Privacy
Last updated: 13 May 2026
Who we are
Vision SaaS FZ-LLC is a UAE-incorporated company headquartered in Dubai Silicon Oasis. We provide multi-tenant SaaS software for optical retail. For privacy enquiries, contact our Data Protection Officer at privacy@vision.tools.
What we collect
We collect the information you provide when creating an account (name, email, shop details) and the information your shop's authorized users enter into the application (customer records, prescriptions, inventory, sales). We also collect anonymised request logs for security and uptime, product-analytics events under explicit consent, and Web-Vitals telemetry (LCP, CLS, INP) under the same consent gate.
Lawful basis for processing
Under Article 6 GDPR and Article 4 of the UAE PDPL, our processing relies on the following lawful bases. Contract: account, billing, and core product operations — necessary to deliver the service you signed up for. Legitimate interests: security event logging, fraud-prevention, and aggregate service-improvement metrics. Consent: product analytics, Web-Vitals telemetry, and any marketing communications — gated by the cookie-consent banner and withdrawable at any time. Legal obligation: tax-record retention and lawful-disclosure requests from competent authorities.
Cookies and analytics
We use strictly-functional cookies (a session cookie for authentication and a NEXT_LOCALE cookie for language preference) that do not require consent. Under explicit consent we additionally run PostHog for product analytics (see /sub-processors for the full list and regions) and capture Web-Vitals/RUM telemetry — Largest Contentful Paint, Cumulative Layout Shift, Interaction-to-Next-Paint — to detect performance regressions. Both are gated by the cookie-consent banner; declining keeps the product fully functional and disables both.
Where it is stored
Customer data is stored in PostgreSQL with encryption at rest configured at the hosting layer. Vision's reference deployment runs in a UAE region with daily backups retained for thirty days; self-deployed installations may choose a different region and retention to match their buyer's data-protection regime. We are explicit about this on the /security page so a procurement form can be answered honestly.
International data transfers
Some of our sub-processors are based outside the UAE — see /sub-processors for the full list (Neon in Singapore, Vercel in the United States, Resend in the United States, HubSpot in the United States, PostHog in the EU/US). For these transfers we rely on Standard Contractual Clauses (SCCs) under Article 46 GDPR and on equivalent contractual safeguards under Article 22 of the UAE PDPL. We do not transfer data to a third country that lacks either an adequacy decision or these contractual safeguards.
Retention periods
We keep different categories of data for different periods. Account and customer records (name, email, prescriptions, sales): for the lifetime of your subscription plus a 90-day deletion window after termination, after which data is permanently erased. Visit records: same as customer records. Audit log (security and compliance trail): retained for 7 years to satisfy UAE tax and corporate-record retention obligations. Web-Vitals telemetry: 30 days, then aggregated. Anonymised request logs: 90 days. After the stated retention window we erase the underlying rows; aggregated, non-identifying metrics may persist indefinitely.
Your rights
Under GDPR, PDPL, and the California Consumer Privacy Act (CCPA), you have the following rights: (a) right of access — request a copy of the data we hold about you; (b) right to rectification — correct inaccurate data; (c) right to erasure (right to be forgotten); (d) right to data portability — receive your data in a machine-readable format; (e) right to restriction of processing; (f) right to object to processing relying on legitimate interests; (g) right to withdraw consent at any time; (h) right not to be subject to solely-automated decision-making. You can exercise (a), (b), (c), and (d) directly from your account settings (/settings/data) and the rest by writing to privacy@vision.tools. We will respond within 30 days.
Data breach notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33 GDPR / Article 9 PDPL equivalent), and we will notify affected account owners without undue delay where the breach is likely to result in a high risk to them.
Contact and complaints
Our Data Protection Officer can be reached at privacy@vision.tools. You also have the right to lodge a complaint with a competent supervisory authority — in the UAE, the UAE Data Office; in the EU, your national data-protection authority; in California, the California Privacy Protection Agency.
Changes
We will post any changes to this policy here and notify account owners by email at least thirty days before the changes take effect.