Privacy Policy
Last updated: 28 May 2026
Ask Horas (“Horas”, “we”, “us”) is a free fraud-detection service for UAE residents. This policy explains what data we collect, why we collect it, how long we keep it, and the rights you have over it.
Who runs this service
Horas is operated as an independent fraud-protection tool focused on UAE residents and visitors. For privacy inquiries, data-access requests, or to exercise any of the rights described below, use our contact form.
Channels where Horas operates
This policy applies to every way you can interact with Horas:
- The web chat at askhoras.ae and askhoras.com.
- Our official Telegram bot. Telegram messages are received via Telegram's servers and forwarded to Horas; Telegram's own privacy policy also applies to those messages.
What we collect
When you use Ask Horas, we collect:
- The content you submit for analysis (links, messages, phone numbers, emails, screenshots).
- Your IP address and the chain of forwarding proxies, plus reverse-DNS hostname and Autonomous System Number (ASN) associated with that IP.
- Coarse geographic information derived from your IP: country, region, city, postal code, timezone, and approximate coordinates.
- Whether your IP is on the public Tor exit-node list or known to be a datacenter/hosting-provider network (computed locally).
- Your preferred languages, browser and operating-system name and version, device type, and Chrome Client Hints (when sent).
- Standard request headers your browser sends automatically — preferred languages and encoding, your “Do Not Track” and Global Privacy Control settings, the page that referred you (if any), and a per-request identifier.
- A coarse TLS-handshake fingerprint (JA4 digest) and continent code provided by our hosting layer, used to flag automation and obvious geographic anomalies.
- Browser-side context that you provide on first load: timezone, viewport and full screen geometry (including available area and orientation), device pixel ratio, hardware concurrency, device memory, network connection type, accessibility preferences (prefers-color-scheme, prefers-reduced-motion, prefers-contrast), and a hash of a small canvas/WebGL drawing as a stability signal.
- Browser self-reports useful for distinguishing real devices from automation: navigator.webdriver (the standard automation flag), maximum touch points, vendor and platform strings, plugin count, and your storage estimate (used as an incognito-mode signal — we do not access actual stored data).
- Permission states for notifications, geolocation, camera, and microphone — only the state (granted/denied/prompt). We never request these permissions.
- Behavioral metadata per submission: whether the text was pasted versus typed, time since the previous submission, whether the chat tab was focused.
- A first-party cookie (horas_cfp) carrying a random UUID, used solely to recognise repeat visits over a 30-day window. You can clear it from your browser at any time.
We do not use third-party fingerprinting services, advertising trackers, analytics platforms, or commercial data brokers. We do not share any of this information with advertisers. The canvas and WebGL hashes are stored in our own database for fraud-pattern analysis and are never transmitted to external services. Beyond the single horas_cfp cookie above, we do not set any non-essential cookies, which is why you will not see a cookie-consent banner.
How we use it
Submitted content is analysed by AI to generate fraud risk assessments. Session metadata (IP, coarse geographic location, ASN, browser, device type) is used for security, rate limiting, abuse and bot detection, and to improve fraud-detection accuracy by identifying campaign patterns — many scams target many people at once, so being able to correlate signals across sessions helps us spot a campaign earlier. We never use this data for advertising or share it with advertisers.
Legal bases for processing
For users in the UAE, we process your personal data under UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law, “PDPL”), relying on the lawful basis of necessity for fraud prevention, security, and the legitimate purpose of protecting users from scams.
For users in the European Union or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Legitimate interest (Article 6(1)(f)) for the collection of session metadata and browser fingerprint data — the legitimate interest is to protect you and other users from fraud, abuse, and automated attacks. We have weighed this against your privacy interests and limited the data we collect to what is necessary for that purpose.
- Performance of a service you requested (Article 6(1)(b)) for processing the content you submit for fraud analysis — we cannot generate a risk assessment without it.
- Consent (Article 6(1)(a)) where required, for example when you upload a screenshot containing third-party information.
Data retention
We retain different categories of data for different periods:
- Submission content and chat messages: up to 24 months, then deleted or anonymised. We may keep summary risk classifications longer to refine the fraud knowledge base.
- Session metadata (IP, browser, device, geographic coarse-location): up to 12 months, then aggregated or deleted.
- Fraud-knowledge-base entries derived from a submission (e.g. “this phone number is a known scammer”): retained indefinitely as anonymised reference data, with no link back to your session.
- Test sessions and analyst-archived sessions: may be deleted sooner during routine cleanup.
You can request earlier deletion at any time (see “Your rights” below).
Your rights
Under UAE PDPL, and under GDPR / UK GDPR where applicable, you have the right to:
- Access the personal data we hold about you.
- Correct data that is inaccurate or incomplete.
- Erase your data (“right to be forgotten”) where there is no legal basis for us to keep it.
- Restrict how we process your data in certain cases.
- Object to processing based on legitimate interest, including by asking us to stop processing your fingerprint data for fraud detection.
- Withdraw consent at any time where we relied on consent.
- Data portability for data you provided directly to us.
- Lodge a complaint with the UAE Data Office, or with the data protection authority in your jurisdiction (e.g. your local DPA in the EU).
To exercise any of these rights, use our contact form. We will respond within 30 days. If you contact us via the chat, please include enough detail for us to identify your data (the approximate date of your session and the type of content you submitted is usually sufficient).
Third parties we share data with
We rely on the following processors to operate the service:
- AI providers (OpenAI and Anthropic): submitted content is sent to them solely for the purpose of generating the fraud risk assessment. They process the content under their own privacy terms and do not train models on Horas submissions.
- Supabase: hosts our database (sessions, messages, knowledge base).
- Vercel: hosts the web application and serverless functions.
- Tavily: when a domain, sender, or phone number we don't recognise is part of a submission, we may send the bare domain or phone-number string to a public web-search service to verify whether it's a real, well-known entity. We never send personal content (the message body, your IP, or anything tied to your session) to the search service.
- Telegram: only for users who interact via the Telegram bot channel.
International transfers
Our hosting providers (Supabase, Vercel) and AI providers (OpenAI, Anthropic) operate data centres outside the UAE, including in the European Union and the United States. Where data is transferred outside its country of origin, we rely on the appropriate legal safeguards required by UAE PDPL and, for EU / UK users, on Standard Contractual Clauses or adequacy decisions as published by the European Commission.
Security
We use industry-standard measures to protect your data: encryption in transit (HTTPS), encryption at rest at the database layer, role-based access controls on the admin portal, row-level security on sensitive tables, and audit logging of administrative actions. No system is perfectly secure; we will notify users of any incident that materially affects their data, as required by UAE PDPL.
Children
Horas is intended for users aged 18 and over. We do not knowingly collect data from children. If you believe a child has used the service, contact us and we will delete the associated data.
Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be flagged at the top of the page for at least 30 days after they take effect.
Contact
For privacy inquiries, data-access requests, or any other question about how we handle your data, use our contact form.
