Privacy Policy
Last updated: 2026-03-04
SaudizationMeter ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Saudization compliance tracking platform at www.saudizationmeter.com. This policy is provided in accordance with the Saudi Personal Data Protection Law (PDPL) and the Google API Services User Data Policy.
1. Information We Collect
- Account Information: When you create an account using email and password, we collect your email address, full name, and a securely hashed version of your password. We never store passwords in plain text.
- Google OAuth Data: When you choose to sign in with Google, we receive your Google account email address, display name, and profile picture URL through Google OAuth 2.0. We do not access your Google Drive, Gmail, Google Contacts, Google Calendar, or any other Google service data. The only Google user data we access is your basic profile information (email, name, and profile picture) needed to create and identify your account.
- Company Information: You provide company details including company name (English and Arabic), Commercial Registration (CR) number, unified number, industry sector, entity size, and total headcount.
- Employee Data: You enter employee records including names, nationalities, employment types, monthly salaries, disability status, dual-employment status, and working hours. This data is used solely for Saudization percentage calculations and Nitaqat band classifications.
- Usage & Analytics Data: We collect anonymized usage information such as pages visited, features used, browser type, device type, and approximate geographic region. This data is collected via Google Analytics with IP anonymization enabled and is used solely for service improvement. No personally identifiable information is sent to Google Analytics.
2. How We Use Your Information
- Perform Saudization calculations and Nitaqat band classifications based on the employee data you provide.
- Provide, maintain, and improve our services including dashboards, scenario planning, compliance snapshots, and reports.
- Authenticate your identity and manage your account access, team member permissions, and session security.
- Send you service-related communications including compliance alerts, subscription notifications, password reset emails, and important service updates.
- Google User Data: Your Google account information (email, name, profile picture) is used exclusively for creating your account, authenticating your identity, and displaying your profile within the application. We do not use Google user data for advertising, marketing, analytics profiling, or any purpose unrelated to providing our core service.
3. Google OAuth — Limited Use Disclosure
SaudizationMeter's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: (a) We only request access to basic profile information (email address, display name, and profile picture) through Google OAuth 2.0. (b) We do not request access to any sensitive or restricted Google API scopes. (c) We do not use Google user data to serve advertisements. (d) We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, or it is required by applicable law. (e) We do not transfer Google user data to third parties except as necessary to provide or improve our service, as required by law, or as part of a merger or acquisition with adequate data protection provisions.
4. Data Sharing & Third Parties
- Google User Data: We do not sell, rent, lease, or trade your Google user data to any third party. Google-sourced profile data (email, name, profile picture) is stored exclusively in our database for account identification and is never shared with advertising networks, data brokers, or information resellers.
- Paddle: Processes subscription payments securely as our authorized payment processor and Merchant of Record. Paddle receives your email address and payment card details to process transactions. Paddle does not have access to your employee data, company information, or calculation results. See Paddle's privacy policy at paddle.com/legal/privacy for details.
- Vercel: Hosts our application infrastructure on a globally distributed edge network. Vercel processes HTTP request metadata (IP addresses, headers) for routing and performance but does not access your stored application data. Vercel maintains SOC 2 Type II compliance.
- Supabase: Provides our database (PostgreSQL) and authentication services. Supabase stores your account data, company data, and employee data with row-level security (RLS) policies. Supabase maintains SOC 2 Type II compliance and encrypts all data at rest and in transit.
- Google Analytics: We use Google Analytics 4 (GA4) to collect anonymized usage metrics (page views, feature usage, session duration). IP anonymization is enabled. We do not send any personally identifiable information, employee data, or company data to Google Analytics. Analytics cookies are only loaded after you provide explicit consent.
5. Data Storage & Security
- Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Database backups are encrypted with the same standards.
- Row-Level Security: Our PostgreSQL database enforces row-level security (RLS) policies at the database level, ensuring each user can only access data belonging to companies they are a member of. This isolation is enforced on every database query, not just at the application layer.
- Access Controls: Team members are assigned roles (owner, admin, editor, viewer) with granular permissions. Administrative database access (service-role key) is restricted exclusively to automated webhook processing and is never exposed to client-side code.
- Infrastructure: Our application is hosted on Vercel (SOC 2 Type II). Our database is hosted on Supabase (SOC 2 Type II). All server-side input is validated using Zod schemas to prevent injection attacks. Authentication sessions are managed via secure, HTTP-only cookies.
7. Data Retention & Deletion
- Active Accounts: We retain your data for as long as your account is active and you maintain an active subscription or free plan.
- Company Deletion: When you delete a company through the Settings page, all associated employee records, scenarios, scenario changes, snapshots, alerts, and audit logs are permanently and irrecoverably deleted via cascading database deletions.
- Account Deletion: You may request deletion of your entire account by contacting us at admin@saudizationmeter.com. Upon receiving your request, we will delete your account and all associated data within 30 calendar days. After deletion, we retain only anonymized, aggregated usage statistics that cannot be linked back to you.
- Google Data Revocation: You may revoke SaudizationMeter's access to your Google account at any time by visiting your Google Account permissions page at myaccount.google.com/permissions and removing SaudizationMeter. Upon revocation or account deletion, all Google-sourced data (email, name, profile picture) is permanently deleted from our systems within 30 calendar days.
- Deletion Requests: To request data deletion, export your data, or inquire about data retention, please email admin@saudizationmeter.com. We will respond to all requests within 15 business days.
8. Your Rights Under Saudi PDPL
Under the Saudi Personal Data Protection Law (PDPL), you have the following rights regarding your personal data:
- Right of Access: You can view all your stored data (profile, companies, employees, scenarios, snapshots) through the application at any time.
- Right to Correction: You can update your personal information, company details, and employee records at any time through the application.
- Right to Deletion: You can delete individual companies and all associated data from the Settings page. For full account deletion, contact admin@saudizationmeter.com.
- Right to Data Portability: You can export all your company data in machine-readable formats (CSV, JSON) from the Reports and Settings pages.
- Right to Object: You may object to the processing of your personal data for any purpose other than providing the core service. Contact admin@saudizationmeter.com to exercise this right.
To exercise any of these rights, contact us at admin@saudizationmeter.com. We will process your request in compliance with the Saudi PDPL within the legally required timeframe.
9. Children's Privacy
SaudizationMeter is a business-to-business (B2B) service designed for HR professionals and business owners. Our service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will promptly delete that data.
10. International Data Transfers
Your data may be processed on servers located outside the Kingdom of Saudi Arabia through our infrastructure partners (Supabase and Vercel), which operate data centers in multiple global regions. All international data transfers are protected by encryption (TLS 1.3 in transit, AES-256 at rest) and are conducted in accordance with the data transfer requirements of the Saudi PDPL. Our infrastructure partners maintain SOC 2 Type II compliance and implement industry-standard security controls.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes via email and/or a prominent in-app notification at least 14 days before the changes take effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates when this policy was last revised.
12. Contact Us
If you have questions about this Privacy Policy, your personal data, Google OAuth data handling, or wish to exercise your data rights, please contact us at admin@saudizationmeter.com. We aim to respond to all inquiries within 5 business days.