Effective: 2026-06-06 · v3.0

Privacy Policy

This policy explains our processing of your personal data in compliance with the Saudi Personal Data Protection Law (PDPL).

1. Who We Are & Data Protection Officer

This policy is issued by Amjad IT Co. ("the Company", "we"), operator of the Raqeb AI platform which helps restaurants document delivery orders and dispute invalid complaints.

This policy explains the data we collect, the lawful basis for processing, who can access it, and how the data subject exercises rights under the Personal Data Protection Law (Royal Decree M/19 of 9/2/1444H) and its Implementing Regulations.

For any privacy inquiry or request, contact our Data Protection Officer (DPO): dpo@amjad.sa or privacy@amjad.sa.

2. Statutory Definitions

  • "Data Subject": the natural person to whom the personal data relates.
  • "Controller": the entity that determines the purposes and means of processing.
  • "Processor": the entity that processes personal data on behalf of and per the instructions of the Controller.
  • "Sensitive Personal Data": data defined in Article 1(11) of the PDPL (health, biometric, religious, racial, criminal).
  • "Competent Authority": the Saudi Data and Artificial Intelligence Authority (SDAIA).

3. Data We Collect

We collect the following data to operate the Service:

  • Account data: establishment name, branch, email, phone, role (manager/staff).
  • Platform credentials: usernames and passwords for delivery platforms the establishment connects (encrypted with AES-256 via Fernet keys).
  • Order photos: photos taken by staff before delivery, with capture time and location (if you opt in).
  • Order and payout data: order number, platform, amount, status, complaints, refunds.
  • Operational data: device type, OS, app version, IP address, error logs.
  • End-customer data extracted from the Platforms (the establishment is the Controller; we process it as Processor — see Section 7).

Note: we do not collect sensitive personal data per Article 1(11) of the PDPL unless the Subscriber explicitly provides it for a specific purpose.

4. Lawful Basis for Processing

We rely on the following lawful bases set out in Article 6 of the PDPL:

  • Performance of contract (Art. 6/2): for processing account data and credentials to operate the agreed Service.
  • Legitimate interests (Art. 6/4): for statistical analytics, fraud detection, and service improvement, without prejudice to the rights of the data subject. We maintain a written Legitimate Interest Assessment (LIA) available for SDAIA review.
  • Legal obligation (Art. 6/3): to retain invoices per ZATCA requirements.
  • Explicit consent (Implementing Regulation Art. 11): for sensitive data, marketing communications, or automated decisions with legal effect — collected via independent, revocable opt-in.

5. Why We Use This Data (Processing Purposes)

  • Operating the Service, documenting delivery, and protecting the establishment from baseless complaints.
  • Extracting complaint and payout reports from Platforms and preparing dispute PDFs to recover wrongful deductions.
  • Analyzing branch and staff performance and providing an operational dashboard.
  • Improving AI model accuracy on aggregated, de-identified data only.
  • Bug fixing, security, and performance improvements.
  • Technical support and service notifications (no marketing messages without separate explicit consent).
  • Regulatory compliance and responding to competent authorities.

6. Data Sources

  • Data entered directly by the Subscriber via the app or dashboard.
  • Photos and media captured by establishment staff via the app.
  • Data extracted from Platform accounts under the Digital Authorization granted by the Subscriber.
  • Technical data collected automatically when the Service is used (IP, device type, logs).

7. Controller/Processor Allocation for End-Customer Data

For end-customer data extracted from the Platforms (customer name, phone, address, order details):

  • The establishment is the "Controller" of this data, having the original relationship with the customer at order creation.
  • Our company acts as "Processor", operating per the establishment's documented instructions in the Digital Authorization and this Policy — pursuant to Article 19 of the PDPL and Article 32 of the Implementing Regulation.
  • We do not process this data for any purpose outside the documented instructions. If we exceed those instructions, we become the Controller of that excess processing by operation of law and bear its consequences independently.
  • The establishment as Controller must ensure a lawful basis for collecting end-customer data from the Platforms in the first place, and must inform its customers of the processing under Article 4 of the PDPL.

8. When We Share Data & Sub-processor Categories

We do not sell personal data. We share data only with carefully selected sub-processors, strictly to the extent necessary for operation, within the following categories:

  • Cloud hosting and core server infrastructure providers: within the European Union.
  • AI and large language model (LLM) inference providers: within the United States — used for invoice OCR and intelligent reply preparation, with controls to prevent identified-PII exfiltration.
  • Object and file storage providers: self-hosted within our own infrastructure.
  • Internal VPN providers between our servers: within the United States — no customer data flows over them.
  • Technical error-tracking providers (optional): within the United States, with controls preventing identified-PII exfiltration enabled by default.
  • Saudi government authorities: upon formal request or final court order.

We execute Standard Contractual Clauses (SCCs) similar to those approved by SDAIA with each non-KSA sub-processor, along with technical safeguards including encryption in transit and at rest.

For the current list of named sub-processors, please contact our Data Protection Officer (DPO) at: dpo@amjad.sa.

We notify the Subscriber thirty (30) days before adding any new sub-processor that touches personal data.

9. Cross-Border Transfers

Some of our services are hosted outside the Kingdom (notably core server infrastructure and AI services). Cross-border transfers are conducted per the PDPL controls:

  • Transfers to jurisdictions with adequate protection levels per SDAIA's assessment.
  • Standard Contractual Clauses (SCCs) executed with non-KSA processors.
  • Additional technical safeguards: full TLS 1.3 in transit and AES-256 at rest.
  • Data minimization — only the minimum data needed for the purpose is transferred.

10. Retention Periods

  • Account data: kept for the subscription term + sixty (60) days after termination.
  • Order photos: kept for twelve (12) months from order creation, then automatically deleted.
  • Order and payout data: kept six (6) years to comply with ZATCA requirements.
  • Session files and Platform credentials: deleted within seven (7) business days of authorization revocation.
  • Access logs and audit logs: retained for two (2) years for security and investigation.
  • Records of Processing Activities (RoPA): retained for five (5) years per Article 33 of the Implementing Regulation.

11. Security Measures

We apply appropriate technical, administrative, and organizational safeguards to protect personal data, per Article 19 of the PDPL:

  • Encryption: AES-256 at rest, TLS 1.3 in transit.
  • Credentials encryption: Fernet keys managed via secure environment variables; not stored in the database or in code.
  • Access control: least-privilege principle with full administrative-access logging.
  • Backups: daily encrypted backups with periodic restore tests.
  • Security scanning: periodic code reviews (SAST) and periodic penetration testing.
  • Staff training on PDPL and information security.
  • Network isolation: production behind Tailscale with full internet-side access blocked except for documented Service endpoints.

12. Data Subject Rights

Pursuant to Article 4 of the PDPL, the data subject has the following rights:

  • Right to information: know the lawful basis, purpose, and recipients of processing.
  • Right of access: obtain a copy of personal data we hold.
  • Right to rectification: request correction, completion, or update of inaccurate data.
  • Right to erasure: request deletion when the processing purpose lapses or consent is withdrawn.
  • Right to withdraw consent: where processing is based on consent, withdrawal is as easy as giving consent.
  • Right to object: to processing based on legitimate interests, on legitimate grounds.
  • Right to lodge a complaint with SDAIA if dissatisfied with our response.

To exercise any of these rights, contact dpo@amjad.sa. We respond within thirty (30) days of receiving the request, extendable to sixty (60) days for complex requests with notification of the reason.

13. Breach Notification

If we become aware of any breach or unauthorized access to personal data, we commit to:

  • Notifying SDAIA within seventy-two (72) hours of becoming aware, per Article 20 of the PDPL.
  • Notifying the Controller (the affected establishment) without undue delay.
  • Notifying affected data subjects directly when the incident entails serious risk to their rights.
  • Providing complete details on the nature of the incident, the data affected, corrective measures taken, and our recommendations to reduce impact.

14. Camera, Photos & Location

The app requests camera permission to allow staff to document orders. Permission can be revoked at any time from device settings.

Geolocation is captured only if the Subscriber opts in (optional setting in the dashboard) to confirm delivery at the designated branch. It is not used to track staff outside order-logging windows.

15. Children

The Service is directed at commercial establishments and does not target children under eighteen. We do not knowingly collect personal data from children. If we become aware that a child has provided data to us, we delete it immediately.

16. Cookies

We use cookies strictly necessary to operate the Service (authentication, preference persistence, session protection). We do not use advertising cookies or cross-site tracking. Details of each cookie are shown on the first site visit.

17. Changes to This Policy

We may update this policy from time to time to meet regulatory requirements or to reflect Service changes. We publish the updated version on this page with an updated version number and effective date.

We notify the Subscriber of material changes thirty (30) days before they take effect via email and the dashboard.

18. Contact & Complaints

General privacy inquiries: privacy@amjad.sa.

Data-subject rights requests (access, correction, erasure, etc.): dpo@amjad.sa.

Technical support: support@amjad.sa.

If dissatisfied with our response, the data subject may file a complaint directly with the Saudi Data and Artificial Intelligence Authority (SDAIA) via its official portal.

19. Governing Language

This policy was drafted in Arabic, and any translation into another language is for reference only. The Arabic version remains the legally binding version in case of conflict.

Version: v3.0 — Effective date: 2026-06-06.