Privacy Policy
Last updated: May 2026
This Privacy Policy explains how Vaival collects, uses, shares, and protects information when you visit our website, request information about our services, or engage with us under a paid engagement letter.
This policy covers Vaival's website (vaival.com) and the information flows that arise from interest, scoping, and inquiry. The handling of data inside a paid engagement is governed by the engagement letter and any associated data processing agreement, which take precedence over this policy where they conflict.
1. Vaival entities and your contracting party
Vaival operates as one operating group across multiple legal entities:
- Vaival LLC, a Delaware limited liability company (United States). US contracting entity. Primary controller for personal information collected from buyers and visitors located in the United States and most of the world.
- Vaival FZ-LLC, a UAE free-zone limited liability company. GCC contracting entity. Primary controller for personal information collected from buyers and visitors located in the United Arab Emirates and other GCC countries.
- Vaival Technologies (Private) Limited, a Pakistan private limited company. Pakistan operating entity. Holds the ISO/IEC 42001:2023, ISO/IEC 27001:2022, and ISO 9001:2015 certifications under which Vaival's management systems operate, and acts as data processor for the other entities under intra-group data processing arrangements.
Which Vaival entity controls your data depends on where you are located when you interact with us. If you are unsure which entity applies, contact us using the details in Section 12.
2. Information we collect
We collect information in three ways: information you give us directly, information collected automatically when you visit the site, and information provided through a Vaival engagement letter once you become a client.
Information you give us directly includes your name, work email, company name, role, the workflow problem you describe, and any other information you choose to provide in a contact form, inquiry email, or scoping conversation.
Information collected automatically includes page-view events, the page URL you arrived at, your country at the IP level, the device type and browser you used, and the referring source. We use Plausible Analytics for this, which is privacy-respecting and does not set cookies, does not track you across sites, and does not collect any persistent identifier that could re-identify you. See our Cookie Policy for details.
Information provided through an engagement letter includes operating data, workflow process detail, sample artifacts, internal documents, screenshots, system access where required for delivery, and any other information you share with Vaival under the scope of a signed engagement. This information is governed by the engagement letter and any associated data processing agreement.
We do not knowingly collect special category personal data (health data, biometric data, race or ethnicity, religious belief, political opinion, or trade union membership) and we do not request it. If such data appears incidentally inside the operating data shared under an engagement, the engagement letter sets the handling rules.
3. How we use information
We use the information described in Section 2 for the following purposes:
- To respond to your inquiry. If you contact us through the website, our team uses your information to understand the problem, propose a relevant engagement shape, and follow up.
- To deliver a paid engagement. If you become a client, we use information shared under the engagement letter to perform the Operating Leverage Audit, Workflow Leverage Sprint, 100-Day Operating Leverage Program, or Managed Operating Pod work you have engaged us for.
- To run the site and improve it. We use page-view analytics to understand which content lands and which does not. The data we collect for this purpose is aggregate and does not identify individuals.
- To send you communications that you have consented to. If you opt in to a newsletter or follow-up communications, we use your contact details to send what you asked for. You can unsubscribe at any time via the link in every email.
- To comply with law. We use information where necessary to satisfy a legal obligation, respond to a lawful regulatory or judicial request, or protect rights, property, and safety.
We do not use your information for advertising. We do not sell your personal information to any third party. We do not share your personal information with data brokers.
4. How we share information
Vaival relies on a small set of vendors and sub-processors to operate the business and deliver client engagements. We share personal information with these vendors only as necessary for the purposes in Section 3, and only under contractual terms that require equivalent confidentiality, security, and data handling standards.
The categories of sub-processors we use include:
- Cloud hosting providers (for website hosting and engagement-related infrastructure)
- AI model providers (enterprise-tier configurations with training-on-customer-data disabled)
- Productivity and collaboration tools (for internal coordination, document handling, and engagement delivery)
- Communication tools (for email, scheduling, and meeting recording where consented)
- Analytics (Plausible, privacy-respecting and cookieless)
The specific named sub-processors used in any paid engagement are disclosed in the engagement letter at scope confirmation, with right of refusal on changes. This list is maintained at the engagement-letter level rather than published as a public list because the right disclosure surface for contractual sub-processor commitments is the contract itself. If you are evaluating Vaival as a vendor and need the named sub-processor list before signing, we will provide it under NDA.
Beyond these vendors, we share personal information only when required by law, to enforce our rights, to protect Vaival or any third party from harm, or with your explicit consent.
5. International data transfers
Vaival operates across the United States, United Arab Emirates, and Pakistan, with vendor and sub-processor relationships that may involve additional jurisdictions. Personal information may therefore be transferred internationally to support engagement delivery, vendor processing, and the day-to-day operation of the Vaival operating group.
Where personal information is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that does not have an adequacy decision under applicable data protection law, the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor) and any additional technical and organizational safeguards required for the receiving jurisdiction.
Where personal information is transferred from the United Arab Emirates to a third country, the transfer is conducted in accordance with Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the UAE PDPL) and its implementing regulations.
The contracting Vaival entity for any given engagement, and the legal basis for any cross-border transfer that arises from that engagement, are set out in the engagement letter.
6. How we protect information
Vaival operates an Information Security Management System certified to ISO/IEC 27001:2022 (certificate PK240016, issued by RICI US LLC, active to 15 August 2026), an AI Management System certified to ISO/IEC 42001:2023 (certificate 2026-00622-PK-42K, issued by MQA Certification UK Ltd., active to 22 February 2027), and a Quality Management System certified to ISO 9001:2015 (certificate PK240062, issued by RICI US LLC, active to 24 November 2026). These standards are independently audited by accredited certification bodies and certificate detail is verifiable at the issuing bodies and the International Accreditation Forum's CertSearch registry.
Operational controls include named human owners for every data category, role-based access, encryption in transit and at rest where supported by the underlying service, audit logging, and documented incident response procedures.
No security program eliminates risk entirely. If we become aware of a confirmed personal data breach that creates a risk to your rights and freedoms, we will notify you and applicable regulators within the timeframes required by applicable law, and within 72 hours of confirmation as our internal commitment, whichever is sooner. Trust and Governance carries the full procedure.
7. Data retention
We retain personal information only for as long as we need it for the purposes set out in this policy, and in line with applicable legal, tax, and audit obligations.
Inquiry information from website forms and email is retained for up to 24 months from the last interaction, unless the inquiry converts to an engagement (in which case engagement-letter retention rules apply) or unless you ask us to delete it sooner.
Engagement information is retained under the terms of the relevant engagement letter, typically for the duration of the engagement plus the audit-and-warranty period that applies under the engagement letter and applicable law.
Aggregate website analytics that do not identify individuals are retained without time limit.
8. Your rights
You have rights over the personal information Vaival holds about you. The exact rights depend on where you are located.
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) gives you the right to: access your personal information; ask us to correct inaccurate information; ask us to delete information where there is no overriding legal basis to retain it; object to or restrict certain processing; ask for your information in a portable format; and lodge a complaint with your local data protection authority. The legal basis for our processing is your consent, the performance of a contract with you, our legitimate interests in operating and improving the business, or compliance with a legal obligation, as applicable.
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act (CCPA / CPRA) give you the right to: know the categories and specific pieces of personal information we have collected about you; delete personal information we hold about you; correct inaccurate personal information; opt out of the sale or sharing of personal information (Vaival does not sell or share personal information for cross-context behavioral advertising, but you may still exercise this right by submitting a request); limit the use of sensitive personal information (Vaival does not knowingly collect sensitive personal information); and be free from retaliation for exercising any of these rights.
If you are in the United Arab Emirates, Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the UAE PDPL) gives you the right to: access your personal information; correct inaccurate personal information; ask for deletion under the conditions set out in the law; restrict or object to certain processing; receive your personal information in a structured format; and complain to the UAE Data Office.
Residents of other jurisdictions may have similar rights under local law. Vaival honors verified data subject requests from any jurisdiction.
9. How to exercise your rights
To exercise any of the rights described in Section 8, contact us at privacy@vaival.com or majid@vaival.com. Include enough information for us to identify you and verify the request. We will respond within the timeframes required by applicable law (typically 30 days under GDPR and 45 days under CCPA, extendable where reasonably necessary).
We will not discriminate against you for exercising any privacy right. We do not charge a fee for handling a verified request unless the request is manifestly unfounded or excessive, in which case we will tell you the fee and the reason before we proceed.
If you are not satisfied with our response, you have the right to complain to the data protection authority in your jurisdiction.
10. Children's privacy
Vaival's website and services are not directed at children. We do not knowingly collect personal information from children under the age of 16. If you believe a child has provided us with personal information, contact us using the details in Section 12 and we will delete it.
11. Updates to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of the page. Material changes will be highlighted at the top of the policy and, where required by law or where the change affects how we use personal information you have already provided, communicated directly to you.
12. Contact
Privacy inquiries: privacy@vaival.com or majid@vaival.com.
General inquiries: vaival.com/contact.
Vaival LLC, Delaware, United States. Vaival FZ-LLC, United Arab Emirates. Vaival Technologies (Private) Limited, Lahore, Pakistan.
Privacy is the floor. Governance is the engagement model.
Trust and Governance carries the full posture on AI use, sub-processor commitments, breach response, and engagement-letter terms.