Privacy Policy
This Privacy Policy explains how [LEGAL ENTITY] ("MASAR", "we") collects, uses, discloses, and protects personal data when you use MASAR Cloud (the "Service"). We act as a data controller for account and usage data, and as a processor for the content you upload ("Customer Data"), which you control. This Policy is intended to be consistent with the Saudi Personal Data Protection Law (PDPL).
1. Personal data we collect
- Account data — name, work email, company name, role, and company size you provide at sign-up.
- Customer Data (content) — documents, notes, tasks, meeting information, and other materials you upload or create. This may contain personal data about you and others; you are responsible for having a lawful basis to provide it.
- Usage data — log data, device/browser information, IP address, and feature usage, used for security and to operate the Service.
- Communications — messages you send us (e.g., support requests).
- Payment data — when billing is enabled, payment is handled by a third-party payment processor; we do not store full card numbers.
2. How we use personal data
- To provide, secure, and support the Service and your workspace.
- To generate AI answers, summaries, and briefings from your content (see §4).
- To communicate with you about your trial, account, and service notices.
- To process billing and comply with tax and legal obligations.
- To detect, prevent, and investigate abuse, fraud, and security incidents.
We do not sell your personal data, and we do not use your Customer Data to train publicly available AI models.
3. Legal bases for processing
Depending on the context, we rely on: performance of our contract with you; your consent (which you may withdraw); compliance with a legal obligation; and our legitimate interests in operating and securing the Service, balanced against your rights, in a manner consistent with the PDPL.
4. AI processing and important disclosure
To produce Output, the Service sends relevant portions of your content and prompts to a third-party AI model provider (Anthropic) for processing. This processing may take place on infrastructure located outside the Kingdom of Saudi Arabia. The provider processes the data to return a response and, under our agreement, does not use it to train its general models. By using AI features, you acknowledge this processing and transfer. If your organisation requires that all processing remain within the Kingdom, contact us about our sovereign (single-tenant, in-Kingdom) deployment option.
5. Sub-processors
We use a small number of vetted sub-processors to operate the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI model inference (Output generation) | United States / international |
| Brevo | Transactional email (verification, notices) | European Union |
| [HOSTING PROVIDER] | Application & database hosting | [REGION — to be confirmed] |
| [PAYMENT PROCESSOR] | Payment processing (when billing is enabled) | [REGION] |
We require sub-processors to protect personal data under terms consistent with this Policy and the PDPL. We will update this list as it changes.
6. Data residency and transfers
Where personal data is transferred outside the Kingdom (for example, for AI processing or email delivery), we rely on lawful transfer mechanisms and appropriate safeguards consistent with the PDPL and its regulations on cross-border transfer. [Confirm mechanism with counsel.]
7. Disclosure of personal data
We disclose personal data only to: our sub-processors (above); authorities where required by law; and parties to a corporate transaction (e.g., merger), subject to this Policy. We will not otherwise disclose your Customer Data without your instruction.
8. Retention
We retain account data for as long as your account is active and as needed for legal, tax, and security purposes. Customer Data is retained while your workspace is active. After a trial ends or a subscription is cancelled, we keep Customer Data for a limited grace period (target: [30] days) so you can resume or export, after which it is deleted or irreversibly anonymised, unless a longer period is required by law.
9. Security
We protect personal data with encryption in transit and at rest, access controls, per-account isolation, audit logging, and regular backups. No system is perfectly secure; we will notify you and the competent authority of a personal-data breach as required by the PDPL.
10. Your rights
Subject to the PDPL, you have the right to: be informed about how your data is used; access your personal data; request correction; request deletion; and withdraw consent. To exercise these rights, contact us using the details below. You also have the right to lodge a complaint with the competent supervisory authority in the Kingdom (currently SDAIA).
11. Cookies
Our marketing site uses only essential cookies/local storage (for example, to remember your language choice). The application uses cookies/local storage necessary to keep you signed in and to operate the Service. We do not use third-party advertising cookies.
12. Children
The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal data from children.
13. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new "last updated" date and, for material changes, provide additional notice.
14. Contact
For privacy questions or to exercise your rights: abdulkarim.kazzaz@gmail.com — [LEGAL ENTITY], [ADDRESS]. [Appoint and name a data-protection contact/officer if required.]