Privacy Policy

We collect: (a) Account information — name, email address, job title, company name; (b) Usage data — features accessed, actions performed, timestamps; (c) Project and business data you upload — project details, documents, financial data, team assignments; (d) Technical data — IP address, browser type, device information, and cookies; (e) Payment information — processed by Moyasar; we do not store raw card details.

We use your information to: provide and maintain the Platform; process payments and issue ZATCA-compliant invoices; send service notifications and updates; respond to support requests; improve Platform features and performance; comply with legal obligations; and detect and prevent fraud or security threats. We do not use your business data to train AI models without explicit consent.

Your data is stored on secure cloud infrastructure. Enterprise plan customers may elect Saudi Arabia data residency to meet local compliance requirements. Starter and Professional plan data may be stored on regional GCC infrastructure. We maintain backups and use encryption at rest (AES-256) and in transit (TLS 1.3).

We do not sell your personal data. We may share data with: (a) Service providers — infrastructure, payment processing, and email delivery partners bound by confidentiality agreements; (b) Legal authorities — when required by Saudi law or court order; (c) Business transfers — in the event of a merger or acquisition, with appropriate notice. We will always inform you of material changes to data sharing practices.

We use essential cookies for authentication and session management, and analytics cookies to understand how the Platform is used. You can control cookie preferences in your browser settings. Disabling essential cookies may affect Platform functionality. We do not use cross-site tracking or third-party advertising cookies.

We retain your account and project data for the duration of your subscription plus 30 days after termination, during which you may export your data. Financial records required by ZATCA are retained for a minimum of 5 years. Anonymized usage analytics may be retained indefinitely. You may request earlier deletion — see Section 10.

We implement technical and organizational security measures including: encryption at rest and in transit; role-based access controls; multi-factor authentication support; regular penetration testing; SOC-aligned security monitoring; and employee training on data protection. We comply with SAMA cybersecurity regulations for SaaS platforms operating in Saudi Arabia.

The Platform is intended for business use by adults aged 18 and above. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, please contact us immediately at admin@xpmo.com and we will delete that information promptly.

Under Saudi Arabia's PDPL and applicable regulations, you have the right to: access your personal data; correct inaccurate data; request deletion of your data; object to or restrict processing; request data portability (export); and withdraw consent for non-essential processing. To exercise any right, email admin@xpmo.com. We will respond within 30 days.

Some of our service providers are located outside Saudi Arabia. Where data is transferred internationally, we ensure appropriate safeguards are in place — including data processing agreements and adherence to PDPL cross-border transfer requirements. Enterprise customers with Saudi residency elected are not subject to international transfers for their core data.

The Platform integrates with third-party services including Moyasar (payments), Wafeq (e-invoicing), and Supabase (infrastructure). Each service has its own privacy policy. We select partners that meet our security and compliance standards. Links to external websites are provided for convenience; we are not responsible for their privacy practices.

We may update this Privacy Policy periodically. For material changes, we will notify you by email and in-app notification at least 30 days before the change takes effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the Platform after changes take effect constitutes your acceptance.

xPMO acts as the data controller for personal data processed on the Platform. For privacy questions, data requests, or complaints, contact our Privacy Officer at admin@xpmo.com. We are committed to responding within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Saudi Data & AI Authority (SDAIA).