Privacy Policy

Last updated: 4 May 2026

1. About Aman and VDR Tech

Aman is a digital safety platform designed for schools, school groups, and families. Aman is developed and operated by VDR Tech Limited, a Limited Liability Company incorporated in the United Arab Emirates under Registration No. MC 14332.

Registered Address: Smart Station, First Floor, Incubator Building, Masdar City, Abu Dhabi, United Arab Emirates.

For the purposes of applicable data protection legislation, VDR Tech Limited is the Data Controller responsible for your personal data collected through the Aman platform.

2. Legal Framework

This Privacy Policy is governed by and complies with:

  • UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), effective 2 January 2022, and its implementing regulations.
  • UAE Federal Law No. 3 of 2016 (Wadeema's Law) concerning the Rights of the Child, which mandates the protection of children in digital environments.
  • Abu Dhabi Department of Education and Knowledge (ADEK) guidelines on student data privacy and educational technology use in Abu Dhabi schools.
  • Knowledge and Human Development Authority (KHDA) guidelines on student data handling in Dubai schools.
  • UAE Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime, as relevant to data security obligations.

3. Information We Collect

3.1 Account and Identity Data

  • Full name, email address, and encrypted password.
  • Account type: parent, school administrator, teacher, or principal.
  • Organisation name and type (family or school).
  • Phone number (if provided voluntarily via contact form).

3.2 Organisation Data

  • School or family group name and member roster.
  • KHDA ID or ADEK licence reference (for school organisations, if provided).
  • Subscription plan and billing status.

3.3 Device Data

  • Device name, model, manufacturer, and operating system version.
  • Network status (whether the school VPN tunnel is connected).
  • For devices enrolled through a Mobile Device Management (MDM) provider integrated with Aman, the additional identifiers and configuration profiles that the school's MDM exposes — governed by the school's MDM agreement.

3.4 Safety and Monitoring Data

The following data is generated by the school's Aman edge server (not by the mobile applications) when an enrolled device routes its traffic through the school's VPN tunnel:

  • Web request metadata captured by the school's gateway: hostnames, URL paths, search-query strings, and the time of each request.
  • Content-filter trigger logs and AI behaviour-scanner verdicts.
  • Safety alerts generated by lexicon and AI analysis.

This data is processed and stored on the school's edge server in the UAE; it is not transmitted to third parties.

3.5 Location Data

The AmaniOS and Android applications do not access device location and do not request the corresponding system permissions. If your school operates an MDM solution that integrates with Aman, location data managed by that MDM may be visible to authorised school administrators; that visibility is governed by the school's own MDM policy and applicable agreements with the MDM provider.

3.6 Mobile Application — On-Device Data

The Amanmobile applications are thin VPN clients. The data the apps themselves handle on the device is deliberately minimal:

  • Account session: school slug, student display name and identifier, the device identifier issued by the school's edge server, and the WireGuard credentials needed to connect to the school VPN — all stored using the platform's encrypted secure storage (iOS Keychain / Android EncryptedSharedPreferences).
  • Heartbeat fingerprint (every 15 minutes while signed in): device model (e.g. “iPhone 17 Pro”), operating system version, current VPN tunnel state, and a battery indicator. No advertising identifier, no serial number, no contacts, no photos, no SMS, no location.
  • Camera (one-time, optional): used solely to scan the QR code presented by a school administrator during initial enrollment. The image is processed in memory and discarded; no photos are uploaded or saved.
  • Push-notification token (optional): when the user opts into notifications, the platform-issued APNs (Apple) or FCM (Google) token is stored to deliver safety alerts.

The apps do not access or collect: location data of any kind; contacts, calendars, photos, files, microphone audio, or screen contents; keystrokes or accessibility-service events; browsing history, bookmarks, or DNS queries on the device. The apps contain no advertising or analytics SDKs and no third-party SDKs other than the open-source WireGuard client.

Web-traffic filtering, content scanning, alert generation, and DNS blocking happen on the school's edge server (described in §3.4), not inside the apps.

4. Lawful Basis for Processing

  • Consent: You provide explicit consent when you create an account, enroll a device, or enable specific features.
  • Contractual Necessity: Processing is necessary to deliver the Aman service you have subscribed to.
  • Legitimate Interest: We process data to improve service quality and ensure the safety of children.
  • Legal Obligation: We may process data to comply with UAE law, including court orders and regulatory requirements.

5. How We Use Your Information

  • Provide, operate, and maintain the Aman digital safety platform.
  • Process device enrollment and enforce content policies.
  • Generate safety alerts and reports for parents and school administrators.
  • Run AI-powered content analysis to detect harmful content, cyberbullying, self-harm indicators, and predatory behaviour.
  • Send notifications about device status, safety alerts, and service updates.
  • Respond to your inquiries and support requests.
  • Comply with legal obligations under UAE regulations.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We may share data with:

  • School Administrators: Authorised administrators may access device data, safety alerts, and reports.
  • Parents / Legal Guardians: Parents can view device activity and safety alerts for devices they have enrolled.
  • AI Processing: Content flagged by safety filters is analysed by AI hosted on infrastructure controlled by VDR Tech. We do not send personal data to third-party AI providers.
  • Law Enforcement: We may disclose data when required by UAE law or to protect the safety of a child.
  • Service Providers: Essential infrastructure providers process data solely on our behalf under data processing agreements.

7. Data Residency

All primary Aman data is stored on servers located within the United Arab Emirates. We do not transfer personal data outside the UAE except where strictly necessary for platform operation.

8. Data Retention

  • Account Data: Retained for the duration of your active account plus 12 months after closure.
  • Device Data: Retained for 12 months after a device is unenrolled.
  • Safety Alerts and Reports: Retained for 24 months for safeguarding purposes.
  • Contact Form Submissions: Retained for 12 months.

9. Data Security

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed using bcrypt and never stored in plaintext.
  • Authentication uses signed JSON Web Tokens with automatic expiry.
  • Role-based access control ensures users only access appropriate data.

10. Your Rights Under the UAE PDPL

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your personal data.
  • Right to Data Portability: Request your data in a machine-readable format.
  • Right to Withdraw Consent: Withdraw previously given consent at any time.

To exercise any of these rights, contact our Data Protection Officer at dpo@vdrtech.net.

11. Children's Privacy

Aman is designed to protect children in digital environments, in alignment with Wadeema's Law. We do not collect personal data directly from children. All data collection is initiated by the parent or authorised school administrator.

12. Contact

Data Controller: VDR Tech Limited (Registration No. MC 14332)

Address: Smart Station, First Floor, Incubator Building, Masdar City, Abu Dhabi, UAE

Data Protection Officer: dpo@vdrtech.net

Privacy Inquiries: privacy@aman-ai.app