Privacy Policy
Effective date: 2026-04-24
Version: v1.1
1. Data Controller
The controller responsible for processing your personal data is __TODO_LEGAL_ENTITY_EN__, Commercial Registration No. __TODO_CR_NUMBER__, registered address: __TODO_REGISTERED_ADDRESS_EN__.
To contact our Data Protection Officer (DPO), write to __TODO_DPO_EMAIL__.
2. Categories of Data We Collect
- Account data: full name, email address, phone number, profile photo.
- Company data (for customers): legal name, commercial registration number, VAT number, address, branding assets.
- Usage data: audit logs, member activity within the platform, preferences.
- Marketing data: name, email, phone, and message from contact/demo forms; a hashed IP fingerprint for abuse prevention.
3. Lawful Basis and Purpose
- Contract performance with your company (PDPL Art. 6) — for account, company, and usage data.
- Legitimate interest for platform security and audit trails — for audit logs and abuse-detection data.
- Explicit consent for marketing contact (demo/contact forms) — for marketing data only.
4. Retention
We retain personal data only as long as necessary:
- User accounts: duration of subscription + 30 days post-deletion (recovery window).
- Marketing data: 12 months from consent.
- Audit logs: 24 months active, then archived up to 7 years (Saudi commercial-record retention).
5. Sub-processors
- Google Cloud Platform / Firebase (infrastructure, Google LLC).
- Google Cloud Logging (log retention, Google LLC).
- Email service provider (to be disclosed before launch).
6. Cross-border Transfers
Customer data (Firestore database + media files) is currently stored in the Google Cloud me-central1 region located in Doha, Qatar — a jurisdiction with a comparable personal-data-protection regime (Law No. 13 of 2016). This is an interim state; we plan to migrate the data to the me-central2 region in Dammam, Saudi Arabia once billing onboarding with Google Cloud's authorized KSA reseller (CNTXT) is complete. The presentation layer (Next.js SSR) currently runs in us-central1 with no persistent personal data, and will move to a Middle-East region once Firebase App Hosting becomes available there. We will notify users at least 30 days before any change in storage location.
7. Your Rights (PDPL Art. 13)
You have the right to access, correct, delete, and port your data, to withdraw consent, and to object to the processing of your data. You can exercise these rights directly from your in-app account settings (data export and account deletion are self-service) or by writing to __TODO_DPO_EMAIL__. We respond within 30 days of receiving a request.
8. Breach Notification
In the event of a breach affecting your personal data, we will notify the Saudi Data & AI Authority (SDAIA) and affected individuals within 72 hours, per PDPL Art. 24.
9. Complaints
You may lodge a complaint with SDAIA at sdaia.gov.sa.
The Arabic version is legally authoritative for users residing in the Kingdom of Saudi Arabia.