Privacy Policy
This Privacy Policy describes how EHIRAR ("we", "us", "our") collects, uses, and protects information when you use our compliance posture scanning platform at ehirar.com (the "Service"). We operate in alignment with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL), the United Arab Emirates Federal Decree-Law No. 45 of 2021 on Personal Data Protection, and the EU General Data Protection Regulation (GDPR) where applicable.
The short version: We only collect what is strictly necessary to run a compliance scan. We do not sell, rent, or share your personal data with third parties for advertising. We scan only the domains you submit using the same public signals an external observer can already see.
1. Who we are
EHIRAR is operated by its founders from Türkiye, providing a Software-as-a-Service (SaaS) external posture assessment platform for businesses subject to KSA PDPL, UAE PDPL, and NCA ECC-2:2024 compliance obligations. For any privacy enquiry you may contact us at privacy@ehirar.com.
2. What data we collect
2.1 Information you provide
- Account information: name, email address, company name, and password (stored as a one-way hash).
- Domain names: the domain or domains you submit for scanning.
- Billing information: processed entirely by our payment processor, Lemon Squeezy. We never see or store your full payment card number — only the last four digits and the card brand for invoice display.
- Support correspondence: messages you send to our support address.
2.2 Information collected automatically
- Scan output: public DNS records, SSL/TLS certificate metadata, HTTP response headers, publicly accessible files, subdomain enumeration results, and JavaScript bundle content for the domains you submit. All of this is information already publicly observable.
- Usage data: pages visited within the platform, scan timestamps, and feature usage — used only to improve the Service.
- Technical data: IP address, browser type, and operating system, retained for 90 days for security and abuse prevention.
2.3 What we do not collect
- We do not place agents on your servers.
- We do not perform active intrusion, port scanning, brute-force, fuzzing, or any technique requiring an NCA penetration testing licence.
- We do not access any private or authenticated area of your systems.
- We do not collect personal data belonging to your end users.
3. Why we process your data — legal basis
We process personal data under the following legal bases:
- Performance of contract — to deliver the scan you have subscribed to (PDPL Art. 6(2), UAE PDPL Art. 4(2)).
- Legitimate interest — to secure our Service, detect abuse, and improve scan quality.
- Legal obligation — to maintain accounting and tax records as required by Turkish, Saudi, and Emirati law.
- Consent — for any optional marketing communication, withdrawable at any time.
4. How we share data
We share data with a limited set of service providers, each bound by contract and selected for their own compliance posture:
- Lemon Squeezy (Merchant of Record) — payment processing, invoicing, and tax handling.
- Railway — application hosting infrastructure.
- Turso — encrypted database hosting.
- DeepSeek, Anthropic, Google (Gemini) — AI providers used to generate the remediation commentary attached to your findings. Findings are sent without account-identifying information.
- Jina AI — public website content fetcher used to identify the business context of the domain you submitted.
We do not sell your data. We do not share data with advertising networks. We disclose data to law-enforcement authorities only where compelled by a valid court order from a competent jurisdiction.
5. International transfers
EHIRAR is operated from Türkiye. Our hosting is currently located in the United States. For Enterprise customers and upon request, we offer deployment within AWS Bahrain (region: me-south-1) to ensure data remains inside the GCC. Where data leaves the Kingdom of Saudi Arabia or the United Arab Emirates, we rely on the safeguards permitted by Article 29 of the KSA PDPL and Article 22 of the UAE PDPL, including contractual safeguards with each processor.
6. How long we keep data
- Account data: for as long as your account is active, plus 12 months after closure.
- Scan results: retained for 24 months to enable trend analysis; deletable on request at any time.
- Billing records: 10 years, as required by Turkish accounting law.
- Server logs: 90 days.
7. Security
We apply the technical and organisational measures required by Article 19 of the KSA PDPL, including TLS 1.2+ in transit, encrypted storage at rest, principle-of-least-privilege access controls, multi-factor authentication on all administrative accounts, daily backups, and an internal incident-response procedure. In the event of a personal data breach, we will notify the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours and affected customers without undue delay, as required by Article 20 of the KSA PDPL.
8. Your rights
Under the KSA PDPL, UAE PDPL, and GDPR you may exercise the following rights free of charge:
- Right of access — receive a copy of the personal data we hold about you.
- Right of rectification — correct inaccurate data.
- Right of erasure — request deletion of your account and associated data.
- Right to restrict processing — limit how we use your data.
- Right to data portability — receive your data in a machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint — with the Saudi Data and Artificial Intelligence Authority (SDAIA), the UAE Data Office, or your local data protection authority.
To exercise any of these rights, write to privacy@ehirar.com. We will respond within 30 days.
9. Cookies
We use a small number of strictly necessary cookies to keep you logged in and remember your language preference. We do not use third-party advertising cookies. We do not run analytics that profile individual users; aggregate usage analytics are based on anonymised, sampled logs.
10. Children
EHIRAR is a B2B service. We do not knowingly collect data from anyone under 18 years of age. If you believe a minor has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to active customers at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Contact
Privacy enquiries: privacy@ehirar.com
General support: support@ehirar.com
Website: ehirar.com