Privacy Policy

Effective date: [EFFECTIVE DATE]

Advanced Design Technologies Ltd. operates Onfly and is responsible for the processing of personal data described in this Privacy Policy.

1. Contact details

Advanced Design Technologies Ltd.
Innovation One, Level 3, DIFC
Dubai, United Arab Emirates

Email: hello@onfly.design

Privacy requests may be submitted by email or sent to our registered office.

2. Information we collect

We may collect:

Contact information

  • name;

  • email address;

  • company name;

  • role;

  • contact details.

Project information

  • brief answers;

  • project descriptions;

  • website requirements;

  • references and links;

  • uploaded text, images, logos and files;

  • correspondence and project instructions.

Transaction information

  • order number;

  • chosen payment plan;

  • payment status;

  • transaction identifiers;

  • billing country;

  • invoice and tax information.

Complete card details are processed by the payment provider and are not stored directly by Onfly.

Technical information

  • IP address;

  • browser and device information;

  • approximate location;

  • referral source;

  • UTM parameters;

  • pages and actions;

  • cookie identifiers;

  • error and security logs.

3. How we use personal data

We use personal data to:

  • save and process project briefs;

  • provide payment links;

  • perform and deliver projects;

  • send project and payment notifications;

  • recover an unfinished brief where requested;

  • provide customer support;

  • prevent fraud and abuse;

  • secure and improve the service;

  • measure website performance;

  • comply with accounting, tax and legal obligations;

  • establish or defend legal claims.

4. Legal bases

Depending on the circumstances, we process personal data because:

  • processing is necessary to take requested steps before a contract;

  • processing is necessary to perform a contract;

  • processing is required by law;

  • processing supports our legitimate business interests;

  • you have provided consent.

Where processing relies on consent, you may withdraw it at any time.
Withdrawal does not affect processing that occurred before consent was withdrawn.

5. Project reminders

When you provide an email address while preparing a brief, we may send:

  • a secure resume link;

  • a limited number of brief reminders;

  • payment reminders after submission;

  • essential project-status messages.

You may opt out of abandoned-brief reminders through the link provided in those emails.

Essential messages relating to an active order cannot always be disabled because they are necessary to perform the service.

6. Service providers

We may share relevant data with providers supporting the service, including:

  • Framer for website hosting;

  • Supabase for database and file infrastructure;

  • Stripe for payment processing;

  • Resend for transactional email;

  • Google Analytics or PostHog for analytics, where enabled;

  • Cloudflare for security and traffic protection;

  • Sentry or similar providers for error monitoring;

  • creative and AI-assisted production tools where necessary;

  • professional advisers, accountants and legal providers.

Each provider receives only the information reasonably required for its role.

7. International transfers

Our providers may process information in countries outside the DIFC or your country of residence.

Where required, we use recognised transfer mechanisms, contractual safeguards or providers located in jurisdictions recognised as offering adequate protection.

8. Data retention

We retain information only for as long as reasonably necessary.

Typical periods are:

  • unfinished brief information: up to 30 days;

  • completed project information and correspondence: up to 24 months after delivery;

  • payment, invoice and tax records: at least seven years where required;

  • security logs: up to 12 months;

  • analytics data: according to the configured analytics retention period;

  • backups: until replaced through the normal backup cycle.

Information may be retained longer where required for legal claims, fraud prevention or regulatory obligations.

9. Security

We use reasonable technical and organisational safeguards designed to protect personal data.
However, no online service can guarantee absolute security.

You should not send passwords, payment-card details or highly sensitive personal information through the project brief.

10. Your rights

Depending on applicable law, you may have the right to:

  • access your personal data;

  • correct inaccurate data;

  • request deletion;

  • restrict processing;

  • object to certain processing;

  • receive portable data;

  • withdraw consent;

  • complain to a data-protection authority.

Requests may be sent to hello@onfly.design.

We may need to verify your identity before completing a request.

You may also complain to the DIFC Commissioner of Data Protection or another competent authority in your country.

11. Automated processing

We do not use solely automated decision-making that produces legal or similarly significant effects.

Automation may be used to send reminders, update project statuses and support production.

12. Children

The service is not intended for people under 18.
We do not knowingly collect personal data from children.

13. Third-party websites

Our website may link to third-party services.
Their privacy practices are governed by their own policies.

14. Changes

We may update this Privacy Policy to reflect changes in the service, providers or applicable law.

The current version will be published on this page with its effective date.

15. Contact

Privacy questions and requests: hello@onfly.design

Postal address:
Advanced Design Technologies Ltd.
Innovation One, Level 3, DIFC
Dubai, United Arab Emirates