Skip to main content
NOLCARD/AED
+971 4 308 7700

Privacy policy.

Last updated: 2 May 2026

1. Who we are

This privacy policy applies to nolcardaed.my, operated by NOLCARD/AED Top-up — an independent online service for refilling Dubai public-transport nol cards. We are not part of any government transport authority. Postal address: PO Box 47, 2 12th Street, Al Karama, Dubai, UAE.

2. Data we collect

  • nol card number — used to send the top-up request to the processing partner. We never persist the number after the order is closed.
  • email address (taken on the call-back step) — used to deliver the receipt and any follow-up support replies. Stored for the legally required retention period of 5 years for VAT purposes.
  • amount and payment status — kept for accounting and refund eligibility checks.
  • technical data — IP address, user agent and a session cookie. Used only for fraud prevention and to keep the form session intact.

We do not collect names, dates of birth, ID numbers, biometrics, location data, or anything about other family members or vehicles.

3. Card data

Card numbers, CVV, expiry dates and 3-D Secure codes are entered directly on the bank gateway and never touch our servers. The bank returns only a tokenised reference to the order.

4. Sharing

Personal data is shared only with: the acquiring bank, the email-delivery provider and the accounting/tax authorities when legally required. We do not sell or rent any data, and we do not run advertising trackers or behavioural profiling.

5. Your rights

You can ask us at any time to confirm what data we hold about you, correct it, delete it (subject to legal retention rules), or export it in a machine-readable format. The Data Protection Officer aims to acknowledge requests within 5 business days and respond in full within 30 calendar days, in line with the General Data Protection Regulation and applicable UAE data-protection law.

  • Right of access — copy of the data we hold and the source it came from.
  • Right of rectification — correct an inaccurate email or order detail.
  • Right of erasure — delete data once VAT-retention windows have closed.
  • Right to data portability — receive a JSON export of your records.
  • Right to lodge a complaint with the relevant supervisory authority.

6. Cookies

One strictly necessary session cookie (form integrity), one preference cookie (language toggle), one consent cookie. No analytics, no remarketing, no third-party scripts. See the cookies policy for details.

7. Data Protection Officer

For privacy-specific enquiries write to noreply@nolcardaed.my with subject «DPO». The DPO oversees data-subject requests, security incidents and the annual record of processing activities.

8. Security & breach notification

Personal data is encrypted in transit using TLS 1.2 or higher and at rest with AES-256 column-level encryption. Access to the production database is limited to two engineers and is logged. In the unlikely event of a personal-data breach affecting our records we will notify affected users by email within 72 hours and publish a public note on this page describing the scope and remediation steps.

9. International transfers

The hosting infrastructure is located in the European Union. The bank gateway and the email-delivery provider keep customer data on servers in the European Economic Area, with onward transfers governed by Standard Contractual Clauses.

10. Children

This service is intended for adults. We do not knowingly collect data from anyone under 16. If you believe a minor has used the form, write to the DPO and the records will be removed.

11. Changes

If this policy changes materially, the date at the top is updated and a notice is shown on the home page for 14 days. Old versions can be requested at support@nolcardaed.my.