Last updated: 3 April 2026
ProsperityLab Technology Ltd
Registered in the Dubai International Financial Centre (DIFC)
DIFC, Dubai, United Arab Emirates
Contact: privacy@thinkingwealth.ai
ProsperityLab Technology Ltd (“we”, “us”, “our”) operates the ThinkingWealth Adviser platform (“Platform”). This policy explains how we collect, use, store, and protect personal data when you use the Platform, whether as an adviser or as an end investor accessing the Platform through an adviser’s white-labelled portal.
We are the data controller for adviser account data. For end-investor data processed on behalf of advisers, we act as a data processor and the adviser is the data controller.
This policy is governed by DIFC Data Protection Law No. 5 of 2020 (“DIFC DP Law”) and its implementing regulations. Where we process data of individuals in jurisdictions with their own data protection laws (including India’s Digital Personal Data Protection Act 2023 and the UK GDPR), we comply with the applicable requirements of those laws in addition to the DIFC DP Law.
| Category | Data | Purpose |
|---|---|---|
| Account data | Name, email, phone, firm name, jurisdiction | Account creation, billing, support |
| Identity verification | Government ID, proof of address (advisers only when required by regulation) | Regulatory compliance, KYC |
| Financial data | Portfolio holdings, transaction history, fee records | Platform functionality, reporting |
| Risk profile data | Risk questionnaire responses, risk scores | Suitability assessment, portfolio mapping |
| Usage data | Page views, feature usage, IP address, device type, browser | Analytics, performance, security |
| Payment data | Billing address, payment method (processed by Stripe — we do not store card numbers) | Subscription billing |
| Communications | Support tickets, emails | Customer support, service improvement |
We do not collect special category data (health, biometric, racial/ethnic origin) unless explicitly required by a regulatory obligation, in which case we will notify you separately and obtain explicit consent.
We process personal data on the following grounds under the DIFC DP Law: performance of a contract (providing the Platform services you signed up for), compliance with legal obligations (regulatory requirements, anti-money laundering), legitimate interests (security, fraud prevention, service improvement — balanced against your rights), and consent (where required, such as marketing communications). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
We use your data to operate and improve the Platform, process transactions and calculate fees, generate portfolio analytics and performance reports, send service-critical communications (downtime, security, billing), comply with applicable financial regulations, prevent fraud and unauthorised access, and, with your consent, send product updates and marketing materials.
We share personal data only where necessary and with appropriate safeguards.
| Recipient | Purpose | Safeguard |
|---|---|---|
| Brokerage partners | Trade execution, account opening | Data processing agreement, regulated entity |
| Stripe | Payment processing | PCI-DSS Level 1 certified |
| Cloud infrastructure (Azure) | Hosting, storage, compute | DPA, ISO 27001, SOC 2 |
| Analytics providers | Aggregated usage analytics | Anonymised/pseudonymised data only |
| Regulatory authorities | Legal/regulatory obligation | As required by law |
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
Your data may be processed in the UAE, India, and the European Economic Area depending on the brokerage and infrastructure involved. Where data is transferred outside the DIFC, we ensure adequate protections are in place through standard contractual clauses, adequacy decisions, or other mechanisms recognised under the DIFC DP Law.
We retain account and financial data for the duration of your active account plus 7 years to meet regulatory retention requirements. Usage and analytics data is retained for 24 months in identifiable form and indefinitely in aggregated/anonymised form. You may request earlier deletion of non-regulatory data at any time (see Section 10).
We implement technical and organisational measures proportionate to the risk, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls with multi-tenant isolation, audit logging of all data access, secrets management via Azure Key Vault (no hardcoded credentials), and regular security assessments. No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with the DIFC DP Law.
Under the DIFC DP Law, you have the right to access your personal data, rectify inaccurate data, erase data (subject to regulatory retention obligations), restrict or object to processing, receive your data in a structured, machine-readable format (data portability), and withdraw consent. To exercise any right, email privacy@thinkingwealth.ai. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the DIFC Commissioner of Data Protection.
We use strictly necessary cookies for authentication and session management. We use analytics cookies only with your consent, which you can manage through our cookie banner. We do not use advertising or tracking cookies.
The Platform is not directed at individuals under 18. We do not knowingly collect data from minors. If you believe a minor’s data has been submitted to us, contact privacy@thinkingwealth.ai and we will delete it promptly.
We may update this policy to reflect changes in law or our practices. Material changes will be notified via email or an in-platform notice at least 30 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance.
Data Protection Officer
ProsperityLab Technology Ltd
DIFC, Dubai, UAE
privacy@thinkingwealth.ai