Tawqee

Privacy Policy

Effective: April 28, 2026 · Version 1.0

Tawqee, Inc. (“we”) is committed to protecting your personal data. This Privacy Policy describes how we collect, use, share, and protect personal data when you use the Tawqee platform.

1. Scope

This policy covers personal data we process as a Controller (e.g., for our marketing site, sign-up flow, billing). When we process Customer Content on behalf of a customer organization, we act as a Processor governed by our Data Processing Agreement.

2. Data we collect

  • Account data — name, email, organization, password hash
  • Identity proofs — Nafath responses, ID document hashes, KBA scores when explicitly provided for authentication
  • Usage data — IP address, user-agent, audit events
  • Billing data — handled by Stripe; we store a customer ID and plan, never card numbers
  • Customer Content— documents you upload and signatures captured; processed under the customer’s instructions per the DPA

3. Legal bases (GDPR / PDPL)

  • Performance of contract — to provide the Service you signed up for
  • Legitimate interests — security monitoring, fraud prevention, product analytics
  • Legal obligation — keeping audit records as required by ESIGN, eIDAS, Part 11, PDPL, and other applicable rules
  • Consent — for marketing emails and optional cookies; revocable at any time

4. Saudi PDPL specifics

For Customer Content originating in the Kingdom of Saudi Arabia and held in the Saudi data-residency option, processing is performed inside KSA. Cross-border transfers occur only on a documented legal basis and only to processors with equivalent protections. You may exercise your PDPL rights (access, correction, erasure, restriction, objection, withdrawal of consent) by emailing privacy@tawqee.com. We will respond within 30 days.

5. How we share data

We share personal data only with the subprocessors listed at /legal/subprocessors and only as needed to operate the Service. We do not sell personal data and do not share it for advertising.

6. Retention

We retain Customer Content for as long as the customer’s organization remains active, plus 90 days after termination for export. Audit records covering Part 11 envelopes are retained for the longer of (a) the customer’s configured retention and (b) the period required by the predicate rule. Marketing-list data is retained until you unsubscribe.

7. Security

Encryption in transit (TLS 1.3+) and at rest (AES-256), tenant isolation in the application layer, daily PITR backups, role-based access, mandatory MFA for admins. See /security for the technical brief.

8. International transfers

Where data is transferred internationally, we rely on Standard Contractual Clauses (EU SCCs) and the equivalent KSA cross-border transfer safeguards. The list of regions is in the Subprocessors page.

9. Your rights

Subject to applicable law you may request access, correction, erasure, restriction, portability, or to object to processing. Contact us at privacy@tawqee.com.

10. Children

The Service is not directed to individuals under 18 and we do not knowingly collect their personal data.

11. Changes

We will notify you of material changes by email and post the revised version with a new effective date.

12. Contact

Privacy: privacy@tawqee.com · DPO: dpo@tawqee.com