Privacy & Compliance
Regulatory Framework
- GDPR — lawful basis tracking, consent management, DSAR, erasure, data minimization
- UAE Data Protection Law — data residency, consent, cross-border restrictions
- GSMA Guidelines — anonymization, de-identification, consent for monetization
Consent Management
| Purpose | Required For |
|---|---|
| MARKETING | Campaign execution (CEP) |
| ANALYTICS | Trait computation |
| MONETIZATION | Marketplace, DCR |
| AI_PROCESSING | Score computation |
| MCP_ACCESS | AI agent profile queries |
Enforcement: GRANTED → process | DENIED → block/log | SOFT_OVERRIDE → process with audit.
Data Subject Rights
Right to Access (DSAR): Resolve identity → compile all data → export JSON → deliver.
Right to Erasure: Cascade to profile store, event store, identity graph, segment memberships, vector store. Audit log retained without PII.
Right to Portability: Standard JSON export including profile, events, consent history, segments.
Audit Logging
All significant events logged immutably: profile access/updates, segment queries, consent changes, pipeline changes, DSAR processing, MCP tool calls. 7-year retention. Tamper evidence via signed entries, append-only storage.