Privacy Policy
Effective date: April 10, 2026
This Privacy Policy explains how Mise ("we", "us", "our"), operated by Mubangizi Moses and accessible at miseapp.app, collects, uses, and protects your personal data. This policy is designed to comply with the Saudi Arabia Personal Data Protection Law (PDPL), enacted by Royal Decree M/19, and its implementing regulations.
1. Data Controller
The data controller for personal data processed through the Service is Mubangizi Moses, contactable at privacy@miseapp.app.
2. Data We Collect
2.1 Account Data
When you register, we collect:
- Full name
- Email address
- Organisation name and type
- Role within the organisation
- Phone / WhatsApp number (optional, for supplier communication)
2.2 Operational Data
Data created through normal use of the Service:
- Procurement requests, approvals, and purchase orders
- Delivery records and inventory levels
- Supplier contact details (name, WhatsApp number, email)
- Delivery note photos (when using OCR feature)
- Issuance and waste tracking records
2.3 Payment Data
Payment is processed by Stripe. We store only your subscription plan, billing cycle, and invoice history. We never store full card numbers — Stripe handles this under PCI DSS Level 1 compliance.
2.4 Technical Data
We collect standard web analytics: IP address, browser type, device type, and pages visited. This data is used to maintain security and improve the Service.
3. Purpose and Legal Basis
Under PDPL Article 5, we process personal data for the following purposes:
| Purpose | Legal Basis (PDPL) |
|---|---|
| Providing the Service (auth, procurement workflows) | Performance of contract (Art. 5.1) |
| Processing payments | Performance of contract (Art. 5.1) |
| Sending order notifications via WhatsApp/email | Performance of contract (Art. 5.1) |
| Security monitoring and abuse prevention | Legitimate interest (Art. 5.2) |
| Product improvement and analytics | Legitimate interest (Art. 5.2) |
| Marketing communications | Consent (Art. 5.4) — opt-in only |
4. Data Sharing
We share personal data only with:
- Supabase (database hosting) — data stored in AWS infrastructure
- Vercel (application hosting) — processes requests
- Stripe (payment processing) — billing and invoicing
- Twilio (WhatsApp messaging) — supplier order notifications
- Resend (email delivery) — transactional emails
- Google Cloud (OCR) — delivery note image processing
We do not sell personal data. We do not share data for advertising purposes. All sub-processors are bound by data processing agreements.
5. Cross-Border Transfer
Per PDPL Article 29, personal data may be transferred outside the Kingdom of Saudi Arabia only when the recipient country provides an adequate level of protection or when appropriate safeguards are in place. Our sub-processors operate under standard contractual clauses and industry-standard security certifications (SOC 2, ISO 27001).
6. Data Retention
- Active accounts — data retained for the duration of the subscription.
- Cancelled accounts — data retained for 30 days after cancellation, then permanently deleted.
- Invoices and payment records — retained for 7 years as required by Saudi commercial law.
- Security logs — retained for 12 months.
7. Your Rights Under PDPL
As a data subject under PDPL, you have the right to:
- Access — request a copy of your personal data.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your data (subject to legal retention requirements).
- Restrict processing — request that we limit how we use your data.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — withdraw consent for marketing communications at any time.
To exercise these rights, contact us at privacy@miseapp.app. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organisational measures including:
- Row-level security (RLS) — each organisation's data is isolated at the database level.
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control enforced via JWT claims.
- Webhook signature verification for all payment and messaging integrations.
- Regular security audits.
9. Children's Privacy
The Service is designed for business use and is not directed at individuals under 18. We do not knowingly collect data from minors.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before they take effect.
11. Complaints
If you believe your data rights have been violated, you may file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.
12. Contact
For privacy-related inquiries: privacy@miseapp.app