Privacy Policy
Last updated: 23 April 2026
This Privacy Policy explains how ProCul KSA ("ProCul") collects, uses, discloses, and protects Personal Data when you use procul.app. We are committed to complying with the Personal Data Protection Law (PDPL) of Saudi Arabia (Royal Decree M/19 of 1443H) and applicable international best practice.
1. Who we are
ProCul KSA is the data controller for Personal Data you submit through procul.app. Contact the data team at privacy@procul.app.
2. What we collect
- Account data: full name, work email, password hash, phone number, job title, organization name, organization size, industry, country of operation.
- RFQ content: the requirements you submit, the AI-drafted emails, and the supplier replies parsed into the system.
- Usage telemetry: pages viewed, buttons clicked, timestamps, approximate geolocation (from IP).
- Communications: email you send or receive through ProCul, including supplier replies parsed by our webhook.
- Payment data: handled by a third-party processor (we never store card numbers); we retain only the last 4 digits and the transaction reference.
3. Why we collect it
- To deliver the Service — draft emails, send on your behalf, parse replies, present comparisons, benchmark prices.
- To maintain account security and prevent abuse (rate limits, anomaly detection, audit logs).
- To improve the product — we use aggregated, anonymized usage data to understand which features get used and which don't.
- To communicate with you — product updates, billing, service notifications. You can opt out of marketing communications at any time.
- To comply with Saudi legal obligations (ZATCA, PDPL, AML where applicable).
4. Legal bases
Under PDPL, we rely on:
- Contract: to provide the Service you signed up for.
- Consent: for marketing emails and non-essential cookies.
- Legitimate interest: for security, fraud prevention, and product improvement in an anonymized form.
- Legal obligation: where Saudi law requires us to retain or disclose data.
5. Who we share with
- Service providers: Supabase (database), Vercel (hosting), Resend (email), OpenRouter (LLM inference), a payments processor, and a support-ticketing vendor. Each is bound by written data-processing agreements.
- Suppliers you contact: when you approve sending, your message (including your organization name and the RFQ brief) is delivered to the suppliers you select.
- Legal authorities: only when compelled by Saudi court order, PDPL regulator request, or to protect life or property.
- We never sell Personal Data.
6. International transfers
Our database is hosted in the EU region of Supabase today. We are actively evaluating Saudi-region hosting providers for 2026-2027. We apply contractual and technical safeguards for cross-border transfers consistent with PDPL's cross-border provisions.
7. Retention
- Account data: retained for the life of your account plus 3 years after closure, for audit and legal purposes.
- RFQ content: retained for as long as you keep it. You may delete individual RFQs at any time; they are permanently erased within 30 days.
- Usage telemetry: after 13 months, retained only in aggregated, anonymized form.
- Payment records: retained for 7 years to comply with Saudi tax law.
8. Your rights (PDPL)
You have the right to: (a) access your Personal Data; (b) correct inaccurate data; (c) request deletion subject to legal-retention floors; (d) object to certain processing; (e) request a machine-readable export; (f) withdraw consent for any consent-based processing. Contact privacy@procul.app to exercise any of these rights. We respond within 30 days.
9. Security
- All traffic encrypted via TLS 1.2+.
- Passwords stored as bcrypt hashes, never in plaintext.
- Row-level security on Supabase for tenant isolation.
- Inbound email signatures verified via Svix on every webhook.
- Principle-of-least-privilege access for internal staff; all access logged.
10. Children
ProCul is a B2B product intended for use by professionals. We do not knowingly collect data from children under 18.
11. Changes
We may update this policy. Material changes are emailed to your account address at least 30 days before they take effect.
12. Contact & complaints
Email privacy@procul.app. You also have the right to complain to the Saudi Data & AI Authority (SDAIA) as the PDPL supervisory authority.