Privacy Policy

Version 1.0 — Effective 2026-04-29

This Privacy Policy explains how SULIMAN SAMI ALHAMMAD Shop Commercial (Commercial Registration number 7053568312, registered in the Kingdom of Saudi Arabia) — operating the mwa3eedi platform at mwa3eedi.com — collects, uses, shares, and protects personal data. We refer to ourselves as "mwa3eedi", "we", "us", or "our".

This policy is part of our Terms of Service and uses the same defined terms, including "Business" (the salon, barbershop, or other service provider that subscribes to our platform) and "Customer" (an end-user who books an appointment through a Business's mwa3eedi page).

The Arabic-language version of this Privacy Policy is the legally authoritative version. This English version is provided for convenience only. In case of any conflict, the Arabic version controls.

1. Who this policy is for

We process personal data of two distinct groups:

  • Business owners and team members who sign up to the platform, log in to the dashboard, and manage their salon's bookings.
  • Customers who visit a Business's public booking page on mwa3eedi.com to book an appointment.

The way we treat each group is different, and is described separately below.

2. Our role under the Saudi Personal Data Protection Law (PDPL)

For the purposes of the Saudi Personal Data Protection Law:

  • We are the Data Controller for personal data of Business owners (you) and any team members you invite. We decide why and how that data is processed.
  • We act as the Data Processor for personal data of Customers who book through your booking page. The Business is the Controller; we process Customer data only to operate the Service for the Business.

3. Personal data we collect

3.1 Data you give us when you sign up as a Business

  • Email address (used as your login identity and as the destination for one-time login codes).
  • Business information — your business name in English and Arabic, city, customer-contact phone number, optional owner contact email, business description, slug (your booking URL), and uploaded images (logo, cover photo).
  • Team information — names, photos (optional), services performed, and weekly working hours of staff members you add.
  • Service information — names, prices, and durations of the services you offer.
  • Business categories — the type(s) of business you select (e.g. hair salon, barber, spa).

3.2 Data we collect via Google sign-in (if you use it)

If you sign up using Google, Google shares with us your name, email address, and profile picture. We do not receive your Google password.

3.3 Payment data

To start a paid subscription, we collect a payment card via our payment processor, Moyasar. Full card details (PAN, CVC, expiry) are sent directly from your browser to Moyasar and never reach our servers. We store only a Moyasar-issued card token, the card brand (e.g. Visa, mada), and the last four digits. We also store invoices, billing periods, and payment status.

3.4 Data Customers give us when they book

  • Name.
  • Email address.
  • Phone number (optional).
  • Booking selections — chosen service, staff member (or "any available"), date, and time.

Customers do not create an account; this data is collected only for the booking and stored on the Business's account.

3.5 Data we collect automatically

  • Authentication cookies set by Supabase to keep you logged in to the dashboard.
  • Language-preference cookie (NEXT_LOCALE) so the site remembers whether you chose Arabic or English.
  • Server logs — when requests are made to the site, our hosting provider records the IP address, user agent, request path, and timestamp for security and debugging.
  • Local storage on the Customer's device — when a Customer completes a booking, their name and email address are stored in their browser's local storage so the booking form can pre-fill on a future visit. The Customer can clear this at any time from inside their browser, or by tapping the "Not you?" link on the booking-confirmation page.
  • Local storage on the Business owner's device during signup — the multi-step signup wizard saves your progress in your browser so you can return to it. It is cleared automatically when signup completes.

3.6 Things we do not collect

We do not run any analytics or advertising trackers (such as Google Analytics, Meta Pixel, PostHog, or Vercel Analytics). We do not buy or sell personal data. We do not use cookies for advertising.

4. Why we use personal data

The list below summarises the main purposes for which we process personal data and the legal basis under PDPL we rely on for each.

  • Operate the Service for you (creating your account, displaying your booking page, accepting bookings, sending confirmation emails). Legal basis: performance of our contract with you.
  • Process payments (charging your subscription, generating invoices). Legal basis: performance of contract; compliance with tax law for invoice retention.
  • Authenticate users (sending login codes, verifying sessions, securing the dashboard). Legal basis: performance of contract; legitimate interest in keeping accounts secure.
  • Send transactional emails to Business owners (login codes, billing receipts, trial-ending and payment-failure notices, important service announcements about your account). Legal basis: performance of contract.
  • Send booking confirmations to Customers on behalf of the Business. Legal basis: performance of the booking; instruction of the Business as Controller.
  • Investigate fraud and abuse (rate limiting, blocking suspicious activity, complying with court orders). Legal basis: legitimate interest in protecting the platform; legal obligation.
  • Comply with Saudi tax and accounting law (retaining invoices for the legally required period). Legal basis: legal obligation.

We do not use personal data for marketing newsletters, promotions, or third-party advertising. We do not profile users for any purpose other than security.

5. Who we share personal data with

We share personal data only with sub-processors that help us operate the Service, and only the data each sub-processor needs. We do not sell or rent personal data.

5.1 Sub-processors

  • Supabase — database and authentication. Project hosted in the Singapore region (ap-southeast-1). Receives all account, business, booking, and Customer data.
  • Moyasar — payment processing, based in the Kingdom of Saudi Arabia. Receives card details (directly from your browser), name on card, and amount.
  • Resend — transactional email delivery, based in the United States. Receives the recipient's email address, the sender name, and the email content (login codes, booking confirmations, billing receipts).
  • Vercel — hosting and serverless compute, with edge nodes globally and primary infrastructure in the United States. Processes traffic to and from the website, including IP addresses and request metadata.
  • Google — only if you sign in with Google: receives your authentication request and returns your basic profile (name, email, picture). The Google Maps integration on Customer-facing pages is shown only to Customers who choose to view a map; no personal data is sent unless they interact with the map.

5.2 Other recipients

  • The Business, when a Customer books — the Business sees the Customer's booking-form data so it can fulfil the appointment.
  • Saudi authorities, where we are required to disclose data by court order, regulator request, or applicable law.
  • Professional advisors (lawyers, accountants, auditors) bound by confidentiality, where needed for our own legal or accounting matters.
  • Buyers, in the event of a corporate transaction — if the business is sold, merged, or restructured, personal data may transfer to the acquirer under the same protections as this policy.

6. International transfers

Some of our sub-processors are located outside the Kingdom of Saudi Arabia. Specifically: Supabase (Singapore), Resend (United States), Vercel (United States and global edge), and Google (global). When personal data is transferred to these providers, we rely on the legal bases permitted by PDPL — primarily that the transfer is necessary for the performance of the contract with you, and that we use providers with appropriate technical and organisational safeguards, including TLS encryption in transit, encryption at rest, and contractual data-processing terms.

If the Saudi Data and Artificial Intelligence Authority (SDAIA) issues guidance affecting any of these flows, we will adjust accordingly and, where required, notify you.

7. How long we keep personal data

We keep personal data only for as long as we need it for the purposes set out above, or as required by law. Specifically:

  • Account and business data (your business profile, services, staff, working hours): kept for as long as your subscription is active. After cancellation, you have a thirty (30) day window during which you can request an export. After that window, the data is permanently deleted, except where law requires longer retention.
  • Booking history: kept for as long as your account is active so you have full appointment history. Deleted at the end of the post-cancellation window described above.
  • Customer contact data collected via the booking form: kept on the Business's account for the same period as the related booking. The Business may delete a Customer record from the dashboard at any time.
  • Authentication and access logs: kept for ninety (90) days for security investigations, then deleted.
  • Backups: rolling backups are retained for thirty (30) days. Personal data deleted from the live system is automatically purged from backups after that period.
  • Invoices and billing records: retained for ten (10) years to comply with Saudi tax and commercial-records law.
  • Local storage on Customer devices: persists in the Customer's browser until the Customer clears it manually or uses the in-product "Not you?" link.

If you ask us to delete your data earlier than the periods above, we will do so to the extent we are not required to keep it for legal, tax, or fraud-prevention reasons.

8. How we keep personal data secure

We take reasonable technical and organisational measures to protect personal data, including:

  • HTTPS / TLS encryption for all traffic between your browser and our servers.
  • Encryption at rest on the Supabase database.
  • Row-Level Security (RLS) on the database, so a Business can never access another Business's data.
  • Passwordless email-OTP authentication; we never store passwords.
  • Payment card tokenisation by Moyasar — full card data never reaches our infrastructure.
  • Strict separation between the public booking page and the dashboard, so Customers cannot see Business administrative data.
  • Regular software updates and dependency scanning.
  • Access to production systems limited to authorised personnel under a least-privilege model.

No system is perfectly secure. If we become aware of a personal-data breach affecting your data, we will notify you and the Saudi Data and Artificial Intelligence Authority (SDAIA) as required by PDPL — generally within seventy-two (72) hours of becoming aware of the breach.

9. Your rights under PDPL

Subject to PDPL, you have the right to:

  • Be informed about how we process your personal data — this policy is the primary means of fulfilling that right.
  • Access the personal data we hold about you.
  • Request correction of any data that is inaccurate, incomplete, or outdated.
  • Request deletion of your personal data, subject to our legal retention obligations.
  • Object to certain processing of your data.
  • Withdraw your consent, where we relied on your consent.
  • Lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) if you believe we are not complying with PDPL.

To exercise any of these rights, email support@mwa3eedi.com. We may need to verify your identity before acting on your request to prevent disclosure of your data to anyone else. We aim to respond within thirty (30) days.

If you are a Customer who booked through a Business and you want to exercise these rights over data the Business holds about you, please contact the Business directly first — they are the Controller of that data. We will assist where we can as the Processor, and we can forward requests to the Business if needed.

10. Children

The mwa3eedi dashboard is for Business owners aged eighteen (18) or older. We do not knowingly create accounts for anyone under that age.

The booking page itself does not impose an age limit, because real-world salons and barbershops serve customers of all ages — including children, who are typically booked by a parent or guardian. If you are a parent or guardian booking on behalf of a minor, you are providing consent on the minor's behalf and you remain responsible for the minor's interaction with the Business.

If you believe a minor has provided personal data without appropriate parental consent, contact us at support@mwa3eedi.com and we will delete it.

11. Marketing communications

We do not send marketing newsletters, promotions, or advertising emails. The only emails we send to Business owners are transactional: login one-time codes, billing receipts, payment-failure or trial-ending notices, and important service announcements about your specific account (for example, a security-relevant change).

If at any future point we want to send you product or marketing emails, we will ask for your separate, explicit opt-in first, in line with CITC anti-spam rules. Even after opt-in, you will always be able to unsubscribe with one click.

12. Cookies and similar technologies

We use a small number of strictly necessary cookies and browser-storage entries, and no others.

  • Supabase authentication cookies — set when you sign in to the dashboard so we can keep you logged in. Removed when you sign out or when the session expires.
  • NEXT_LOCALE cookie — stores your chosen language (Arabic or English). One year lifetime; can be cleared from your browser at any time.
  • Local storage during signup — saves the multi-step signup wizard's progress so you can refresh without losing data. Cleared automatically when signup completes.
  • Local storage after a Customer booking — stores the Customer's name and email so the booking form pre-fills next time. Stored only on the Customer's own device. Can be cleared from the browser, or via the "Not you?" link on the booking-confirmation page.

We do not use any analytics, marketing, or tracking cookies. Because the cookies we do set are strictly necessary for the Service to function, we do not display a cookie-consent banner. If we ever introduce non-essential cookies (for example, analytics), we will add a banner and ask for your consent first.

13. Automated decision-making

We do not use solely automated decision-making or profiling that produces legal effects for you. Some operational decisions (for example, the slot the system assigns when a Customer picks "Any available staff member") are automated, but they do not have legal or similarly significant consequences.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make a material change (such as adding a new sub-processor, expanding the types of data we collect, or changing how we use it), we will notify you by email to the address on your account and by displaying a notice in the dashboard at least thirty (30) days before the change takes effect, and where required we will ask for fresh consent. Non-material updates (such as clarifications or fixes) take effect when posted.

The current version is shown at the top of this page. Older versions are available on request.

15. Language

This Privacy Policy is issued in Arabic and English. The Arabic version is the legally authoritative version. In case of any conflict between the two versions, the Arabic version controls.

16. Contact

For any privacy question, request, or complaint, please write to:

SULIMAN SAMI ALHAMMAD Shop Commercial
Commercial Registration 7053568312
RRMB2915, Kingdom of Saudi Arabia
Email: support@mwa3eedi.com

Document version: 1.0
Effective date: 2026-04-29