Privacy policy

Privacy Policy

Last updated: June 2026

GarajOS ("we", "us", or "our") respects your privacy and is committed to handling personal data responsibly. This Privacy Policy explains how we collect, use, store, and protect information when you visit our platform, create an account, or use our workshop management software (the "Service").

This policy applies to platform operators, tenant administrators, and end users who access GarajOS on behalf of a workshop or garage customer. It should be read together with our Terms and Conditions.

1. Who we are

GarajOS provides cloud-based automotive workshop management software for businesses in the UAE and wider Gulf region. For the purposes of applicable data protection laws, GarajOS typically acts as a data processor for personal data that workshop customers enter about their staff, customers, and vehicles. Workshop customers remain the data controllers for that information and are responsible for lawful collection and use.

2. Information we collect

We may collect and process the following categories of information:

• Account and identity data: name, email address, phone number, job title, login credentials, and authentication logs for platform and tenant users.

• Business and billing data: company name, subscription plan, billing contact details, payment-related references processed by our payment providers, and correspondence with support.

• Workshop operational data: customer names and contact details, vehicle identifiers (such as make, model, VIN, registration), job cards, inspection notes, quotations, invoices, inventory records, and files uploaded to the Service.

• Technical and usage data: IP address, browser type, device information, session identifiers, pages viewed, feature usage, error reports, and security event logs.

• Communications: messages you send to us, feedback, and support tickets.

We do not intentionally collect special categories of personal data unless you choose to include such information in free-text fields within the Service.

3. How we use information

We use personal data to:

• provide, operate, and maintain the Service, including tenant provisioning and user authentication;

• process subscriptions, invoices, and account administration;

• provide customer support and respond to enquiries;

• monitor performance, troubleshoot issues, and improve reliability and security;

• detect, prevent, and investigate fraud, abuse, or unauthorised access;

• comply with legal obligations and enforce our Terms;

• send service-related notices such as security alerts, billing updates, or material changes to our policies.

We do not sell personal data. We do not use workshop customer records for unrelated marketing without appropriate authority from the data controller.

4. Legal bases for processing

Where GDPR or similar frameworks apply to our processing, we rely on one or more of the following bases: performance of a contract with you; legitimate interests in operating a secure SaaS platform; compliance with legal obligations; and, where required, consent. Workshop customers are responsible for establishing a lawful basis for personal data they control within their tenant.

In the UAE and wider GCC, we process personal data in accordance with applicable local requirements, including principles of fairness, purpose limitation, and security appropriate to the nature of the data processed.

5. Tenant isolation and data sharing

GarajOS is designed as a multi-tenant platform. Each workshop customer's data is logically separated within our infrastructure and is accessible only to authorised users associated with that tenant, subject to role permissions configured by the customer.

We may share information with:

• Service providers who assist with hosting, email delivery, monitoring, analytics, payment processing, or customer support, under contractual confidentiality and security obligations;

• Professional advisers where reasonably necessary;

• Authorities when required by law, court order, or to protect rights, safety, and security.

We may disclose aggregated or de-identified statistics that do not identify individuals or specific tenants.

6. International transfers

Your data may be processed in the United Arab Emirates and in other countries where we or our subprocessors maintain facilities. Where personal data is transferred internationally, we implement appropriate safeguards consistent with applicable law, such as contractual protections and security controls.

7. Data retention

We retain personal data for as long as necessary to provide the Service, fulfil the purposes described in this policy, resolve disputes, enforce agreements, and meet legal, tax, and accounting requirements. Retention periods may vary by data type and customer configuration.

When a subscription ends, we may retain certain data for a limited period to allow export where available and to satisfy backup, audit, or legal retention obligations, after which data is deleted or anonymised in accordance with our practices.

8. Security

We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include access controls, encryption in transit where supported, monitoring, and tenant separation. No method of transmission or storage is completely secure; you should protect credentials and configure user permissions appropriately.

9. Cookies and sessions

We use cookies and similar technologies to maintain authenticated sessions, remember preferences, protect against abuse, and understand how the platform is used. Session cookies are essential for login and security. Where non-essential analytics or preference cookies are used, we will provide appropriate notice and choices where required by law.

You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.

10. Your rights and choices

Depending on your location and role, you may have rights to access, correct, delete, restrict, or object to certain processing of your personal data, and to data portability where applicable. Requests relating to data controlled by a workshop customer should generally be directed to that customer in the first instance; we will assist controllers where required.

Platform account holders may update certain profile information within the Service or contact us using the details below. You may opt out of non-essential marketing communications at any time.

11. Children

The Service is intended for business use and is not directed at children. We do not knowingly collect personal data from individuals under the age of 18.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on the GarajOS platform and update the "Last updated" date. Material changes will be communicated with reasonable notice where practicable.

13. Contact us

For privacy questions, data subject requests, or security concerns, contact us at [email protected].