Privacy Policy
Last updated: May 3, 2026
Who we are
Handz ("we" / "the Platform") is a Saudi-licensed platform serving recruitment offices and Saudi families. We comply with the Saudi Personal Data Protection Law (PDPL) issued under Royal Decree M/19 (1443H) and its executive regulations.
What we collect
- Office data: name, license number, city, email, phone.
- Family data: full name, national ID, phone, email, city, worker preferences.
- Worker data: name, nationality, passport number, date of birth, experience, medical status.
- Usage data: sign-in records, order events, system actions.
How we use your data
- Operate the platform and enable workflows between offices, families, and foreign agents.
- Issue ZATCA Phase 2 compliant invoices.
- Sync Musaned contracts via official deep-links only.
- Send real-time notifications (WhatsApp / email / SMS) about your order status.
- Run internal analytics to improve the platform (aggregated only, never identifying you).
Sharing
We do not sell your data. We share only with:
- The office you chose to engage (families).
- The foreign agent assigned to your order (if needed).
- Saudi government bodies upon formal written request.
- Technical service providers (Vercel for hosting, Neon for database, Resend for email) — all bound by confidentiality and ISO 27001 certified.
Where your data lives
The Handz database is hosted in EU Central (eu-central-1) on Neon. Sensitive records (IDs, passports) will move to Middle East (me-south-1) as soon as Neon supports it (expected 2026).
Your rights under the Saudi PDPL
- Right to be informed (Article 4): know the lawful purpose of processing and the recipients of your data.
- Right of access (Article 20): request a full copy of your data at any time.
- Right to correction (Article 19): correct or update any inaccurate data.
- Right to erasure (Article 18): request deletion of your account and data (excluding records that the law requires us to keep for 7 years for accounting).
- Right to data portability (Article 22): receive a structured copy of your data to move to another platform.
- Right to objection (Article 23): stop notifications or specific data processing.
To exercise any right, email [email protected] — we commit to a response within the statutory 30 days.
Breach notification
Under Article 24 of the Saudi PDPL we will notify the Saudi Data and AI Authority (SDAIA) within 72 hours of discovering any breach affecting data subject rights, and notify affected individuals without undue delay.
Retention
- Active accounts: for the duration of service use.
- Inactive accounts: 90 days, then automatically purged.
- Accounting and tax records: 7 years (regulatory requirement).
- Security audit logs: 2 years.
- Consent records: for the lifetime of the account + 1 year as proof of compliance.
Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Data access is restricted to authorized Handz staff only; every access is logged in an immutable audit trail.
Cookies
We only use essential cookies needed to run your session and remember your language. No advertising trackers. On your first visit a consent banner will ask you to accept.
Contact
- Email: [email protected]
- WhatsApp: +966 XX XXX XXXX
v1.0.0 · hash 2df389aa4ef84361