Privacy Policy
Pocket Trainer F&B Services LLC
Effective date: 6 May 2026
1. About this policy
Welcome to the PocketTrainer Privacy Policy. Pocket Trainer F&B Services LLC, trading as PocketTrainer, is committed to protecting the personal information of clients and their staff members who visit our website at pockettrainer.app and use our software platform (together, the Platform).
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have. Please read it carefully. By accessing or using our Platform, you confirm that you accept the practices described here.
If you are a staff member using the Platform as a condition of your employment, please raise any concerns about this Policy with your employer. If you have questions, contact us at tech@pockettrainer.app.
2. Who we are
Pocket Trainer F&B Services LLC is incorporated and registered in the United Arab Emirates (company registration number 2111811.01), with registered address at Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, UAE.
We are the data controller for the purposes of this Privacy Policy. You can contact us regarding any data protection matter at:
- Email: tech@pockettrainer.app
- General enquiries: talktous@pockettrainer.app
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing compliance with this Policy, handling data subject requests, and acting as the point of contact for supervisory authorities. All data protection enquiries should be directed to tech@pockettrainer.app.
3. Who this policy applies to
This Policy applies to:
- Businesses: organisations that have entered into a commercial agreement with PocketTrainer to access our Platform (also referred to as Customers or Clients).
- Staff Members: individual employees or contractors of a Business who have been given access to the Platform as part of their role.
- Website visitors: any person visiting pockettrainer.app.
Certain Staff Members are designated as Admin Users with elevated account permissions. All Users are subject to this Policy.
4. What personal data we collect and why
4.1 Data you provide to us
When you or your employer creates an account or uses our Platform, we may collect:
- Account information: full name, email address, date of birth, employee ID, job position, department, and assigned location(s).
- Profile data: starting date, control settings, training assignments, documents uploaded by the user or admin, and notes left by managers.
- Communications: any correspondence you send to us directly.
- Marketing preferences: consent choices and communication preferences you have provided.
4.2 Data we collect automatically
When you visit our website or use our Platform, we may collect:
- Usage data: number of platform sessions, course attempts and completions, quiz attempts and completions, videos and documents opened, live training attendance records, and whether a course completion certificate was issued.
- Technical data: IP address, browser type and version, device type, operating system, and approximate location derived from IP address.
- Tracking data: where you have given consent via our cookie banner, data collected through analytics and advertising tools including Google Analytics, the LinkedIn Insight Tag, and the Meta Pixel (Facebook / Instagram). This may include pages visited, time on site, referral source, and behavioural data used for retargeting and lookalike audience creation on LinkedIn and Meta platforms.
4.3 AI-powered features
Our Platform includes optional AI-powered features, currently limited to automated quiz generation based on content hosted on the Platform. This feature is off by default and must be actively enabled by your organisation. When enabled, relevant training content may be securely transmitted to OpenAI through an encrypted API connection for processing.
OpenAI processes this content solely to generate quiz output in response to your request. By default, OpenAI does not use your organisation's content to train its models. No human at PocketTrainer or OpenAI routinely reviews your content. In very limited circumstances, OpenAI may temporarily access data to investigate abuse or security issues.
We do not send personal profile data to OpenAI. Inputs and outputs are handled automatically and are not retained by OpenAI beyond a limited period of up to 30 days for misuse and abuse monitoring purposes, after which they are deleted.
If your organisation chooses not to enable AI features, no content will be transmitted to OpenAI. As we introduce additional AI features in future, this Policy will be updated to reflect any changes to data processing activities.
4.4 Sensitive data
We do not intentionally collect special category data (such as health, biometric, or criminal records data). However, we note that manager notes left on staff profiles may occasionally contain performance or conduct-related information. Managers are responsible for ensuring any such notes comply with their own internal HR policies and applicable employment law. PocketTrainer is not responsible for the content of manager notes.
5. Legal basis for processing
We only process your personal data where we have a lawful basis to do so. The bases we rely on are:
- Contract performance: processing necessary to deliver our Platform and services to you or your employer, including account management, billing, and platform access.
- Consent: where you have actively opted in, including for website analytics cookies, advertising and retargeting tracking, and marketing communications. You may withdraw consent at any time (see Section 11).
- Legitimate interests: where processing is necessary for our legitimate business interests, including platform security, fraud prevention, audit logging, product improvement, and the maintenance of our certifications and compliance obligations, provided those interests are not overridden by your rights.
- Legal obligation: where processing is required to comply with applicable law or regulatory requirements.
5.1 Notice to California residents (CCPA / CPRA)
This section supplements the rest of this Policy and applies to residents of California whose personal information we process. It is provided to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (together, CCPA).
Categories of personal information collected in the last 12 months. Using the categories defined in Cal. Civ. Code §1798.140, we collect:
- Identifiers — name, email address, employee ID, IP address, device identifiers.
- Customer records information (Cal. Civ. Code §1798.80(e)) — job title, department, work location, date of birth where provided by an employer.
- Commercial information — subscription and billing records between PocketTrainer and the contracting Business.
- Internet or other electronic network activity information — pages visited, time on site, referral source, device and browser metadata, interactions with the Platform.
- Geolocation data — approximate (city-level) location derived from IP address. We do not collect precise geolocation.
- Professional or employment-related information — role, training assignments, course progress, manager notes where provided by an employer.
- Inferences — limited inferences drawn from the above to measure advertising performance where marketing consent has been granted.
We do not process sensitive personal information within the meaning of Cal. Civ. Code §1798.140(ae), and we do not use or disclose any information for the purpose of inferring characteristics about a consumer. As a result, we have no sensitive personal information to sell, share, or subject to a right-to-limit request.
Sources, purposes, and recipients are described in Sections 4, 5, and 8 of this Policy and apply equally to California residents.
Sale and sharing of personal information. We do not sell personal information for monetary consideration. We do share personal information for cross-context behavioural advertising, as that term is defined in Cal. Civ. Code §1798.140(ah), but only where a California resident has granted marketing consent via our cookie banner: specifically, we share online identifiers and internet activity information with LinkedIn via the LinkedIn Insight Tag and with Meta Platforms via the Meta Pixel. We do not share the personal information of consumers we know to be under 16.
Retention. We retain each category of personal information for the periods described in Section 10.
Your California privacy rights. If you are a California resident, you have the right to:
- know what personal information we have collected about you;
- request a copy of your personal information in a portable format;
- request correction of inaccurate personal information;
- request deletion of your personal information, subject to statutory exceptions;
- opt out of the sharing of your personal information for cross-context behavioural advertising;
- limit the use of sensitive personal information (not applicable — we do not use sensitive personal information for purposes beyond those permitted without a limit request);
- be free from retaliation or discrimination for exercising any of these rights.
How to exercise your rights. To exercise your right to know, delete, correct, or opt out, email tech@pockettrainer.app with the subject line "California Privacy Request". We will verify your identity by matching the details of your request against information we already hold. You may also designate an authorised agent to submit a request on your behalf by providing the agent with written, signed permission and, where required, verifying your own identity directly with us.
Opt-out of sharing for advertising. You can opt out of sharing at any time by (a) selecting "Reject all" or disabling the "Marketing & advertising" category in our cookie banner or cookie settings link, or (b) sending a Global Privacy Control (GPC) signal from your browser. We treat a verified GPC signal as a valid opt-out of sharing for the browser and device on which it is received, in accordance with Cal. Code Regs. tit. 11, §7025.
Non-discrimination. We will not deny you service, charge you a different price, or provide a different level of quality because you exercised a CCPA right.
Contact. For any California privacy enquiry, contact tech@pockettrainer.app.
6. Cookies and tracking technologies
We use cookies and similar tracking technologies on our website. These are small files stored on your device that help us understand how visitors use our site and enable us to show relevant advertising.
We operate a cookie consent banner on our website. No cookies and no personalised or identifier-based tracking — including the LinkedIn Insight Tag and the Meta Pixel — will run until you have given consent. Google Analytics operates under Google Consent Mode v2: by default it sends only identifier-free measurement pings (no cookies, no client ID, no cross-session linking) so we can count aggregate page views. Cookies and full analytics tracking only begin if you grant analytics consent, and you can withdraw at any time via the cookie settings link in the footer of our website.
The categories of cookies we use are:
- Strictly necessary cookies: essential for the website to function. These do not require consent.
- Analytics cookies: used to understand how visitors interact with our website (e.g. Google Analytics). Requires consent.
- Marketing and advertising cookies: used to track visitors across websites to enable retargeting and lookalike audience advertising on LinkedIn (via the LinkedIn Insight Tag) and on Meta platforms — Facebook and Instagram — (via the Meta Pixel). Requires consent.
Where you consent to marketing cookies, data collected may include your IP address, browser type, device information, pages visited, and behavioural signals. This data is shared with LinkedIn and Meta to build custom and lookalike audiences and to measure campaign performance. You can withdraw consent at any time by adjusting your cookie preferences.
Your cookie choice is stored locally in your browser (in localStorage) as a small JSON record containing your preference, a version tag, and a timestamp. We do not maintain a central server-side log of marketing-website cookie consent; your choice persists only on the device and browser where you made it, and you may be prompted again if you clear site data, switch browsers, or after 12 months.
When you withdraw consent, we stop further data collection from our origin immediately. However, cookies previously set by third parties (e.g. on linkedin.com) remain on your device until they naturally expire or you clear them via your browser settings — we are technically unable to delete cookies scoped to another party's domain.
7. Platform in-app marketing communications consent
This section applies only to logged-in users of the Pocket Trainer Platform. For cookie consent on this marketing website, see Section 6.
If you are a Platform user, we may wish to send you marketing communications about PocketTrainer products, features, and updates. We will only do so if you have given us explicit, separately obtained consent through the opt-in screen presented on first login (and to existing users at their next login following the introduction of this mechanism).
Your consent to marketing communications is entirely separate from your acceptance of these Terms and Conditions. You are not required to opt in to marketing in order to use the Platform.
Every marketing communication we send will include a clear and functional unsubscribe mechanism. You may withdraw your consent at any time by clicking unsubscribe in any email or by contacting tech@pockettrainer.app. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.
We store your consent choice, including a timestamp and user ID, in a retrievable and auditable format.
8. How we share your personal data
We do not sell your personal data. We may share it in the following circumstances:
- Within PocketTrainer: with our staff, contractors, and advisors who need access to provide our services, on a need-to-know basis.
- Service providers: with third-party providers who process data on our behalf, including cloud infrastructure (Amazon Web Services), email services (AWS SES), authentication services (AWS Cognito), push notification services (Firebase), marketing and CRM tools (HubSpot, Buffer), scheduling tools (Calendly, loaded only when you open the booking widget), customer-support chat (Tawk.to, Inc., US-hosted, loaded only when you open the chat widget), static-site delivery, edge caching, and DDoS protection (Cloudflare, Inc.), web analytics (Google LLC, via Google Analytics — see Section 6 for the consent model and Consent Mode v2 details), and AI processing (OpenAI). All providers are subject to data processing agreements and are not permitted to use your data for their own purposes.
- Advertising platforms: where you have consented to marketing cookies, limited data is shared with LinkedIn (LinkedIn Ireland Unlimited Company / LinkedIn Corporation) via the LinkedIn Insight Tag and with Meta (Meta Platforms Ireland Limited / Meta Platforms, Inc.) via the Meta Pixel, for the retargeting and campaign-measurement purposes described in Section 6. We do not share personal data with Google for advertising purposes (our use of Google is limited to Google Analytics for measurement).
- Business transfers: in connection with any merger, acquisition, restructuring, or sale of assets, your data may be transferred to the relevant successor entity.
- Legal requirements: where disclosure is required by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of PocketTrainer, our users, or the public.
9. International data transfers
PocketTrainer is headquartered in the UAE and serves clients globally, including across the European Union, the United Kingdom, the United States, and Asia.
Our production data is currently stored on Amazon Web Services infrastructure located in the United States (us-east-1 region). AWS processes personal data on our behalf under the AWS GDPR Data Processing Addendum, which incorporates Standard Contractual Clauses as the transfer mechanism for personal data transferred from the European Economic Area to the United States. This provides an appropriate level of protection for your data in accordance with applicable data protection law.
We are in the process of migrating our data infrastructure to an EU-based AWS region as part of our GDPR compliance programme. Once completed, personal data relating to EU users will be stored within the European Economic Area. This Policy will be updated to reflect that change.
Where we transfer personal data to other third-party providers outside the EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
10. How long we keep your data
We retain personal data only for as long as necessary for the purposes set out in this Policy. Our standard retention periods are:
- Active account data: retained for the duration of the active contract between PocketTrainer and the relevant Business.
- Data following contract termination: deleted within 30 days of contract end or account closure, unless we are required by law to retain it for longer.
- Financial and transaction records: retained for a minimum of 7 years for tax, audit, and accounting purposes as required by UAE law. This includes the amount of each transaction, what it related to, and who we transacted with.
- Soft-deleted staff profiles: retained in the deleted folder until permanently deleted by an admin, after which all associated personal data is removed.
- Marketing consent records: retained for 3 years from the date of withdrawal of consent, to demonstrate compliance.
- Website analytics data: retained for up to 14 months in accordance with our Google Analytics 4 retention setting. If you would like this figure confirmed in writing, contact tech@pockettrainer.app.
- Legal and compliance records: retained for as long as required by applicable law or our regulatory obligations.
- Statistical data: where we retain data for statistical purposes, it will always be anonymised so that no individual is identifiable from that information.
Users can download the following directly from the Platform at any time while their account is active: training attendance certificates, course completion certificates, and documents stored in their profile document section that have been marked as public by either the user or an admin. Private documents are accessible only to the uploader. PocketTrainer does not retain any of these files following account deletion.
11. Security of your personal data
We are committed to protecting your personal data and implement appropriate technical and organisational measures. These include encryption of data in transit using TLS 1.2, role-based access controls and least-privilege principles, regular vulnerability assessments and penetration testing by independent third parties, and secure development and change management procedures.
Despite these measures, no internet transmission is completely secure. You acknowledge that any transmission of data to us over the internet is at your own risk, and we cannot guarantee absolute security.
12. Your rights
Depending on where you are located, you may have the following rights in relation to your personal data:
- Right of access: to request a copy of the personal data we hold about you.
- Right to rectification: to request correction of inaccurate or incomplete data.
- Right to erasure: to request deletion of your personal data in certain circumstances.
- Right to restriction: to request that we limit the processing of your data in certain circumstances.
- Right to data portability: to receive your data in a structured, commonly used format.
- Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
If you are located in the European Economic Area or the United Kingdom, you have these rights under the General Data Protection Regulation (GDPR) and applicable national implementing legislation, and we will honour them regardless of where your data is processed.
To exercise any of these rights, contact us at tech@pockettrainer.app. We will respond without undue delay and within one month of receipt of your request. Where a request is particularly complex or where we have received a number of requests from you, we may extend this period by up to two further months and will inform you of any such extension within the first month, together with the reasons. We reserve the right to charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive.
You also have the right to lodge a complaint with your local data protection supervisory authority. For EU users, this is the data protection authority in your country of residence.
13. Data breach procedure
In the event of a personal data breach, we follow a structured incident response process: identifying and containing the breach, assessing the scope and affected data, notifying relevant supervisory authorities where required within 72 hours of becoming aware, and communicating transparently with affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
We maintain an incident log and conduct root cause analysis to prevent recurrence.
14. Age restrictions
Our Platform is intended for professional use by individuals aged 16 and above. If you are under 16, please do not use our Platform or submit personal data to us.
Where staff members aged 16 or 17 are registered by their employer (for example, as part of a student work programme or seasonal role), the employer is responsible for ensuring compliance with applicable labour and data protection laws in their jurisdiction. If we become aware that we have collected personal information from a person under 16 without appropriate employer oversight, we will delete that information promptly. If you believe we have collected such data, please contact us immediately at tech@pockettrainer.app.
15. Third-party links
Our Platform may contain links to third-party websites. This Privacy Policy applies only to data processed by PocketTrainer. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before submitting any personal data.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. We will notify you of material changes via the Platform or by email. The current version is always available at pockettrainer.app/privacy-policy. Continued use of the Platform following notification of changes constitutes acceptance of the updated Policy.
17. Governing law and jurisdiction
This Privacy Policy is governed by and interpreted in accordance with the laws of the United Arab Emirates. All disputes arising in connection with this Policy are subject to the exclusive jurisdiction of the courts of the Dubai International Financial Centre (DIFC).
Notwithstanding the above, if you are located in the European Economic Area or the United Kingdom, you retain all rights afforded to you under the GDPR and applicable national data protection legislation, and nothing in this clause affects your ability to raise a complaint with your local supervisory authority.
18. Contact us
If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact:
Data Protection Contact
Pocket Trainer F&B Services LLC
Shams Business Center, Sharjah Media City Free Zone, Al Messaned,
Sharjah, UAE
Email: tech@pockettrainer.app
General: talktous@pockettrainer.app
If you are not satisfied with our response, you have the right to escalate your complaint to the relevant supervisory authority in your jurisdiction.