Privacy Policy
Note on this translation. This English page is a working translation of the canonical Arabic policy at
/privacy/. If the two ever conflict, the Arabic version governs. Sections track the Arabic structure one-to-one.
zmam.ai (referred to as “zmam” or “we”) is committed to protecting users’ personal
data under the Personal Data Protection Law (Royal Decree M/19) and its
implementing regulations. This policy describes the categories of data we collect,
the purposes of processing, the legal basis, retention periods, data subject
rights, and how to exercise them. It applies to every visitor who uses the
external-scan service at zmam.ai.
Data controller
The data controller is the zmam service, operating under the trade name “zmam” (zmam.ai):
- Trade name: zmam (zmam.ai)
- Privacy contact: [email protected]
zmam currently operates as a trade name in a pre-incorporation phase. We will update controller details immediately upon registering the formal legal entity.
What we collect and why
| Category | Purpose | Legal basis |
|---|---|---|
| Requester email | Sending the verification link and delivering the scan report. | Performance of the requested service; explicit consent via the form. |
| Submitted domain | Running the external scan against the specified domain. | Performance of the requested service. |
| sha256 hash of IP address | Enforcing daily usage limits and preventing abuse. | Legitimate interest in protecting the service; original IP is never stored. |
| sha256 hash of user-agent | Detecting automated abuse patterns. | Legitimate interest in abuse prevention. |
| External-scan results | Generating the report sent by email, and (in v0.1) routing sensitive findings. | Performance of the requested service. |
Notes:
- Neither the original IP nor the full user-agent is ever logged; only the hashed values are stored.
- zmam uses no analytics trackers, advertising, or analytical cookies.
- zmam does not make purely automated decisions that have legal effects on the data subject.
Retention periods
| Class | Period |
|---|---|
| Scan requests (scan_requests) | 90 days from creation |
| Scan results (scan_results) | 90 days from scan completion |
| Outbound email log (report_emails) | 90 days from send |
| Audit logs (audit_logs) | 365 days from event |
| Daily usage limits | 32 days from the end of the window |
| Verification email tokens | 7 days after verification or expiry (24-hour TTL) |
Data is purged on a rolling schedule once the retention window elapses.
Unverified pending_verification requests are deleted within 24 hours of the
verification link’s expiry.
Cross-border data transfer
zmam relies on infrastructure providers outside the Kingdom of Saudi Arabia to operate the service and deliver email:
- Cloudflare, Inc. (United States): site hosting, edge function execution, and the Cloudflare D1 database. The weur region (Western Europe) was selected for data storage because Middle East regions are not currently offered by Cloudflare D1. Data Processing Addendum.
- Resend (Resend, Inc.) (United States): delivery of verification emails and scan reports. Data Processing Addendum.
Transfers are performed under the Personal Data Protection Law and its implementing regulations on cross-border transfer (Article 29 of the Law), using contractual safeguards that match the protection level inside the Kingdom.
Your rights and how to exercise them
zmam guarantees data subject rights under the Personal Data Protection Law, including:
- The right to be informed of the bases and purposes of collection.
- The right to access personal data we hold about you.
- The right to request correction, update, or completion of your data.
- The right to request destruction of your data when no longer needed.
- The right to lodge a complaint with the Saudi Data and AI Authority (SDAIA).
How to file a request (DSAR):
- Email [email protected].
- The email must come from the same address you used in the original scan request, so we can verify your identity without requesting additional documents.
- State the right you wish to exercise and the relevant domain (if any).
- We will respond within 30 days of receipt, unless the request requires a justified extension.
If you cannot prove identity via the original email (e.g., loss of access), contact us to agree on an alternative verification method using the minimum amount of additional data necessary.
Breach notification
If a breach affecting your personal data occurs, zmam undertakes to notify the Saudi Data and AI Authority (SDAIA) within 72 hours of becoming aware of it, in accordance with Article 24 of the implementing regulations of the Personal Data Protection Law. We will also notify the affected data subject when the incident so requires.
Version 0.0.1 — Last updated: 2026-05-27