Privacy Policy
Arabic is the legally binding version per Saudi law.
Effective date: 1 May 2026 / 1 مايو 2026
This policy describes how Asas Albahth Commercial Limited Company ("Jabr") handles and protects personal data, in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations.
1. Data We Collect From You Directly
We collect the following when you register or set up your business:
- Account data: Name (Arabic and English), email, phone number, preferred language
- Business data: Company name, Commercial Registration number, VAT number, full address, legal form, business type, partner details (name, ownership percentage, capital, nationality)
2. Data You Create Inside the Platform
Jabr is an accounting platform. The financial data you enter (journal entries, invoices, bank statements, receipts, customer and supplier records) is data you create in your own workspace, not data we collect from you. We provide the infrastructure to store it securely on your behalf.
Each company's data is fully isolated from all other companies. No user can access another company's data.
3. Data We Collect Automatically
- Abuse prevention data: IP address at registration (stored temporarily to limit fake account creation), and a device fingerprint (an encrypted hash of browser type, screen dimensions, and language - used solely to prevent multiple-account abuse)
- Usage metrics: Number of AI calls, tokens consumed (for plan limit enforcement and billing), types of operations performed (e.g., entry created, document uploaded)
- Audit trail: An immutable log recording who made each change and when (required for accounting and regulatory compliance)
We do not use Google Analytics. We use the X Pixel and X Conversions API to measure advertising performance and attribute registrations and paid subscriptions to X campaigns. We do not send accounting data or invoice contents.
We do not collect sensitive data as defined by PDPL (such as health or biometric data) and do not request it.
4. Jabr Internal Team Access Boundaries
Jabr internal administrators can view:
- Company metadata (name, plan tier, status, creation date)
- Aggregate usage statistics (total entry count, token consumption, estimated cost)
- Member information (email, name, role, last login)
Jabr administrators have no interface or access to view your individual journal entries, invoices, bank statements, or customer and supplier records. Financial data is stored in Firestore with security rules that restrict reads to authorized company members only.
5. Data Sent to AI Providers
Jabr does not operate its own AI service. When you connect your own AI account (Claude or ChatGPT) to your books via the MCP connector:
- Your AI application requests data from Jabr through the connector. Only data relevant to your specific query is sent. For example, if you ask "What were my January expenses?" only January-related entries are sent.
- Operational context is sent: company name, business type, fiscal year, VAT registration status, and chart of accounts.
- Your entire financial database is never sent automatically.
- Data is sent directly to whichever AI provider you use (Anthropic, OpenAI, etc.) under your own account and their terms of service.
The only exception: Jabr uses an internal AI service for a single purpose: verifying payment receipt images uploaded during subscription renewal. This process does not access any of your financial data.
6. Legal Basis for Processing
We process your data based on:
- Contract performance: To deliver the accounting service you subscribed to
- Legal obligation: To comply with the Commercial Books Law and ZATCA requirements (10-year record retention)
- Legitimate interest: To protect the platform from fraud (rate limiting, device fingerprinting)
7. How We Use Your Data
We use data exclusively for:
- Operating the accounting service and storing your data securely
- Processing subscriptions and verifying payment receipts
- Sending operational emails only (account confirmations, subscription notifications, usage alerts, filing deadline reminders). We do not send marketing or promotional emails. Our emails do not contain your financial transaction details.
- Enforcing plan limits (entry counts, AI token usage)
- Preventing fake multi-account creation
- Maintaining an audit trail of changes (required for regulatory compliance)
We do not sell your data. We do not share it for marketing or advertising. We do not use your data to train AI models.
8. Data Storage and Security
- Location: Google Cloud in the Middle East region (me-central1)
- Encryption in transit: HTTPS with TLS 1.3 and HSTS enabled
- Encryption at rest: AES-256 with Google-managed keys (Firestore and Cloud Storage)
- Sensitive secrets: ZATCA signing keys are encrypted with AES-256-GCM before storage
- Passwords: We do not store them. Firebase Authentication manages them with industry-standard hashing
- Access control: Firestore security rules operate on a default-deny basis and verify company membership before any read or write
- Backups: Automated daily backups
9. Data Retention
- Account data: For the duration of the subscription + 90 days after cancellation to allow account recovery
- Financial data: 10 years after account cancellation (per the Saudi Commercial Books Law)
- Abuse prevention data (IP, device fingerprint): IP addresses are stored for 24 hours. Device fingerprints are stored as identifiers only to prevent multi-account abuse
- Usage metrics: 90 days
- You may request deletion of your account at any time. Financial data is retained per the legal obligation above.
10. Third Parties (Sub-processors)
We work with the following service providers only as needed to operate the platform:
- Google Cloud / Firebase: Database (Firestore), authentication (Firebase Auth), cloud storage (Cloud Storage) - data stored in the Middle East region
- Anthropic (Claude): Used internally by Jabr solely to verify subscription payment receipts. Does not access your financial data.
- Hostinger: SMTP server for sending operational emails only (account confirmations, subscription notifications)
Note on MCP connector: When you connect your own AI account (Claude or ChatGPT) to your books, data flows directly to the provider you use under your own account. Jabr does not control that provider or act as an intermediary - the relationship is directly between you and the AI provider under their terms of service.
We do not share your data with any other third party except under a court order or official request from a competent government authority.
11. International Data Transfers
Your core data (account, business, financial records) is stored in the Middle East region (Google Cloud me-central1). Jabr does not transfer your data outside the Middle East region on its own. If you connect an external AI account to your books via the MCP connector, data related to your queries is sent to whichever AI provider you use (which may be outside the Middle East region) under their terms of service. This transfer is at your own initiative and choice.
12. Your Rights
Under PDPL, you have the right to:
- Access: View your personal data held by us
- Export: Export all your financial data at any time in Excel and CSV formats directly from within the platform
- Correction: Update inaccurate data from your account settings
- Deletion: Request deletion of your account and data (subject to 10-year legal retention obligation for financial records)
- Objection: Object to the processing of your data
- Restriction: Restrict the processing of your data
To exercise any of these rights, contact: info@jabrhq.com
13. Breach Notification
In the event of a security breach affecting your personal data:
- We will notify SDAIA (Saudi Data and AI Authority) within 72 hours
- We will notify you directly as soon as possible with a description of the breach, its impact, and the measures taken
14. Policy Changes
We may update this policy. Material changes will be communicated via email 30 days before they take effect.
15. Contact
Asas Albahth Commercial Limited Company
Email: info@jabrhq.com