Privacy Policy
Last updated: April 17, 2026 — Version 4.0
This policy explains how Mustafeed collects, uses, and protects your personal data in accordance with Saudi Arabia's Personal Data Protection Law (PDPL) and its Implementing Regulations, and in alignment with the National Data Management Office (NDMO) standards and the Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority (NCA).
1. Data Controller & Data Protection Officer
Mustafeed is the data controller of personal information processed via the platform. A Data Protection Officer (DPO) has been appointed to oversee PDPL compliance.
- Privacy contact: privacy@mustafeed.com.sa
- Data Protection Officer (DPO): dpo@mustafeed.com.sa
- Address: Riyadh, Kingdom of Saudi Arabia
2. Scope
This policy applies to all visitors and users of the Mustafeed platform (mustafeed.com.sa) and its companion applications. It does not cover the practices of banks or third-party websites linked from our platform — please review those parties' policies directly.
3. Categories of Data We Collect
- Identity data: name, email, phone number, password (stored bcrypt-hashed).
- Demographic data: nationality, salary range, city, age, gender, marital status, lifestyle preferences.
- Spending data: monthly spending categories you voluntarily enter into the calculator (not collected from your banks or statements).
- Account & usage data: saved cards, optimizations, quiz results, calculator interactions, AI assistant conversations, referral click events.
- Technical data: IP address, browser type, operating system, device identifiers, pages visited, timestamps, audit logs.
- Subscription & payment data: subscription status, transaction reference. Full card numbers are processed by Moyasar or a licensed gateway — not stored by us.
- Consent records: timestamp of terms acceptance, version of terms, marketing and AI consents.
What we do NOT collect:
We do not collect special/sensitive categories of personal data (health, biometric, genetic, religious belief, political opinion) or children's data. We do not connect directly to your banks or import your statements — all spending data is entered by you manually.
4. Legal Basis for Processing (PDPL Article 6 and its Implementing Regulations)
- Contract performance: operating your account, providing calculator/recommendation services, processing your subscriptions.
- Consent: marketing emails, analytics cookies, AI-powered personalization — withdrawable at any time.
- Legitimate interests: security and fraud prevention, product improvement, aggregated market statistics, referral abuse detection.
- Legal obligation: responding to lawful requests from competent authorities (SDAIA, SAMA, courts).
5. Retention Schedule
- Account data: for the duration of account activity + 12 months after deletion (for legal/accounting purposes).
- Spending & calculator data: until you update or delete it, or a maximum of 36 months from last use.
- AI assistant conversations: 12 months for service improvement, then de-identified.
- Payment & billing records: 10 years per Saudi E-invoicing and VAT regulations.
- Security & audit logs: 24 months.
- Consent records: for the duration of the account + 24 months after termination.
6. Third-Party Sub-Processors
We engage the following sub-processors under strict Data Processing Agreements (DPAs):
| Provider | Purpose | Location |
|---|---|---|
| Neon / Supabase | Database hosting | EU / US |
| Vercel | Application hosting | Global (CDN) |
| Anthropic | AI assistant processing | US |
| Resend | Transactional email | EU / US |
| Moyasar | Payment processing | Saudi Arabia |
| Upstash Redis | Caching & rate limiting | EU / US |
| PostHog | Product analytics (consent-based) | EU / US |
| Google Analytics 4 | Web analytics (consent-based) | US |
This list may change. Updates will be posted here and material changes will be notified.
Credit information (SIMAH):
We do not currently share your data with the Saudi Credit Bureau (SIMAH) or any other credit bureau, nor do we pull credit reports about you. If this changes in the future (e.g., to add lending-comparison features), we will obtain your explicit prior consent and update this policy.
7. Data Localization & Cross-Border Transfers
By default, we seek to store personal data within the Kingdom of Saudi Arabia. Except for the sub-processors listed in Section 6, your data is not transferred abroad. Where an in-Kingdom alternative becomes available at acceptable quality and price, we will migrate to it.
Some of your data may be processed outside Saudi Arabia by listed sub-processors (e.g., Anthropic, Vercel, Neon). We rely on the following safeguards per PDPL Article 29 and its Implementing Regulations:
- Explicit consent (where applicable).
- Data Processing Agreements with equivalent protection clauses.
- Processing necessary for service delivery.
- Vital interests or public interest where applicable.
- Periodic cross-border transfer risk assessments.
8. Your Rights Under PDPL
- Right to be informed about processing of your data.
- Right of access and to obtain a copy.
- Right to rectification and completion.
- Right to erasure (the right to be forgotten).
- Right to data portability.
- Right to object to specific processing, including automated decision-making.
- Right to restrict processing.
- Right to withdraw consent (without affecting prior lawful processing).
- Right to lodge a complaint with the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa.
To exercise any right, use the data-request form below or email privacy@mustafeed.com.sa and we will respond within 30 days (extendable by 30 days for complex requests). We may require identity verification before fulfilling a request.
9. AI Assistant & Automated Decision-Making
We use AI models to provide recommendations and answers. These are guidance, not binding decisions — they create no legal effect on you. You can turn off AI-powered personalization from your profile. We do not sell your data for external model training, nor directly input your personally-identified data into third-party training systems.
10. Cookies
- Essential: session, security, preferences — do not require consent.
- Analytics: PostHog and GA4 to understand usage — enabled only with your consent.
- Marketing: we do not currently use third-party marketing cookies.
You can update your consents from your profile, or disable cookies in your browser settings (note that some services will not function).
11. Data Security & Governance
Our security controls align with the Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority (NCA), and the data governance standards issued by the National Data Management Office (NDMO). These include:
- TLS 1.3 encryption for all communications.
- Password hashing with bcrypt (12 rounds).
- Role-based access control (RBAC) for all admin accounts.
- Data classification, access control, and data minimization per NDMO standards.
- Rate limiting and fraud monitoring.
- Daily encrypted backups with periodic restore testing.
- Periodic security testing and review of dependencies and open-source software.
- Audit logs for sensitive events, retained for 24 months.
Responsible Vulnerability Disclosure:
Security researchers may report potential vulnerabilities to security@mustafeed.com.sa. We commit to acknowledging reports within 3 business days and to not pursuing legal action against good-faith research conducted in line with this policy.
12. Data Breach Notification
In the event of a personal data breach likely to result in serious harm to your rights and freedoms, we will notify the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware, and notify you without undue delay per PDPL Article 20.
13. Children's Data
Our Services are for users aged 18 and above. We do not knowingly collect data from minors. If you believe a minor has provided data, email privacy@mustafeed.com.sa and we will delete it promptly.
14. Updates to This Policy
We may update this policy to reflect changes in the Services, the law, or best practices. We will notify you of material changes via email or in-app notice at least 14 days before they take effect, and we may request re-consent where PDPL requires it.
See also: Terms of Use
