Quick Links:
- Section 3 — What data we collect
- Section 7 — Special protections for children's data
- Section 10 — How long we keep your data
- Section 13 — Your rights under UAE law
- Section 14 — Parental rights over children's data
- Section 16 — How to contact us
1. About This Privacy Policy
This Privacy Policy applies to the nst Family Banking service, including the nstFi mobile application ("App"), all associated accounts (Parent Account and Family Member Sub-Accounts), cards, features, and communications.
nstFi L.L.C - FZ ("nstFi", "we", "us", "our") is the data controller responsible for your personal data in connection with the Service. Our registered address is: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, UAE.
This Policy is drafted in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and applicable CBUAE regulations. Where nstFi processes data as a processor on behalf of Mawarid Finance PJSC (BIN Sponsor and Card Issuer), this will be noted.
2. Key Definitions
3. Personal Data We Collect
3.1 Data Collected from the Primary Account Holder
3.2 Data Collected for Family Member Sub-Accounts
3.3 Data We Do Not Collect
We do not collect the following categories of data:
- Social security numbers or tax identification numbers (other than where required by UAE regulations for certain high-value transactions).
- Full, unmasked card numbers, which are never stored by nstFi and are handled exclusively by our PCI-DSS compliant processor, areeba.
- Children's school records, medical records, or social media data.
- Precise geolocation data beyond IP-based country identification, unless you explicitly enable location services.
4. How We Collect Your Data
4.1 Directly from You
- When you register for the Service and complete KYC.
- When you add a Family Member Sub-Account.
- When you contact our Customer Support team.
- When you respond to surveys, promotions, or in-App prompts.
- When you use the AI Companion feature.
4.2 Automatically
- Via the App as you use the Service (transaction data, feature usage, device information).
- Via cookies and analytics SDKs embedded in the App — see Section 12.
- Via push notification tokens when you enable notifications.
4.3 From Third Parties
- Identity verification providers — to validate KYC documents and biometric data.
- Mawarid Finance PJSC (Card Issuer) — card programme and transaction data.
- areeba (Card Processor) — transaction processing records.
- Mastercard — scheme-level transaction data required for dispute resolution and fraud monitoring.
- Credit reference or fraud prevention agencies — where applicable and permitted by UAE law.
5. Legal Bases for Processing
Under UAE Federal Decree-Law No. 45 of 2021 (PDPL), we process personal data on the following legal bases:
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal, and will not affect processing on other legal bases.
6. How We Use Your Personal Data
6.1 To Provide & Operate the Service
- Verifying your identity and opening your Account and Family Member Sub-Accounts.
- Issuing and managing prepaid cards in partnership with Mawarid Finance PJSC.
- Processing transactions, top-ups, and card controls.
- Enabling parental control features, allowance schedules, and task-based rewards.
- Managing account transitions when a Family Member reaches age 18.
- Delivering the AI Companion features (financial goal forecasting, spending analysis, virtual support).
6.2 To Comply with Legal Obligations
- Conducting AML/CFT customer due diligence (CDD) and enhanced due diligence where required.
- Transaction monitoring for suspicious activity in accordance with Federal Decree-Law No. 20 of 2018.
- Reporting to the UAE Financial Intelligence Unit (FIU) where legally required.
- Responding to regulatory enquiries and audit requirements from CBUAE.
- Retaining records for the mandatory minimum period required by UAE law.
6.3 To Protect You and Our Service
- Detecting and preventing fraud, unauthorised access, and financial crime.
- Monitoring for technical security threats and vulnerabilities.
- Verifying that transaction activity is consistent with your stated account purpose.
6.4 To Communicate with You
- Sending real-time transaction alerts and account notifications.
- Notifying the PAH of Family Member activity and age-based milestones.
- Responding to Customer Support requests and complaints.
- Sending marketing communications where you have given explicit consent (opt-out available at any time).
- Sending service and policy updates where required by regulation or contract.
6.5 AI Companion Features
Where you use the AI Companion feature, your interaction data (financial queries, goal inputs, spending context) is processed to generate personalised insights and recommendations. This data is:
- Used only to generate responses within your session and to improve the AI model's accuracy over time (in anonymised, aggregated form).
- Never shared with third parties for commercial purposes.
- Not used to make automated decisions that have legal or similarly significant effects on you, without human oversight.
7. Children's Data — Enhanced Protections
7.1 Legal Basis for Processing Children's Data
The Primary Account Holder, as the parent or legal guardian of the Family Member, provides consent for the collection and processing of the Family Member's personal data on the minor's behalf. This consent:
- Is given explicitly during the Sub-Account setup process.
- Covers only the data necessary to provide the Sub-Account features and age-appropriate controls.
- Does not extend to any optional processing activities not necessary for the Service.
Where a Family Member is aged 16 or over and UAE law requires or permits the minor to provide their own consent for specific processing activities, we will seek the minor's consent directly for those activities.
7.2 Data Minimisation — What We Collect for Children
We collect the minimum data necessary for Family Member accounts. We do not collect:
- School records, medical records, or health data of Family Members.
- Social media identifiers or online behavioural profiles of Family Members.
- Precise location data of Family Members.
- Biometric data of Family Members (biometric KYC applies to the PAH only).
7.3 Strict Use Limitations for Children's Data
Data relating to Family Members is used exclusively for:
- Operating the Sub-Account and card features.
- Enabling the PAH's parental control and monitoring functions.
- Processing transactions and task-based rewards.
- Age milestone management (e.g., transition notifications at age 18).
- Complying with AML/CFT legal obligations where applicable to the Sub-Account.
Data relating to Family Members is strictly NOT used for:
- Marketing or advertising of any kind.
- Third-party profiling or behavioural advertising.
- Sale or commercial sharing with any third party.
- AI model training in any identifiable form.
7.4 Parental Visibility & Control
The Primary Account Holder has full visibility of all Family Member account data through the App, including: transaction history, balance, task activity, and spending patterns. The PAH may review, update, or request deletion of Family Member data at any time — subject to our legal retention obligations. See Section 14 for parental data rights.
7.5 Third-Party Data Sharing for Children's Data
Family Member data is shared with third parties only to the extent strictly necessary to provide the Service:
- Mawarid Finance PJSC — card issuance and regulatory compliance.
- areeba — card and transaction processing.
- Mastercard — scheme-level transaction data.
- KYC/identity verification providers — only for PAH verification (not child biometric data).
- CBUAE / UAE FIU — where required by law.
Family Member data is not shared with any other third party under any circumstances.
7.6 Data Deletion at Age 18 Transition
When a Family Member turns 18 and their Sub-Account transitions:
- If the former Family Member opens an independent nstFi account, their Sub-Account data is transferred to their new account with their consent.
- If they do not open an independent account, Sub-Account data is retained for the mandatory minimum period required by CBUAE regulations (minimum 5 years from account closure) and then deleted.
- The PAH's visibility of the former Family Member's data ceases on their 18th birthday.
8. Data Sharing & Third-Party Recipients
8.1 Service Partners (Data Processors)
We share data with the following categories of third parties who process data on our behalf as data processors, under contractual data processing agreements:
8.2 Group Companies
nstFi L.L.C - FZ is part of the LC50X group of companies. We may share data within the LC50X group for the following purposes:
- Group-level compliance, risk management, and internal audit.
- Technical and infrastructure support.
- Strategic business planning (in anonymised, aggregated form only).
We do not share individually identifiable personal data with other LC50X group companies for commercial or marketing purposes.
8.3 Legal Disclosures
We may disclose personal data to regulatory authorities, law enforcement, or courts where we are legally required to do so, including:
- Central Bank of the UAE (CBUAE) — as part of regulatory supervision and examination.
- UAE Financial Intelligence Unit (FIU) — suspicious activity reporting.
- Courts and law enforcement — in response to valid legal process (subpoena, court order).
8.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of nstFi's business, personal data may be transferred to the acquiring entity. We will notify you in advance of any such transfer and ensure the acquiring entity provides equivalent data protection.
8.5 What We Never Do
- We never sell your personal data to any third party.
- We never share children's data for marketing, profiling, or commercial purposes.
- We never use your personal data to train third-party AI models in identifiable form.
9. International Data Transfers
nstFi operates primarily from the UAE. Some of our service partners and infrastructure providers may process data outside the UAE. Where personal data is transferred outside the UAE, we ensure that:
- The destination country provides an adequate level of data protection, as recognised under UAE PDPL.
- Appropriate contractual safeguards are in place (including standard contractual clauses or equivalent mechanisms).
- The transfer is limited to what is necessary for the specific processing purpose.
Children's data is not transferred outside the UAE or to third parties in other jurisdictions except where strictly required for card scheme operations (Mastercard) or cloud infrastructure, subject to the safeguards above. You may request details of international transfer safeguards by contacting [email protected].
10. Data Retention
We retain personal data for the periods set out below, after which data is securely deleted or irreversibly anonymised:
These retention periods reflect the minimum required by UAE law. Where a longer retention period is required by law, regulation, or legal proceedings, we will retain data for that longer period.
11. Data Security
11.1 Technical Safeguards
- End-to-end encryption for all data transmitted between the App and our servers.
- AES-256 encryption for all personal data stored at rest.
- PCI-DSS Level 1 compliant card data handling via areeba (no card data stored by nstFi).
- Multi-factor authentication (MFA) for all App access.
- Penetration testing and vulnerability assessments conducted [quarterly / annually — INSERT].
- Automatic session timeout and device binding for App security.
11.2 Organisational Safeguards
- Role-based access controls — only authorised nstFi staff can access personal data on a need-to-know basis.
- Data processing agreements in place with all third-party processors.
- Staff trained on data protection and information security annually.
- Dedicated Data Protection function within nstFi reporting to senior management.
11.3 Security Incident Response
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the UAE Data Office within 72 hours of becoming aware of the breach, where required by UAE PDPL.
- Notify affected individuals promptly where the breach is likely to result in a high risk to their rights and freedoms.
- Take immediate steps to contain and remediate the breach.
12. Cookies, Analytics & Tracking
12.1 App Analytics
The nst Family Banking App uses analytics software development kits (SDKs) to collect non-personally-identifiable usage data, including: screens viewed, features used, session duration, and error reports. This data helps us improve the App experience.
12.2 Push Notifications
With your permission, we send push notifications to your device for transaction alerts, account notifications, and marketing communications. You may withdraw push notification permission at any time via your device settings.
12.3 No Third-Party Advertising Trackers
We do not embed third-party advertising trackers or allow advertising networks to track your behaviour within the App. The nst Family Banking App is not used as an advertising data source.
12.4 Children's Data in Analytics
Family Member usage data collected via analytics is pseudonymised before processing and is never used for advertising, profiling, or sharing with third-party analytics platforms in individually identifiable form.
13. Your Rights Under UAE Law
Under UAE Federal Decree-Law No. 45 of 2021 (PDPL) and applicable CBUAE consumer protection regulations, you have the following rights in relation to your personal data:
To exercise any of these rights, contact us at: [email protected]. We will respond within 30 calendar days. Identity verification will be required before fulfilling requests. We do not charge a fee for exercising your rights, except where requests are manifestly unfounded or excessive.
14. Parental Rights over Family Member Data
As the Primary Account Holder and parent or legal guardian, you hold the following rights in relation to your Family Member's personal data:
14.1 Rights You Hold on the Family Member's Behalf
- Right of Access — request a copy of all data held in relation to the Family Member's Sub-Account.
- Right of Correction — correct inaccurate information about the Family Member.
- Right of Deletion — request deletion of the Family Member's data, subject to our legal retention obligations. Note: deletion of essential Sub-Account data will require closure of the Sub-Account.
- Right to Restrict Processing — request limitation of processing of the Family Member's data.
14.2 Transition of Rights at Age 18
When a Family Member reaches 18 years of age:
- Your rights to access and control the Family Member's data cease on their 18th birthday.
- The former Family Member acquires full data rights as an independent adult data subject.
- nstFi will seek the former Family Member's own consent for any continued processing of their data.
14.3 How to Exercise Parental Data Rights
Submit your request to: [email protected], clearly stating that the request relates to a Family Member Sub-Account and providing the Family Member's name and your Account details for verification.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. We will notify you of material changes by:
- In-App notification at least 30 days before the change takes effect.
- Email to your registered address.
We will clearly indicate the effective date of any revision. The current version of this Policy is always available within the App (Settings > Privacy Policy) and on our website. Continued use of the Service after the effective date constitutes acceptance of the revised Policy. If you do not accept the changes, you must discontinue use of the Service.
For material changes that affect how we process children's data, we will seek fresh parental consent where required by UAE PDPL.
16. Contact Us & Supervisory Authority
16.1 Privacy Enquiries & Rights Requests
For any questions about this Privacy Policy, to exercise your data rights, or to make a privacy complaint, contact us at:
16.2 Supervisory Authority
If you are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with the UAE Data Office (the supervisory authority under UAE PDPL):
- UAE Data Office — www.uaedataoffice.gov.ae
- CBUAE Consumer Protection — www.centralbank.ae/en/consumer-protection (for data issues related to financial services)
© 2025 nstFi L.L.C - FZ. All rights reserved.