Legal

Privacy Policy

Last updated: 2026-03-08

1. Scope

This Privacy Policy explains how Hawtar collects, uses, stores, shares, and protects personal data when you use our platform, public website, authenticated panels, mobile clients, and related support channels.

2. Account, Identity, and Social Sign-In Data

We process account and identity data that you provide directly and, when you choose social sign-in, identity data returned by your selected provider. Depending on your use of the service, this may include:

  • Account and profile data such as your name, email address, phone number, avatar, organisation membership, and role assignments.
  • Provider account identifiers, provider name, and profile name.
  • Email address supplied by the provider and the provider email-verification signal when available.
  • Profile avatar URL and basic provider metadata when needed to complete sign-in or account linking.
  • Connection and usage timestamps such as linked time, last login time, and last used time.
  • A one-way hash or equivalent protected representation of provider token data where needed for integrity and security checks; we do not retain provider access tokens in plaintext in our social identity records.

For first-time social sign-in, we require an email from the provider to create or safely link an account. If a provider does not return a usable email, sign-in can be blocked until a safe identity match is available.

3. Operational, Publication, and Support Data

  • Operational data such as tenders viewed, saved searches, workflows, submissions, compliance actions, generated document activity, and other platform interactions.
  • Files, document metadata, questionnaire answers, product records, and related entity content submitted through the platform.
  • Support, onboarding, and contact-form data such as messages, attachments, and follow-up history shared with our teams.
  • Vendor publication data such as product, showroom, quotation, or other business content that the relevant party has submitted and approved for publication through platform workflows.

Commerce and Billing Data

  • Commerce records such as orders, subscriptions, entitlements, report purchases, invoices, confirmations, payment references, and related commercial metadata.
  • Checkout evidence such as terms version, pre-contract disclosure version, recurring-consent text, immediate-access evidence text, any applicable waiver text, buyer type, buyer country, resolved buyer classification, and associated timestamps.
  • Seller identity and tax-status snapshots, including merchant legal name, address, internal tax references, VAT registration status, and buyer tax or country data where relevant.

4. Technical, Security, and Anti-Abuse Data

  • Technical data such as IP address, device and browser details, language, session metadata, and sign-in context.
  • Request and activity data such as request path, method, response status, workflow actions, audit entries, and operational diagnostics needed for security, troubleshooting, and compliance.
  • First-party form-integrity and abuse-prevention signals such as hidden anti-automation fields, encrypted timing tokens, request context, guarded mutation method names, and submission-frequency metadata.
  • Rate-limit, bot-detection, and abuse-prevention events related to actions such as create, save, register, reset, upload, import, send, or other protected mutations.

For standard browser form protection, Hawtar currently uses first-party anti-abuse controls operated within the application instead of a third-party CAPTCHA challenge provider.

4. Why We Process Data

  • To authenticate users, manage accounts, connect identities, and administer multi-tenant access.
  • To operate procurement intelligence, supplier workflows, compliance processes, document generation, and related service functionality.
  • To secure accounts and workflows, detect scripted or abusive activity, prevent scraping and fake submissions, and protect service integrity.
  • To improve reliability, investigate incidents, measure platform safety, and maintain operational performance.
  • To send required transactional notices, security alerts, workflow updates, and other service communications.
  • To display vendor-approved product, showroom, and quotation information to the intended audience.
  • To display vendor-approved public business content to intended audiences through platform publication workflows.

Commerce Classification, Tax, and Legal Evidence

For paid and zero-price commerce flows, Hawtar processes buyer classification, buyer-country evidence, merchant tax-status data, and disclosure, immediate-access, or any applicable waiver evidence to determine whether checkout, invoicing, and access can proceed lawfully.

An organization purchase is not automatically treated as B2B. Business treatment requires validated business evidence or explicit finance approval.

If buyer jurisdiction or seller VAT registration status is unresolved, Hawtar can place checkout or invoice issuance on compliance hold rather than proceeding on an assumed tax outcome.

6. Google API and OAuth Commitments

For Google sign-in, we request only the identity access needed for authentication and account management. We do not use Google user data for advertising, and we do not sell personal data.

If and when Google API Services user data is accessed, our use and transfer of that data will comply with the Google API Services User Data Policy, including Limited Use requirements.

7. AI and Optional Assisted Features

Certain Hawtar features use AI to assist with analysis, drafting, or conversational support. Where required, AI processing is optional and subject to a separate consent flow.

When you use these features, relevant prompt and response data may be sent to our AI service provider for processing on their servers and models. AI conversation data is retained for a limited period under our retention schedule, and current application retention for AI conversations is 90 days unless a stricter operational rule applies.

Do not submit passwords, secrets, or unnecessary sensitive personal information into AI conversations. AI outputs can be useful but still require human review and verification.

6. Vendor Data Boundaries

We do not use vendor-provided data as open public marketing data unless that data has been explicitly approved by the vendor for publication in platform workflows. Internal or non-public submissions are processed only for service operation, security, compliance, support, and related lawful platform purposes.

7. Legal Bases

We process personal data under contractual necessity, legitimate interests, legal obligations, and consent where required. Legitimate interests include service security, fraud prevention, first-party anti-abuse enforcement, operational monitoring, and protection of the platform and its users.

8. Sharing

We do not sell personal data. We may share data with vetted processors and infrastructure providers only to operate the service, including cloud hosting and storage, identity and OAuth providers, email delivery providers, payment processors, and AI providers where you have enabled the relevant feature.

We may also disclose data to regulators, courts, or other authorities when legally required, or where necessary to investigate fraud, abuse, security incidents, or violations of our platform rules.

11. Retention and Deletion

We keep personal data only as long as needed for business, security, contractual, support, and legal purposes. Retention windows vary by data type and regulatory obligation. Security and anti-abuse signals follow the same retention controls as the underlying request, activity, and operational logs in which they are recorded.

If you disconnect a social provider from your account, the corresponding linked social identity record is removed from your profile, except where limited records must be retained for legal, fraud-prevention, or security-audit obligations.

Commercial, tax, consent, disclosure, immediate-access, and any applicable waiver evidence for Premium subscriptions and Tender Match Report purchases are retained by evidence class and legal obligation. Financial and tax records are retained longer than ordinary operational logs, and legal holds override ordinary deletion or anonymization schedules.

When you request account deletion, access credentials and contact channels are removed or anonymized, while official workflow and audit records may retain actor labels where legally required to preserve process integrity, legal defensibility, and accountability.

12. Your Rights and Choices

Depending on applicable law, you may request access, correction, deletion, restriction, portability, or objection to processing. You may also request account closure using available platform or support channels.

You may manage connected social providers from your profile settings, revoke provider access from your provider account, and withdraw AI consent where that feature is offered separately from core platform use.

For account deletion instructions and retention disclosures, see the Account Deletion page.

13. Automated Security Decisions

We use automated security controls to temporarily reject, delay, throttle, or require resubmission of requests that appear abusive, scripted, unsafe, or inconsistent with normal platform use. This helps protect accounts, workflows, and the broader service from fraud and operational abuse.

These controls are used for security and service integrity. They are not used as the sole basis for decisions producing legal or similarly significant effects about you.

14. Global Standardization and Assurance

Hawtar applies a unified global privacy and security baseline across platform workflows, with controls and legal disclosures maintained as a coordinated standard rather than isolated policies.

  • Security and privacy controls are continuously validated through automated test suites and operational audits before release.
  • Retention, consent, AI transparency, data-subject rights, and first-party anti-abuse controls are governed by documented runbooks and enforced implementation contracts.
  • Legacy behavior that conflicts with current compliance controls is re-baselined to the latest documented standards.

This Privacy Policy and our Terms of Service are maintained as synchronized customer-facing legal disclosures and are updated together when compliance posture changes.

For global privacy and compliance inquiries, contact dpo@hawtar.com.

12. Contact

For privacy requests, contact us through the Contact page or reach our data protection contact through the address above when your request is specifically privacy or compliance related.