Privacy Policy — Haflati (حفلتي / My Party)

Effective date: 2026-04-18

Last updated: 2026-04-18

App: Haflati — My Party (App ID com.datadigalyz.haflati)

Publisher: Datadigalyz (the "Company," "we," "us," "our")

Contact: privacy@haflati.app

Data protection officer: dpo@haflati.app

Haflati is committed to protecting your personal data under the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) (Royal Decree M/19 of 1443H, as amended), the PDPL Executive Regulations, the Saudi Data & AI Authority (SDAIA) guidance, and (where applicable) the EU General Data Protection Regulation (GDPR).

This policy describes what personal data we collect, why we collect it, how long we keep it, who we share it with, and the rights you have as a data subject. Please read it carefully before using the Haflati app or website.

1. Who we are

Haflati is an event-planning marketplace that connects customers (event hosts) with approved vendors (venues, caterers, photographers, florists, lighting/AV providers, DJs, MCs, invitation designers, etc.) across the Kingdom of Saudi Arabia.

The Company is the data controller for all data processed through the customer-facing portals. Vendors are joint controllers for the customer data we pass to them when you confirm an order with them.

2. Data we collect

2.1 Data you provide directly

| Category | Examples |

|---|---|

| Account data | Full name, email address, phone number, hashed password, preferred language |

| Profile data | Profile photo (optional), city, user role (customer / vendor / admin) |

| Event data | Event type, event date, guest count, budget range, selected services, free-text notes |

| Vendor-specific data | Legal business name, CR number, tax (VAT) number, bank account details for settlement, IBAN, ID documents, package photos and descriptions |

| Communication | Messages you send via the in-app AI planner (transcribed voice or typed text), support emails |

2.2 Data collected automatically

| Category | Examples |

|---|---|

| Device data | Device model, OS version, app version, language, timezone, screen size |

| Usage data | Screens visited, features used, buttons tapped, time spent, crash reports |

| Performance data | Network request latency, errors, exceptions (via Sentry) |

| Analytics events | Sign-up, plan-event-started, payment-succeeded, order-completed, etc. (no raw PII attached) |

| Log data | Supabase edge-function logs with masked identifiers |

2.3 Location data

We collect city-level location only as text you provide (e.g., "Riyadh"). We do not collect GPS coordinates or continuous location in the background.

2.4 Payment data

Payment details (card number, expiry, CVV) are never stored on our servers. Card data is entered directly into Moyasar's secure PCI-DSS–certified vault; we only store a tokenized payment identifier (moyasar_payment_id), the payment status, and the amount.

2.5 Voice input

When you use the AI event planner by voice, your voice is transcribed locally on your device or via Apple's / Google's on-device speech recognition. The resulting text — not the raw audio — is then sent to Google Gemini to generate a plan. We do not retain the audio.

2.6 Data we do NOT collect

• Government ID numbers (except vendor CR and VAT numbers for tax compliance)
• Health data
• Biometric data
• Raw GPS or background location
• Contacts, calendar, photos, or files you have not explicitly selected and shared

3. Why we process your data (legal basis under PDPL + GDPR)

| Purpose | PDPL legal basis | GDPR legal basis |

|---|---|---|

| Create and operate your account | Necessary to perform the contract between us and you | Art. 6(1)(b) contract |

| Match you with vendors and coordinate your order | Contract performance | Art. 6(1)(b) |

| Process payments (via Moyasar) | Contract performance + legal obligation (tax records) | Art. 6(1)(b), Art. 6(1)(c) |

| Send transactional notifications (order confirmed, vendor accepted, etc.) | Contract performance | Art. 6(1)(b) |

| Customer support | Legitimate interest / contract | Art. 6(1)(b), Art. 6(1)(f) |

| Crash reports and bug fixing | Legitimate interest (service stability) | Art. 6(1)(f) |

| Product analytics (aggregated, non-PII) | Legitimate interest (product improvement) | Art. 6(1)(f) |

| Marketing emails and push notifications | Your explicit consent (opt-in) | Art. 6(1)(a) |

| Tax invoicing (ZATCA) | Legal obligation (VAT Law, E-Invoicing Regulation) | Art. 6(1)(c) |

| Fraud prevention | Legitimate interest / legal obligation | Art. 6(1)(f) |

You may withdraw consent at any time for processing that relies on consent (e.g., marketing). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

4. Who we share data with

We only share the minimum data necessary. Recipients:

| Recipient | Purpose | Data shared |

|---|---|---|

| Approved vendors | Fulfil your order once you confirm it | Your first name, masked phone number, event address, service-level notes — only after you confirm the order |

| Moyasar Payment Services | Card/Apple Pay processing | Card token, amount, order reference |

| Supabase (AWS) | Hosting, database, realtime, storage | All backend data |

| Google (Gemini API) | AI planner text generation | Your typed or transcribed planner prompt (no identifiers) |

| Apple / Google (push services) | Delivering push notifications | Push token + notification payload |

| Sentry | Error monitoring | Stack traces, sanitized device/user IDs, never payment data |

| Amplitude / Posthog (analytics) | Product analytics (aggregated) | Event names, counts, anonymized user ID |

| ZATCA | E-invoice submission | Invoice details (for vendors) |

| Law enforcement | Legal obligation | Only under valid legal request |

We never sell your personal data. We never share your data with advertising networks.

5. International data transfers

Some of our service providers (Google, Sentry, Supabase, Amplitude) may process data outside the Kingdom of Saudi Arabia (primarily in the European Union, United States, or elsewhere). Transfers are protected under:

• PDPL Art. 29 — adequate levels of protection or controller-declared safeguards,
• GDPR Standard Contractual Clauses (SCCs) where the recipient is in a non-adequate jurisdiction, and
• Binding corporate policies and audited security certifications of our processors.

You may request a copy of the safeguards by writing to dpo@haflati.app.

6. How long we keep your data

| Data | Retention |

|---|---|

| Account data | For as long as your account is active + 90 days after closure |

| Order and invoice data | 10 years (required by Saudi VAT / ZATCA law) |

| Payment tokens | For as long as Moyasar retains them (per their policy) |

| AI planner conversation logs | 90 days, then purged |

| Crash and performance logs | 30 days |

| Marketing consent records | Until you revoke + 2 years (audit) |

| Support tickets | 3 years |

You can request earlier deletion under Section 9 below, subject to legal retention requirements.

7. Security measures

• TLS 1.2+ for all traffic in transit
• AES-256 at-rest encryption for Supabase storage and database
• PCI-DSS Level 1 payment processing via Moyasar
• Row-Level Security (RLS) on every database table with role-based policies
• Principle of least privilege for all internal access
• Regular third-party penetration testing
• Centralized logging and intrusion detection via Sentry and Supabase
• Automatic session timeout and re-authentication for sensitive operations

In the event of a data breach that poses a high risk to your rights, we will notify you and SDAIA within 72 hours as required by PDPL Art. 20.

8. Children

Haflati is not directed at children under 16. We do not knowingly collect data from children under 16. If we learn that we have collected such data, we delete it immediately. If you believe we have collected data from a minor, contact privacy@haflati.app.

9. Your rights

You have the following rights under PDPL Art. 4–11 and GDPR Art. 15–22:

1. Right to know — what data we hold about you and why.
2. Right of access — receive a copy of your data in a portable format.
3. Right to rectification — correct inaccurate data.
4. Right to erasure ("right to be forgotten") — delete your data, subject to legal retention (e.g., tax records).
5. Right to restrict processing — pause certain processing.
6. Right to object — object to processing based on legitimate interest or marketing.
7. Right to withdraw consent — revoke previously given consent.
8. Right to data portability — receive your data in JSON or CSV.
9. Right to lodge a complaint with SDAIA (https://sdaia.gov.sa) or, if you are in the EU, your local data-protection authority.

To exercise any right, email privacy@haflati.app from the email on file. We respond within 30 days (extendable by 30 days for complex requests).

10. Cookies and similar technologies

Our web landing page uses:

• Strictly necessary cookies — session, auth, CSRF. Always on.
• Analytics cookies — only after you consent via banner. Aggregated, non-PII.
• Marketing cookies — only after you consent.

The mobile app does not use cookies but uses equivalent local storage for session and preferences.

11. Automated decision-making

The AI event planner makes recommendations but does not make legally or significantly important automated decisions about you. All final choices (selecting a vendor, confirming an order, paying) require your explicit action.

12. Changes to this policy

We may update this policy. Material changes will be announced in-app and by email at least 14 days before they take effect. Your continued use after the effective date constitutes acceptance.

13. How to contact us

• General: support@haflati.app
• Privacy / data requests: privacy@haflati.app
• Data Protection Officer: dpo@haflati.app
• Postal: Datadigalyz, P.O. Box TBD, Riyadh, Kingdom of Saudi Arabia

This policy is available in Arabic at /privacy-ar. In case of conflict, the Arabic version prevails.