Privacy Policy

    Effective Date: April 20, 2026

    xPMO Digital Services
    Riyadh, Kingdom of Saudi Arabia
    hazem@xpmo.com | +966 55 827 8536 | xpmo.com

    1. Introduction

    This Privacy Policy describes how xPMO Digital Services ("xPMO", "we", "us") collects, uses, stores, and protects personal data when you use the xPMO enterprise project management platform ("Platform") accessible at app.xpmo.com.

    This policy is drafted in compliance with the Saudi Personal Data Protection Law (PDPL), issued by Royal Decree No. M/19 dated 9/2/1443H, and its implementing regulations.

    2. Data Controller

    • Company: xPMO Digital Services
    • Address: Riyadh, Kingdom of Saudi Arabia
    • Email: admin@xpmo.com
    • Phone: +966 55 827 8536
    • Data Protection Officer: Hazem Altahan

    3. Data We Collect

    3.1 Account & Profile Data

    • Full name (first and last)
    • Email address and phone number
    • Company name, job title, and department
    • Profile photo (optional)
    • Language and regional preferences

    3.2 Project & Business Data

    • Project details, milestones, tasks, and schedules
    • Risk registers, issue logs, and change requests
    • Budget lines, commitments, invoices, and cost data
    • Stage gate configurations and approval decisions
    • Documents and files you upload
    • Team assignments, RACI matrices, and role configurations

    This data belongs to you. xPMO acts solely as a data processor on your behalf.

    3.3 Technical & Usage Data

    • IP address and approximate geographic location
    • Browser type, device type, and operating system
    • Session logs, page views, and feature usage patterns
    • Error logs and crash reports

    3.4 Payment Data

    • Payment transactions are processed entirely by Moyasar — a SAMA-licensed Saudi payment gateway
    • xPMO does not store or have access to your card number, CVV, or banking credentials
    • We retain payment records for a minimum of 10 years for ZATCA/VAT compliance

    4. Legal Basis for Processing

    • Contractual necessity — to provide the services you subscribed to
    • Legal obligation — to comply with Saudi laws including ZATCA, SAMA, and PDPL
    • Legitimate interest — to improve the platform, prevent fraud, and ensure security
    • Consent — for optional features such as marketing communications

    5. How We Use Your Data

    • Providing and maintaining the xPMO platform
    • Processing subscription payments and managing your account
    • Sending transactional emails (receipts, password resets, alerts)
    • Providing customer support
    • Analyzing anonymized usage data to improve features
    • Detecting and preventing fraud and abuse
    • Complying with Saudi legal obligations
    • Sending product updates and newsletters (with your consent)

    6. Data Sharing & Third Parties

    We do not sell, rent, or trade your personal data. We share data only with the following processors under strict data processing agreements:

    6.1 Infrastructure Providers

    • Supabase Inc. (USA) — database hosting, authentication, and file storage.
    • Vercel Inc. (USA) — application hosting and content delivery network.

    6.2 Payment Processing

    • Moyasar Financial Company (Saudi Arabia) — SAMA-licensed payment gateway.

    6.3 AI Processing

    • Anthropic PBC (USA) — powers the "Ask X" AI assistant. Prompts are not used for model training per our enterprise agreement.

    6.4 Legal Disclosure

    We may disclose data to Saudi government authorities or law enforcement when required by law.

    7. Data Retention

    • Active account data: retained for the duration of your subscription
    • After account deletion: personal data removed within 30 days
    • Financial records: retained for 10 years per ZATCA requirements
    • Audit logs: retained for 5 years
    • Backup copies: purged within 90 days of deletion request

    8. Your Rights Under PDPL

    8.1 Right to Access

    You may request a copy of all personal data we hold about you. We will respond within 30 days.

    8.2 Right to Correction

    You may request correction of any inaccurate personal data.

    8.3 Right to Deletion

    You may request deletion of your personal data, subject to legal retention requirements.

    8.4 Right to Data Portability

    You may request your data in a structured, machine-readable format (JSON or CSV).

    8.5 Right to Object

    You may object to processing for marketing purposes by emailing admin@xpmo.com.

    To exercise any of these rights, email admin@xpmo.com.

    9. Data Security

    • All data encrypted in transit using TLS 1.3
    • All data encrypted at rest using AES-256
    • Row-Level Security (RLS) ensures complete isolation between organizations
    • Authentication uses JWT tokens delivered in Secure, HttpOnly cookies
    • Administrative access requires multi-factor authentication
    • Regular security reviews and vulnerability assessments
    • All staff bound by confidentiality agreements

    10. Data Transfers Outside Saudi Arabia

    Some service providers operate outside Saudi Arabia. We ensure adequate protection through:

    • Standard Contractual Clauses (SCCs)
    • Data Processing Agreements with all third-party processors

    We are working to migrate our primary database infrastructure to the Middle East (Bahrain) region.

    11. Cookies & Tracking

    xPMO uses only essential cookies:

    • Authentication cookies
    • Session cookies

    We do not use advertising cookies, third-party tracking, or behavioral analytics.

    12. Children's Privacy

    xPMO is a B2B enterprise tool. We do not knowingly collect personal data from individuals under 18.

    13. Changes to This Policy

    We may update this policy periodically. We will notify users of material changes via email and an in-platform banner.

    14. Contact & Complaints

    • Email: admin@xpmo.com
    • Phone: +966 55 827 8536
    • Address: Riyadh, Kingdom of Saudi Arabia

    If unsatisfied with our response, you may lodge a complaint with the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa.