Privacy Policy

Last updated: 1 June 2026 — Effective date: 11 February 2025

1. Who We Are (Data Controller)

Encrypted Code Information Technology Co. (ECIT) is the Data Controller responsible under the Personal Data Protection Law. To contact us on any privacy matter:

2. Scope of This Policy

This policy applies to personal data we collect or process via:

• The Company's corporate website: ecit.sa and its subdomains.
• Our SaaS products, including the Murafaah platform for legal-practice management and its portals (lawyers, clients, staff), and any other platform or service we launch in the future under the Company.
• Software development & integration services we deliver to our clients (web & mobile development, ZATCA integrations, AI systems, IoT, tracking & inventory).
• Electronic invoicing services and integration with the Zakat, Tax and Customs Authority (ZATCA).
• Customer-communication channels when you explicitly enable any of them (Meta — WhatsApp, Instagram, Facebook — and X, YouTube, Snapchat, TikTok).
• Official communication channels (info@ecit.sa for official matters & complaints, support@ecit.sa for operational support, phone).

3. Data We Collect

a. Identity & account data

• Full name, national ID, nationality, date of birth (only where required to verify a lawyer or an Organization’s manager).
• Email, mobile, profile picture (optional).
• Password (stored hashed/salted, never recoverable as plaintext).

b. Organization data

• Organization name, commercial registration, VAT number, unified number, address, branches, team.
• Logo (optional).

c. Operational data

• Cases, clients, vendors, documents, invoices, payments, reports, support messages, activity logs.
• Dates & appointments, court sessions, reminders.

d. Technical data

• IP address, browser type, operating system, app version.
• Access logs (login date, pages visited) — for security and audit.
• Strictly necessary cookies for sessions (detailed in section 13).

e. Payment data

• Billing name, subscription details, transaction reference.
• We do not store payment card data. It is processed via SAMA-licensed payment providers on secure pages (PCI-DSS).

f. Social-media integration data (optional)

• When you connect a WhatsApp/Instagram Business account: page/account ID, WhatsApp number, display name, short-lived OAuth access token.
• Messages sent and received through the integration — stored in your database on our local servers.
• For the other channels (X, YouTube, Snapchat, TikTok): account handle, display name, short-lived OAuth access token, basic reporting data (followers, views, post counts), and copies of posts/videos/comments you choose to manage from the platform.

4. Sources of Data

• Directly from you: at registration, setup, data entry, payment, support requests.
• Automatically: technical access logs, essential cookies.
• From parties you choose to connect: Meta (WhatsApp, Instagram, Facebook), X (Twitter), YouTube/Google, Snapchat, TikTok — only when you explicitly click “Connect” for the relevant channel; payment providers when you complete a payment; ZATCA when you issue an e-invoice.

5. Purposes & Legal Basis

We process your data only for the following purposes:

• Performance of contract (PDPL): providing the Services, account management, invoicing, technical support.
• Legal obligations: ZATCA e-invoicing, retention of accounting records, responses to lawful requests from authorities.
• Legitimate interests: cybersecurity, fraud prevention, performance improvement, fault diagnosis.
• Your explicit consent: activating Meta integrations, sending optional marketing notifications (you may withdraw consent at any time).

6. No Sharing With External Parties

The only, very limited exceptions are:

• Legal obligation: judicial order or an official request from a competent Saudi government authority.
• Vital interests: averting imminent threat to a person’s safety.
• Your explicit prior consent: if you specifically request sharing certain data with a specific party.

7. Integrations You Choose

When you explicitly enable one of the integrations below, only the data needed to deliver the requested service is sent:

• Zakat, Tax and Customs Authority (ZATCA): invoice data legally required for e-stamping upon issuance.
• SAMA-licensed payment providers: payment data to process your transactions (such data does not pass through our servers).
• Meta (WhatsApp / Instagram / Facebook): messages you choose to send to your customers (see section 8 for Meta specifics).
• X (Twitter): posting tweets, replying, managing Direct Messages, reading account analytics — only what you request from within the platform.
• YouTube (via Google): uploading videos and Shorts, managing comments, reading channel analytics.
• Snapchat: publishing Snaps and Stories and reading view/follower reports.
• TikTok: uploading videos, managing comments, reading account analytics.

The same principles apply to each of the channels above:

• Connection is fully optional and begins only with your explicit click on the “Connect” button inside the “Social Media” or “Integrations” tab.
• We never see your password on any platform — sign-in happens directly with the platform via OAuth.
• Our servers receive only an encrypted, short-lived access token, which we never share with any party.
• You can revoke the connection at any time, either from our integration settings or from your account settings on the original platform; the token is then invalidated immediately.
• Data that flows between your browser and the original platform is subject to that platform’s policies (Google/YouTube, X, Snap, TikTok).

These entities are “Independent Controllers/Processors” under their own regulations, and are not “third parties with whom we exchange data for commercial interest”.

8. Meta Integrations (WhatsApp, Instagram, Facebook)

If you choose to connect a Meta Business account, processing happens as follows:

1. You open the secure connect page from within the platform dashboard, and sign in to your Facebook account directly via OAuth.
2. You select the requested permissions and confirm them yourself. We never see or store your Facebook password.
3. Meta returns a short-lived access token to us, which we store encrypted and use only to send/receive the messages you request.
4. A copy of channel messages is stored in your database on our local servers for record and follow-up purposes only.

Data exchanged with Meta is also subject to Meta’s policies (facebook.com/privacy/policy). You may revoke the connection at any time:

• From your Facebook account settings: facebook.com/settings?tab=business_tools.
• From the integrations settings inside the platform dashboard.
• By emailing info@ecit.sa.

Upon revocation, the access token is invalidated immediately, and message copies are deleted in line with the periods in section 10 and in the Data Deletion Policy.

9. No Data Transfer Outside KSA

All our infrastructure, storage and processing servers are located within the Kingdom of Saudi Arabia. Your data is not transferred to servers or data centres outside the Kingdom. The only cases that may involve limited technical data (such as an IP address) leaving the Kingdom are:

• Your browser’s direct connection to Facebook when you connect to Meta (we do not control Facebook’s servers).
• Payment gateways that host their own payment pages (under SAMA supervision).

These connections happen directly between your browser and the relevant party — we are not the party transferring the data.

10. Retention Periods

11. Security Measures

We apply a range of technical and administrative controls to protect your data:

• Encryption in transit: TLS 1.2 or higher on all connections.
• Encryption at rest: hashed passwords (bcrypt/argon2), sensitive data encrypted.
• Tenant isolation: every Organization isolated by tenant_id at the application and database layers.
• Access control: role-based access control (RBAC), auditing of every sensitive read/write.
• Authentication: strong passwords, Sanctum tokens, single sign-on between portals.
• Monitoring: intrusion attempts monitoring, rate limiting, bot protection.
• Backups: daily, encrypted, within KSA.
• Periodic testing: regular penetration tests, dependency updates.

Despite these measures, no digital system is completely free of risk. You may notify us of any potential vulnerability at info@ecit.sa.

12. Your Rights Under the PDPL

As a data subject, you have the following rights, which you can exercise free of charge by emailing info@ecit.sa:

• Right to be informed: know the legal basis and purpose of processing.
• Right of access: obtain a copy of your data being processed.
• Right to rectification: request correction or updating of inaccurate data.
• Right to destruction: request deletion of your data (see Data Deletion Policy).
• Right to restrict processing: in certain cases (dispute, purpose fulfilled).
• Right to data portability: receive your data in a structured, portable format (JSON/CSV).
• Right to withdraw consent: at any time, without affecting prior lawfulness of processing.
• Right to object: object to processing in certain cases.
• Statutory right to complain: if we do not resolve your request, the PDPL grants you the right to lodge a complaint with the Saudi Data & AI Authority (SDAIA) — with which the Company is registered in the National Personal Data Protection Registry under No. 3260006674 — at sdaia.gov.sa.

We commit to responding to your request within thirty (30) days, extendable by an additional thirty days for reasons we will explain to you.

13. Cookies

We use only strictly necessary cookies:

• Session cookies: to link your requests to your signed-in account (the platform cannot function without them).
• Preference cookies: language, theme (dark/light mode).
• Security cookies: CSRF token, device identifier (for suspicious-session detection).

We do not use advertising or third-party tracking cookies. External analytics such as Google Analytics or Facebook Pixel are not present on Murafaah.

14. Children’s Privacy

The Services are directed at adults and organizations. We do not knowingly collect personal data from anyone under the legal age (18). If we learn that data of a minor has been collected without parental consent, we promptly delete it.

15. Automated Decisions

The platform does not make automated decisions that produce significant legal effects on you without human review. Any AI suggestion (such as text suggestions or case classification) is assistive only — the final decision is yours.

16. Breach Notification

In the event of a security breach exposing your personal data:

• We notify the competent KSA data-protection regulator (SDAIA) within 72 hours at most of becoming aware of the breach, as required by the PDPL.
• We notify you directly as soon as possible if the breach poses a serious risk.
• We document the incident and remediation actions.

17. Policy Updates

We may update this policy to reflect legal or technical developments. Changes are published on this page with an updated “effective date”. Material changes are notified in advance by email or in-platform notice.

18. Contact & Complaints

For any inquiry, request to exercise your rights, or privacy complaint:

If your request is not properly handled, the PDPL entitles you to lodge a complaint with the competent regulator in KSA.