moi vault is operated by Shrine Global FZE LLC, a Free Zone Entity - FZE LLC registered in Ajman, United Arab Emirates (License / Registration No. 2627212489888). We are committed to complying with the General Data Protection Regulation (GDPR) where it applies and with other applicable data protection laws.
This document outlines how we process personal data, the safeguards we implement, and your rights as a data subject when using our document vault and AI-powered document management services.
Key Fact: moi vault uses zero-knowledge encryption. Your documents are encrypted on your device before they ever leave it. We cannot read, access, or view your stored documents under any circumstances.
Data Controller
Company Details
Name: Shrine Global FZE LLC
License / Registration No.: 2627212489888
Jurisdiction: Ajman, United Arab Emirates
Address: Office CWS-1V-225806, 26th Floor, Amber Gem Tower, Sheikh Khalifa Street, Ajman, United Arab Emirates
Data Protection Contact
Email: support@arc.moi
For GDPR-related inquiries, data subject requests, or complaints, please contact us at the email address above.
1.Legal Basis for Processing
We process personal data under the following legal bases as defined in Article 6 of the GDPR:
Contract Performance (Art. 6(1)(b))
Processing necessary to provide you with moi vault services, including account creation, document storage and sync, AI-powered extraction, subscription management, and customer support.
Legitimate Interests (Art. 6(1)(f))
Processing for fraud prevention, security monitoring, and service improvement, where our interests do not override your fundamental rights.
Consent (Art. 6(1)(a))
Where you have given explicit consent, such as enabling family sharing features or subscribing to marketing communications. You may withdraw consent at any time.
Legal Obligation (Art. 6(1)(c))
Processing required to comply with applicable laws, such as tax regulations and anti-money laundering requirements.
2.Categories of Personal Data
We categorize the data we process as follows:
| Data Category | Examples | GDPR Classification |
|---|---|---|
| Account Data | Email, name, phone number | PII |
| Document Metadata | AI-extracted fields (document type, dates, names), tags | User Content |
| Encrypted Documents | Zero-knowledge encrypted files (unreadable by us) | Encrypted Content |
| Subscription Data | Plan type, billing history, usage quotas | Financial |
| Technical Data | IP address, device info, crash logs | Operational |
Note: Due to our zero-knowledge encryption architecture, the actual contents of your documents are never accessible to us. We only process encrypted data that we cannot decrypt.
3.Sub-Processors
We use the following third-party sub-processors to deliver our services. Each sub-processor has been vetted for GDPR compliance and appropriate data processing agreements are in place.
Convex
United StatesPurpose: Database & Backend Services
Safeguards: SOC 2 Type II certified. Standard Contractual Clauses (SCCs) in place.
AI Model Providers
United StatesPurpose: On-Device Document Extraction & Classification
Safeguards: Data Processing Agreements in place. AI extraction processes documents locally on-device before encryption.
Apple / Google
United StatesPurpose: App Distribution & Subscription Payment Processing
Safeguards: EU-US Data Privacy Framework certified. Payment data handled entirely by platform.
4.International Data Transfers
As a UAE company serving users globally, we apply GDPR safeguards where GDPR applies. When personal data is transferred internationally, we ensure appropriate safeguards are in place:
EU-US Data Privacy Framework (DPF)
Our US-based sub-processors are certified under the DPF, allowing lawful data transfers.
Standard Contractual Clauses (SCCs)
Where DPF is not applicable, we rely on EU-approved SCCs to ensure adequate protection.
Zero-Knowledge Protection
Even when encrypted data is transferred, it remains unreadable without your device-held keys — providing an additional layer of protection beyond legal safeguards.
5.Your Rights Under GDPR
As a data subject, you have the following rights under the General Data Protection Regulation. To exercise any of these rights, please contact us at support@arc.moi.
Right of Access (Art. 15)
Request a copy of the personal data we hold about you and information about how it is processed.
Right to Rectification (Art. 16)
Request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Art. 17)
Request deletion of your personal data ('right to be forgotten') under certain circumstances.
Right to Restriction (Art. 18)
Request restriction of processing while we verify accuracy or assess objections.
Right to Portability (Art. 20)
Receive your personal data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests, including profiling.
Response Time: We will respond to your request within 30 days. If the request is complex, we may extend this by an additional 60 days, in which case we will notify you of the extension.
For account and data deletion instructions, see our Delete Account page.
6.Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account Data | Duration of account + 30 days | Account deletion request |
| Encrypted Documents | Duration of account | Account deletion or manual removal |
| Document Metadata | Duration of account + 30 days | Account deletion request |
| Subscription Records | 7 years (legal requirement) | Statutory period expiry |
| Technical Logs | 90 days | Automatic rotation |
7.Security Measures
In accordance with GDPR Article 32, we implement appropriate technical and organizational measures:
Zero-Knowledge Encryption
Documents encrypted on-device using AES-256 before upload — we never hold your keys
Encryption in Transit
TLS 1.3 for all data transmission between your device and our servers
Encryption at Rest
All stored data encrypted using industry-standard encryption on our servers
Access Controls
Role-based access with principle of least privilege for all team members
Data Minimization
Only collect and process data necessary for service delivery
Regular Audits
Periodic security assessments, vulnerability scanning, and code review
8.Data Breach Procedures
In the event of a personal data breach, we follow strict procedures in accordance with GDPR Articles 33 and 34:
Detection & Assessment
Immediate assessment of the breach scope, affected data, and potential impact.
Authority Notification
Notify the applicable supervisory authority within the required statutory timeframe if required.
User Notification
Direct notification to affected users without undue delay if there is high risk to rights and freedoms.
Remediation
Implementation of measures to mitigate harm and prevent recurrence.
Note: Due to our zero-knowledge encryption, even in the event of a data breach, the contents of your documents remain encrypted and unreadable without your device-held keys.
9.Cookies & Tracking
As a mobile application, moi vault does not use browser cookies. We use minimal device-level storage necessary for the operation of our services:
- Authentication tokens: To keep you signed in securely
- Encryption keys: Stored locally on your device for zero-knowledge encryption
- App preferences: To remember your settings and vault configuration
We do not use: Advertising trackers, third-party tracking pixels, or any form of cross-app tracking. We do not sell your data or share it with advertisers.
10.Supervisory Authority
You have the right to lodge a complaint with an applicable supervisory authority if you believe your data protection rights have been violated.
Applicable Data Protection Authority
EU and EEA users may lodge a complaint with the supervisory authority in their member state of residence, place of work, or place of the alleged infringement.
Users in other jurisdictions may contact the relevant local data protection or consumer protection authority.
11.Changes to This Policy
We may update this GDPR & Data Protection page from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page and, where appropriate, by email notification. The "Last updated" date at the top of this page indicates when this policy was last revised.
12.Contact Us
For any questions regarding this GDPR policy, to exercise your data subject rights, or to report a data protection concern:
Shrine Global FZE LLC
License / Registration No. 2627212489888
Office CWS-1V-225806, 26th Floor, Amber Gem Tower
Sheikh Khalifa Street, Ajman, United Arab Emirates