Privacy Policy

1. What we collect

When you book with Innovex Studios we collect:

• Contact info: name, email, phone number, company (if applicable).
• Booking info:dates, times, use case, crew size, product (studio / podcast / equipment), tier selection, podcast set preference (where applicable — for podcast bookings you can pick which set / backdrop you’d like), any notes you add.
• Payment info: handled by Stripe — our PCI-DSS-validated payment processor. Your full card number and CVV never touch our servers — we receive only the last 4 digits and a tokenized reference for future balance payments and refunds.
• ID verification (equipment rentals):Emirates ID, passport, or driver’s license. Stored encrypted in our rental records, accessible only to the studio operator and finance staff, retained for the duration of the rental and automatically deleted within 30 days of safe return. Collected as a contractual necessity for equipment damage liability.
• Minors on set: where children are present during a shoot, their image may be captured by CCTV under the terms of our House Rules. Parents or guardians are responsible for acknowledging this before entry. We do not collect names or identifying information for under-16 guests through the booking flow; if a production requires it (e.g., minor model release), the producer handles consent directly with the guardian.
• Loyalty & credit history:we track cumulative booking spend and studio-credit balances against your email to calculate your loyalty tier (Regular / Pro / Elite) and the credits you’ve earned. This includes a rolling 6-month spend total used for tier transitions. The tier affects your credits-back percentage and perk eligibility — see the Loyalty page for how it works.
• Referral attribution:if you entered a referral code or a friend’s email in the booking form, we capture that reference to credit both parties after your shoot completes. Before any credit posts to the referrer, we email them a one-click confirmation so no one is linked to you without their consent. See the Referralpage for the full mechanics. If you are the referrer and you receive such a confirmation email, you can ignore or decline it — the referral simply won’t post.
• Referral fraud-control checks:to protect programme integrity we cross-check the referee’s email against our booking history to confirm they have not booked with us before. We also enforce a minimum qualifying booking size (currently 4 hours or AED 1,000) and a soft cap on referrals per account per rolling 90 days. These checks are processing activities tied to the referral programme; no data from them is shared with the referrer.

When you use the website we collect minimal technical data:

• Technical info: browser type, device category, and approximate city-level location for performance diagnostics. Logged in aggregate only.
• Equipment rental cart (browser local storage): when you add items to the rental cart on /rent, your selections — item slugs, quantities, pickup and return dates, and delivery preference — are saved to your browser’s localStorage under the key innovex.rentalCart.v2. This persists across pages and reloads so you don’t lose your cart between visits. The data stays on your device only — it is never transmitted to us until you submit a rental request. It contains no name, email, phone, or payment data. Clearing your browser storage removes it.
• AI chat history (browser session storage):when you use the “Ask Innovex” chat assistant, your conversation (your messages and the AI’s replies) is saved to your browser’s sessionStorage under the key innovex.chat.v1 so it persists while your tab is open. It is automatically cleared when you close the tab. The chat is intended for users 18 and over; if you are under 18 please do not send personal information through it. Each message you type is transmitted to Anthropic, Inc.(USA) — our AI model provider — to generate a reply (see Section 3). You can clear the local copy at any time using the “Clear” button in the chat panel or by closing your browser tab.
• Analytics: anonymised pageviews and navigation paths are planned (Google Analytics 4 with IP anonymisation, launching with the backend). When analytics go live, we will add a cookie consent banner and update this section. At the time of this policy revision, no analytics scripts run on the site.

2. Why we collect it — and our lawful basis

Every piece of data above maps to a specific lawful basis under UAE Federal Decree-Law No. 45 of 2021 (PDPL) and, where applicable, EU GDPR:

• Booking fulfilment, payments, balance collection — contractual necessity. We cannot run your shoot without knowing who you are, when you want the studio, and how to reach you if something changes.
• Tax records, VAT invoicing, legal compliance — legal obligation (UAE Federal Tax Authority requires retention of financial records for 7 years).
• Equipment damage liability (ID verification) — contractual necessity. Holding a refundable damage deposit against a verifiable ID is how we insure against loss or damage.
• CCTV in common areas (premises safety) — legitimate interest balanced against customer privacy. Cameras cover entry, corridors, and the studio floor; never private areas (changing rooms, bathrooms, prep room). Footage is retained 30 days, then automatically deleted.
• Marketing updates (availability, promotions, new services) — explicit consent. We only send marketing email if you tick the opt-in checkbox on the booking or tour form. You can unsubscribe at any time via the link in every marketing email.
• Loyalty programme (credits-back + tier tracking) — contractual necessity. Being an Innovex customer includes the benefit of loyalty credits on every completed booking. We need to track your spend history to calculate your tier (Regular / Pro / Elite) and post the correct credit amount after each shoot. Credit balances and tier changes are accessible to you on request.
• Referral attribution — contractual necessity for you (the referee) because you entered a reference to unlock your first-booking credit. For the third party (the referrer), processing of their email to issue credit is gated on their explicit consent via a one-click confirmation email. We do not post any credit to their account without that confirmation.
• Referral fraud-control (never-booked-before email check, qualifying booking thresholds, velocity cap) — legitimate interest balanced against customer privacy. The check is the minimum needed to keep the programme economically viable; results are not shared with referrers and are never used for marketing.
• AI chat assistant messages— legitimate interest. We operate an on-site chatbot to answer common questions about pricing, gear, packages, and policies. Messages you type are transmitted to Anthropic’s API to generate a reply, and the conversation is stored only in your browser’s sessionStorage (we don’t persist it on our servers). You can avoid this processing entirely by using email or WhatsApp instead — both are linked from the chat panel and the contact page.
• Website analytics (when active) — consent via a cookie banner. Essential cookies (booking session, authentication) run without consent; all other cookies wait for the banner.

3. Who we share it with

We share your data with the minimum number of third parties needed to run your booking. Each has a written data-processing agreement (DPA) with Innovex:

• Stripe: payment processing. Receives only the data needed to authorise a charge (card token, amount, currency, customer email).
• Hostinger Titan Email: transactional email (booking confirmations, cancellation links, password resets, newsletter signups). Receives recipient name and email only. Hostinger acts as the SMTP relay for our self-hosted email delivery.
• Anthropic, Inc. (USA):AI model provider for the on-site “Ask Innovex” chat. When you send a message via the chat, your message text and the recent conversation history for that session are sent to Anthropic’s API to generate a reply. Anthropic processes this under a Data Processing Agreement and may retain inputs/outputs for up to 30 days for safety monitoring before deletion. Anthropic does not use your chat data to train models by default.
• WhatsApp / Meta Platforms Ireland Ltd.:when you submit a booking enquiry or rental cart via our WhatsApp deep-link (the green “WhatsApp us” buttons across the site), the message you send — including any contact details, booking dates, and rental cart contents you chose to type or paste — is delivered through WhatsApp’s end-to-end encrypted infrastructure. Meta acts as the message-transit processor for that exchange under WhatsApp’s own privacy policy. We do not push your data into WhatsApp on your behalf; the data flow only starts when you tap a WhatsApp button and choose to send the pre-filled message.
• Google Analytics (planned, not yet active): anonymised traffic measurement.
• UAE Federal Tax Authority: aggregate VAT reporting as required by law.

We do not sell, rent, or trade personal data with advertisers, marketers, or unrelated third parties.

4. Cross-border data transfers

Jurisdiction.Innovex Studios operates under a UAE Mainland trade licence (Dubai Department of Economy & Tourism / DET) and is not registered in the DIFC or ADGM. The federal UAE Personal Data Protection Law (Decree-Law 45/2021) applies. The DIFC PDPL Amendment 2023 — including its Transfer Impact Assessment regime that took effect post-July 2025 — does not apply to us by jurisdiction. If our entity ever moves into a free zone, we will update this section and complete the relevant TIAs.

Some of the vendors below process data outside the UAE:

• Stripe (Ireland / US):payment processing transfers minimal data (card token, amount, currency) under Stripe’s Data Processing Agreement and Standard Contractual Clauses (SCCs).
• Hostinger (non-EU, email relay), Google Analytics (US), Anthropic (US): limited personal data (email, anonymised usage, chat message text) transferred under each vendor’s published DPA and Standard Contractual Clauses (SCCs) where applicable. These vendors maintain EU/UK adequacy mechanisms.

You can request the list of our active sub-processors at any time by emailing the address in section 9. If you object to a specific cross-border transfer, contact us and we will explain your options (including deletion of your record where the transfer is not legally required).

5. How long we keep it

• Active bookings: until 90 days after your booking is completed.
• Payment and tax records: 7 years (UAE Federal Tax Authority requirement).
• Marketing contacts (opted in): until you unsubscribe.
• ID scans for equipment rentals: deleted within 30 days of safe return of the equipment.
• CCTV footage (common areas): 30 days, then auto-deleted. Never shared except with law enforcement on formal request or in response to an insurance claim.
• Loyalty credits + tier history: credit balances and the rolling 6-month spend window used for tier calculation are retained for the life of your customer relationship. Individual credit-earn records expire 12 months after the originating booking; tier transitions are logged for audit.
• Referral records: retained for 24 months after the qualifying booking so we can reconcile disputes and fraud checks. Third-party referrer emails that never confirm (i.e., never click the confirmation link) are deleted within 30 days.
• Add-to-calendar exports (.ics files):once you click “Add to calendar” from a confirmation page, the booking details (date, time, total, address) are embedded in the ICS file and stored in your own calendar application — its retention rules apply from that point. We have no ability to revoke or delete an ICS entry once it’s in your calendar.
• Website analytics (when active): 14 months (Google Analytics default retention).

6. Your rights

Under UAE PDPL (and, if applicable, EU GDPR / UK GDPR / California CCPA), you can request at any time:

• Access — a copy of the personal data we hold about you.
• Correction — we fix inaccurate or outdated information.
• Deletion— we remove your data, subject to legal retention requirements (e.g., tax records held 7 years). Note: chat messages transmitted to Anthropic may be retained by Anthropic for up to 30 days under their data-processing agreement for safety monitoring, after which Anthropic deletes them. We cannot action earlier deletion of data inside Anthropic’s systems.
• Portability — a machine-readable copy of your data in a standard format.
• Objection / restriction — you can object to specific processing (e.g., marketing) or ask us to restrict processing while we investigate a concern.
• Withdraw consent — for any processing based on consent (marketing, analytics cookies) at any time.

Email your request to the address in section 9 — we reply within 14 days. No charge for a standard request.

7. Marketing communication

• We only send marketing email if you explicitly opt in on the booking or tour form. Opt-in is captured with a timestamp.
• Every marketing email includes an unsubscribe link. One click, you’re out.
• Booking-related email (confirmations, reminders, balance due, receipts) is transactional — you receive this as part of running your booking, independent of marketing consent.

8. Cookies

• We use essential cookies for booking sessions and authentication — these run without consent as they are strictly necessary for the site to function.
• When analytics launch (Google Analytics 4 with IP anonymisation), we will add a cookie consent banner and update this section. No analytics cookies run until then.
• We do not use advertising or behaviour-tracking cookies, now or in any planned rollout.

9. Contact for privacy matters

Email info@innovexstudios.comwith “Privacy” in the subject line. We respond within 14 days. For urgent data-protection concerns, WhatsApp the number on our Contact page.

10. Changes to this policy

Material changes to this privacy policy will be announced on the website and, where appropriate, emailed to customers with active bookings at least 14 days before they take effect.