1. Who we are
Moyafa (the "Platform," "we," "us," "our") is a software service operated by Three Lines Company Ltd, a company registered in the Kingdom of Saudi Arabia.
- Registered address: 32 A Street, Khobar, Eastern Province 34234, Saudi Arabia
- Privacy contact: privacy@moyafa.com
- General contact: support@moyafa.com
This Privacy Policy explains how we handle personal data when stores and brands ("Stores") use the Platform to communicate with their customers over WhatsApp and connected channels.
2. Our two roles — please read this first
The Platform processes two different categories of personal data under two different roles:
- As a controller — for the personal data of our Stores and their staff (account holders, agents, billing contacts). We decide how this data is used to provide and operate the Platform.
- As a processor — for the personal data of a Store's own customers ("Shoppers") — for example phone numbers, names, message content, and order details that flow through the Platform. Here the Store is the controller and decides why and how that data is used. We process it only on the Store's documented instructions, to deliver the service the Store has configured.
If you are a Shopper and want to exercise your rights or ask why you received a message, your first point of contact is the Store you were messaging. We will assist that Store in responding.
3. Personal data we collect
From Stores and their staff (we are controller):
- Identity and contact details: name, business name, email, phone number, role.
- Account and authentication data.
- Billing and subscription data (we do not store full payment card numbers; payments are handled by our payment provider).
- Configuration data, including AI provider API keys you choose to add (stored encrypted — see Section 7).
- Usage, log, and device data needed to run and secure the service.
On behalf of Stores (we are processor):
- Shopper contact details (e.g. WhatsApp phone number, name).
- Message content exchanged between the Store and its Shoppers, including text and voice notes, and AI-generated transcriptions and reply suggestions.
- Order, cart, customer, and product data synchronized from the Store's Salla or Zid account.
- Conversation metadata (timestamps, assignment, status, labels).
- For Stores using booking and field-service features: staff and driver phone numbers and preferred language; a driver's device location pings, shared at the driver's choice and only while a visit is in progress, to show the customer live arrival (these are transient); and job photos — before/after photos, and, where a visit could not be completed, door/evidence photos — uploaded by the Store's staff.
We instruct Stores not to collect or send full payment card numbers, bank account numbers, or national ID numbers through chat, in line with WhatsApp policy and applicable law.
4. How we use personal data
We use Store data to create and secure accounts, provide and improve the service, process billing, provide support, and meet legal obligations.
We process Shopper data only to provide the service to the Store, including routing and displaying conversations, syncing orders, transcribing voice notes, generating AI reply suggestions and automated replies, and producing analytics for that Store. We do not sell personal data, and we do not use Shopper data for our own independent purposes.
5. Legal basis (PDPL)
We process personal data under the Saudi Personal Data Protection Law ("PDPL") on the basis of: performance of a contract (operating the Platform for the Store); the Store's lawful basis and consent for messaging its Shoppers; our legitimate business interests in securing and improving the service; and compliance with legal obligations. Stores are responsible for obtaining valid opt-in consent from Shoppers before messaging them.
6. Opt-in and opt-out
Messaging through the Platform requires that Shoppers have opted in to receive messages from the Store, consistent with WhatsApp's Business Messaging Policy. Stores must honor every opt-out promptly, and the Platform provides tooling to record consent and suppress contacts who opt out.
7. AI features and your provider key
The Platform's AI features (reply suggestions, transcription, automated replies) operate using an AI provider key that the Store supplies (e.g. OpenAI or Anthropic). That key is stored encrypted, and usage is billed by the AI provider directly to the Store. When AI features are used, relevant message content is sent to the chosen AI provider to generate a response. AI output is assistive and may be inaccurate; a human reviews suggestions unless the Store has enabled confidence-gated automation.
8. Sub-processors and third parties
We share personal data only with service providers needed to run the Platform, under appropriate contracts. These include: Meta Platforms (WhatsApp Cloud API messaging), Salla and Zid (store integrations, at the Store's direction), the Store's chosen AI provider (e.g. OpenAI, Anthropic), our hosting and infrastructure providers (e.g. Supabase, Vercel), and our payment provider for subscription billing. A current list of sub-processors is available on request.
9. Google user data (Gmail / email integration)
When a Store connects its own Gmail or Google Workspace mailbox to Moyafa's email channel, the Store authorizes Moyafa, via Google OAuth, to access that mailbox on the Store's behalf. This section describes that access and our commitments for it.
What we access. With the Store's explicit consent, we request the minimum Gmail scopes needed to operate a shared inbox:
- Read messages (
gmail.readonly) — to import the Store's incoming customer emails into its Moyafa inbox. - Send messages (
gmail.send) — to send the Store's own replies from its own address.
How we use it. Google user data is used only to provide the user-facing email-inbox feature to the connecting Store: showing that Store's incoming emails as conversations in its inbox, and sending the Store's replies. Access and refresh tokens are stored encrypted and are never exposed to any other Store.
What we do not do. We do not use Google user data to serve advertising; we do not sell or transfer it; and we do not use it to develop, train, or improve generalized artificial-intelligence or machine-learning models. Message content is only sent to a Store's own configured AI provider when that Store enables AI reply suggestions for its inbox (see Section 7), at the Store's direction and never to train shared models.
Limited Use. Moyafa's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Revoking access. A Store can disconnect a mailbox at any time from Settings → Channels → Email, which deletes the stored tokens, and can also revoke Moyafa's access from its Google Account security settings.
10. Cross-border transfers
Some of these providers process data outside the Kingdom of Saudi Arabia. Where personal data is transferred outside the Kingdom, we rely on the transfer mechanisms permitted under the PDPL and apply appropriate safeguards. In particular, where a Store enables AI features, Shopper message content may be transferred to and processed by the Store's chosen AI provider outside the Kingdom; the Store is responsible for ensuring it has a lawful basis for this transfer.
11. Data retention
We retain Store account data for as long as the account is active and as required by law (for example, billing and tax records). We retain Shopper data on behalf of a Store for as long as the Store's account is active or until the Store instructs us to delete it, after which we delete or anonymize it within a reasonable period, subject to legal retention requirements.
For booking and field-service features specifically: a driver's live-location pings are transient and are automatically deleted within about seven days of the visit; job photos are retained for as long as the related booking record is kept by the Store; and staff contact details are retained while that staff member is active in the Store's workspace.
12. Security
We apply technical and organizational measures appropriate to the risk, including encryption of sensitive fields (such as AI keys), encryption in transit, access controls, and database-level tenant isolation so that one Store's data is not accessible to another. No system is perfectly secure, but we work to protect personal data and to notify affected parties and the competent authority of a personal data breach as required by the PDPL.
13. Your rights
Under the PDPL, individuals have rights including the right to be informed, to access their personal data, to request correction, and to request deletion, subject to legal limits. Stores may exercise these rights for their own account data by contacting us. Shoppers should contact the relevant Store, which is the controller of their data; we will support the Store in fulfilling valid requests. You may also lodge a complaint with the Saudi Data & AI Authority (SDAIA).
14. Children
The Platform is a business tool and is not directed to children. We do not knowingly collect personal data directly from children through the Platform.
15. Changes to this policy
We may update this policy from time to time. We will post the updated version with a new "Last updated" date and, where appropriate, notify Stores.
16. Contact
Questions or requests about this policy: privacy@moyafa.com, or write to Three Lines Company Ltd, 32 A Street, Khobar, Eastern Province 34234, Saudi Arabia.