Privacy Policy — Saudi Tradex

Effective date: May 18, 2026 Controller/Operator: HATTAN SAMEER MUQBIL ALTHAGAFI Establishment Commercial Commercial Registration: 7052466369 VAT Registration: 314378959700003 Business Address: MFEA6983 Privacy contact: [email protected] Arabic version controls if there is any conflict with translations.

1. Purpose

This Privacy Policy explains how Saudi Tradex collects, uses, stores, shares, transfers, protects, and retains personal data when users access the platform.

The policy is designed around the actual platform architecture and workflows: registration, verification, RFQs, supplier profiles, messages, orders, invoices, media uploads, admin review, security logs, and account closure.

2. Personal data we collect

We may collect:

Account data

• name, username, email, phone number;
• account type, role, permissions, account status;
• password hash, session data, verification status;
• preferred language and settings.

Business/supplier data

• company/factory name;
• commercial and verification documents;
• factory address/region/city;
• product listings, media, pricing tiers;
• supplier/factory members and roles.

Marketplace data

• RFQs, quotes, orders, invoices;
• messages and attachments;
• reviews, reports, disputes;
• favorites, cart, checkout intents.

Technical/security data

• IP address, user agent, device/browser information;
• login/logout events;
• audit logs and admin actions;
• rate-limit events;
• security headers/session metadata;
• file upload metadata.

Communication data

• email verification, password reset, notices;
• SMS/OTP delivery status via Twilio;
• support, abuse, IP, privacy, and security reports.

3. Why we process data

We process data to:

• create and manage accounts;
• verify email and phone ownership;
• operate buyer/supplier workflows;
• enable RFQs, quotes, orders, invoices, and messaging;
• verify suppliers/factories;
• prevent fraud, abuse, spam, and unauthorized access;
• moderate content and enforce policies;
• provide support;
• comply with legal obligations;
• maintain audit logs and security records;
• improve platform reliability and user experience.

4. Legal basis

Depending on context, processing may be based on:

• user consent;
• performance of a contract or requested service;
• compliance with legal obligations;
• legitimate operational, security, fraud-prevention, and marketplace integrity interests;
• establishment, exercise, or defense of legal claims.

If consent is the sole basis for a processing activity, users may withdraw consent where applicable, subject to legal and contractual limitations.

5. Data minimization

We aim to collect only data necessary for the platform’s purposes. Users should not upload unnecessary personal data or confidential third-party information.

6. Public and private visibility

Some business information may be public or visible to relevant users:

• public product/factory information;
• public or matching-supplier RFQs;
• supplier verification badge status;
• messages and attachments only to authorized participants;
• protected media through authenticated routes.

Direct contact details may be limited or hidden from public users to protect platform integrity.

7. RFQ attachment notice

Public RFQ attachments may be visible to matching suppliers. Users should not upload confidential manufacturing drawings, proprietary specifications, trade secrets, or sensitive business documents in public RFQs.

8. Service providers

We may use third-party processors/subprocessors, including:

• Render for application hosting;
• Supabase PostgreSQL for database hosting;
• Cloudflare for DNS, WAF, R2 storage, Turnstile, and edge security;
• Resend for transactional email;
• Twilio for SMS/OTP verification;
• analytics, monitoring, logging, or support tools if added later.

These providers process data only as needed to deliver the platform services and security operations.

9. International data transfers

Some service providers may process or store data outside the Kingdom of Saudi Arabia. Where personal data is transferred outside the Kingdom, we will assess the transfer and use safeguards required by applicable Saudi data protection rules, including limiting transfer to what is necessary and maintaining appropriate protections.

10. Cookies and similar technologies

We use cookies and similar technologies for:

• authentication/session security;
• language and user preferences;
• security protections such as Turnstile;
• platform reliability and traffic protection;
• analytics if enabled.

See the Cookie Policy for details.

11. Retention

We retain data for as long as needed for platform operations, legal obligations, audit, fraud prevention, dispute handling, and security.

Examples:

• active account data: while account is active;
• closed account identifiers: active email/phone may be released, but original contact identifiers may be retained internally for audit/legal traceability;
• transactions/orders/invoices: retained as needed for legal, accounting, dispute, and audit purposes;
• security logs: retained for security and abuse prevention;
• verification documents: retained only as necessary for verification, legal, and fraud-prevention needs.

12. Account closure and deletion

Users may close their accounts subject to platform rules. Account closure does not automatically delete all records. The platform may retain data needed for:

• orders, invoices, RFQs, disputes, or legal claims;
• fraud prevention and audit logs;
• regulatory or accounting obligations;
• security investigations.

Self-closed account email/phone identifiers may be released for reuse while original contact identifiers remain internally archived for traceability.

13. User rights

Subject to applicable law and verification of identity, users may request:

• information about processing purposes and legal basis;
• access to personal data;
• a copy of personal data in a readable format;
• correction, completion, or update;
• deletion/destruction where legally required and no retention basis exists;
• withdrawal of consent where applicable;
• complaint or objection through available channels.

Requests: [email protected]

14. Security

We use administrative, technical, and organizational measures such as:

• password hashing;
• secure session cookies;
• access controls and admin permissions;
• audit logs;
• private media storage;
• rate limits;
• WAF/security headers;
• verification workflows.

No online service is 100% secure. Users must protect their credentials and report suspected compromise.

15. Children

Saudi Tradex is a B2B platform and is not intended for children or minors lacking legal capacity.

16. Changes

We may update this Privacy Policy as the platform changes. Material changes will be communicated where appropriate.

17. Contact

Privacy requests: [email protected] Support: [email protected] Security reports: [email protected]