Privacy Policy
Your trust is the foundation of our business. This policy explains exactly how WameedPOS collects, uses, stores, and protects your data.
Last updated: January 15, 2025
1. Introduction
WameedPOS ("we," "us," or "our") is a product of Thawani Technology Company, registered in the Kingdom of Saudi Arabia. We operate the WameedPOS point-of-sale platform, including our web application, mobile applications, cloud services, hardware integrations, and related support services (collectively, the "Services").
This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Services. It applies to all merchants, employees, and end-users who interact with the WameedPOS platform. By using our Services, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Business name, owner name, email address, phone number, Commercial Registration (CR) number, VAT registration number, and business address.
- Staff Profiles: Employee names, roles, assigned PINs, and access permissions configured within the system.
- Product & Inventory Data: Product names, descriptions, SKUs, barcodes, pricing, stock quantities, and supplier information.
- Financial Records: Transaction histories, payment method details (card type, last four digits — never full card numbers), refund records, and daily settlement reports.
- Support Communications: Messages, ticket contents, and attachments you send to our support team.
2.2 Information Collected Automatically
- Device & Hardware Data: Device type, operating system, hardware serial numbers, printer and scanner configurations, and network connectivity status.
- Usage Analytics: Features used, session duration, screen views, error logs, and performance metrics to help us improve the platform.
- Location Data: Branch geo-coordinates (only when multi-branch management is enabled and with your explicit consent).
- Log Data: IP addresses, browser type, access timestamps, and referring URLs when you access our web dashboard.
2.3 Information from Third Parties
- Payment Processors: Transaction confirmation data from Thawani Pay, Mada, STC Pay, Apple Pay, and other integrated payment gateways.
- ZATCA: Invoice clearance responses, cryptographic stamps, and compliance status from the Zakat, Tax and Customs Authority.
- Delivery Platforms: Order data from HungerStation, Jahez, Keeta, Talabat, and other integrated delivery services.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: Processing transactions, managing inventory, generating invoices, and providing the core POS functionality.
- ZATCA Compliance: Generating QR codes, submitting e-invoices, and maintaining audit-ready records as required by Saudi tax law.
- Analytics & Reporting: Providing business intelligence dashboards, sales reports, profit analysis, and inventory insights.
- Platform Improvement: Analyzing usage patterns to improve features, fix bugs, and optimize performance.
- Customer Support: Responding to inquiries, troubleshooting issues, and providing technical assistance.
- Security: Detecting fraud, preventing unauthorized access, and maintaining system integrity.
- Legal Compliance: Meeting our obligations under Saudi law, including the Personal Data Protection Law (PDPL), and responding to lawful government requests.
- Communication: Sending service updates, security alerts, billing notifications, and — with your opt-in consent — promotional materials.
4. Data Storage & Security
4.1 Where We Store Data
All primary data is stored on servers located within the Kingdom of Saudi Arabia, in compliance with Saudi data residency requirements. Our cloud infrastructure is hosted on certified data centers that meet Tier III+ standards. Offline transaction data is stored locally on your POS hardware and automatically synced to our cloud servers when connectivity is restored.
4.2 How We Protect Data
- Encryption at Rest: All stored data is encrypted using AES-256 encryption.
- Encryption in Transit: All data transmissions use TLS 1.3 encryption.
- Access Controls: Role-based access controls with multi-factor authentication for administrative access.
- Audit Logging: Comprehensive audit trails of all data access and modifications.
- Regular Assessments: Periodic penetration testing and vulnerability assessments by independent security firms.
- PCI-DSS Compliance: Payment card data is handled in accordance with Payment Card Industry Data Security Standard requirements. We never store full card numbers, CVVs, or PINs.
5. Data Sharing & Disclosure
We do not sell your personal or business data. We share information only in these circumstances:
- Service Providers: Trusted partners who help us operate the platform (cloud hosting, payment processing, SMS delivery) under strict confidentiality agreements.
- Government Authorities: When required by Saudi law, such as submitting e-invoices to ZATCA or responding to valid legal process from competent courts.
- Payment Networks: Transaction data shared with payment processors (Mada, Visa, Mastercard) solely to process your payments.
- Delivery Partners: Order and menu data shared with delivery platforms you have explicitly integrated and activated.
- With Your Consent: Any other sharing requires your explicit, informed consent.
6. Cookies & Tracking Technologies
Our web dashboard and website use the following technologies:
- Essential Cookies: Required for authentication, session management, and security. Cannot be disabled.
- Analytics Cookies: Help us understand how users navigate our platform. You can opt out via your browser settings or our cookie preferences panel.
- Performance Cookies: Monitor system performance and error rates to ensure service reliability.
We do not use advertising cookies or sell cookie data to third parties.
7. Data Retention
- Transaction Records: Retained for a minimum of 6 years to comply with Saudi tax regulations and ZATCA e-invoicing requirements.
- Account Information: Maintained for the duration of your active subscription and 12 months after account closure.
- Usage Analytics: Aggregated and anonymized data is retained indefinitely. Identifiable analytics data is deleted after 24 months.
- Support Tickets: Retained for 36 months after resolution for quality assurance purposes.
- Audit Logs: Retained for 7 years as required by financial regulations.
8. Your Rights Under Saudi PDPL
Under the Saudi Personal Data Protection Law (PDPL), you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right of Correction: Request correction of inaccurate or incomplete data.
- Right of Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Right to Restrict Processing: Request limitation of how we process your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Withdraw Consent: Withdraw consent for optional data processing at any time without affecting the lawfulness of prior processing.
- Right to Object: Object to processing based on legitimate interests.
To exercise any of these rights, contact our Data Protection Officer at privacy@wameedpos.com. We will respond within 30 days.
9. International Data Transfers
We primarily process and store data within Saudi Arabia. In limited cases where data must be transferred internationally (e.g., for global payment network processing), we ensure adequate safeguards are in place, including Standard Contractual Clauses and data processing agreements that comply with PDPL requirements. We will never transfer data to jurisdictions that lack adequate data protection without implementing appropriate safeguards and obtaining your consent where required.
10. Children's Privacy
WameedPOS is a business-to-business platform designed for commercial use. Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately and we will take steps to delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email, in-app notification, or a prominent notice on our website at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Data Protection Officer
Thawani Technology Company
Email: privacy@wameedpos.com
Phone: +966 800 123 4567
Address: Riyadh, Kingdom of Saudi Arabia