties, we process such data only to serve your mailbox, and we do not use email content to train foundation or AI models. We conduct a Data Protection Impact Assessment (DPIA) in respect of these high-risk processing activities.
4.4 Essential vs optional processing. Essential processing — including delivery, storage, security, and spam/abuse filtering — is necessary to provide and secure the Service and cannot be disabled while you use the Service. Optional AI Features (Portrait, research, assistant) are presented to you and can be enabled or disabled; disabling them stops the associated processing of your email content for those features (see Sections 5 and 6).
4.5 Consent and withdrawal. Where we rely on your consent (including explicit consent for optional AI Features, and consent for non-essential analytics or marketing), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawing consent means the relevant optional feature is no longer available to you.
5. How We Use AI and Automated Systems
5.1 AI processing. Functions of the Service process the content of your email using automated systems and large language models ("LLMs") in order to:
(a) classify messages by type, intent, and priority;
(b) detect and score spam, phishing, and abuse;
(c) summarise messages and threads;
(d) extract entities and contacts and build an intelligence graph;
(e) generate and maintain your Portrait; and
(f) power research and assistant features.
Of these, anti-spam/anti-abuse filtering and the classification/summarisation needed to operate and secure your inbox are essential and cannot be disabled. The Portrait, research, and assistant are optional AI Features that you can enable or disable (Sections 4.4 and 6).
5.2 Use of third-party AI subprocessors. Some AI processing is performed by third-party AI subprocessors (for example, Anthropic and OpenAI) under data-processing terms that restrict their use of the data. In those cases:
(a) email content (or the relevant portion of it) may be transmitted to the subprocessor solely to provide the requested feature for you;
(b) we contractually require that your content is processed only to provide the feature and is not used by the subprocessor to train its own foundation or general-purpose models;
(c) we do not use your email content to train our own foundation models, and none of our spam classification, Portrait, or other AI processing is used to train Xmail's own foundation models. We may use limited, internal signals (such as your own corrections and feedback, and aggregated or de-identified operational metrics) to tune and improve our own classification and filtering systems for the Service; and
(d) a current list of AI and other subprocessors is maintained as described in Section 7.
5.3 Controller / Processor and hosted mail. Where we transmit email on your behalf to or from third parties, or host mailboxes for an organisation (for example, on a custom domain or for an organisation account), the organisation is the Controller of that mail and Xmail acts as Processor with respect to that content, processing it only as needed to provide the Service and in accordance with applicable terms. We make a Data Processing Addendum (DPA) available to organisation/business customers. This allocation is consistent with our Terms of Service; see also Section 2.2(b).
5.4 Accuracy and no reliance. AI output is probabilistic and may be wrong, incomplete, or out of date. AI features (including classification, Portrait, summaries, and research) are provided for convenience only and must not be relied upon for important decisions. You remain responsible for reviewing your mail.
5.5 Automated decision-making and profiling (GDPR/UK GDPR Article 22).
(a) We use automated processing — including profiling — for (i) anti-spam and anti-abuse filtering, which may automatically score, quarantine, or block messages; and (ii) generation of your Portrait and classifications. The equivalent automated-decision protections under the PDPL and its implementing regulations apply as that regime settles (Section 1.5).
(b) Advisory, human-overridable, not solely automated. The AI Features — including spam/abuse classification and the Portrait — are advisory and human-overridable. They are not solely-automated decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22: you retain control over your mailbox, can review and override classification outcomes, and can correct, reset, or disable the Portrait. Anti-spam filtering is necessary for entering into and performing our contract with you and for providing a usable, secure email service. We provide the safeguards in paragraph (d) below.
(c) Meaningful information. Spam/abuse classification scores messages against rules, reputation signals, and machine-learning models to decide whether a message reaches your inbox, is quarantined as junk, or is blocked, subject to your override. The Portrait builds an evolving summary from your mail to personalise and assist your use of the Service. None of this profiling is used to train Xmail's own foundation models.
(d) Your safeguards. If any AI Feature ever becomes a solely-automated decision that produces legal effects concerning you or similarly significantly affects you, the Article 22 safeguards and the conditions in Article 22(4) apply: you have the right to obtain human intervention (review), to express your point of view, and to contest the decision. In any event, if a message has been wrongly filtered, classified, or reflected in your Portrait, you can report it, correct it, or request human review using the contact details in Section 16. You can also adjust certain filter and feature settings within the Service.
(e) Profiling for the Portrait does not, by itself, produce legal or similarly significant effects on you within the meaning of Article 22; it is advisory, human-overridable, and used to personalise and assist your use of the Service. You may object to it, disable it, and request its deletion as described in Sections 4.4, 6, and 11.
(f) Organisation customers. For organisation/business (Controller) customers, we make a Data Processing Addendum (DPA) available under Article 28 (Section 5.3).
6. Derived Data and the Portrait — Your Controls
6.1 The Portrait and related derived data (classifications, extracted entities, embeddings) are generated from your email content. They are stored as part of your account.
6.2 You may, subject to technical feasibility and the continued functioning of the Service:
(a) view information we hold about your Portrait and classifications;
(b) request correction of inaccurate inferences;
(c) request deletion or reset of your Portrait and derived data; and
(d) disable the optional AI Features (Portrait, research, and assistant).
6.3 Disabling optional AI Features or deleting derived data may reduce the functionality of the Service (for example, weaker prioritisation or assistant quality). Anti-spam and anti-abuse processing, and the essential classification needed to operate and secure your inbox, cannot be disabled, as they are necessary to provide and secure the Service.
7. Recipients and Subprocessors
7.1 We share Personal Data with the following categories of recipients, only as necessary for the purposes in Section 4:
(a) Third-party AI subprocessors — for example, Anthropic and OpenAI — for the AI features described in Section 5;
(b) Payment providers — for example, Stripe — and, where applicable, licensed crypto/stablecoin payment providers, to process top-ups and prevent fraud. Any crypto/stablecoin payment is converted by the licensed third-party provider and Xmail is settled in fiat (AED) or a CBUAE-licensed AED payment token (see Section 3.4 — Xmail is not a VASP);
(c) Deliverability and anti-abuse vendors — email-deliverability, reputation, and anti-abuse/spam-intelligence providers used to send, route, and protect mail. Xmail operates primarily on its own self-hosted infrastructure (own Proxmox/CEPH clusters), so third-party infrastructure exposure is limited;
(d) Professional advisers — lawyers, auditors, and accountants, bound by duties of confidentiality;
(e) Authorities and other parties — where required to comply with law, enforce our terms, or protect rights, property, or safety; and
(f) Successors — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
7.2 We do not sell your Personal Data.
7.3 A current list of our subprocessors, including their function and location, is available at /legal-notice. We will take reasonable steps to notify Users of material changes to the subprocessor list where required.
7.4 All subprocessors are engaged under written terms that require appropriate technical and organisational measures and restrict use of Personal Data to providing services to us.
8. International Data Transfers
8.1 Primary processing of your Personal Data takes place on our self-hosted infrastructure located in the United Arab Emirates.
8.2 Because some subprocessors (including AI and payment providers) operate in other jurisdictions, your Personal Data may be transferred to and processed in countries outside the UAE, the EEA, and the UK, including countries that may not provide the same level of data protection as your home jurisdiction.
8.3 Where such transfers occur, we implement appropriate safeguards, which may include:
(a) for transfers from the EEA/UK: reliance on an adequacy decision where one exists, or the use of the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Agreement / Addendum) together with supplementary measures as appropriate; and
(b) for transfers from the UAE under the PDPL: transfer to a jurisdiction recognised as providing an adequate level of protection, or, in the absence of adequacy, reliance on appropriate contractual safeguards, your explicit consent, or another lawful transfer condition available under the PDPL and its implementing regulations as in force from time to time. We do not specify a PDPL transfer article, because the implementing regulations are still developing (Section 1.5).
8.4 You may request a copy of, or more information about, the safeguards we use by contacting us as set out in Section 16.
9. Retention
9.1 We retain Personal Data only for as long as necessary for the purposes for which it was collected, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
9.2 Indicative retention periods:
(a) Account Data — for the life of your account and for **90 days after closure, then deleted or anonymised, subject to legal holds;
(b) Email Content and Metadata — stored while your account is active and you keep the mail. After termination or closure of your account, you have an export window of 30 days, after which your mailbox/email content is deleted within 30 days of the end of that window (i.e. deletion occurs up to approximately 60 days** after termination), subject to short-term backups and legal holds. This is consistent with the post-termination export window in our Terms of Service;
(c) Trash / deleted mail — items in your trash or marked for deletion are removed within **30 days ;
(d) Derived Data / Portrait — for the life of your account or until you delete, reset, or disable it (Sections 4.4 and 6);
(e) Backups — retained on a rolling basis and **overwritten within 90 days ;
(f) Server / access logs and security data — typically **12 months , longer where needed to investigate abuse or for legal reasons;
(g) Payment and transaction records — retained for **5 years (UAE tax / AML record-keeping); and
(h) Support communications — typically **24 months after resolution.
9.3 Backups are retained on a rolling basis and are overwritten in the ordinary cycle (within 90 days ); data in backups is deleted in line with the backup rotation schedule after deletion from live systems.
10. Security
10.1 We operate the Service primarily on self-hosted infrastructure under our own control (Proxmox/CEPH clusters), which limits exposure to third-party hosting environments. We implement technical and organisational measures designed to protect Personal Data, including:
(a) encryption of data in transit (TLS) and encryption of sensitive stored secrets and credentials;
(b) access controls, authentication, and the principle of least privilege for staff and systems;
(c) network hardening, restricted service exposure, and monitoring;
(d) anti-spam, anti-abuse, and intrusion-detection measures; and
(e) logging and incident-response processes.
10.2 Honest limitations. No method of transmission or storage is completely secure, and the Service is provided in beta. We cannot guarantee absolute security, and email delivery itself is not guaranteed (messages may be filtered, delayed, lost, or rejected). You are responsible for using a strong, unique password, keeping your credentials confidential, and not relying on the Service for critical or time-sensitive needs.
11. Your Rights
11.1 Subject to applicable law (GDPR/UK GDPR and the PDPL), you have the following rights in respect of your Personal Data:
(a) Access — to obtain confirmation of, and a copy of, the Personal Data we hold about you;
(b) Rectification — to have inaccurate or incomplete data corrected (including inferred/Portrait data, per Section 6);
(c) Erasure — to request deletion of your data in certain circumstances ("right to be forgotten");
(d) Restriction — to request that we limit processing in certain circumstances;
(e) Portability — to receive certain data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible (note: standard email protocols such as IMAP also allow you to export your mail directly);
(f) Objection — to object to processing based on legitimate interests, and to object at any time to processing for direct marketing;
(g) Withdraw consent — where processing is based on consent, including explicit consent for optional AI Features (Sections 4.3–4.5);
(h) Not to be subject to certain automated decisions — and the safeguards set out in Section 5.5; and
(i) Complain — to a supervisory authority (see Section 11.4).
11.2 How to exercise your rights. You may exercise your rights by contacting us at [email protected] or through in-product account controls where available. We may need to verify your identity before acting on a request.
11.3 We will respond within the timeframes required by applicable law (generally one month under the GDPR/UK GDPR, extendable where permitted; and the period prescribed by the PDPL and its implementing regulations). Our services are generally provided free of charge, though we may charge a reasonable fee or refuse manifestly unfounded or excessive requests as permitted by law.
11.4 Right to complain.
(a) EEA users may lodge a complaint with the data protection authority of their EU Member State.
(b) UK users may complain to the UK Information Commissioner's Office (ICO).
(c) UAE users may complain to the UAE Data Office (the competent authority under the PDPL), whose exact name and procedures are still being established under the developing federal regime (Section 1.5).
We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority.
12. Cookies and Similar Technologies
12.1 We use cookies and similar technologies (such as local storage and tokens) to operate the Service, keep you signed in, remember preferences, maintain security, and — with your consent where required — measure usage.
12.2 Strictly necessary cookies are used without consent because they are essential to provide the Service you request. Non-essential cookies (such as optional analytics) are used only with your consent, which you can manage through our cookie controls or your browser settings.
12.3 Further detail is provided in our /privacy, where applicable.
13. Children
13.1 The Service is not intended for children. You must be at least 18 years old to create an account or use the Service. This minimum age is consistent with our Terms of Service and Acceptable Use Policy.
13.2 Where a child between 16 and 18 is permitted to use a comparable service under applicable local law and we elect to permit such use, processing that relies on consent will, for users below the age at which they can consent on their own behalf, require the consent or authorisation of a person holding parental responsibility. In the EEA, where Member State law sets the digital-consent age at 16, that age is the relevant threshold for consent-based processing in that Member State.
13.3 We do not knowingly collect Personal Data from a person below the applicable minimum age. If we learn that we have done so without appropriate consent, we will take steps to delete the data and close the account. If you believe a child has provided us Personal Data, please contact us as set out in Section 16.
14. Breach Notification
14.1 We maintain procedures to detect, investigate, and respond to Personal Data breaches.
14.2 Where a breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority:
(a) for the EEA/UK, without undue delay and, where feasible, within 72 hours of becoming aware (GDPR/UK GDPR Article 33); and
(b) for the UAE, we will notify the UAE Data Office and affected Data Subjects without undue delay and within any period required by the PDPL and its implementing regulations as in force from time to time. We do not assert a specific PDPL hour or day count, because that timing is still being settled under the developing federal regime (Section 1.5).
14.3 Where the breach is likely to result in a high risk to you, we will also notify you without undue delay, with information about the breach and the measures you can take.
15. Changes to This Policy
15.1 We may update this Policy from time to time, including as features (especially AI features) are released or changed through the end of 2026 and beyond, and as the UAE PDPL's implementing regulations settle. The "Last updated" date at the top indicates when the Policy was last revised.
15.2 Where changes are material, we will provide reasonable notice — for example, by email or an in-product notice — before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy, except where additional consent is required by law, which we will obtain.
16. Contact Us
16.1 Controller: Xmail. Our full legal entity name and registered address are set out in our Legal Notice (Imprint) at /legal-notice (Xmail is licensed by the Sharjah Media City Free Zone (SHAMS), Sharjah, UAE, licence No. 6312.01).
16.2 Privacy / Data Protection contact: [email protected].
16.3 Data Protection Officer: available on request ([email protected]).
16.4 EU Representative (GDPR Art. 27): available on request.
16.5 UK Representative (UK GDPR Art. 27): available on request.
16.6 This Policy is governed by the laws of the United Arab Emirates as applicable to Xmail under its SHAMS licence. It forms part of, and should be read together with, our Terms of Service.