ARIAARIA
Sign inGet started

Privacy Policy

How ARIA collects, uses, stores, and protects personal data under KSA's Personal Data Protection Law (PDPL).

v0.1-dummyEffective at current version·PrivacyTermsCookiesDisclosures

This Policy explains how ARIA ("we") handles personal data when you use our consumer advisory, institutional terminal, or admin surfaces. It is governed by KSA PDPL and applicable sub-processor DPAs. For the authoritative Arabic version, see the Arabic language toggle — the Arabic text governs in case of conflict per KSA regulatory expectation.

1. Data we collect

  • Identity — name, email, phone (via Clerk), Nafath-verified ID at Beta+
  • Household — income, expenses, debt, savings for consumer advisory (consent-gated)
  • Activity — sign-in times, surfaces visited (truncated IP per PDPL proportionality)
  • Institutional — project inputs, memos, committee votes (tenant-isolated)
  • Consent — every grant and withdrawal in an append-only ledger

2. How we use it

  • To deliver the services you request (contractual basis)
  • To fulfill legal obligations (e.g., SDAIA register, ZATCA invoicing from Live)
  • With explicit consent — marketing, SMS, WhatsApp, data-sharing with partners

3. Data residency

Primary storage in AWS me-south-1 (Bahrain). Backups in-region. Cross-border transfers only to documented sub-processors with executed DPAs; current list available under "Sub-processors" in the consent footer of every page.

4. Retention

  • Active account data — for the life of the account plus 12 months
  • Audit chain — 7 years (ZATCA/regulatory compatible)
  • Marketing consent withdrawals — indefinitely, append-only
  • Truncated access logs — 12 months

5. Your PDPL rights

  • Access — export everything we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion (subject to legal retention)
  • Portability — structured machine-readable export
  • Withdrawal — revoke any consent purpose one-click from Settings → Privacy

6. DPO contact

Contact our Data Protection Officer at the address in the platform footer. In Beta and Live we publish a named DPO under BRP-03 / BRP-04; during Preview, the DPO is a fractional engagement (see BRP-04 onboarding pack).

7. Automated decisions + AI

ARIA uses Claude (Anthropic) for rationale generation and scoring explanations under a prompt-hash cache (ADR 0006). You can request human review of any Safety Score or Confidence Score. We never make binding financial commitments on your behalf without explicit confirmation.

8. Changes to this Policy

Material changes trigger a version bump and a re-consent modal for authenticated users. Superseded versions remain linked for historical reference.