Privacy Policy
1. Who we are
This Privacy Policy describes how SHUYA rev.A L.L.C-FZ ("SHUYA", "we", "us", or "our") collects, uses, and protects your personal data when you use the SHUYA.CAPITAL mobile application (the "App").
SHUYA is a UAE Free Zone limited liability company licensed by Meydan Free
Zone under license number 2643539.01 for the following activities:
- Investments Consultancy (UAE Activity Code 6619.11)
- Activities Auxiliary to Financial Services (UAE Activity Code 6610.00)
- Own Account Investment Activities (UAE Activity Code 6499.02)
The App is offered exclusively to limited partners and authorized counterparties of the SHUYA Capital fund. The App is not available to the general public.
2. Information we collect
We collect only the information necessary to authenticate you and operate the App. We do not collect data for advertising, tracking, profiling, or any commercial purpose outside the App's stated function.
2.1 Information you provide
- Email address — required for sign-in. Stored in our authentication database (Supabase Auth, hosted by SHUYA in Germany).
- Password — stored only as a salted bcrypt hash; we never see or store your password in clear text.
- Display name (optional) — for personalized greetings.
- Access request details — if you submit the "Request access" form: name, email, organization, and message text.
2.2 Information generated automatically
- Session tokens (JWT) — issued by Supabase Auth on each sign-in, stored locally on your device in the iOS Keychain (Secure Enclave).
- Device biometric preference — a single flag indicating whether you have opted in to Face ID / Touch ID unlock. Stored locally on your device only; never transmitted.
- Crash and diagnostic data — anonymized stack traces, OS version, and app version, sent to Sentry. Used solely to fix defects.
2.3 Information we do NOT collect
- Geographic location
- Contacts, calendar, photos, microphone, or camera data
- Health, fitness, or biometric measurements
- Advertising Identifier (IDFA) or other tracking identifiers
- Browsing or search history outside the App
- Payment card numbers, bank account details, or credentials
- Government identification numbers (KYC documents are collected through offline channels separately, not through the App)
3. How we use your information
We use your information only to:
- Authenticate you and protect your account from unauthorized access
- Display data about your participation in the SHUYA Capital fund
- Communicate with you about your account and material fund events
- Fix bugs reported through anonymous crash logs
- Comply with applicable legal obligations
We do not:
- Sell or rent your data to third parties
- Use your data for marketing, advertising, or profiling
- Share your data with data brokers
- Use your data to train AI models
4. Where your data lives
- Authentication & application data — stored on servers operated by SHUYA in Germany, in a self-hosted Supabase instance. Access is restricted to authorized SHUYA operators.
- Session credentials on your device — stored in the iOS Keychain, protected by the Secure Enclave. Only the App can read them.
- Crash diagnostics — stored by Sentry GmbH (EU region) for a retention period of 30 days, then deleted.
- OTA app updates — delivered by Expo (a service of 650 Industries, Inc., United States). Expo receives only the runtime version of your device and the App's update channel; it does not receive your account data.
All transit is protected by TLS 1.2 or higher.
5. Your rights
Depending on where you live, you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to update inaccurate or incomplete data
- Deletion — ask us to delete your account and associated data (also available in the App at Settings → Account → Delete account)
- Portability — receive your data in a machine-readable format
- Objection / restriction — ask us to stop or limit processing
- Complaint — lodge a complaint with your local data protection authority (UAE: Ministry of Justice; EU: your national DPA)
To exercise any of these rights, email privacy@shuya.capital. We respond within 30 days.
6. Account deletion
You can delete your account at any time:
- In the App: Settings → Account → Delete account. Confirmation required. Deletion is irreversible.
- By email: send a request to privacy@shuya.capital from the email address associated with your account.
Account deletion removes your sign-in credentials, display name, biometric preference, push notification token (if any), and access-request history.
Fund-side data (positions, statements, K-1s) that we are legally required to retain is preserved in our books for the retention period required by UAE law, but de-linked from your identity within the App.
7. Children
The App is intended for adult limited partners of the SHUYA Capital fund only. We do not knowingly collect data from anyone under 18.
8. Cookies and similar technologies
The App does not use cookies, web beacons, pixel tags, fingerprinting, or any tracking technology.
9. Third-party services
The App relies on the following third-party processors. Each acts as our data processor under our instructions:
| Processor | Purpose | Location | Data shared |
|---|---|---|---|
| Apple Inc. | App distribution (App Store, TestFlight) | Worldwide | Device ID for app delivery only |
| 650 Industries, Inc. (Expo) | OTA update delivery | United States | Runtime version, update channel |
| Sentry GmbH | Crash reporting | EU (Germany / Netherlands) | Stack traces, OS / app version |
| Supabase (self-hosted) | Authentication, application database | Germany (our server) | All app data |
We do not share data with advertising networks, analytics providers (other than crash diagnostics), or any third parties not listed above.
10. Security
- Passwords are hashed with bcrypt (cost factor 10) — clear text never stored or transmitted after initial sign-in
- All transit between your device and our servers uses TLS 1.2+
- Session tokens are stored in iOS Keychain, accessible only to the App
- The App requires Face ID or device passcode to unlock when biometric unlock is enabled
- No financial credentials (bank, broker) are stored, transmitted, or requested by the App
If we discover a data breach affecting your data, we will notify you without undue delay and at the latest within 72 hours of discovery.
11. Data retention
| Data type | Retention period |
|---|---|
| Authentication credentials | While your account is active, deleted on account deletion |
| Access requests (pending) | 12 months from submission, then deleted |
| Access requests (approved / rejected) | 7 years for audit trail (UAE accounting record requirements) |
| Crash diagnostics | 30 days from event, then deleted |
| Push notification token | While valid; refreshed by iOS; deleted on uninstall |
12. International transfers
Data may be processed in Germany (our primary servers), the European Union (Sentry), and the United States (Expo, Apple). Where data leaves the UAE, we rely on contractual safeguards equivalent to the EU Standard Contractual Clauses.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to you via an in-app notification on next launch and via email to your account email address. The "Last updated" date at the top reflects the most recent revision. Continued use of the App after a material change constitutes acceptance of the updated Policy.
14. Governing law and contact
This Policy is governed by the laws of the Emirate of Dubai and the applicable federal laws of the United Arab Emirates.
For questions, requests, or complaints, contact:
SHUYA rev.A L.L.C-FZ
Privacy contact: privacy@shuya.capital
Postal address: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.