Privacy Policy
Last updated: 2025-05-23
This Privacy Policy explains what personal data muqawil (مقاول) collects, why we collect it, and the choices you have about it. It applies to anyone who uses our platform, marketing pages, or contacts us.
1. Data we collect
We collect only what we need to operate the platform:
- Account data: your name (Arabic + English), email, role, locale, and tenant.
- Operational data you submit: project, worker, attendance, task, BOQ, financial, and document records.
- Technical data: IP address, browser/OS, language preference, anonymous usage analytics.
- Payment data: handled by Stripe — we never store full card numbers on our servers.
2. Why we use it
We process personal data for these purposes:
- To provide the platform features you use (login, project management, attendance, notifications, billing).
- To secure the platform — fraud detection, audit logs, abuse prevention.
- To send transactional emails (password reset, invitation, billing notices).
- To improve the product based on aggregate, de-identified usage patterns.
3. Legal basis
We process personal data on the basis of (a) the contract we have with your tenant, (b) our legitimate interest in operating and securing the service, (c) your consent where required for marketing communications, and (d) compliance with legal obligations.
4. Who we share data with
We share data only with vetted sub-processors that help us run the platform: PostgreSQL hosting (Railway), email delivery (Resend), payments (Stripe), web hosting and CDN (Netlify). We do not sell personal data, and we do not share it with advertising networks.
5. International transfers
Our infrastructure runs in the EU and US. When data crosses borders, we rely on Standard Contractual Clauses or equivalent safeguards with each sub-processor.
6. Retention
We retain data for the lifetime of your subscription plus a 30-day grace window after cancellation, then permanently delete it from active systems. Backups roll off within 90 days. We may retain limited records longer to meet legal obligations (e.g. tax invoices), in which case:
- We minimise the data retained to what the obligation requires.
- We isolate it from production access.
- We delete it as soon as the obligation expires.
7. Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can exercise most of these rights from the Settings screen; for others, contact us at the address below.
8. Security
We use strong password hashing (Argon2id), TLS for all traffic, encrypted 2FA secrets at rest (AES-256-GCM), strict tenant isolation in every database query, and short-lived JWTs with rotating refresh tokens. No system is perfect — please report suspected vulnerabilities responsibly.
9. Children
muqawil is built for businesses. We do not knowingly collect personal data from anyone under 16. If we learn we have, we will delete it promptly.
10. Contact
Questions, requests, or complaints about your data? Reach us at: