Privacy Policy
Version 1.0 | Last updated: March 2026
1. Data Controller
Bana’i (بنائي) is a building compliance management platform operated under the brand Imtisal (إمتثال) by Osama Shehab. The platform is currently in an early-access stage. Commercial registration is in progress. For data protection enquiries, contact privacy@binaey.com. This section will be updated with the registered entity name and commercial registration number upon incorporation.
2. Data We Collect
We collect the following categories of personal data when you use our Platform:
- Identity data: full name, national ID or Iqama number (where required for regulatory compliance)
- Contact data: email address, phone number
- Organisation data: company name, commercial registration number, role within organisation
- Facility data: building addresses, floor plans, facility classifications, compliance certificates
- Inspection data: inspection records, findings, corrective actions, photographic evidence
- Technical data: IP address, user-agent string, login timestamps, device information
- Consent records: timestamped record of consents given or withdrawn
3. Purpose of Processing
We process your personal data for the following purposes:
- Compliance management: tracking building compliance status against Saudi Building Code, Civil Defence (Salamah), and Balady requirements
- Reporting: generating compliance reports, dashboards, and analytics for your organisation
- Notifications: sending expiry alerts, inspection reminders, and compliance deadline notifications
- Account management: authenticating users, managing subscriptions, and providing customer support
- Legal obligations: maintaining records as required by applicable Saudi regulations
- Service improvement: analysing usage patterns to improve Platform functionality (using aggregated, anonymised data only)
4. Legal Basis for Processing
We process your personal data on the following legal bases under PDPL Article 6:
- Contractual necessity: processing required to provide the compliance management service you have contracted for
- Explicit consent: marketing communications and optional data processing, where you have provided separate, freely-given consent
- Legal obligation: retention of compliance records as required by Saudi Building Code and Civil Defence regulations
- Legitimate interest: fraud prevention, security monitoring, and service improvement using anonymised data
5. Data Retention
We retain personal data for the following periods, in accordance with applicable law and our data retention policy:
- Account data (name, email, phone): retained for the duration of your account plus 3 years after account closure
- Compliance and building records: retained for 7 years to comply with Saudi Building Code requirements
- Inspection records and evidence: retained for 7 years from the date of inspection
- Marketing consent records: retained for 3 years from last interaction; withdrawn consent records are retained as evidence
- Technical logs: retained for 12 months for security and troubleshooting purposes
6. Your Data Subject Rights
Under the Saudi Personal Data Protection Law (PDPL), you have the following rights:
- Right to access: obtain a copy of your personal data held by us (PDPL Article 4)
- Right to rectification: request correction of inaccurate or incomplete data (PDPL Article 5)
- Right to erasure: request deletion of your data, subject to legal retention requirements (PDPL Article 6)
- Right to data portability: receive your data in a structured, commonly used format (PDPL Article 7)
- Right to withdraw consent: withdraw any consent at any time without affecting the lawfulness of prior processing (PDPL Article 10)
- Right to restriction: request that we restrict processing of your data in certain circumstances
- Right to object: object to processing of your data in certain circumstances
We will respond to data subject rights requests within 30 days as required by PDPL. To exercise your rights, contact privacy@binaey.com.
7. Cross-Border Data Transfer
The Platform currently uses Supabase database infrastructure hosted in Frankfurt, Germany (EU). This means your personal data is stored and processed outside the Kingdom of Saudi Arabia. We disclose this transparently in accordance with PDPL Article 29. During our early-access period, your use of the Platform constitutes informed consent to this cross-border transfer as disclosed here. We implement contractual safeguards with our infrastructure providers, and apply encryption in transit (TLS 1.2+) and at rest (AES-256), along with strict access controls. SDAIA has not yet published a formal list of adequate jurisdictions. We are evaluating options to host data within the GCC region and will update this section when our infrastructure arrangements change.
8. Data Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) policies ensuring data isolation between organisations
- Multi-factor authentication support for user accounts
- Regular security assessments and vulnerability scanning
- Access controls and audit logging for all data access
- Incident response procedures with breach notification within 72 hours as required by PDPL
9. Cookies and Similar Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies: required for authentication, security, and basic Platform functionality. These cannot be disabled.
- Functional cookies: remember your preferences such as language selection and display settings.
- Analytics cookies: help us understand how users interact with the Platform to improve our service. These are only set with your consent.
You can manage your cookie preferences at any time using the cookie settings available on our Platform. For more information, see our cookie consent banner.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on the Platform and, where appropriate, by email notification. Your continued use of the Platform after such changes constitutes acceptance of the updated policy.
11. Contact & Data Protection Officer
For privacy enquiries, data subject rights requests, or to report a data protection concern, contact our Data Protection Officer at privacy@binaey.com.
Riyadh, Kingdom of Saudi Arabia. Commercial registration details will be published upon incorporation.