Our commitment: Cedrus is built with privacy and data protection at its core. We do not monetise user data, we do not sell personal information, and we operate transparently about how data flows through our systems.
1. Compliance Overview
Cedrus is a UAE-focused personal wealth tracking application. Our compliance framework is built around protecting the personal and financial data of users across the UAE and GCC region.
| Control | Detail | Status |
|---|---|---|
| UAE PDPL | Federal Decree-Law No. 45 of 2021 | Active |
| HTTPS / TLS | All data encrypted in transit | Active |
| Password Hashing | bcrypt, never plain text | Active |
| Row-Level Security | Database-enforced access control | Active |
| No Data Selling | User data is never sold or rented | Active |
| Right to Deletion | Full account deletion on request | Active |
2. UAE Data Protection Law (PDPL)
The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) is the primary data protection legislation applicable to Cedrus. It came into force on 2 January 2022 and is enforced by the UAE Data Office.
Our obligations under the UAE PDPL
- Lawful basis for processing: We process personal data based on your consent (provided at account creation) and contractual necessity (to deliver the Service)
- Purpose limitation: Data is collected only for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes
- Data minimisation: We collect only the data necessary to provide the Service; no excess collection
- Accuracy: We provide tools within the app for you to update your personal data at any time
- Storage limitation: Data is retained only as long as necessary (see Privacy Policy for retention periods)
- Integrity & confidentiality: Appropriate technical and organisational security measures are in place
- Accountability: We maintain records of data processing activities and can demonstrate compliance
Cross-border data transfers
Your data may be stored in data centres outside the UAE (currently US/EU via Supabase). Under the UAE PDPL, cross-border transfers are permitted when the receiving country provides adequate protection or when appropriate safeguards are in place. Supabase is SOC 2 Type II certified and maintains appropriate safeguards for international data transfers.
We are actively working toward offering UAE-region data storage options and will update this page when available.
3. GCC Regulatory Landscape
The table below outlines the key data protection legislation applicable to users in each GCC country and our compliance position.
| Country | Law | Status |
|---|---|---|
| UAE | Federal Decree-Law No. 45 of 2021 (PDPL) | ✓ Compliant |
| Saudi Arabia | Personal Data Protection Law (PDPL), Royal Decree M/19 of 1443H | ✓ Compliant |
| Qatar | Law No. 13 of 2016 on Personal Data Protection | ✓ Compliant |
| Bahrain | Personal Data Protection Law No. 30 of 2018 | ✓ Compliant |
| Kuwait | No dedicated PDPL; general consumer protection applies | ~ Best Efforts |
| Oman | Cyber Crime Law, Royal Decree No. 12/2011 | ~ Best Efforts |
For users in the Dubai International Financial Centre (DIFC), we acknowledge the DIFC Data Protection Law No. 5 of 2020. For users in Abu Dhabi Global Market (ADGM), we acknowledge the ADGM Data Protection Regulations 2021. Users in these free zones may have additional rights under their respective frameworks.
4. Security Standards
4.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced on all endpoints)
- Passwords are hashed using bcrypt with a salt; plain-text passwords are never stored or accessible
- App PIN codes are hashed using SHA-256 and stored locally on the user's device only; they never leave the device
4.2 Authentication & Access Control
- Authentication is handled by Supabase Auth, an industry-standard, SOC 2 certified authentication system
- Row-Level Security (RLS) is enforced at the database layer: each user can only read and write their own data, enforced by Postgres policies
- Optional biometric authentication (Face ID / Touch ID) is available; all biometric processing occurs on-device via the operating system, and no biometric data is transmitted to or stored by Cedrus
- JWT (JSON Web Token) based sessions with automatic expiry
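Section 4.2 states that each user can only read and write their own rows, enforced by Postgres policies. The SQL below is an added example, not Cedrus's own schema or code, showing what that configuration looks like for one hypothetical table (`public.holdings` with an owner column `user_id`, both assumed names). It relies on Supabase's built-in `auth.uid()` helper and `authenticated` role, adds a session-level check that the isolation actually holds, and ends with an audit query that lists tables in `public` that have been left unprotected.

```sql
-- Added example, not Cedrus's own schema. The table and column names are
-- hypothetical; auth.uid() and the "authenticated" role are Supabase built-ins.
create table if not exists public.holdings (
  id         uuid primary key default gen_random_uuid(),
  -- Owner of the row. Defaults to the caller, so clients never have to send it.
  -- The cascade means deleting the auth.users row removes all of that user's data.
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  asset      text not null,
  quantity   numeric(20, 8) not null check (quantity >= 0),
  created_at timestamptz not null default now()
);

-- Supabase grants table privileges to "authenticated" by default; stated here so the
-- example is complete. Privileges decide whether a command is allowed at all,
-- policies decide which rows it may touch.
grant select, insert, update, delete on public.holdings to authenticated;

-- RLS is off by default: without this line the policies below are never consulted.
alter table public.holdings enable row level security;
-- Apply the policies to the table owner as well. Roles with BYPASSRLS (in Supabase,
-- the service_role key) still bypass them, so that key must never reach a client.
alter table public.holdings force row level security;

-- One policy per command. USING filters the rows a caller can see or act on;
-- WITH CHECK constrains the rows a caller can create or turn an existing row into.
create policy holdings_select_own on public.holdings
  for select to authenticated
  using (user_id = auth.uid());

create policy holdings_insert_own on public.holdings
  for insert to authenticated
  with check (user_id = auth.uid());

create policy holdings_update_own on public.holdings
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());   -- also stops re-assigning a row to another user

create policy holdings_delete_own on public.holdings
  for delete to authenticated
  using (user_id = auth.uid());

-- Isolation check from a SQL session. auth.uid() reads the "sub" claim from the
-- request.jwt.claims setting, so a session can act as a user without a real token.
-- Replace the two placeholders with the ids of two existing test accounts in auth.users.
begin;
  set local role authenticated;
  set local request.jwt.claims to '{"sub":"<TEST-USER-A-UUID>","role":"authenticated"}';
  insert into public.holdings (asset, quantity) values ('BTC', 0.5);  -- user_id := user A
  select count(*) as own_rows from public.holdings;

  set local request.jwt.claims to '{"sub":"<TEST-USER-B-UUID>","role":"authenticated"}';
  select count(*) as rows_visible_to_b from public.holdings;
  -- Writing a row on user A's behalf while acting as B must be rejected by WITH CHECK.
  insert into public.holdings (user_id, asset, quantity)
    values ('<TEST-USER-A-UUID>', 'ETH', 1);
rollback;

-- Audit: any table in public with RLS switched off, or switched on but with no
-- policy at all, is not protected by the mechanism described above.
select c.relname,
       c.relrowsecurity                                         as rls_enabled,
       (select count(*) from pg_policy p where p.polrelid = c.oid) as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r'
order by c.relname;
```

With the policies in place, `own_rows` returns 1, `rows_visible_to_b` returns 0, and the final insert fails with `new row violates row-level security policy for table "holdings"`; the transaction is rolled back either way, so the check leaves no test data behind. The audit query is worth running after every migration: a new table with `rls_enabled = false` or `policy_count = 0` is readable by any authenticated session, regardless of how well the other tables are locked down.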
4.3 Infrastructure Security
- Application hosted on Vercel, a SOC 2 Type II certified cloud platform
- Database hosted on Supabase, SOC 2 Type II certified, with encryption at rest
- Payment processing via Stripe, PCI DSS Level 1 certified
- No payment card data is stored by Cedrus at any point
4.4 Application Security
- Automatic app lock when device screen is turned off or app is backgrounded (when PIN is enabled)
- Inactivity auto-lock after user-configured time period
- Balance hiding feature to prevent visual data exposure in public
- PIN lockout after 5 failed attempts, with a 30-second delay, to prevent brute-force attacks
5. Data Processing & Subprocessors
We work with the following third-party subprocessors to deliver the Service. Each is bound by appropriate data processing agreements and security certifications.
Supabase Inc.
- Purpose: Database storage, user authentication, and real-time data synchronisation
- Data processed: Account information, portfolio data, all app data
- Location: United States (with EU options available)
- Certification: SOC 2 Type II
Stripe Inc.
- Purpose: Subscription billing and payment processing
- Data processed: Email address, subscription status, payment method (card data handled entirely by Stripe)
- Location: United States
- Certification: PCI DSS Level 1
Anthropic PBC
- Purpose: AI Advisor feature, generating personalised financial insights
- Data processed: Anonymised portfolio summary data (no personally identifiable information) sent per session
- Data retention by Anthropic: Not used to train models; processed in-session only (subject to Anthropic's API policy)
- Location: United States
Vercel Inc.
- Purpose: Application hosting and global content delivery
- Data processed: IP addresses, HTTP request logs (standard web server logs)
- Location: Global CDN (data centres in US, Europe, Asia)
- Certification: SOC 2 Type II
Market Data Providers (Binance API, others)
- Purpose: Real-time cryptocurrency and commodity price data
- Data processed: No personal data is shared with market data providers
6. Data Residency
Currently, user data is stored in cloud infrastructure operated by Supabase, with data centres primarily located in the United States. We recognise that UAE and GCC users may prefer or require local data residency.
Our roadmap includes:
- Evaluating UAE-based or GCC-based data centre options as our user base grows
- Providing data residency choices for enterprise or institutional users in the future
Until UAE-local storage is available, cross-border data transfers are covered by Supabase's international data transfer agreements and security certifications, consistent with UAE PDPL requirements for adequate protection.
7. Financial Regulation Scope
Cedrus is a personal finance tracking and visualisation tool. We are not regulated as a financial services provider and do not hold any financial services licence. Specifically:
- Cedrus is not licensed by the UAE Central Bank
- Cedrus is not licensed by the UAE Securities and Commodities Authority (SCA)
- Cedrus is not regulated by the Dubai Financial Services Authority (DFSA)
- Cedrus is not regulated by the Financial Services Regulatory Authority (FSRA) of ADGM
- Cedrus does not hold, manage, or transmit user funds
- Cedrus does not execute trades or transactions on behalf of users
- Cedrus does not provide licensed investment advice
Cedrus functions solely as a personal organisation and portfolio tracking tool. All financial data is entered manually by users. We do not connect to banking systems, brokerage accounts, or payment networks.
The AI Advisor feature provides general financial information for educational purposes only and does not constitute regulated financial advice.
8. User Rights & Requests
Under applicable UAE and GCC data protection laws, you have the right to:
- Access your data: Request a complete export of all personal data we hold about you
- Correct your data: Update inaccurate or outdated information via app settings or by contacting us
- Delete your data: Request full account and data deletion, completed within 30 days
- Restrict processing: Request that we limit how we use your data in certain circumstances
- Data portability: Request your data in a machine-readable format (JSON)
- Withdraw consent: Withdraw consent for non-essential data processing at any time
To submit any data rights request, email privacy@cedrus.finance with the subject line "Data Rights Request" and your registered email address. We will respond within 30 days.
9. Incident Response
In the event of a data security incident that affects your personal data, Cedrus will:
- Contain and assess the incident within 24 hours of discovery
- Notify affected users via email within 72 hours of a confirmed breach, consistent with UAE PDPL notification requirements
- Report to the UAE Data Office as required by law
- Provide a clear description of what data was affected, the likely consequences, and measures taken
- Take corrective action to prevent recurrence
To report a suspected security vulnerability or incident, contact security@cedrus.finance. We take all reports seriously and respond within 24 hours.