Privacy Policy

Last updated: June 13, 2026

1. Scope of this policy

This policy explains how GaflahTech («قفلة تك») collects and uses personal data when you use our property-access platform or visit our website. For your account and business data, GaflahTech is the data controller. For the guest data you enter (names, phone numbers, stay details), you — the property manager — are the controller and we process it on your behalf and on your instructions.

2. Data we collect

Account data: name, mobile number (your sign-in identifier), email, preferred language, and a hashed password — we never store passwords in plain text.

Property and device data: property names and addresses, smart-lock identifiers, lock status and battery levels.

Reservations and guests: guest names, phone numbers, optional emails, and stay dates that you enter or that sync from your PMS.

Access codes: stored hashed with a masked preview — active codes are never stored in plain text.

Billing: subscription, plan, and invoice records. Card payments are handled by a licensed payment provider; we do not store full card numbers.

Technical data: IP addresses, sign-in and security audit logs, API usage records, and basic device/browser information.

3. How we use your data

We use data to: operate the service (including sending lock commands through the lock vendors and delivering access codes by SMS, email, or WhatsApp); synchronize reservations with the PMS systems you connect; bill subscriptions; secure the platform, prevent abuse, and keep audit trails; provide support; and understand aggregate usage to improve the product. We do not sell personal data and we do not run third-party advertising.

4. Legal bases under the PDPL

We process personal data in line with the Saudi Personal Data Protection Law (PDPL), relying on: performance of our contract with you (operating your account and the service), our legitimate interests (security, fraud prevention, service improvement), your consent where required (for example certain messages), and compliance with legal obligations (such as retaining invoicing records).

5. Guest data and messaging

Guest phone numbers and emails are used only to deliver stay-related messages on your instruction — access codes, check-in instructions, and reservation notices — through our messaging providers. We do not use guest contact details for marketing. As the party who collects guest data, you are responsible for having a lawful basis to share it with us and to have guests contacted this way.

6. Sharing and processors

We share data only with service providers that help us run the platform, under contracts limiting their use of it: smart-lock vendors (Tuya, TTLock) — device commands and status; messaging providers (Twilio for SMS/WhatsApp, SendGrid for email) — message delivery; our payment provider — subscription payments; hosting and infrastructure providers — the website, API, and databases; an error-monitoring service (Sentry) — technical diagnostics; and any PMS provider you choose to connect. We may also disclose data where required by law or to protect the platform and its users.

7. International transfers

Some of our service providers operate infrastructure outside the Kingdom of Saudi Arabia. Where personal data is transferred abroad, we do so in accordance with the PDPL's transfer requirements and with safeguards that hold providers to protections consistent with this policy.

8. How we protect your data

Security measures include: encryption in transit (TLS) across the platform; authentication via HttpOnly cookies rather than browser-readable storage; bcrypt hashing for passwords and access codes; encryption of stored PMS credentials; role-based access controls inside your account; hashed API keys with scoped permissions and rate limiting; and security audit logging. No system is perfectly secure, but we design for least privilege and review our practices regularly.

9. Retention

We keep account and service data while your account is active. After closure, you have 30 days to request an export; we then delete or anonymize personal data within 90 days, except records we must keep longer by law (such as invoices) and minimal audit entries kept for security. Expired access codes are cleaned up automatically, and guest data is removed when you delete the related reservations or your account.

10. Your rights

Under the PDPL you may request access to your personal data, correction of inaccurate data, deletion (subject to legal retention duties), a copy of data you provided, and withdrawal of consent where processing relies on it. Guests may exercise these rights through the property manager who holds their booking, or by contacting us, in which case we will coordinate with that manager. To exercise any right, email support@gaflah.tech — we respond within the timeframes the PDPL sets, and you may escalate complaints to the Saudi Data & AI Authority (SDAIA).

11. Cookies

We use only what the service needs to work: an HttpOnly authentication cookie that keeps you signed in, and a locale cookie that remembers your language. We do not use third-party advertising or cross-site tracking cookies.

12. Changes and contact

We will post updates to this policy here with a new “last updated” date, and notify you of material changes. Privacy questions or requests: support@gaflah.tech.