
Privacy Policy

v1.0.0 · Effective: 13 May 2026

This Privacy Policy describes how Alnawat Alshabiah Establishment (Commercial Registration No. 7054335406), the operator of the Aqarflow property-management platform, collects, uses, shares, and protects personal data. It is designed to comply with the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL, Royal Decree M/19) and its Implementing Regulations, and forms part of the agreement between us and our Subscribers (as defined in the Terms of Service).

  1. Introduction

    Alnawat Alshabiah Establishment, a sole-proprietor establishment registered in the Kingdom of Saudi Arabia under Commercial Registration No. 7054335406 with its registered office at Office 5, 5105 Habib ibn Modaher Street, Al Muhammadiyah District, Dammam 32433, Kingdom of Saudi Arabia (referred to in this Policy as "we", "us", "our", or "the Provider"), operates the Aqarflow platform.

    This Policy applies to all personal data we process in connection with the Service, whether collected from our Subscribers (the businesses that register accounts) or from End Users (the natural persons whose data Subscribers upload, such as tenants, property owners, and staff).

    By using the Service, you acknowledge that you have read this Policy. Where we rely on consent as our legal basis for processing, we ask for it separately and you may withdraw it at any time. Where another legal basis applies (such as the performance of a contract or compliance with a legal obligation), we will note it in the relevant section below.

  2. Definitions

    Terms used in this Policy carry the meanings assigned to them in Article 1 of the PDPL. In particular:

    "Personal Data" means any data, of any form, that identifies an individual or could lead to identifying them, directly or indirectly, including without limitation name, national identification number, address, contact details, identifying numbers, image and visual records, and any data that would lead to knowing the individual's identity.

    "Sensitive Personal Data" means personal data that reveals racial or ethnic origin, religious, intellectual, or political belief, indicates membership in non-governmental associations or unions, criminal and security data, biometric or genetic data, health data, or data that indicates the identity of a natural person of unknown origin.

    "Processing" means any operation performed on Personal Data, including collection, recording, storage, access, organisation, alteration, retrieval, use, disclosure, transmission, publication, transfer, blocking, deletion, or destruction.

    "Controller" means any public or private entity that decides the purpose and means of processing Personal Data, whether processed by it or by another party on its behalf.

    "Processor" means any public or private entity that processes Personal Data on behalf of and for the benefit of the Controller.

    "Data Subject" means the natural person whose Personal Data is the subject of processing.

  3. Personal Data We Collect

    We collect Personal Data from three sources: directly from Subscribers when they register and use the Service, indirectly from Subscribers when they upload data about End Users, and automatically as part of operating the Service.

    3.1 From Subscribers

      When a Subscriber registers an account or uses the Service, we collect: full name; email address; mobile phone number; password (stored only as a salted cryptographic hash, never in plain text); the organisation name and Commercial Registration number provided by the Subscriber; billing details (cardholder name, billing address, and a tokenised reference to the payment method — we do not store full card numbers); job role; and preferences (language, theme, notification settings).

    3.2 About End Users

      When a Subscriber uses the Service, the Subscriber uploads Personal Data about End Users: tenant names, contact details, national identification or commercial registration numbers, copies of identifying documents, lease contracts, payment history, and other property-related information. The Subscriber is the Controller of this Personal Data; we are the Processor acting on the Subscriber's instructions.

    3.3 Automatically

      When you use the Service, we automatically collect: IP address; user-agent string (browser type, operating system, device type); pages and features accessed and the time of access; session identifiers (essential cookies); and security-relevant events (login attempts, password resets, sensitive operations). We do not use third-party advertising tracking on the Service.

  4. How We Use Personal Data

    We use Personal Data for the following purposes only: (a) to provide, operate, and maintain the Service; (b) to authenticate users, manage accounts, and apply role-based access controls; (c) to invoice Subscribers, process payments, and meet our obligations under the Zakat, Tax and Customs Authority (ZATCA) e-invoicing framework; (d) to communicate with Subscribers about service status, security notices, billing, and support requests; (e) to detect, investigate, and prevent fraud, abuse, and security incidents; (f) to improve the Service, including aggregating usage data into non-identifying analytics; (g) to comply with legal and regulatory obligations, including responding to lawful requests from competent authorities; and (h) where we have separately obtained consent, to send marketing communications.

    We do not use Personal Data to make decisions about End Users by automated means alone that have legal or similarly significant effects on them.

  5. Legal Bases for Processing

    Under Article 4 of the PDPL, we rely on the following legal bases for processing Personal Data:

    Performance of a contract — the primary basis for processing Subscriber data necessary to deliver the Service that the Subscriber has agreed to under our Terms of Service. Where End-User data is processed for the operation of the Subscriber's workspace, the Subscriber as Controller has its own contractual or other lawful basis with its End Users.

    Compliance with a legal obligation — for issuing ZATCA-compliant tax invoices, responding to lawful requests from regulatory or law-enforcement authorities, and retaining records to the extent required by Saudi law.

    Legitimate interests of the Controller — for ensuring the security and integrity of the Service, investigating misuse, and improving the Service. We balance our legitimate interests against the rights of Data Subjects before relying on this basis.

    Consent — for sending marketing communications and for any optional analytics that go beyond the essential operation of the Service. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

  6. Our Role and the Subscriber’s Role

    For Personal Data of the Subscriber's own employees and account contacts, the Subscriber and the Provider are each independent Controllers — each determining the purposes and means of processing within its own scope.

    For Personal Data of End Users that the Subscriber uploads to its Workspace (such as tenants, property owners, vendors, and the Subscriber's staff at the property level), the Subscriber is the sole Controller and the Provider is the Processor acting on the Subscriber's documented instructions. Our Terms of Service include the data-processing terms that govern this relationship.

    End Users who wish to exercise their PDPL rights with respect to data uploaded by a Subscriber should contact the Subscriber directly. We will refer such requests to the Subscriber and assist the Subscriber, on reasonable request, with responding.

  7. Sharing with Third Parties

    We share Personal Data only with the following categories of recipients, and only as necessary for the purposes described above:

    Sub-processors — third-party service providers we engage to operate the Service, under written contracts that bind them to confidentiality and to PDPL-aligned processing terms. Current categories include: cloud-infrastructure providers (Oracle Cloud Infrastructure as our primary host, with secondary providers as required for resilience); transactional-email services for system notifications; payment processors (for example, regulated Saudi payment service providers we use to charge Subscription Fees); the ZATCA Fatoora e-invoicing platform; and operational support tools such as customer-support ticketing.

    Saudi regulatory and law-enforcement authorities — where required by Saudi law, court order, or regulatory request, including disclosures to the Saudi Data and Artificial Intelligence Authority (SDAIA), the Zakat, Tax and Customs Authority (ZATCA), and the Communications, Space and Technology Commission (CST).

    Successors in interest — in connection with a merger, acquisition, financing, sale of business assets, or insolvency, in which case we will require the successor to honour this Policy or notify Subscribers and Data Subjects of any change.

    We do not sell Personal Data to any third party, and we do not use Personal Data for any advertising or marketing on behalf of any third party.

  8. International Data Transfers

    We aim to host and process Personal Data within the Kingdom of Saudi Arabia. Where it is necessary to transfer Personal Data outside Saudi Arabia for the operation of the Service (for example, to a cloud-provider region outside KSA, to a transactional-email provider, or to a payment processor with international processing nodes), we will only do so on the lawful bases permitted by Articles 29 and 30 of the PDPL and the cross-border transfer rules issued by the National Data Governance Platform (NDGP).

    Such transfers are subject to one or more of the following safeguards: (a) the destination country has been assessed by SDAIA as offering an adequate level of protection; (b) Standard Contractual Clauses approved by SDAIA are in place with the recipient; (c) Binding Corporate Rules apply; or (d) the Data Subject has given explicit consent.

    Subscribers may request a current list of cross-border transfers and the safeguards in place by contacting the Data Protection Officer at the address in section 17.

  9. Cookies and Similar Technologies

    We use cookies and similar technologies (local storage, session storage) for three purposes only:

    Essential cookies — strictly necessary to operate the Service, including authentication session cookies, CSRF protection tokens, and load-balancing identifiers. These cannot be disabled without breaking the Service.

    Preference cookies — to remember the user's locale (Arabic or English) and theme (light or dark). The user can clear these at any time via the browser settings.

    Analytics cookies — at present, the Service uses only first-party analytics necessary to monitor service health and to detect security events. We do not currently use third-party advertising or cross-site tracking cookies. If we introduce optional analytics in the future, we will request consent and provide an opt-out before they are activated.

  10. Data Retention

    We retain Personal Data only for as long as necessary for the purposes for which it was collected:

    Subscriber account data — for the duration of the subscription. After termination, we retain account data for thirty (30) days to allow the Subscriber to export it, after which active-system data is deleted. Backups may retain copies for up to ninety (90) days from active-system deletion before being purged.

    End-User data uploaded by a Subscriber — under the Subscriber's instructions. When the Subscriber's account is terminated and the export window has expired, the corresponding End-User data is deleted under the same schedule as the Subscriber account data.

    Billing and tax records — retained for the period required by Saudi tax and commercial law (currently a minimum of ten (10) years for tax and commercial records).

    Security and audit logs — retained for up to two (2) years to support incident investigation, then purged or anonymised.

    Where a legal hold applies (litigation, regulatory investigation, or specific statutory retention requirement), the data subject to the hold is retained for the duration of the hold notwithstanding the above schedules.

  11. Data Security

    We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include: encryption in transit (Transport Layer Security 1.2 or higher) for all client-server communication; encryption at rest for our primary database; role-based access controls and the principle of least privilege; multi-factor authentication for administrative access; structured audit logging of sensitive operations; segregation of test, staging, and production environments; routine vulnerability management and patching; backup and disaster-recovery procedures; and incident-response procedures aligned with PDPL Article 27 breach-notification obligations.

    No system can guarantee absolute security. We engage in continuous improvement of our security posture and we will notify affected Data Subjects and SDAIA in the event of a Personal Data breach where required by law, as described in section 13 below.

  12. Your Rights Under PDPL

    As a Data Subject, you have the following rights under the PDPL with respect to your Personal Data, subject to the limitations and exceptions provided by law:

    Right of access — to be informed about whether we process your Personal Data and, if so, to obtain a copy and information about the processing.

    Right of correction — to request correction of inaccurate, incomplete, or out-of-date Personal Data.

    Right of deletion — to request deletion of your Personal Data where it is no longer needed for the purposes for which it was collected, where consent has been withdrawn, or where the processing is unlawful.

    Right of restriction — to request that we restrict processing of your Personal Data in certain circumstances.

    Right of objection — to object to processing based on our legitimate interests, on grounds relating to your particular situation.

    Right of portability — to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible.

    Right to withdraw consent — where we rely on consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

    Right to be informed — to be informed about the legal basis and purpose of processing, the categories of recipients, retention periods, and your rights.

    Right to lodge a complaint — to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) through the National Data Governance Platform if you believe that our processing infringes the PDPL.

  13. How to Exercise Your Rights

    To exercise any of the rights described in section 11, please contact the Data Protection Officer at [email protected], identifying yourself and the right you wish to exercise. We may ask you for additional information to verify your identity before responding, in order to protect against fraudulent requests.

    We will respond to your request without undue delay and in any event within thirty (30) days of receiving a verified request, in line with PDPL Article 27. Where the request is complex, we may extend this period by a further thirty (30) days and will inform you of the extension and the reasons for it.

    End Users whose data was uploaded to the Service by a Subscriber should, as a first step, contact the Subscriber directly. The Subscriber, as Controller of that data, is primarily responsible for responding to End-User requests. We will refer requests we receive directly to the appropriate Subscriber.

  14. Personal Data Breach Notification

    If we become aware of a Personal Data breach (whether confidentiality, integrity, or availability) that is likely to result in harm to Data Subjects or their rights, we will notify the Saudi Data and Artificial Intelligence Authority (SDAIA) via the National Data Governance Platform without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with PDPL Article 27 and the SDAIA Personal Data Breach Incidents procedural guide.

    Where the breach is likely to result in high harm to Data Subjects, we will also notify affected Data Subjects without undue delay using their registered contact details, with information about the nature of the breach, likely consequences, and steps they should take.

    In addition to our own notification obligations, we will assist Subscribers (as Controllers for their End Users' data) in meeting their breach-notification obligations, including providing the information necessary for the Subscriber to make any required reports to SDAIA.

  15. Children’s Data

    The Service is intended for business users and is not directed at individuals under the age of eighteen (18). We do not knowingly collect Personal Data directly from minors. If a parent, guardian, or other authorised adult becomes aware that a minor has provided Personal Data to us without proper consent, please contact us via the address in section 17 and we will take steps to delete that data.

    Subscribers who, as part of their property-management business, may upload Personal Data of minors (for example, family-member entries on a household record) must ensure they have a lawful basis for doing so. The Subscriber, as Controller, is responsible for that lawful basis.

  16. Marketing Communications

    We send marketing communications about new features, product updates, and offers only to Subscribers who have given separate, opt-in consent. Every marketing email contains a clear unsubscribe link. We do not send SMS marketing without separate, specific consent.

    Operational communications about the Service (security notices, billing notifications, downtime alerts, scheduled maintenance, mandatory legal notices, and replies to support tickets) are sent on the legal basis of contract performance and are not marketing communications; they cannot be unsubscribed from while the account is active.

  17. Changes to This Policy

    We may amend this Policy from time to time. Material amendments will be communicated to Subscribers via the registered email address on the account and via an in-app banner at least thirty (30) days before they take effect, except where the change is required to come into effect immediately by law. The current version of this Policy and its effective date are shown at the top of this page.

    Archived prior versions are available on written request to the address in section 17.

  18. Data Protection Officer and Contact

    Our Data Protection Officer is responsible for overseeing compliance with this Policy and the PDPL. To contact the Data Protection Officer for any privacy-related question, complaint, or request, please email [email protected].

    Postal correspondence may be sent to: Alnawat Alshabiah Establishment, Data Protection Officer, Office 5, 5105 Habib ibn Modaher Street, Al Muhammadiyah District, Dammam 32433, Kingdom of Saudi Arabia.

    If you are not satisfied with our response, you may lodge a complaint with the Saudi Data and Artificial Intelligence Authority via the National Data Governance Platform.

  19. Language

    This Policy is issued in both English and Arabic. The Arabic version is the legally controlling text. In the event of any discrepancy, ambiguity, or inconsistency between the English and Arabic versions, the Arabic version prevails.

This Privacy Policy is version 1.0.0, effective 2026-05-13. The Arabic version of this Policy prevails in the event of any discrepancy. For questions about this Policy or the processing of your Personal Data, contact our Data Protection Officer at [email protected].


© 2026 Aqarflow. All rights reserved.