Privacy Policy

Last updated: 17 May 2026

1. Introduction

This Privacy Policy describes how BillingSaaS ("we", "us", or "our") collects, uses, and protects personal data in accordance with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia (Royal Decree M/19, 9/2/1443H) and its Implementing Regulations.

By using our platform, you consent to the practices described in this policy.

2. Data Controller

The data controller responsible for your personal data is BillingSaaS. For privacy inquiries, contact us via our contact page.

3. Personal Data We Collect

We collect the following categories of personal data:

  • Identity Data: Business name, trade name, commercial registration number, VAT number
  • Contact Data: Email address, phone number, physical address
  • Account Data: Username, encrypted password, account preferences
  • Financial Data: Invoice records, payment history, tax data (retained for ZATCA compliance)
  • Usage Data: Log data, IP addresses, browser type, pages visited

4. Legal Basis for Processing

We process your personal data on the following legal bases under PDPL Article 5:

  • Contractual necessity: To provide the services you have subscribed to
  • Legal obligation: ZATCA e-invoicing requirements (Phase 1 & 2), VAT compliance under the VAT Implementing Regulation
  • Consent: For marketing communications and optional features
  • Legitimate interest: Security monitoring, fraud prevention, service improvement

5. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy, subject to mandatory legal requirements:

  • Tax invoices (ZATCA): 6 years from the date of issue — mandatory under ZATCA Article 66 and VAT law
  • Subscription payment records: 6 years — financial audit and tax compliance
  • Account and profile data: Duration of your subscription + 30 days after termination, then deleted on request
  • Usage logs: 90 days for security purposes

6. Your Rights Under PDPL

Under Saudi Arabia's Personal Data Protection Law (PDPL), you have the following rights:

  • Right to Access (Article 9): Request a copy of your personal data held by us
  • Right to Rectification (Article 10): Correct inaccurate or incomplete personal data
  • Right to Erasure (Article 14): Request deletion of your personal data, subject to legal retention requirements
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Object: Object to processing based on legitimate interest
  • Right to Data Portability: Receive your data in a structured, machine-readable format

To exercise any of these rights, log in to your account and navigate to Data Privacy, or contact us via our contact page. We will respond within 30 days as required by PDPL Article 15.

7. Data Sharing and Third Parties

We do not sell your personal data. We may share data with:

  • ZATCA (Zakat, Tax and Customs Authority): As required by e-invoicing regulations
  • Payment processors: Stripe, for processing subscription payments (subject to their privacy policy)
  • Cloud hosting: Infrastructure providers under data processing agreements
  • Email service providers: For transactional notifications only

All third-party processors are contractually bound to protect your data and process it only on our instructions.

8. Cross-Border Data Transfers

Some of our service providers are located outside Saudi Arabia. Where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with PDPL Article 29, including contractual protections and adequacy assessments.

9. Security

We implement technical and organisational measures to protect your personal data, including:

  • TLS/HTTPS encryption for all data in transit
  • Encryption at rest for sensitive data fields
  • Role-based access controls within the platform
  • Regular security reviews and penetration testing

10. Cookies

We use essential cookies required for the platform to function, and an optional consent cookie to record your privacy preferences. We do not use third-party advertising cookies. You may clear cookies at any time through your browser settings.

11. Children's Data

Our services are intended for businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice within the platform. Continued use after notification constitutes acceptance of the updated policy.

13. Contact and Complaints

For any privacy concerns or to exercise your rights, contact us via our contact page.

You also have the right to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA), the supervisory authority responsible for PDPL enforcement in the Kingdom of Saudi Arabia.
