# Privacy Policy — Dealix (Template)

> **DISCLAIMER**: Template only. Must be reviewed by qualified Saudi counsel before publication. Not legal advice.

> **Version**: 1.0 DRAFT
> **Effective Date**: [DATE]
> **Last Updated**: [DATE]

---

## 1. Who We Are

Dealix ("we", "us", "our") is operated by [LEGAL ENTITY NAME], a [LLC/company type] registered in [JURISDICTION] under commercial registration [CR NUMBER], with registered office at [ADDRESS].

Contact: privacy@dealix.sa | +966 [NUMBER]

Data Protection Officer (DPO): [NAME], [EMAIL]

---

## 2. Scope

This Privacy Policy explains how we collect, use, store, and disclose personal data when you:

- Use the Dealix platform (the "Service")
- Visit our website
- Interact with our team

This Policy is compliant with:

- Saudi Personal Data Protection Law (PDPL)
- UAE Personal Data Protection Law (if applicable)
- GDPR (where applicable to EU visitors)

---

## 3. Data We Collect

### 3.1 From Account Holders

- Name, email, phone number
- Company name, role, tax identification
- Authentication credentials (passwords are stored hashed)
- Usage data (logs, activity, IP address)

### 3.2 From Workflow Execution

- Partner/vendor data entered into the Platform
- Deal data (values, terms, counterparties)
- Approval records with decision audit trail
- Evidence packs (hash-chained)

### 3.3 From Integrations

- Data from connected systems (WhatsApp, email, CRM), limited to each integration's scope and consent

### 3.4 Cookies and Tracking

- Session cookies (essential)
- Analytics cookies (with consent)
- We do not sell cookie data to third parties

---

## 4. Legal Basis for Processing (PDPL compliance)

We process personal data based on:

- **Consent** (explicit, withdrawable)
- **Contract performance** (to deliver the Service)
- **Legal obligation** (tax, audit, regulatory)
- **Legitimate interest** (security, fraud prevention)

---

## 5. How We Use Data

- Provide and improve the Service
- Process approvals and generate evidence packs
- Send transactional notifications
- Billing and payment processing
- Security monitoring and incident response
- Regulatory compliance (ZATCA, PDPL, NCA)

We do NOT:

- Sell personal data to third parties
- Use customer data to train public AI models
- Share data across tenants

---

## 6. Data Retention

| Category | Retention Period |
|----------|------------------|
| Account data | Duration of engagement + 2 years |
| Audit logs / evidence packs | 7 years (regulatory requirement) |
| Billing records | 10 years (tax law) |
| Marketing preferences | Until withdrawn |
| Session logs | 90 days |

Deletion requests made under §8 are honored within 30 days, subject to legal retention obligations.

---

## 7. Data Sharing

We share personal data only with:

- **Sub-processors** (cloud hosting, email delivery) — listed at `/trust/subprocessors`
- **Professional advisors** (auditors, counsel) under confidentiality
- **Law enforcement** when legally compelled

All sub-processors sign a Data Processing Agreement (DPA) with equivalent protections.

---

## 8. Your Rights (PDPL Articles)

You have the right to:

- **Access** your personal data
- **Rectify** inaccurate data
- **Delete** your data (subject to retention obligations)
- **Restrict** processing
- **Port** your data (receive it in a machine-readable format)
- **Object** to processing based on legitimate interest
- **Withdraw consent** at any time

Exercise these rights via: privacy@dealix.sa

We respond within 30 days.

---

## 9. Cross-Border Transfers

We primarily process data in **AWS me-south-1 (Bahrain)**. Transfers outside the GCC are:

- Subject to Data Subject consent where required
- Protected by Standard Contractual Clauses or equivalent
- Disclosed in this Policy

---

## 10. Security

We implement:

- TLS 1.3 for data in transit
- AES-256 encryption at rest
- PostgreSQL Row-Level Security for tenant isolation
- Role-based access with MFA for staff
- Annual penetration testing
- SOC 2 Type II audit (in progress)
- PDPL-aligned controls

Breach notification: We notify affected users and the Saudi Data and AI Authority (SDAIA) within 72 hours of a confirmed breach affecting personal data.

---

## 11. Children

The Service is for business use only. We do not knowingly collect data from anyone under 18.

---

## 12. Changes to This Policy

Material changes will be announced via in-app notification and email 30 days before they take effect. Historical versions are archived at `/trust/policy-archive`.

---

## 13. Contact and Complaints

Privacy concerns: **privacy@dealix.sa**

Data Protection Officer: **dpo@dealix.sa**

You may also lodge a complaint with:

- Saudi Data and AI Authority (SDAIA): https://sdaia.gov.sa
- Or the relevant data protection authority in your jurisdiction