Privacy Policy
We are committed to protecting your privacy and handling your data in accordance with Saudi Personal Data Protection Law (PDPL).
PDPL Compliance
We process personal data in accordance with Saudi Personal Data Protection Law (PDPL) No. 151 of 2021, effective September 2023, issued under Royal Decree M/19.
01 Introduction
Sutahi ("we," "us," or "our") operates a cloud-based Hotel Property Management System (PMS) designed for the Saudi hospitality industry. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, including sutahi.com and all associated subdomains and services.
By accessing or using Sutahi, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access the platform.
This policy applies to all users of the platform within the Kingdom of Saudi Arabia, including hotel owners, managers, employees, and travel agency operators.
02 Information We Collect
We collect several categories of information when you use Sutahi:
Account & Company Data
- Company name, commercial registration number, and VAT number
- Administrator name, email address, and phone number
- Employee profiles: name, role, department, national ID (for NTMP/Nusuk registration)
- Hotel property details: location, star rating, room inventory, facility data
Usage & Technical Data
- IP address, browser type, device information, operating system
- Pages visited, actions taken, session duration, and feature usage patterns
- Log data: server logs, error reports, API call logs (retained 90 days)
- Cookies and similar tracking technologies (see our Cookie Policy)
Payment Data
- Subscription billing information (processed by Stripe — we do not store raw card numbers)
- Transaction records, invoice numbers, and SAR amounts for ZATCA compliance
- Bank transfer receipts uploaded as payment proof (stored encrypted)
Hotel Guest Data (Processed on Your Behalf)
As a data processor, we handle guest personal information on behalf of hotels (data controllers). This includes:
- Guest name, nationality, passport/Iqama number, date of birth
- Contact details: email, phone, address
- Booking history, room preferences, special requests
- Payment records for stays, VAT receipt data mandated by ZATCA
03 How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
Operating the PMS, processing reservations, generating invoices, managing housekeeping schedules.
ZATCA Compliance
Generating ZATCA Phase 2 (integration phase) e-invoices, including the TLV-encoded QR code, and submitting them to the Fatoora API: standard tax invoices for clearance and simplified invoices for reporting.
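The QR code referred to above is a base64 string of tag-length-value (TLV) triples: one byte of tag, one byte of length, then the UTF-8 value. The block below is an added example, not Sutahi's code, that encodes and decodes that framing; the seller name, VAT number and amounts are constructed sample values, and the tag-to-field mapping for tags 1 to 5 follows the published ZATCA Phase 1 specification (Phase 2 appends tags 6 to 9 with the same framing). The decoder checks every declared length against the buffer before slicing, which is the check a practitioner wants when parsing QR payloads from scanners or third parties.

```python
"""ZATCA e-invoice QR payload: TLV encode/decode.

Added example, not Sutahi's code. Framing (ZATCA Phase 1, tags 1-5):
  tag (1 byte) | length (1 byte) | value (UTF-8 bytes), concatenated, base64.
Phase 2 adds tags 6-9 (XML hash, signature, public key, certificate
signature) using the same framing. Sample field values are constructed.
"""
import base64
from typing import Dict

PHASE1_TAGS = {
    1: "seller_name",
    2: "vat_number",
    3: "timestamp",        # ISO 8601
    4: "total_with_vat",
    5: "vat_total",
}

# Constructed sample invoice (not real seller data).
SAMPLE = {
    1: "Bobs Records",
    2: "310122393500003",
    3: "2022-04-25T15:30:00Z",
    4: "1000.00",
    5: "150.00",
}


def encode_tlv(fields: Dict[int, str]) -> str:
    """Return the base64 QR payload for the given tag->value mapping."""
    out = bytearray()
    for tag in sorted(fields):           # tags must appear in ascending order
        value = fields[tag].encode("utf-8")
        if not 1 <= tag <= 255:
            raise ValueError(f"tag {tag} out of range")
        if len(value) > 255:             # length field is a single byte
            raise ValueError(f"tag {tag}: value longer than 255 bytes")
        out += bytes([tag, len(value)]) + value
    return base64.b64encode(bytes(out)).decode("ascii")


def decode_tlv_bytes(raw: bytes) -> Dict[int, str]:
    """Parse raw TLV bytes, refusing truncated headers and over-long lengths."""
    fields: Dict[int, str] = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        tag, length = raw[i], raw[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(raw):               # declared length runs past the buffer
            raise ValueError(f"tag {tag}: declared length {length} exceeds payload")
        if tag in fields:
            raise ValueError(f"duplicate tag {tag}")
        fields[tag] = raw[start:end].decode("utf-8")
        i = end
    return fields


def decode_tlv(payload: str) -> Dict[int, str]:
    """Decode a base64 QR payload; validate=True rejects stray characters."""
    return decode_tlv_bytes(base64.b64decode(payload, validate=True))


def is_valid_phase1(fields: Dict[int, str]) -> bool:
    """True when all five mandatory Phase 1 tags are present and non-empty."""
    return all(fields.get(tag) for tag in PHASE1_TAGS)


if __name__ == "__main__":
    qr = encode_tlv(SAMPLE)
    print(qr)
    print(decode_tlv(qr))
```

The encoder sorts tags so Phase 2 fields (6 to 9) land after the Phase 1 fields; the decoder rejects duplicate tags rather than silently letting a later copy overwrite an earlier one.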
Customer Support
Responding to support tickets, troubleshooting issues, and providing onboarding assistance via WhatsApp.
Platform Improvement
Analyzing aggregated, anonymized usage data to improve features, performance, and reliability.
Security & Fraud Prevention
Detecting unauthorized access, monitoring for suspicious activity, and maintaining audit logs.
Communication
Sending service notifications, billing alerts, product updates, and regulatory compliance notices.
04 Data Storage & Security
Data Residency
Hotel and guest data is stored in the AWS Middle East (Bahrain) region, me-south-1, the AWS region nearest to the Kingdom of Saudi Arabia. We do not transfer your primary data outside the GCC region without your explicit written consent.
We implement industry-standard and PDPL-required technical and organizational measures:
- AES-256 encryption for all data at rest
- TLS 1.3 for all data in transit
- Tenant data isolation: each company's data is logically (not physically) separated using company_id scoping
- Role-based access controls: employees only access data their role permits
- Private keys for our ZATCA cryptographic stamp (CSID) are stored in an encrypted vault, never in plaintext
- Automated daily backups with 30-day retention
- Annual third-party penetration testing
- SOC 2 Type II attestation in progress (target Q4 2026)
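What company_id scoping has to mean in practice, as an added example that is not Sutahi's code: the table, column names and rows below are constructed for illustration, and the company_id is assumed to come from the authenticated session, never from the request. The unscoped lookup is the pattern that turns a guessed record id into a cross-tenant read; the scoped repository adds the tenant predicate to every read and write so the same id resolves to nothing for the wrong tenant.

```python
"""Tenant isolation by company_id scoping (added example, not Sutahi's code).

In-memory SQLite with constructed rows for two hotel companies whose guest
ids are interleaved on purpose. Assumption: company_id is taken from the
authenticated session by the caller, never from user input.
"""
import sqlite3
from typing import Optional, Tuple, List

SCHEMA = """
CREATE TABLE guests (
    id         INTEGER PRIMARY KEY,
    company_id INTEGER NOT NULL,
    name       TEXT NOT NULL,
    passport   TEXT NOT NULL
);
CREATE INDEX guests_company ON guests (company_id, id);
"""

# Constructed sample rows: company 100 owns ids 1 and 3, company 200 owns id 2.
SAMPLE_ROWS = [
    (1, 100, "Amal", "A1234567"),
    (2, 200, "Bilal", "B7654321"),
    (3, 100, "Carla", "C1111111"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO guests VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_guest_unscoped(conn: sqlite3.Connection, guest_id: int) -> Optional[Tuple]:
    """Vulnerable pattern: trusts the record id alone (IDOR across tenants)."""
    return conn.execute(
        "SELECT id, company_id, name FROM guests WHERE id = ?", (guest_id,)
    ).fetchone()


class TenantScope:
    """Every query carries the session's company_id as a mandatory predicate."""

    def __init__(self, conn: sqlite3.Connection, company_id: int):
        if not isinstance(company_id, int):
            raise TypeError("company_id must be the integer from the session")
        self.conn = conn
        self.company_id = company_id

    def get_guest(self, guest_id: int) -> Optional[Tuple]:
        return self.conn.execute(
            "SELECT id, company_id, name FROM guests WHERE id = ? AND company_id = ?",
            (guest_id, self.company_id),
        ).fetchone()

    def list_guest_ids(self) -> List[int]:
        rows = self.conn.execute(
            "SELECT id FROM guests WHERE company_id = ? ORDER BY id",
            (self.company_id,),
        )
        return [r[0] for r in rows]

    def update_guest_name(self, guest_id: int, name: str) -> int:
        """Writes are scoped too; rowcount 0 means 'not yours', answer 404 not 403."""
        cur = self.conn.execute(
            "UPDATE guests SET name = ? WHERE id = ? AND company_id = ?",
            (name, guest_id, self.company_id),
        )
        return cur.rowcount


def demo() -> dict:
    """Run the scenario for company 100 trying to reach company 200's guest (id 2)."""
    conn = make_db()
    scope = TenantScope(conn, 100)
    return {
        "unscoped_leaks": get_guest_unscoped(conn, 2) is not None,
        "scoped_cross_tenant": scope.get_guest(2),
        "scoped_own_name": scope.get_guest(1)[2],
        "own_ids": scope.list_guest_ids(),
        "cross_tenant_update_rows": scope.update_guest_name(2, "renamed"),
    }


if __name__ == "__main__":
    print(demo())
```

Logical separation of this kind is only as strong as its coverage: one query path that omits the predicate (a report, an export, a background job) reopens the cross-tenant read, so the predicate belongs in a shared repository layer rather than in each handler. Returning 404 rather than 403 for a foreign record id avoids confirming that the id exists in another tenant.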
05 Your Rights Under PDPL
30-Day Response Commitment
We respond to all PDPL rights requests within 30 days. Submit requests to privacy@sutahi.com with subject line "PDPL Data Request."
Under Saudi PDPL, you have the following rights regarding your personal data:
Right to Access
Request a copy of all personal data we hold about you or your organization.
Right to Correction
Request correction of inaccurate or incomplete personal data held in our systems.
Right to Deletion
Request deletion of your personal data, subject to legal retention obligations (ZATCA: 7 years).
Right to Portability
Receive your data in a structured, machine-readable format (JSON/CSV export available from your dashboard).
Right to Object
Object to processing of your data for marketing purposes or non-essential analytics.
Right to Complain
Lodge a complaint with the competent authority under PDPL, the Saudi Data and Artificial Intelligence Authority (SDAIA), acting through its National Data Management Office (NDMO), if you believe your rights have been violated.
06 Third-Party Services
We use the following third-party services to operate our platform. Each has its own privacy policy governing its data handling:
We require all third parties to maintain appropriate data protection standards and prohibit them from using your data for their own marketing purposes.
07 Data Retention
ZATCA Records: 7-Year Retention
Invoice data is retained for a minimum of 7 years as required by Saudi tax regulations and ZATCA Phase 2 compliance rules. This includes e-invoice XML files, hash chains, and CSID signing records.
08 Children's Privacy
Sutahi is a professional B2B SaaS platform intended solely for use by hospitality businesses and their authorized personnel. Our services are not directed to individuals under 18 years of age.
We do not knowingly collect or solicit personal information from anyone under the age of 18. If we learn that personal information from a minor has been collected, we will delete that information as quickly as possible.
Please note that hotel guest data may include family members of all ages for booking purposes. This data is processed strictly on behalf of the hotel operator under their data controller obligations.
09 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of material changes through:
- Email notification to the registered account administrator
- In-app banner notification at least 14 days before the change takes effect
- Updated "Last Updated" date at the top of this page
Continued use of Sutahi after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised terms, you must discontinue use of the service.
10 Contact Us
For any privacy-related questions, PDPL rights requests, or data concerns, please contact:
Privacy Team
privacy@sutahi.com
Mailing Address
Riyadh, Kingdom of Saudi Arabia
Response Time
Within 30 days (PDPL)
Subject line for PDPL rights requests: "PDPL Data Request — [Your Company Name]". Include your company registration number and describe your request clearly.