Privacy Policy
Last updated: March 2026
CRITICAL DISCLAIMER: Fattourah is an independent third-party SaaS tool. It is NOT affiliated with, endorsed by, or certified by ZATCA (Zakat, Tax and Customs Authority).
1. Overview
Fattourah ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services, including during your 14-day free trial and paid subscription plans (Starter $19/month, Pro $39/month).
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our services.
2. Data We Collect
2.1 Business Information
When you create an account, we collect:
- Company name and business registration number
- Tax identification number (TIN) and VAT number
- Contact information (email, phone, address)
- Account credentials (username, password)
- Billing and subscription details
2.2 Invoice Data
Your invoices and related financial records uploaded to or generated within Fattourah, including:
- Customer/client information
- Line items, quantities, and pricing
- Payment terms and transaction details
- Attachments and supporting documents
2.3 ZATCA Integration Credentials
For invoice submission to ZATCA, we collect and securely store:
- ZATCA API credentials and certificates
- Encryption keys for Phase 3 Wave 24 compliance
- ZATCA compliance configuration settings
2.4 Usage Data
We automatically collect:
- IP address and browser information
- Pages visited and features used
- Time and duration of usage
- Device type and operating system
- Referring URL and exit pages
2.5 Payment Information
Payment processing is handled by Moyasar (Saudi payment gateway). We do not store full credit card details; Moyasar securely handles all payment information.
3. How We Use Your Data
- Service Delivery: Process and store your invoices, manage subscriptions, and provide e-invoicing functionality
- ZATCA Integration: Submit invoices to ZATCA API in compliant formats (Phase 3 Wave 24)
- Reporting & Analytics: Generate usage reports and invoice summaries for your business
- Payment Processing: Process subscription payments through Moyasar
- Communication: Send account updates, billing notifications, and service announcements
- Technical Support: Provide customer support and troubleshoot issues
- Security: Detect and prevent fraud, abuse, and unauthorized access
- Analytics & Improvement: Via Plausible Analytics to improve our service (privacy-respecting, no tracking cookies)
- Legal Compliance: Comply with Saudi Arabia commercial law and tax regulations
4. Third-Party Services
4.1 Moyasar (Payment Processing)
We use Moyasar for all payment processing. Moyasar is PCI-DSS Level 1 certified and handles all credit card and payment data securely. Moyasar may store tokenized payment methods for subscription renewals. Note: Mada cards have limitations with auto-renewal subscriptions and may require manual intervention for monthly billing.
Moyasar Privacy Policy
4.2 ZATCA API
To submit invoices, we transmit invoice data to the Saudi ZATCA API in compliance with Phase 3 Wave 24 requirements. This data is transmitted via encrypted connections and includes your business TIN and invoice details.
ZATCA Official Website
4.3 Plausible Analytics
We use Plausible for privacy-respecting website analytics. Plausible does not use cookies, does not track across websites, and does not collect personal data. It only collects aggregated, anonymized usage patterns.
Plausible Privacy Policy
4.4 Cloudflare CDN
Our website is delivered via Cloudflare's content delivery network for performance and security. Cloudflare may log IP addresses and request metadata.
Cloudflare Privacy Policy
4.5 Supabase (Database & Hosting)
We use Supabase for secure database hosting, backup, and infrastructure. Your data is encrypted at rest on Supabase servers.
Supabase Privacy Policy
5. Data Security & Storage
- Encryption at Rest: All invoice data and business information is encrypted at rest using AES-256 encryption
- Encryption in Transit: All data transmitted to and from Fattourah is encrypted using TLS 1.2 or later (HTTPS); plain HTTP and legacy SSL protocol versions are not accepted
- Secure Authentication: Passwords are stored only as bcrypt hashes, never in plaintext, and multi-factor authentication is supported for all accounts
- Access Controls: Only authorized personnel have access to customer data, enforced through role-based access control (RBAC)
- Regular Audits: We conduct regular security audits and penetration testing
- Data Isolation: Each customer's data is logically isolated by tenant-scoped access controls and encrypted separately from other customers' data
While we implement industry-standard security measures, no system is completely immune to security breaches. We cannot guarantee absolute security of your data.
6. Data Retention
- Active Accounts: Data is retained as long as your account is active
- Financial Records: In compliance with Saudi Arabia commercial law (Law of Commercial Transactions), financial records and invoices are retained for a minimum of 5 years from the date of transaction
- After Account Deletion: Backup copies may be retained for up to 30 days for recovery purposes; after which data is securely destroyed
- Legal Hold: If legally required, we may retain data beyond the stated periods to comply with court orders or government requests
- ZATCA Submissions: Records of the submissions themselves (API requests, responses, and clearance/reporting status) are retained per ZATCA retention policies (currently 3 years); the underlying invoices remain subject to the 5-year financial-record retention described above
7. Financial Data & PCI-DSS Compliance
We take the security of payment information extremely seriously:
- PCI-DSS Scope: Cardholder data is handled entirely by our payment partner Moyasar, which is PCI-DSS Level 1 certified. Fattourah does not process, transmit, or store cardholder data on its own systems, which keeps our PCI-DSS scope to a minimum; PCI-DSS certification is not transferable, so our own compliance rests on never touching card data rather than on Moyasar's certification
- No Card Storage: We do not store full credit card numbers, CVV codes, or magnetic stripe data
- Tokenization: Moyasar tokenizes payment methods for secure recurring billing
- Mada Card Note: Due to Moyasar's current implementation, Mada card auto-renewal subscriptions may fail and require manual payment. We are working with Moyasar to resolve this limitation.
- Invoice Financial Data: Invoice amounts, customer payment information, and financial totals are treated as sensitive business data and encrypted
8. Your Rights
You have the right to:
- Access: Request a copy of all personal and business data we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Data Export: Request your data in a portable, machine-readable format (CSV/JSON)
- Opt-Out: Opt out of non-essential communications and marketing emails
To exercise any of these rights, contact us at [email protected] with your request. We will respond within 30 days.
9. Cookie Policy
- Essential Cookies: We use essential cookies for authentication, security, and session management
- Preferences: Cookies store your language and interface preferences
- Analytics: Plausible Analytics runs as a lightweight script that sets no cookies and stores no persistent identifiers in your browser
- No Tracking: We do not use third-party tracking cookies or behavioral advertising pixels
Most browsers allow you to control cookies through settings. Disabling essential cookies may affect your ability to use Fattourah.
10. Saudi Arabia Compliance
Fattourah operates in accordance with Saudi Arabia's regulatory frameworks:
- e-Invoice Law: We facilitate invoice generation in ZATCA-compliant formats per Vision 2030 e-invoicing mandate
- Commercial Law: Financial data retention follows the Law of Commercial Transactions (5-year minimum)
- Tax Regulations: We support VAT compliance and ZATCA Phase 3 Wave 24 requirements (deadline: June 30, 2026)
- Data Residency: Some of our infrastructure may be hosted outside Saudi Arabia; where it is, we handle your data in accordance with applicable Saudi data protection regulations
- Consumer Protection: We comply with applicable Saudi consumer protection laws
This Privacy Policy is effective as of March 2026 and may be updated periodically. We will notify you of material changes by updating this page and sending an email notification.