Image Replacement Example Group Image
0%
About Leto
Contact
Membership
Sobre Leto
FAQ
About Leto
Contact
Membership
Sobre Leto
FAQ

Privacy Notice

How we protect, process, and respect your information

Last updated: September 2025

Who we are & scope

Leto App AI Services Ltd  (“we”, “us”, “our”) provides an AI-assisted concierge service delivered via our website and WhatsApp Business API, with human oversight.

We are incorporated in the Dubai International Financial Centre (DIFC) and our primary data protection regime is the DIFC Data Protection Law No. 5 of 2020 (“DIFC Law”). Where applicable, we also align with other laws (e.g., UAE Federal PDPL) when our processing takes place in those jurisdictions.

This Notice explains how we collect, use, share, transfer, and retain personal data for our services and website. It applies to:
- Clients and prospective clients using our service
- Visitors to our website
- Employees, Vendors, contractors, and other third parties we engage with

Depending on the context, we act as a controller (when we decide why and how data is processed) or as a processor (when providing services on behalf of third parties). In those cases, we process data only on documented instructions and under contract.

What data we collect

Identity & contact:
Name, email, phone, address.

Service & task data:
Task details, preferences, notes, scheduling info.

Communications:
Messages Exchanged via supported channels (e.g., WhatsApp).

Transaction data:  
Payment confirmations and amounts (card data handled by PCI-compliant processors; we don’t store full card numbers).

Device & usage data:
IP address, device/browser type, interaction logs (see Cookies).

Location data:  
Only when required to fulfil a request (e.g., delivery/booking).


Special categories (may arise incidentally)

We do not actively seek special category data (e.g., health, religion). However, in a concierge context it may appear (e.g., medical appointments, dietary info). When it does, we process only as necessary to fulfil the request and rely on explicit consent plus enhanced safeguards.

Sources of data

  • You (forms, messages, onboarding).
  • Your authorised integrations (e.g., calendar, communications, payments).
  • System-generated logs and analytics.

Why we use your data & legal bases

  • Service delivery & support (fulfilling tasks, reservations, reminders, customer support) contract necessity.
  • Personalisation (recommendations you ask for) legitimate interests or consent where required.
  • Payments (processing payments to third-party providers) contract necessity; card data handled by processors.
  • Security & fraud prevention –Security & fraud prevention. Legitimate interests and legal obligation.
  • Compliance & record-keeping (DIFC obligations, requests from authorities where lawful) Legal obligation.
  • Product analytics (aggregated/limited use to improve reliability and UX) Legitimate interests or consent where cookies apply.
  • Special category items (if provided) Explicit consent and strict necessity to perform your request.

Why we use your data & legal bases

We use your data for:

  • Service delivery & support (fulfilling tasks, reservations, reminders, customer support) contract necessity.
  • YPersonalisation (recommendations you ask for) legitimate interests or consent where required.
  • Payments (processing payments to third-party providers) contract necessity; card data handled by processors.
  • Security & fraud prevention –Security & fraud prevention. Legitimate interests and legal obligation.
  • Compliance & record-keeping (DIFC obligations, requests from authorities where lawful) Legal obligation.
  • Product analytics (aggregated/limited use to improve reliability and UX) Legitimate interests or consent where cookies apply.
  • Special category items (if provided) Explicit consent and strict necessity to perform your request.


We do not sell personal data or use it for third-party advertising.

Cookies & similar tech

We use cookies for essential operations and, with your consent, for analytics. At present, users can review our Cookies & Consent Policy [https://www.letoapp.com/cookies-policy] for full details of the types of cookies in use. Essential cookies run regardless, while analytics and other optional cookies only run with explicit consent. A cookie banner and cookie settings dashboard are being deployed shortly to make these choices directly accessible from every page. Until then, users can contact us at privacy@letoapp.com to exercise their preferences or ask questions about cookies.

Sharing your data

We share only what’s necessary with:

  • Service providers/processors (e.g., cloud hosting, communications, scheduling, payment processors, support tools)
  • Third parties you ask us to engage (e.g., restaurants, delivery, travel).
  • Professional advisers (legal/technical) under confidentiality.
  • Authorities were legally required.
  • All processors are bound by contracts that require confidentiality, security, and processing only on our instructions.

Sharing with Third Parties

We only share personal data with third parties where it is necessary to deliver our services, comply with the law, or support our operations. Categories of sharing include:

  • Service ProvidersPurpose:
    - To execute user requests such as reservations, deliveries, or other task-related services.
    - Data Shared: Name, contact details, address, and task-specific information.
    -Example: Providing your name and reservation details to a restaurant or your address to a delivery partner.
  • Payment ProcessingPurpose:
    - To pay third-party service providers on your behalf through approved withdrawals.
    - Data Shared: Credit card details (processed securely), transaction details, and payment amounts.
    - Process: You pre-authorize withdrawals, which allows Leto App AI Services Ltd. to process payments directly to service providers.Safeguards: All payment activities are conducted through
    - PCI DSS-compliant gateways to ensure security.
  • Technology PartnersPurpose:
    - To enable essential functionalities such as communication, scheduling, and task coordination.
    - Data Shared: Limited data required for integration (e.g., task information, communication details).


All third parties are bound by contracts requiring them to:

  • Use your data only for the stated purpose
  • Maintain security measures equivalent to ours
  • Comply with DIFC Data Protection Law

International transfers

Our primary hosting is currently in the United States (AWS US-East) and elements of AI development/operations are performed in Colombia. These locations are outside the DIFC adequacy list in some cases.

To protect your data when transferred internationally, we:

  • Use approved safeguards under DIFC Law (e.g., Standard Contractual Clauses or equivalent contractual mechanisms).
  • Perform transfer risk assessments and vendor due diligence.
  • Limit access to the minimum necessary and apply encryption, access controls, and logging.Details of our key transfer safeguards are available on request.

Security

We apply organisational and technical safeguards, including:

  • Encryption in transit and at rest
  • Audit logging and monitoring
  • Role-based access (“least privilege”)
  • Secure development practices, code review, and vulnerability remediation
  • Vendor risk assessment and contractual controls
  • No system is risk-free; we regularly assess and improve our posture


In the event of a personal data breach likely to result in high risk to individuals, we will notify the DIFC Commissioner of Data Protection within 72 hours, and affected individuals without undue delay.

Retention

We keep personal data only as long as needed for the purposes above, then delete or anonymise it. Illustrative periods:

  • Active users: for the life of the account.
  • Task/booking records: for the period needed to support the transaction, disputes or compliance
  • Support tickets/logs: limited retention for troubleshooting and security.
  • Payments/finance records: per legal/tax requirements. Specific periods by category are available on request.

Your rights

You can access, rectify, erase, restrict, object, and request portability of your data. You can also withdraw consent at any time (this won’t affect processing already performed). 

You also have the right not to be subject to a decision based solely on automated processing, unless it is necessary for a contract, authorised by law, or based on your explicit consent.

  • We respond without undue delay and within one month (extendable by two months for complex requests).
  • Support tickets/logs: limited retention for troubleshooting and security.

Automated decision-making & AI

Our service uses AI to assist with recommendations and task preparation. Actions with legal, financial, or other significant impact are reviewed by a human before execution. Some low-risk suggestions may be generated automatically. You can request human review of any AI-generated output at any time via the service or support@letoapp.com.

Children

Our service is not intended for individuals under 18. We do not knowingly collect their data.

Changes to this Notice

We may update this Notice to reflect changes in law or our operations. We will notify you of material changes and indicate the effective date above.

Contact

If you have questions, requests, or complaints about this Notice or our data practices, you can contact us at:



We have appointed an external Data Protection Officer (DPO) to oversee our compliance with DIFC Data Protection Law



The DPO is your main point of contact for privacy and data protection matters, including exercising your rights under DIFC Law.

MembershipAbout LetoContactPrivacy PolicyCookies Policy