Issued by: Smart City Systems Software Services FZCO (“Smart City Systems”, “SCS”, “we”, “us”)
Applies to: the SmartHR platform, SmartHR mobile application, managed services and related websites (the “Service”)
Last updated: June 2026  •  Version: 2.0

Scope and Our Role

This Privacy Policy describes how Smart City Systems collects, uses, stores and protects personal data in connection with the Service. SmartHR operates under two roles:

  • As a Processor — for personal data that our customers (employers, the “Data Controllers”) submit to or generate within the Service about their employees, contractors and candidates. We process this data only on the customer’s documented instructions.
  • As a Controller — for limited data we determine ourselves, such as website-visitor, account, billing and support data.

If you are an employee or candidate of one of our customers, please direct privacy requests to your employer (your Data Controller) in the first instance; we will assist them in responding.

SmartHR Mobile App

If you choose to use our Service, you agree to the collection and use of information in relation to this Policy. The personal information that we collect is used for providing and improving the Service. We will not use or share your information with anyone except as described in this Privacy Policy. Data, documents, pictures and GPS location collected through the application are owned and used by your company, and Smart City Systems has no control over the data collected through the application. If you have any concerns about the use of the SmartHR Mobile App, please contact your company’s HR Department.

Information Collection and Use

For a better experience, while using our Service we may require you to provide certain personally identifiable information, including but not limited to your pictures, location and use of the application. The information we request is retained by us and used as described in this Privacy Policy. The app may use third-party services that collect information used to identify you, including Google Play Services and Apple App Store Services, which have their own privacy policies.

Log Data

Whenever you use our Service, in the case of an error in the app we collect data and information (through third-party products) called Log Data. This Log Data may include your device Internet Protocol (“IP”) address, device name, operating-system version, the configuration of the app, the time and date of your use, and other statistics.

SmartHR SaaS & Managed Service — Data Protection

At Smart City Systems, we are committed to protecting the privacy and confidentiality of personal data entrusted to us. As a provider of HR Software-as-a-Service (SaaS), we strive to ensure compliance with applicable data-protection laws, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and applicable free-zone regimes.

3.1 Collection of Personal Data

We collect personal data from our customers, who are the Data Controllers, for the purpose of providing HR SaaS services. The types of personal data we may collect include but are not limited to:

  • Employee information (e.g. name, contact details, employment history)
  • Financial information (e.g. salary, benefits, bank details)
  • Attendance and leave records
  • Performance evaluations and training records
  • Identity documents processed through the Service (e.g. Emirates ID, Qatar ID, passports)
  • Log data (e.g. IP address, browser details, operating-system version)

3.2 Use of Personal Data

We use personal data solely for the purpose of providing HR SaaS services to our customers, processed in accordance with the instructions provided by the Data Controllers. We do not use personal data for any other purpose without the explicit consent of the Data Controller or as required by law. We do not sell, rent or lease personal data.

By submitting personal data to SmartHR, the Customer agrees that SCS and its affiliates may process, transmit and/or store personal data only to the extent necessary for, and for the sole purpose of, enabling SCS to perform its obligations under the SaaS Agreement. The Customer is responsible as the sole Data Controller for complying with all applicable data-protection laws, including the UAE PDPL that regulate the processing of personal data and special categories of data. The Customer agrees to obtain all necessary consents and make all necessary disclosures before including personal data in Content and using the Service, will inform SCS of any special categories of data and any processing restrictions (including cross-border restrictions) prior to processing, and is responsible for ensuring the Service meets such requirements.

3.3 Data Security

We employ industry-standard security measures to safeguard personal data against unauthorised access, loss or alteration, including encryption of data in transit and at rest, access controls and user authentication, regular backups and disaster-recovery procedures, and ongoing monitoring and testing for vulnerabilities. 

3.4 Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Upon termination of the customer’s subscription, we securely delete or anonymise personal data in accordance with our data-retention policy, including any AI-derived artefacts such as embeddings and AI processing logs, unless retention is required by law.

3.5. Data Sharing and Transfers

We do not sell, rent, or lease personal data to third parties. We may share personal data with our service providers who assist us in delivering HR SAAS services, subject to strict confidentiality obligations. For detail information on the delivery model for SmartHR SAAS refer the documentation provided in the link www.smartcitysystems.com/download/SN_DC_SPEC_2019.pdf . The SmartHR delivery model is subject to change at SCS’s discretion; however, SCS changes will not result in a material reduction in the level of protection provided for Customer data. In certain cases, personal data may be transferred to countries outside the jurisdiction of the data controller, subject to appropriate safeguards as required by applicable data protection laws or agreement shared with the SmartHR SAAS sign-up data controller.

3.6 Individual Rights

Data subjects have the right to access, rectify, erase and restrict the processing of their personal data, to object to processing (including direct marketing and certain automated processing), to withdraw consent, and to data portability where applicable. In relation to significant automated decisions, individuals may request human review or an explanation. To exercise these rights, individuals should contact their respective Data Controller (employer), who will work with us to address their requests.

3.7 Updates to this Section

We may update this Data-Protection section from time to time to reflect changes in our practices or legal requirements, and encourage customers and individuals to review it periodically.

Artificial Intelligence and Automated Processing

The Service includes AI-assisted features built on Microsoft Azure AI services, including Azure AI Document Intelligence (extracting structured data from uploaded documents such as Emirates ID, Qatar ID, passports and certificates), Azure Foundry Service, Azure OpenAI Service, and Azure AI / Cognitive Services. Use of these features by customers is governed by the SmartHR AI Features Addendum. We use AI responsibly on the following basis:

  • No model training on your data. Your data, employee personal data, prompts, completions, embeddings and uploaded documents are not used to train, retrain, fine-tune or improve any AI model — ours, Microsoft’s or any model provider’s. This reflects Microsoft’s contractual commitments for the Azure AI services we use.
  • Processing location. AI processing is performed within the Microsoft Azure region(s) configured for the customer’s tenancy, primarily Azure UAE North for Middle East customers, with data at rest remaining in the designated geography. The location would vary based on the service availability.
  • Abuse monitoring. To prevent misuse, Microsoft may temporarily retain prompts and outputs for up to 30 days in an isolated, secured store used solely for abuse monitoring, accessible only to authorised Microsoft personnel and not used to train models.
  • Automated decision-making. SmartHR’s AI features are designed to assist human decision-makers, not to replace them. No employment decision is made by the platform without human review. Where AI substantially assists a decision that significantly affects an individual, a human-review path is available through the individual’s employer, consistent with the automated-processing provisions of the UAE PDPL 
  • Accuracy. AI outputs may be inaccurate or incomplete and must be verified by a human before being relied upon.

Service Providers

We may employ third-party companies and individuals due to the following reasons:

  • To facilitate our Service;
  • To provide the Service on our behalf;
  • To perform Service-related services; or
  • To assist us in analyzing how our Service is used.

We want to inform users of this Service that these third parties have access to your Personal Information. The reason is to perform the tasks assigned to them on our behalf.

Cookies

Cookies are files with a small amount of data commonly used as an anonymous unique identifier, sent to your browser from the websites you visit. The SmartHR application does not use cookies explicitly; however, it may use third-party code and libraries that use cookies to collect information and improve their services. You can accept or refuse these cookies; if you refuse, you may not be able to use some portions of the Service.

Security

We value your trust and protect your personal information using the controls described in www.smartcitysystems.com/download/SN_DC_SPEC_2019.pdf, including TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access control and tenant isolation. However, no method of transmission over the internet or method of electronic storage is 100% secure, and we cannot guarantee its absolute security.

Links to Other Sites

The Service may contain links to other sites that are not operated by us. We strongly advise you to review the privacy policy of those websites. We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party sites or services.

Children’s Privacy

The Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from children under 18. If we discover that a child under 18 has provided us with personal information, we immediately delete it from our servers. If you are a parent or guardian and aware that your child has provided us with personal information, please contact us so that we can take the necessary action.

Breach Notification

If a personal-data breach occurs, we will notify affected customers / Data Controllers without undue delay and assist them in meeting their notification obligations to the relevant supervisory authority and to affected individuals, within the timeframes required by applicable law.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page, and material changes may be notified through the Service or by email. You are advised to review this page periodically.

Contact Us

Data Protection / Compliance Officer — Smart City Systems Software Services FZCO
Email: legal@smartcitysystems.com  •  Tel (UAE): +971 4 2588814
Or reach us via our contact page.