Rafeeq Agent helps businesses run AI-powered customer engagement across WhatsApp, Instagram, LinkedIn, website chat, voice, and video. This page is a plain-language overview of how we handle business and customer data, designed with the principles of Saudi PDPL and SDAIA guidance in mind. For the full policy, see our Privacy Policy.
Informational, not legal advice
Last updated June 2026
Saudi privacy baseline
PDPL & SDAIA principles
We aim to handle data in line with applicable privacy and data protection requirements in the Kingdom of Saudi Arabia, including the principles of the Personal Data Protection Law, where applicable.
Omnichannel AI engagement
6 connected agents
WhatsApp, Instagram, LinkedIn, Web, Voice, and Video agents help businesses engage their own customers from one workspace.
Designed with security in mind
Access control & isolation
Authentication, role-based access, workspace isolation, hashed API keys, and operational logging — applied across the platform.
Designed with PDPL in mind
We aim to align with applicable Saudi data protection requirements, including the principles of the Personal Data Protection Law, where applicable.
Protected by access controls
Authentication, role-based access, workspace isolation, hashed API keys, webhook validation, and operational logging across the platform.
Careful with global tools
Where data is processed outside Saudi Arabia by infrastructure or AI providers, we aim to apply appropriate safeguards, where supported by our infrastructure.
Section 1 · Introduction
Our commitment to privacy
Rafeeq Agent is committed to protecting the confidentiality of business, customer, and conversation data, and to handling it responsibly. As a Saudi-focused platform, we aim to handle data in line with applicable privacy and data protection requirements in the Kingdom of Saudi Arabia, including the principles of the Personal Data Protection Law (PDPL) and SDAIA guidance, where applicable. We continue to improve our privacy and security posture as the platform grows.
Section 2 · What we do
An omnichannel AI engagement platform for businesses
Rafeeq Agent is a business-to-business (B2B) platform. Businesses use it to run AI-powered customer engagement across WhatsApp, Instagram, LinkedIn, website chat, voice interactions, and video interactions. The platform helps a business talk to its own customers — it is not a consumer service and the connected customers are the business's own contacts.
Section 3 · Data we process
Personal data we may process
Depending on the features a business enables, the platform may process the following categories of data.
Account information
Name, email, role, and workspace details for the users who sign in to the dashboard.
Business information
Business name, workspace settings, and the communication channels a business chooses to connect.
Customer conversation data
Messages, inquiries, AI-generated replies, lead details, and support conversations handled on the business's behalf.
Channel data
WhatsApp, Instagram, LinkedIn, and website chat interactions exchanged through connected messaging providers.
Voice & video data
Call content, transcripts, duration, and related interaction metadata — only where the voice or video agents are enabled.
Technical data
IP address, browser/device information, logs, cookies, usage data, and security logs, where applicable.
Section 4 · Purpose
Why we process data
Creating and managing user accounts and workspaces
Connecting a business's communication channels
Sending and receiving customer messages
Generating AI-assisted replies
Running AI voice, video, and web agents where enabled
Providing customer support
Maintaining platform security
Monitoring usage, credits, quotas, and service performance
Improving reliability and user experience
Meeting legal or regulatory obligations, where applicable
Section 5 · AI agents
How AI agents use data
AI agents may use business instructions, saved context, connected channel data, and customer messages to generate replies.
AI replies are based on the configuration and context provided by the business user.
Businesses are responsible for reviewing, configuring, and supervising the AI agents according to their own customer communication policies.
AI-generated replies are produced automatically and are not guaranteed to be accurate, complete, or legally reviewed.
Section 6 · Channels
Privacy across every channel
Each connected agent processes the interaction data needed to do its job — and nothing the business has not connected.
WhatsApp Agent
Customer phone numbers, message threads, media, AI replies, and delivery metadata, processed to automate WhatsApp conversations.
Instagram Agent
Instagram direct-message content, sender identifiers, and AI replies handled through the connected messaging provider.
LinkedIn Agent
LinkedIn conversation messages, contact identifiers, and AI replies for the business's connected account.
Web Agent
Website chat messages, session identifiers, page context, and AI replies for visitors on the business's own site.
Voice Agent
Voice call audio, generated transcripts, language, duration, and usage metadata — only when the voice agent is enabled.
Video Agent
Video session content, duration, and interaction metadata — only when the video agent is enabled.
Section 7 · Retention
Data storage, retention, and deletion
Data is retained only as long as needed for service delivery, account management, security, legal, or operational purposes.
Businesses can request deletion of relevant data by contacting info@rafeeqagent.com.
Where data is stored or processed by third-party providers, deletion may depend on those providers' systems and retention policies.
Cross-border transfer
If data is processed or transferred outside Saudi Arabia through third-party services or infrastructure providers, Rafeeq Agent aims to apply appropriate safeguards and assess such transfers in line with applicable Saudi data protection requirements.
Section 8 · Your rights
Data subject rights
Subject to applicable law, individuals may have the following rights over their personal data.
Right to be informed
Understand what personal data is processed and why.
Right to access
Request access to the personal data held about you.
Right to request correction
Ask that inaccurate or incomplete data be corrected.
Right to request deletion
Ask that personal data be deleted or destroyed, where applicable.
Right to withdraw consent
Withdraw consent where processing is based on consent.
The measures below reflect controls currently in place in the platform. We continue to improve our security posture as the platform grows.
Firebase Authentication with verified ID tokens for dashboard and API access
Workspace-scoped access control — every data request is bound to the authenticated user's workspace
Role-based access (super-admin, admin, workspace admin, viewer) with admin-only sections
Firestore security rules that enforce workspace isolation at the database layer
Workspace API keys stored only as SHA-256 hashes and compared in constant time — never kept in plaintext
Secrets held in server-side environment variables, not in client-side code
HTTPS-encrypted transport across the platform
Webhook signature validation on inbound messaging events
Rate limiting and input validation to reduce abuse and injection risk
Usage, credit, and quota tracking plus operational logging for reliability and security
Private file and media storage served through controlled access rather than public links
Section 10 · Integrations
Third-party services and integrations
Rafeeq Agent may rely on third-party providers to deliver the service. These providers may process data as needed to perform their role. Businesses should also review the privacy terms of the platforms they connect, such as WhatsApp, Instagram, and LinkedIn.
Messaging & channel delivery
Providers that deliver and receive messages across WhatsApp, Instagram, LinkedIn, and other connected channels.
AI processing
AI model providers that generate replies, transcribe voice, and power knowledge search.
Hosting, storage & infrastructure
Cloud hosting, database, file storage, and content-delivery providers that run the platform.
Voice & video processing
Speech and avatar providers used to generate and process voice and video interactions, where enabled.
Section 11 · Your responsibilities
Customer responsibilities
Businesses using Rafeeq Agent remain responsible for how they collect and use their customers' data, including:
Having the right to upload, connect, or process their customers' data
Obtaining customer consent where it is required
Configuring AI agents responsibly
Reviewing AI-generated replies where needed
Ensuring their own customer-communication practices follow applicable laws
Avoiding uploading sensitive data unless it is necessary and lawful
Managing employee access to their workspace
Section 12 · In depth
Privacy & security principles in depth
Deeper notes on the rules and engineering practices behind the summary above.
Law and standards
SDAIA PDPL is the baseline, with international privacy and security principles layered in
The page is built from Saudi SDAIA PDPL requirements and implementing rules, then explained alongside familiar international expectations from GDPR, CCPA/CPRA, NIST CSF, and OWASP application-security guidance.
PDPL guides the Saudi rules for collection, purpose, rights, consent, minimization, processors, transfer, breach notice, and security measures.
GDPR and CCPA/CPRA help explain common global privacy rights in language many clients already recognize.
NIST CSF and OWASP inform the security language around access control, validation, monitoring, incident response, and safer application design.
PDPL drives the Saudi baseline; GDPR, CCPA, NIST CSF, and OWASP inform the rest.
Privacy roles
Clear responsibility for client and customer data
For most WhatsApp automation use cases, the client decides why their customer data is collected and used. Rafeeq operates the platform and handles that data only to provide the service, protect the platform, and support the client.
Clients stay responsible for the customer relationship and their own privacy notices.
Rafeeq uses client data only for service delivery, support, security, troubleshooting, and lawful operational needs.
Where a vendor processes data for the platform, we treat that vendor as a processor or service provider and limit the data shared with them.
You keep control of your business data. We operate the automation layer around the purpose you approved.
Personal data
Contacts, messages, leads, voice, video, files, and workspace settings are protected
PDPL guidance treats contact details as personal data when they can identify or single out a person. Across WhatsApp, Instagram, LinkedIn, web chat, voice, and video, that means contact identifiers, message history, call transcripts, lead notes, uploaded knowledge-base files, media, and account records are handled as protected information.
We classify phone numbers and WhatsApp conversations as personal data.
Uploaded business files and media are protected because they may contain customer or business information.
Operational logs are limited to what is needed for support, abuse prevention, debugging, and security review.
We do not treat WhatsApp data as casual chat data. If it can identify a person or reveal a business relationship, it is protected.
Purpose limitation
Data is used for specific, explained purposes
Privacy laws expect businesses to explain why data is collected and to avoid using it for unrelated purposes later. Our product purpose is narrow: automate conversations across the connected channels, answer from approved knowledge, qualify leads, support handoff, maintain records, and protect the service.
We avoid collecting data that is not needed for the WhatsApp automation workflow.
If data is needed for a new purpose, the purpose should be explained before that new processing starts.
Sensitive, health, credit, or highly private data should not be added unless the client has a clear lawful basis and a real business need.
The platform is built around clear business purposes, not hidden reuse of customer conversations.
Data minimization
Only the minimum useful data should be collected
SDAIA PDPL implementing rules emphasize collecting and retaining only the minimum personal data needed for the stated purpose. The same idea appears in global privacy programs: less unnecessary data means less risk.
Workspace features should ask for the smallest amount of customer information that can complete the task.
Knowledge-base files should contain the business facts the AI needs, not unrelated personal data.
Exports, logs, and admin views should avoid exposing more data than the user needs for their role.
We design around useful data, not excessive data collection.
Tenant isolation
Each client workspace is separated from every other client
The platform is multi-tenant, so privacy depends on strong separation. Every workspace has its own protected boundary for messages, leads, files, settings, integrations, and AI knowledge.
Server-side data access is scoped to the authenticated user's workspace.
Client-provided workspace identifiers are not trusted as the source of access rights.
Knowledge retrieval is designed so one client's files cannot answer another client's customers.
Your business workspace is not mixed with another client's workspace.
Individual rights
People can ask about, correct, access, or delete their data
PDPL, GDPR, and CCPA/CPRA all give people meaningful control over personal data. Depending on the law and request, customers may ask to be informed, access data, receive a copy, correct inaccurate data, delete or destroy data, restrict or object to certain uses, withdraw consent, or opt out of some marketing uses.
Requests should be verified so one person cannot access another person's data.
Saudi PDPL implementing rules describe response handling and documentation for data-subject requests.
Deletion may be limited where a law, dispute, fraud-prevention need, or contractual obligation requires retention.
We support clear privacy request handling instead of making customers guess where to go.
Consent and marketing
Marketing must be clear, consent-based, and easy to stop
SDAIA PDPL implementing rules require consent before processing personal data for direct marketing and an easy mechanism to stop receiving marketing. CCPA/CPRA also focuses on opt-out rights for certain sharing and targeted advertising.
Clients should clearly identify themselves when sending marketing messages.
Marketing consent should be separate from general service communication where required.
Opt-out should be as easy to use as opt-in.
WhatsApp automation should help clients communicate responsibly, not trap customers in unwanted marketing.
Processors and vendors
Third-party providers are used only where needed
The platform may rely on providers for WhatsApp delivery, hosting, storage, AI processing, search, integrations, monitoring, and email or notification workflows. Privacy rules expect careful vendor selection, clear instructions, and appropriate safeguards.
Typical providers can include Twilio, Firebase/Google Cloud, OpenAI, Pinecone, Vercel, and integration providers where a client enables them.
Only the data needed for the provider's role should be shared.
Vendor access should support confidentiality, breach notice, deletion, and security obligations.
Vendors help operate the service, but they should not receive more data than they need.
Cross-border transfer
Transfers outside Saudi Arabia need safeguards
Saudi PDPL transfer rules require attention when personal data is transferred or disclosed outside the Kingdom. The practical client promise is simple: know why the transfer is needed, limit the transferred data, use safeguards, and assess risk where required.
Cross-border transfer should be tied to a valid service or legal purpose.
The transferred data should be limited to what the service needs.
Safeguards may include contractual commitments, vendor due diligence, and documented risk assessment.
When global cloud or AI services are involved, transfer decisions are treated as a privacy risk to be managed.
Retention and deletion
Data is kept only as long as it is needed
Privacy laws expect a retention reason. Conversation records, leads, files, logs, and exports should be retained for service delivery, security, legal, audit, or client business needs, then deleted or anonymized when they are no longer needed.
Deletion requests should be handled after identity and authority are verified.
Backups and copies should be included in deletion planning according to applicable requirements.
Anonymized data should not be re-identifiable before it is treated as outside personal-data scope.
Data should have a purpose while it is stored, and a path to deletion when that purpose ends.
Security controls
Technical controls protect accounts, files, messages, and APIs
Security is explained in client language, but it maps to real application controls: authenticated sessions, role-based and workspace-scoped API access, encrypted transport, hashed API keys, private storage, controlled media access, webhook validation, rate limiting, input validation, and safer error handling.
All protected dashboard and API actions require verified authentication.
Inbound messaging webhooks are validated so attackers cannot easily fake channel events.
Private files and media are served through controlled access instead of public bucket links.
Rate limits and input validation reduce abuse, spam, and injection risk.
The platform combines privacy rules with practical engineering controls.
AI safeguards
AI answers are grounded in the right workspace knowledge
AI automation creates privacy risk if it can mix clients, expose secrets, or answer from unapproved sources. Our rule is that AI should answer from the right workspace, use approved knowledge, avoid unnecessary personal data, and hand off when confidence or policy is unclear.
Workspace-scoped retrieval reduces the chance of cross-client knowledge leaks.
Input sanitization and prompt-safety checks reduce prompt injection and unsafe automation behavior.
Human takeover is available when a conversation needs judgment, consent, or sensitive handling.
AI is treated as a controlled workflow, not an unrestricted data explorer.
Incident response
Security incidents are handled with containment and notice planning
SDAIA's breach notification service references notice within 72 hours of awareness when an incident may harm personal data or affect data-subject rights or interests. Our platform rules support fast investigation, containment, documentation, client communication, and notification planning.
Incidents should be triaged to understand affected workspaces, data categories, timing, and likely impact.
Clients should receive the information they need to meet their own legal duties.
Security findings should lead to follow-up fixes, monitoring, and prevention steps.
If something goes wrong, the response should be documented, fast, and useful to clients.
Transparency
Clients should tell customers when AI and WhatsApp automation are used
Privacy notices should explain who is collecting data, what is collected, why it is used, how long it may be kept, who it may be shared with, rights available to the person, and how to contact the business.
Customers should know when they are interacting through WhatsApp automation.
Privacy notices should be clear, accessible, and easy to understand.
If automated decisions or sensitive uses are introduced, they should be explained before use where required.
Clear notices help customers trust the automation instead of feeling surprised by it.
Governance
Privacy and security are reviewed as operating rules, not one-time copy
NIST CSF 2.0 emphasizes governance alongside identifying, protecting, detecting, responding, and recovering from cyber risk. For clients, this means security should be assigned, reviewed, documented, and improved as the service changes.
Admin access should be limited to people who need it.
Changes to integrations, AI knowledge, retention, and exports should be reviewed for privacy impact.
Security checks, dependency reviews, and audit logs help keep controls current.
Protection is an ongoing operating habit, not a static claim on a webpage.
This page may be updated as Rafeeq Agent expands, adds new channels, improves security measures, or responds to regulatory changes. The latest version always appears here.
Section 13 · Contact
Privacy & security contact
For privacy questions, data requests, or anything outside this page, reach us by email.
This page is provided for informational purposes only and does not constitute legal advice. It describes current product behavior and intentions, which may change over time. Rafeeq Agent does not claim official certification by SDAIA, the NCA, or any other authority. Businesses are responsible for ensuring their own use of the platform complies with applicable laws.