Aqar — Privacy Policy

Last updated: [DATE] Effective date: [DATE]

⚠️ DRAFT — TO BE REVIEWED BY A PRIVACY LAWYER. Saudi Arabia's Personal Data Protection Law (PDPL) is in force since September 2023. This template covers the main PDPL requirements but is not legal advice. Have a lawyer review before publishing.

1. Who we are

This Privacy Policy explains how [LEGAL ENTITY NAME] (the "Company", "we", "us") collects, uses, shares, and protects your personal data when you use the Aqar Platform.

The Company is the Data Controller of the data described below, within the meaning of Saudi PDPL Article 1 and equivalent international data-protection laws.

Contact for privacy questions: [PRIVACY EMAIL] Data Protection Officer: [DPO NAME / EMAIL] (required by PDPL if user base > 5,000)

2. Data we collect

Category	Examples	Source
Identity	name, Saudi National ID / Iqama, date of birth	You + Nafath
Contact	email, phone, address	You
Account	password (hashed), authentication tokens	Created on signup
Property (Owners only)	property location, photos, ownership docs	You + Saqr
Transaction	order history, lease/sale agreements, amounts paid	Platform usage
Payment	card last-4, type, gateway transaction IDs	Moyasar
Device	device type, FCM push token, IP address, user agent	Automatic on connect
Usage	pages viewed, searches performed, listings favorited	Automatic
Communications	in-app chat messages, support tickets	You

We do NOT collect:

raw payment-card numbers (handled by Moyasar; tokenized client-side)
biometric data
precise location beyond what you explicitly attach to a listing

3. Why we collect it (lawful basis)

Under PDPL Article 5 / 7 we process your data on the following bases:

Purpose	Basis
Create and operate your account	Contract
Match Owners with Tenants	Contract
Register rental contracts with Ejar / Wafi	Legal obligation
Identity verification via Nafath	Legal obligation
Process payments via Moyasar	Contract
Send transactional emails / push notifications	Contract
Send marketing emails	Consent (you can withdraw any time)
Detect and prevent fraud	Legitimate interest
Comply with tax / regulatory requests (ZATCA, REGA)	Legal obligation

4. Who we share data with

We share data only with the following parties, and only the minimum necessary for each:

Ejar (Ministry of Housing) — full rental contract data, as required by Saudi housing law
Wafi (Ministry of Municipal & Rural Affairs) — off-plan sale contract data
ZATCA (General Authority of Zakat and Tax) — invoice data for tax purposes
Moyasar (Saudi payment processor) — order amount + identifier only; never your full identity
Nafath / Absher — for identity verification
Twilio — your phone number for SMS verification
Firebase (Google) — your FCM push token, device type, anonymized usage events
AWS — encrypted database backups + storage of listing photos

We never sell your personal data.

5. Cross-border transfers

Some processors (Firebase, AWS) may transfer data outside KSA. Per PDPL Article 29 such transfers require either:

the recipient country to have a level of protection equivalent to PDPL, or
explicit user consent (collected at signup), or
contractual safeguards approved by SDAIA.

We rely on contractual safeguards (Standard Contractual Clauses) for non-KSA transfers.

6. How long we keep data

Category	Retention period
Account data	While the account exists + 1 year after deletion
Transaction data	10 years (Saudi commercial code)
Tax records	10 years (ZATCA requirement)
Marketing consent records	3 years from consent
Device tokens	Until you log out / uninstall
Support tickets	3 years
Server logs	90 days

7. Your rights (PDPL Articles 4, 17–21)

You have the right to:

Access your data — get a copy of what we hold
Correct inaccurate data
Delete your data, subject to the retention periods in §6
Restrict processing
Object to processing based on legitimate interest
Withdraw consent at any time (for marketing emails etc.)
Lodge a complaint with the Saudi Data and AI Authority (SDAIA)

To exercise any of these rights, email [PRIVACY EMAIL]. We respond within 30 days as required by PDPL Article 17.

8. Security

We protect your data with:

TLS 1.2+ on all connections
BCrypt-hashed passwords (cost 12+)
Database encryption at rest
Daily encrypted backups with off-site storage
Role-based access control on the admin panel
Annual security audit by an independent firm
24-hour breach notification per PDPL Article 35

9. Children's data

The Platform is not directed at users under 18. We do not knowingly collect data from children. If you believe we have, email [PRIVACY EMAIL] and we will delete it.

10. Cookies & similar technologies

We use cookies for:

session authentication (required — cannot be disabled)
remembering your language preference (Arabic / English)
anonymized analytics (Google Analytics) — opt-in via cookie banner

11. Updates to this Policy

We will notify you of material changes at least 30 days before they take effect, via email and an in-app banner.

12. Contact

[LEGAL ENTITY NAME] [ADDRESS] Email: [PRIVACY EMAIL] Data Protection Officer: [DPO EMAIL]

Drafted as a PDPL-compliant template. Replace every [BRACKETED] field. Have a privacy lawyer review.