Privacy Policy

Effective 12 June 2026 · Operated by MARSAD ALEBDAA IT EST (Saudi Arabia)

Yameen is an AI executive assistant delivered through Telegram. This policy explains the personal data we process, why we process it, who we share it with, and the rights you have under Saudi Arabia’s Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR).

1. Data controller

The controller responsible for your personal data is MARSAD ALEBDAA IT EST, a sole-proprietor establishment registered in the Kingdom of Saudi Arabia under Commercial Registration No. 7023462158, with its registered office at 2794, Al-Azhari, 6336, Ar Riyad 12471, Saudi Arabia. All references in this policy to “we”, “us”, “Yameen”, or “the Service” mean MARSAD ALEBDAA IT EST acting as data controller.

For any privacy question or to exercise your rights, contact us at contact@yameen.app.

2. Personal data we process

2.1 Account data

  • Telegram chat ID, username, and first name (received from Telegram when you message the bot).
  • Email address of the third-party provider account you connect (Google / Microsoft / Slack).
  • Timezone you set via /timezone or auto-detected.
  • Subscription status and payment record (when paid plans are active).

2.2 OAuth tokens

Encrypted access tokens, refresh tokens, and granted scopes for Google, Microsoft, and Slack. Tokens are encrypted with AES-256-GCM at rest and never leave our database in plaintext.

2.3 Conversation data

Messages you send to the bot, the assistant’s replies, tool inputs and outputs, and pending confirmations. Stored as a rolling window of the most recent 40 turns or 7 days (whichever is shorter) to provide context across sessions.

2.4 Provider data accessed at your instruction

When you connect a provider, the bot reads the data necessary to answer your request and acts only on your explicit instruction. The exact scope is deliberately narrow:

  • Google Calendar — full read & write (events, attendees, free/busy).
  • Gmail (gmail.modify scope) — at your instruction, Yameen can read messages (including full bodies and attachment names/sizes), search your mailbox, send and reply to email (every send requires your tap-to-confirm in Telegram), and perform inbox organisation you ask for: archive, mark read/unread, star, and apply or remove labels. Yameen cannot permanently delete email — the scope we request does not allow it and no delete feature exists. Email content is read to answer the specific request and is not persisted beyond the rolling conversation window described in 2.3.
  • Google Drive — read (drive.readonly scope) — Yameen can search your Drive by file name and content and read file content (Google Docs / Sheets / Slides exported to text, plus plain-text files) in order to find and summarise documents you ask about. It cannot modify or delete your existing Drive files under this scope.
  • Google Drive — write (drive.file scope) — lets Yameen create files in your Drive when you ask it to (for example, saving a document for you) and access files you explicitly shared via the Google Picker (/share). This scope only reaches files Yameen created or you picked — never the rest of your Drive.
  • Multiple Google accounts — you may connect more than one Google account. Each account is authorised separately, its tokens are stored and encrypted separately, and you can disconnect any single account at any time. You can also revoke Yameen’s access from your Google Account permissions page.
  • Microsoft 365 — Outlook — read, draft, and send email (always with tap-to-confirm).
  • Microsoft 365 — Calendar — full read & write.
  • OneDrive — full-text search and content reads of files you ask about.
  • Slack — read-only: channel history, your @mentions, user lookup, search.

We process the minimum data needed to fulfil each request, return a result, and discard ephemeral context (e.g. an email body retrieved to answer a single question is not persisted beyond the conversation turn).

2.5 Operational logs

Tool-call audit records (which tool, input arguments, success/error, duration) for up to 30 days for debugging and abuse prevention, after which they are deleted.

3. Why we process your data (purposes & legal bases)

Purpose | Legal basis (PDPL) | Legal basis (GDPR)
Provide the Service (account, OAuth, tools, briefings) | Contract performance — PDPL Art. 6(1)(b) & explicit consent | Contract — Art. 6(1)(b)
Process payments & subscriptions | Contract performance | Contract — Art. 6(1)(b)
Cross-border transfer to Anthropic for LLM inference | Explicit consent — PDPL Art. 6(1)(a) & Art. 29 | Contract + appropriate safeguards (SCCs) — Art. 46
Security, abuse prevention, audit | Legitimate interest of the controller | Legitimate interest — Art. 6(1)(f)
Improving the Service from your feedback signals (👍/👎) | Consent (you choose to send feedback) | Consent — Art. 6(1)(a)

What we do not do. We do not use your data, your prompts, or any content read from Google / Microsoft / Slack to train AI models. We do not sell personal data. We do not allow human review of your data except where you explicitly request support on a specific item, or as required by law.

4. Subprocessors

Each subprocessor below has a written data-processing arrangement with us (signed DPA or the provider’s standard customer terms — whichever is appropriate to the data flow).

Subprocessor | Role | Region
WafaiCloud | Application + Postgres database hosting (single VM). All user data resides here. | Saudi Arabia
Anthropic PBC | LLM inference (Claude API). Customer prompts and responses are retained by Anthropic for up to 30 days for safety monitoring, then deleted. Anthropic does not use customer API data to train its models. Cross-border transfer to the United States is governed by the EU Standard Contractual Clauses in Anthropic’s DPA. | United States
Telegram FZ-LLC | Bot messaging delivery. Messages traverse Telegram’s infrastructure. | United Arab Emirates / distributed
Google LLC | OAuth-authorised access to Gmail (read, send, and inbox organisation — gmail.modify), Calendar (read/write), and Drive (content search and reads — drive.readonly; file creation and Picker-shared files — drive.file). Your data remains in your Google account; we transit access tokens. | Your Google account region
Microsoft Corporation | OAuth-authorised access to Outlook, Calendar, and OneDrive. Your data remains in your Microsoft tenant. | Your Microsoft tenant region
Slack Technologies, LLC | OAuth-authorised read of channel history, @mentions, and user lookup. | Your Slack workspace region
Moyasar | Payment processing for KSA cards (mada, Apple Pay, STC Pay) — when subscriptions are active. | Saudi Arabia
Stripe, Inc. | Payment processing for international cards — feature-flagged, when activated. | United States / Ireland

5. International data transfers

All persistent user data — accounts, OAuth tokens, conversation history, briefing preferences — resides on infrastructure inside Saudi Arabia. The only routine cross-border transfer is the LLM-inference call to Anthropic in the United States. We rely on the following safeguards for that transfer:

  • Your explicit consent, obtained during onboarding via the cross-border transfer disclosure (PDPL Art. 6(1)(a) and Art. 29).
  • A Data Processing Addendum with Anthropic, automatically incorporated into Anthropic’s Commercial Terms of Service.
  • EU Standard Contractual Clauses (Schedule 3 of Anthropic’s DPA) and the UK Addendum, relied upon as the appropriate safeguard for the cross-border transfer under PDPL Art. 29.
  • Anthropic’s standard data-handling commitment: customer API data is not used to train models, and prompts and responses are retained for up to 30 days for safety monitoring before deletion.
  • Documented Transfer Risk Assessment retained in our compliance file.

Data transferred to Google, Microsoft, and Slack flows back to your own accounts on those platforms — they are recipients you have an existing relationship with, not an onward transfer initiated by us.

6. How long we keep data

Data | Retention
Encrypted OAuth tokens | While the integration is connected. Deleted within 7 days of disconnection or account deletion. Provider-side access is also revoked at disconnection where the provider supports it.
Conversation history | Rolling 40-turn / 7-day window. Cleared on /reset or account deletion.
Account profile, briefing preferences | While account is active. Deleted within 7 days of account-deletion request.
Pending confirmations | Auto-expire after 10 minutes.
Tool-call audit logs | 30 days, then deleted.
Encrypted backups | Rotated every 14 days; deletion request is propagated through the next backup cycle.
Payment / billing records | Retained as required by Saudi tax and consumer-protection law (typically 5 years), in pseudonymised form where possible.

7. Security

  • Encryption in transit: TLS 1.3 (HSTS preloaded for the .app TLD).
  • Encryption at rest: AES-256 on the database volume; OAuth tokens additionally encrypted with AES-256-GCM at the application layer.
  • Key management: master encryption key held only in environment configuration; never logged, never echoed to the agent, never sent to the LLM.
  • Row-level isolation enforced in application code — one user’s data is never visible in another user’s session.
  • Confirmation flow on every destructive action: send email, create / update / cancel calendar event.
  • Telegram webhook secret verification on every incoming update.
  • Cloud-firewall and host-firewall both restrict ingress to ports 22 / 80 / 443.
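Two of the application-layer controls listed above, AES-256-GCM encryption of OAuth tokens under a key held only in environment configuration and verification of the Telegram webhook secret on every incoming update, are illustrated below in Go. This is an added example, not Yameen’s own implementation: the TOKEN_MASTER_KEY variable name, the chat-ID/provider pair bound as associated data, and the sample token are assumptions made for the illustration. The X-Telegram-Bot-Api-Secret-Token header is the one Telegram sends when a webhook is registered with a secret token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// loadMasterKey reads the 32-byte AES-256 master key from the process
// environment. The variable name TOKEN_MASTER_KEY is an assumption of this
// example; the policy only states that the key lives in environment config.
func loadMasterKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv("TOKEN_MASTER_KEY"))
	if err != nil || len(key) != 32 {
		return nil, errors.New("TOKEN_MASTER_KEY must be 64 hex characters (32 bytes)")
	}
	return key, nil
}

// tokenAAD binds a ciphertext to the database row it belongs to. GCM
// authenticates the associated data, so a sealed token copied into another
// user's row, or relabelled as another provider, fails to open.
func tokenAAD(chatID int64, provider string) []byte {
	return []byte(fmt.Sprintf("%d|%s", chatID, provider))
}

// sealToken encrypts an OAuth token with AES-256-GCM and returns
// nonce || ciphertext || tag, the only form that would reach the database.
func sealToken(key []byte, chatID int64, provider, token string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for every encryption
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(token), tokenAAD(chatID, provider)), nil
}

// openToken decrypts a stored blob only if the tag verifies for this exact
// chatID/provider pair; tampering or cross-row use yields an error, never plaintext.
func openToken(key []byte, chatID int64, provider string, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("sealed token too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, tokenAAD(chatID, provider))
	if err != nil {
		return "", errors.New("token failed authentication")
	}
	return string(pt), nil
}

// validWebhookSecret checks the X-Telegram-Bot-Api-Secret-Token header value
// against the secret registered with Telegram. The comparison is constant-time
// so response timing reveals nothing about the secret; an unset secret rejects
// every update rather than silently accepting all of them.
func validWebhookSecret(headerValue, expected string) bool {
	if expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(headerValue), []byte(expected)) == 1
}

func main() {
	key, err := loadMasterKey()
	if err != nil {
		fmt.Println(err)
		return
	}
	// Constructed sample values; the token is not a real credential.
	blob, _ := sealToken(key, 123456789, "google", "constructed-sample-token")
	tok, err := openToken(key, 123456789, "google", blob)
	fmt.Println("own row:", tok, err)
	_, err = openToken(key, 987654321, "google", blob)
	fmt.Println("another user's row:", err)
}
```

The associated data is what turns "row-level isolation enforced in application code" into a property the database cannot violate by accident: even a query that returns the wrong row hands the application a blob it cannot decrypt.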

8. Your rights

Under PDPL (Articles 4–9) and GDPR (Articles 12–22) you have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (right to deletion).
  • Restrict or object to processing.
  • Receive your data in a structured, machine-readable form (data portability).
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
  • Lodge a complaint with a supervisory authority — in the Kingdom of Saudi Arabia, the Saudi Data & AI Authority (SDAIA); in the EU, your local data-protection authority.

9. How to exercise your rights

Three ways, all of equal effect:

  • Email contact@yameen.app from the address on your account.
  • Send /delete_account in Telegram, then confirm with /delete_account CONFIRM.
  • Use the data-deletion control on the web dashboard once it’s available to your account.

We respond to rights requests within 30 days and document each response in our compliance log. See our Data Deletion Policy for the exact cascade.

10. Google API user data — Limited Use

Yameen’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

  • We use Google user data only to provide or improve user-facing features that are prominent in the Service’s user interface.
  • We do not transfer Google user data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger / acquisition / sale of assets with continued obligations.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, to comply with law, or our use is for internal operations and the data has been aggregated and anonymised.
  • We do not use Google user data to develop, improve, or train generalised or non-personalised AI/ML models.

11. Microsoft and Slack data handling

Data accessed via Microsoft Graph and the Slack API is used solely to respond to your in-bot requests. We do not redistribute Microsoft or Slack data, do not use it for advertising, and do not use it to train AI models. Disconnecting your account in /disconnect revokes our access tokens and triggers deletion of the encrypted tokens within 7 days.

12. Children

Yameen is not directed at children. We do not knowingly process the personal data of anyone under 16. If you believe a child has provided us with personal data, please contact contact@yameen.app and we will delete it.

13. Changes to this policy

Material changes will be announced at least 30 days before they take effect, both at this page (with an updated effective date) and through the Telegram bot. Continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.

14. Contact

Privacy contact: contact@yameen.app
Postal address: MARSAD ALEBDAA IT EST, 2794, Al-Azhari, 6336, Ar Riyad 12471, Saudi Arabia (CR No. 7023462158).