PRIVACY POLICY

Last Updated: 06 March 2026


This Privacy Policy (the “Policy”) describes how SOFIA KRALOW L.L.C – FZ, a company organized and operating under the laws of the United Arab Emirates, having its registered office at Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, UAE (the “Company”, “we”, “us”), acting as a data controller, collects, processes, stores, and protects personal data of individuals who access or use the Company’s websites, online platforms, digital programs, community environments, and related services (collectively, the “Service”).
The Service may include digital lifestyle coaching programs, online communities, informational materials, mentorship interactions, and other digital participation environments provided through websites, messaging platforms, and online communication channels.
By accessing, registering for a Program, creating an account, making a payment for a Program, contacting support, joining community platforms, or otherwise interacting with the Service, you acknowledge that you have read and understood this Policy.
If you do not agree to the terms of this Policy, please refrain from using the Service and do not submit personal data to us.


1. DEFINITIONS

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below, unless the context clearly indicates otherwise:
1.3 “User,” “you,” or “your” means any individual who accesses, uses, registers for, purchases, or otherwise interacts with the Service.
1.4 “Personal Data” means any information that identifies or may reasonably be used to identify an individual, directly or indirectly, including but not limited to name, email address, phone number, IP address, device identifiers, location data, online identifiers, social media identifiers, or other information considered personal data under applicable data protection laws.
1.5 “Processing” means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, storage, use, disclosure, transmission, organization, restriction, erasure, anonymization, or destruction.
1.6 “Account” means a personal user account or registration created by a User to access certain parts of the Service, including participation in Programs, community environments, or communication platforms.
1.7 “Program” means any digital lifestyle coaching program, course, mentorship environment, workshop, or other structured digital participation experience offered by the Company through the Service.
1.8 “User Content” means any data, materials, messages, comments, media, or other information voluntarily submitted or shared by a User within the Service, including within community chats, program environments, or communication channels.
1.9 “Community Environment” means any online space provided by the Company for interaction between Users and the Company, including private chats, Telegram channels, discussion platforms, or other digital community spaces related to the Programs.
1.10 “Technical Data” means information automatically collected when a User interacts with the Service, including IP address, device type, browser type, operating system, approximate location information, and usage-related interaction data.
1.11 “Third Parties” means any individuals or entities other than the User or the Company, including payment processors, hosting providers, analytics providers, communication platforms, and other service providers supporting the operation of the Service.
1.12 “Applicable Law” means all laws, regulations, rules, and regulatory requirements applicable to the Company, the Service, or the User, including data protection and privacy laws.


2. GENERAL PROVISIONS

2.1 This Privacy Policy applies to all processing of Personal Data carried out by the Company in connection with the use of the Service by Users, regardless of the device, operating system, interface, or platform through which the Service is accessed.
2.2 The Company acts as a data controller with respect to the Personal Data processed in connection with the Service, unless expressly stated otherwise in this Privacy Policy or required by applicable law.
2.3 This Privacy Policy forms an integral part of the Terms of Service and shall be interpreted consistently therewith. In the event of any conflict between this Privacy Policy and the Terms of Service, the provisions of this Privacy Policy shall prevail with respect to matters of personal data protection and privacy.
2.4 By accessing or using the Service, you acknowledge that your Personal Data may be processed in accordance with this Privacy Policy. The Company processes Personal Data based on the legal bases described in Section 5 (Legal Bases for Processing), including performance of a contract, legitimate interests, compliance with legal obligations, and, where required, your consent. Processing of Personal Data may include collection, storage, communication-related processing, analytics, and other operational activities necessary for the functioning of the Service.
2.5 The Company may update or modify this Privacy Policy from time to time to reflect changes in legal requirements, business practices, or the functionality of the Service. Where required by applicable law, the Company will provide appropriate notice of material changes prior to such changes becoming effective.
2.6 Your continued use of the Service after the effective date of an updated Privacy Policy constitutes acknowledgment of the revised Policy, except where applicable law requires renewed consent or additional user action.


3. DATA WE COLLECT

The Company collects categories of Personal Data that are reasonably necessary to operate the Service, comply with legal obligations, and achieve the purposes described in this Privacy Policy.
3.1 We collect Personal Data that you voluntarily provide when you:
(i) register for a Program or create an Account;
(ii) purchase access to a Program or other paid Service;
(iii) join community environments, communication channels, or messaging platforms related to the Programs;
(iv) contact customer support or otherwise communicate with us.
Such information may include:
(v) name or username;
(vi) email address;
(vii) phone number (where voluntarily provided);
(viii) social media identifiers (for example, Instagram username);
(ix) information contained in support requests or communications;
(x) Program participation information (such as enrollment status or participation history).
The Company may request certain information necessary to provide access to the Programs or communication channels. Users are not required to provide more personal information than reasonably necessary for participation in the Service.
3.2 When using the Service, you may submit User Content, including text messages, comments, media, feedback, or other information shared within the Service. User Content may include Personal Data where voluntarily provided by you in: community discussions; messaging platforms; program-related communications; support inquiries. You are solely responsible for ensuring that you do not submit Personal Data of third parties without proper legal authorization.
The Company does not intentionally request sensitive categories of Personal Data, and Users should avoid submitting such information unless necessary for communication with the Company.
3.3 When you access or use the Service, we automatically collect certain technical and usage information, including:
(i) IP address;
(ii) approximate location data (country and city level);
(iii) device information (device type, operating system, application version; desktop or mobile);
(iv) usage and interaction data within the Service;
(v) technical logs, crash reports, and performance diagnostics.
This information is used for analytics, security, troubleshooting, and Service improvement purposes.
3.4 Payments for Programs or other paid Services are processed by third-party payment providers and payment platforms. The Company does not collect or store full payment card details. We may receive limited transactional data from payment providers, including: payment confirmation; transaction identifiers; payment status; information necessary for accounting, fraud prevention, or access management.
3.5 We may receive limited information from third parties in connection with your use of the Service, including:
(i) application distribution platforms (Apple App Store, Google Play Store);
(ii) analytics providers (such as Amplitude);
(iii) infrastructure and hosting providers.
Such data is processed in accordance with this Privacy Policy and applicable law.


4. HOW WE USE PERSONAL DATA

The Company uses Personal Data solely for purposes that are necessary to operate the Service, fulfill contractual obligations, and comply with applicable laws. Specifically, we use Personal Data for the following purposes:
4.1. Provision and Operation of the Service. To create and manage User Accounts and Program registrations, provide access to the Service and digital Programs, manage community environments and communication channels, and ensure the proper technical operation, availability, and functionality of the Service.
4.2. Subscription Management and Payment Processing. To process payments, confirm transactions related to Program participation, maintain billing and accounting records, prevent fraudulent transactions, and ensure proper access to paid Programs or Services. Payment processing is performed by authorized third-party payment providers, which process payment information in accordance with their own terms and privacy policies.
4.3. Analytics and Service Improvement. To analyze usage patterns, device information, and interaction data in order to improve the quality, stability, security, and functionality of the Service. Such analysis may include evaluation of user interaction with the Service, Program participation metrics, and technical performance of the platforms used to deliver the Service.
4.4. AI Training Restriction. The Company does not use Personal Data provided by Users to train artificial intelligence models or machine learning systems for unrelated commercial purposes. Any automated processing performed within the Service is limited to providing the functionality of the Service itself.
4.5. Communications and Notifications. To send service-related communications, including transactional emails, Program-related notifications, technical notices, security alerts, community updates, and responses to support inquiries. Communication with Users may occur through email, messaging platforms, or other communication channels used for Program participation and support.
4.6. Security, Abuse Prevention, and Compliance. To detect, prevent, and respond to fraud, abuse, unauthorized access, or other misuse of the Service, and to comply with applicable legal obligations or enforce our agreements.


5. LEGAL GROUNDS FOR PROCESSING

The Company processes Personal Data in accordance with applicable data protection and privacy laws, including, where applicable, the General Data Protection Regulation (GDPR), the UK GDPR, relevant data protection laws of the United Arab Emirates, applicable United States federal and state privacy laws (such as the California Consumer Privacy Act and similar laws), Canadian privacy legislation, and other relevant regulations. Depending on the context and applicable law, the Company relies on one or more of the following legal bases for processing Personal Data:
5.1. Performance of a Contract. Processing is necessary to perform a contract with you, including providing access to the Service, creating and managing your Account, registering you for Programs, providing access to Program environments and community platforms, processing communications submitted through the Service, and managing payments related to Programs or other Services.
5.2. Legitimate Interests. Processing is necessary for the Company’s legitimate business interests, including operating, maintaining, securing, and improving the Service, analyzing usage and performance, managing Program participation, preventing fraud and abuse, and providing customer support, provided that such interests do not override your rights and freedoms under applicable law.
5.3. Legal Obligations. Processing is necessary to comply with applicable legal and regulatory obligations, including accounting, tax, recordkeeping, and responding to lawful requests from public authorities.
5.4. Consent. Where required by applicable law, the Company processes Personal Data based on your consent, including where certain features involve processing of Health Data or similar sensitive information voluntarily provided by you. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.


6. DATA RETENTION

The Company retains Personal Data only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, including operating the Service, maintaining Accounts and Program participation records, complying with legal obligations, resolving disputes, preventing fraud and abuse, and enforcing our agreements.
6.1. How we determine retention periods. Retention periods are determined based on:
(i) the nature, sensitivity, and purpose of the Personal Data;
(ii) applicable legal, tax, accounting, and regulatory requirements;
(iii) operational, security, and fraud-prevention needs;
(iv) whether the data is needed to establish, exercise, or defend legal claims.
6.2. Typical retention categories. For clarity, the Company generally retains the following categories of information as follows (unless a longer period is required or permitted by law):
(i) Account and contact information (e.g., email, account identifiers): retained for as long as your Account remains active, and for a reasonable period thereafter for compliance, security, and support purposes.
(ii) Subscription and transaction information (e.g., subscription status, billing identifiers, payment confirmation, refunds/chargebacks if any): retained as required for accounting, tax, and audit purposes and to address disputes or chargebacks.
(iii) Technical logs and security data (e.g., IP address logs, device information, fraud/abuse signals): retained for as long as reasonably necessary to maintain security, detect abuse, troubleshoot issues, and comply with legal obligations.
(iv) Analytics data (e.g., usage events and performance metrics): retained in aggregated or de-identified form where possible. Where retained in identifiable form, it is kept only for as long as necessary for analytics and improvement purposes.
(v) User Input and AI-generated outputs (e.g., food images, analysis results, reports, or content stored within your account): retained to provide the Service to you and enable Service functionality. If you delete such content within the Service (where available), we will take reasonable steps to delete or de-identify it, subject to technical limitations, legal requirements, and backup retention cycles.
6.3. Deletion and anonymization. When Personal Data is no longer required for the purposes described above, we take commercially reasonable steps to delete it or anonymize/de-identify it in accordance with applicable standards. Please note that deletion may not be immediate and may occur in accordance with our routine backup, logging, and security retention cycles.
6.4. Legal claims and compliance holds. We may retain Personal Data for longer periods where required by applicable law, or where necessary to establish, exercise, or defend legal claims, respond to lawful requests, or enforce our agreements.


7. COOKIES AND SIMILAR TECHNOLOGIES

7.1. What cookies are. Cookies are small text files placed on your device by a website or service. Similar technologies (such as SDKs, pixels, tags, and local storage) may also be used to collect technical and usage information. In this Privacy Policy, we refer to these collectively as “Cookies” unless stated otherwise.
7.2. What technologies we use in the Service. Depending on how you access the Service (for example, through our websites or online platforms), we may use the following technologies:
(i) Essential cookies used to enable core functionality of the Service (such as session management, authentication, and security);
(ii) Analytics technologies used to measure website and platform usage, interaction patterns, and technical performance;
(iii) Local storage or browser storage used to save preferences, session data, or technical settings required for the functioning of the Service;
(iv) Log files and similar diagnostic tools used to monitor technical performance, detect errors, and ensure system security.
7.3. Why we use Cookies. We use Cookies only for the following purposes:
(i) Strictly necessary purposes: to operate the Service, maintain secure sessions, prevent abuse, and ensure proper functionality of websites and platforms;
(ii) Analytics and performance purposes: to understand how Users interact with the Service, measure usage patterns, evaluate platform stability, and improve functionality and user experience.
(iii) The Company does not use Cookies for third-party advertising, behavioral targeting, or cross-site advertising tracking.
7.4. Categories of Cookies we use
(a) Strictly Necessary Cookies / Essential Technologies
These are required to operate the Service and provide basic features. Without them, the Service may not function properly. These may include:
(i) security-related cookies and anti-abuse mechanisms;
(ii) session identifiers (where applicable);
(iii) load balancing and infrastructure-related cookies;
(iv) preferences required for core operation (e.g., language or basic settings).
(b) Analytics Cookies / Analytics Technologies
These help us understand aggregated usage of the Service (e.g., which features are used, how often crashes occur, performance latency, and general interaction events). We use analytics primarily to improve:
(i) reliability and stability;
(ii) feature usability;
(iii) bug detection and troubleshooting.
Analytics data may be collected through tools such as Amplitude and processed using analytics infrastructure (including services such as BigQuery) for aggregated statistical analysis and Service improvement purposes only, in accordance with this Privacy Policy.
7.5. What data Cookies may collect
Depending on the technology and your device settings, Cookies and similar technologies may collect:
(i) device and application information (device type, OS, app version);
(ii) network information (such as IP address);
(iii) approximate location information (country and city level derived from IP or device settings, where available);
(iv) event-based usage data (e.g., feature clicks, navigation patterns, error events);
(v) performance data (crash logs, diagnostics).
The Company does not intentionally use Cookies to collect sensitive categories of Personal Data.
7.6. Your choices and controls
You can control cookies and similar technologies in several ways:
(i) Browser controls (website): most browsers allow you to delete or block cookies and manage preferences.
(ii) Device controls (mobile app): you may manage or limit the use of Cookies and similar technologies through your device or browser settings, where applicable. Please note that the Service does not use advertising cookies or advertising identifiers for marketing or behavioral advertising purposes.
(iii) In-app settings: where the Service provides settings related to analytics or privacy, you can manage them within the Service.
Please note: If you disable essential cookies or core technologies, some features of the Service may not function properly.
7.7. Do Not Track signals
Some browsers transmit “Do Not Track” signals. The Service is not designed to respond to such signals in a uniform way, because there is no common industry standard for interpreting them. However, you can still manage cookie preferences through your browser or device settings as described above.
7.8. Updates to this section
We may update this Cookies section from time to time as technologies and legal requirements evolve. Updates become effective when posted within the Service.


8. SHARING AND DISCLOSURE OF PERSONAL DATA

The Company does not sell, rent, or trade Personal Data. We disclose Personal Data only where necessary to operate the Service, comply with legal obligations, or protect our rights, and solely in accordance with this Privacy Policy.
8.1. Service Providers and Infrastructure Partners. We may share Personal Data with trusted third-party service providers that assist us in operating, maintaining, and improving the Service. These may include providers of:
(i) cloud infrastructure and hosting services;
(ii) analytics and performance monitoring tools;
(iii) customer support and communication systems;
(iv) security, fraud prevention, and abuse detection services;
(v) communication platforms and community infrastructure used for Program delivery and interaction.
Such service providers process Personal Data only on our behalf and under contractual obligations that require confidentiality, appropriate security measures, and use of data solely for the purposes specified by the Company. Where applicable, processing is performed under data processing agreements consistent with applicable data protection laws.
8.2. Payment Processing. Payments for Programs or other paid Services are processed by third-party payment providers or payment platforms. These providers may include payment processors, payment gateways, or financial service providers used to facilitate transactions for Program participation.
The Company does not collect or store full payment card details. Payment providers process payment information independently and in accordance with their own privacy policies and security standards. We may receive limited transactional information (such as payment status, subscription type, and billing identifiers) for accounting, support, and fraud prevention purposes.
8.3. Analytics and Aggregated Data. We may share anonymized or aggregated data that does not identify individual users with service providers or partners for analytics, performance optimization, and service improvement purposes. Such data cannot reasonably be used to identify you.
8.4. Legal and Regulatory Disclosure. We may disclose Personal Data if we believe in good faith that such disclosure is necessary to:
(i) comply with applicable laws, regulations, legal processes, or governmental requests;
(ii) enforce our Terms of Use or other agreements;
(iii) protect the rights, property, or safety of the Company, our users, or third parties;
(iv) prevent fraud, abuse, or other unlawful activity.
8.5. Business Transfers. In the event of a merger, acquisition, reorganization, sale of assets, or similar corporate transaction, Personal Data may be transferred as part of such transaction, subject to continued protection consistent with this Privacy Policy and applicable law, and appropriate confidentiality and data protection safeguards.


9. USER RIGHTS AND CHOICES

The Company respects your privacy rights and provides mechanisms to exercise them in accordance with applicable data protection laws. Your rights may vary depending on your location and the laws that apply to you.
You may exercise your rights by contacting us using the details provided in this Privacy Policy. We may request reasonable verification of your identity before responding.
9.1. Rights of EEA and UK Residents. If you are located in the European Economic Area (EEA) or the United Kingdom, you may have the following rights under the GDPR or UK GDPR, subject to legal limitations:
(i) Right of access – to request confirmation of whether we process your Personal Data and to obtain a copy of such data;
(ii) Right to rectification – to request correction of inaccurate or incomplete Personal Data;
(iii) Right to erasure – to request deletion of your Personal Data where processing is no longer necessary or lawful;
(iv) Right to restriction of processing – to request limitation of processing in certain circumstances;
(v) Right to data portability – to receive Personal Data in a structured, commonly used, and machine-readable format;
(vi) Right to object – to object to processing based on legitimate interests;
(vii) Right to withdraw consent – where processing is based on consent, at any time without affecting prior lawful processing.
In certain circumstances, individuals may also have the right to request information regarding automated processing where such processing produces legal or similarly significant effects.
Please note that some rights may be limited where processing is required to comply with legal obligations or to establish, exercise, or defend legal claims.
9.2. Rights of U.S. Residents. If you are a resident of certain U.S. states with applicable privacy laws (such as California), you may have the right to:
(i) request access to the categories and specific pieces of Personal Data we have collected about you;
(ii) request correction of inaccurate Personal Data;
(iii) request deletion of Personal Data, subject to applicable exceptions;
(iv) opt out of certain data processing practices where required by law.
The Company does not sell Personal Data and does not engage in cross-context behavioral advertising. You will not be discriminated against for exercising any applicable privacy rights.
9.3. Rights of Canadian Residents. If you are a resident of Canada, your Personal Data is processed in accordance with applicable Canadian privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Subject to applicable legal limitations, you may have the right to:
(i) request access to the Personal Data we hold about you;
(ii) request correction of inaccurate or incomplete Personal Data;
(iii) request information about how your Personal Data is used and disclosed;
(iv) withdraw consent to the processing of your Personal Data, where such processing is based on consent and where withdrawal is permitted by law.
Please note that certain requests may be limited or refused where permitted or required by applicable law, including where the information is subject to legal privilege, required to be retained for legal or regulatory purposes, or where disclosure would reveal confidential commercial information.
9.4. Exercising Your Rights. To exercise any applicable privacy rights, you may submit a request by contacting the Company using the contact details provided in this Privacy Policy.
In order to protect your privacy and security, we may require reasonable verification of your identity before processing your request. We will respond to your request within the timeframes required by applicable law.
In certain circumstances, we may deny or partially fulfill a request where permitted by law, including where fulfilling the request would:
(i) conflict with legal or regulatory obligations;
(ii) affect the rights and freedoms of other individuals;
(iii) compromise security, fraud prevention, or abuse detection measures;
(iv) require disproportionate technical effort.
Where applicable, you may designate an authorized representative to submit a request on your behalf, subject to verification of such authorization. We may retain minimal information necessary to document and demonstrate compliance with privacy requests, as required by applicable law.


10. INTERNATIONAL DATA TRANSFERS

The Company is established in the United Arab Emirates, and the Service may be operated and supported using infrastructure and service providers located in multiple jurisdictions, including the United Arab Emirates, the European Economic Area, the United States, and other countries. As a result, your Personal Data may be transferred to, stored in, and processed outside of your country of residence, including jurisdictions that may have data protection laws that differ from those in your jurisdiction. Where required by applicable law, the Company implements appropriate safeguards to protect Personal Data during international transfers. Such safeguards may include: Standard Contractual Clauses (SCCs); contractual protections with service providers; technical and organizational security measures; or other legally recognized transfer mechanisms under applicable data protection laws. Where applicable, the Company assesses international data transfers and implements supplementary safeguards where required to ensure an adequate level of data protection. By using the Service and providing Personal Data, you acknowledge and understand that your Personal Data may be transferred to and processed in countries outside of your jurisdiction for the purposes described in this Privacy Policy.


11. SECURITY MEASURES

The Company implements reasonable and appropriate technical, organizational, and administrative measures designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. Such measures may include, where appropriate:
(i) access controls and authentication mechanisms;
(ii) encryption and secure transmission protocols;
(iii) monitoring, logging, and incident detection procedures;
(iv) internal policies and employee access limitations;
(v) periodic review and improvement of security practices.
However, no method of transmission over the Internet or method of electronic storage is completely secure. Nothing in this Privacy Policy shall be interpreted as a guarantee of absolute security. The Company takes reasonable steps to maintain the security of Personal Data and to prevent unauthorized access, loss, misuse, or disclosure. In the event of a security incident involving Personal Data, the Company will take appropriate steps to investigate, mitigate, and respond to the incident in accordance with applicable law and regulatory requirements. You are responsible for maintaining the confidentiality of your account credentials and for limiting access to your devices. The Company is not responsible for unauthorized access resulting from your failure to safeguard your credentials.


12. CHANGES TO THIS PRIVACY POLICY

We reserve the right to amend this Privacy Policy from time to time to reflect changes in legal, regulatory, or operational requirements, or to update our data practices. Any modifications will take effect upon publication of the updated version within the Service or on the relevant website, unless otherwise specified. The “Last Updated” date at the top of this document will indicate the date of the most recent revision. Where required by applicable law, we will provide prior notice of material changes and, where necessary, obtain renewed consent. We may, but are not obliged to, notify you separately of material changes via email or through other communication channels used in connection with the Service. By continuing to use the Service after such updates are published, you acknowledge and accept the revised terms. If you do not agree to any changes, you must cease using the Service. If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your Personal Data, you may contact us using the information provided below.


Contact Details
SOFIA KRALOW L.L.C – FZ
Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates
Email: info@sofiakralow.com