Privacy Policy
Last updated: April 2026
1. Introduction
Imtisal ("we", "our", or "us") is committed to protecting your personal data in accordance with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL), issued under Royal Decree M/19 dated 09/02/1443H. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use our compliance platform at imtisal.net.
By using Imtisal, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
2. Data Controller
The data controller responsible for your personal data is:
Imtisal
King Fahd Road, Riyadh 12345, Kingdom of Saudi Arabia
Email: azim.faisal23@gmail.com
Commercial Registration: [CR Number]
3. What data we collect
We collect the following categories of personal data:
- Account information: Name, email address, phone number, password (hashed)
- Business data: Commercial Registration number, VAT number, business name, industry type, number of employees
- Invoice data: Customer names, addresses, VAT numbers, invoice amounts — required for ZATCA compliance processing
- Usage data: Features used, pages visited, compliance scores, actions taken within the platform
- Technical data: IP address, browser type, device information, session identifiers
- Communications: Support messages, feedback, and any other communications you send us
4. How we use your data
We use your personal data for the following purposes:
- Service provision: Operating the Imtisal platform, processing your invoices through ZATCA's Fatoora system, generating compliance documents
- Compliance processing: Submitting required data to regulatory bodies (ZATCA, SDAIA) on your behalf as required by Saudi law
- Communications: Account notifications, deadline reminders, WhatsApp alerts (where consented), support responses
- Improvements: Analyzing usage patterns to improve our platform and develop new features
- Legal compliance: Meeting our own obligations under Saudi law, including PDPL, ZATCA regulations, and NCA requirements
5. Data storage and security
Data residency: All personal data is stored exclusively on Google Cloud's Dammam region (me-central2) within the Kingdom of Saudi Arabia. No personal data is transferred outside Saudi Arabia without your explicit consent.
Security measures: We implement industry-standard security measures including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Role-based access controls (RBAC)
- Regular security audits aligned with NCA's ECC-2:2024 controls
- Multi-factor authentication for all administrative access
- Automated intrusion detection systems
6. Data sharing
We share your data with third parties only in the following circumstances:
- ZATCA (Zakat, Tax and Customs Authority): Invoice data submitted to Fatoora on your behalf, as required by Saudi e-invoicing law
- Payment processors: Billing information with our PCI-DSS compliant payment processor. We do not store full card details
- Google Cloud: Our infrastructure provider, operating within Saudi Arabia (me-central2)
- Legal requirements: When required by Saudi law, court order, or government authority
We do not sell, rent, or share your personal data with advertisers or data brokers. Ever.
7. Your rights under PDPL
Under Saudi Arabia's Personal Data Protection Law, you have the following rights:
- Right to access: Request a copy of all personal data we hold about you
- Right to correction: Request correction of inaccurate or incomplete data
- Right to deletion: Request deletion of your personal data (subject to legal retention requirements)
- Right to portability: Receive your data in a machine-readable format
- Right to object: Object to certain processing activities, including marketing
- Right to restrict processing: Request that we limit how we use your data
To exercise any of these rights, contact our Data Protection Officer at azim.faisal23@gmail.com. We will respond within 30 days, as required by PDPL.
8. Data retention
We retain your data for the following periods:
- Invoice records: 6 years from the date of issue (as required by ZATCA regulations)
- Account data: For the duration of your account, plus 3 years after closure
- Support communications: 2 years from the date of the communication
- Usage logs: 90 days rolling window
- Consent records: 5 years from the date of consent (as required by PDPL)
After the applicable retention period, data is securely deleted or anonymized.
9. Breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we commit to:
- Notifying the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware of the breach
- Notifying affected individuals without undue delay when the breach is likely to result in high risk
- Documenting all breaches in our internal breach register
- Providing clear information about the nature of the breach, likely consequences, and measures taken
If you believe your data has been compromised, contact us immediately at azim.faisal23@gmail.com.
10. Cookies
We use cookies and similar tracking technologies on our website. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
11. Data Protection Officer
We have appointed a Data Protection Officer (DPO) as required by PDPL. You can contact our DPO at:
Email: azim.faisal23@gmail.com
Post: Data Protection Officer, Imtisal, King Fahd Road, Riyadh 12345, Saudi Arabia
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by posting a notice on our website at least 30 days before the change takes effect. Your continued use of Imtisal after the effective date constitutes acceptance of the updated policy.
For questions about this policy, contact us at azim.faisal23@gmail.com.