Privacy Policy

This Privacy Policy explains how QistasChain ("QistasChain", "we", "us", "our") collects, uses, discloses, and protects personal data when you access or use our websites, applications, and related services (collectively, the "Services").

We are committed to processing personal data responsibly and transparently, including in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations, and where applicable, other laws such as the EU General Data Protection Regulation (GDPR).

1) Who we are (Controller)

QistasChain is the controller responsible for personal data processed through the Services, unless we clearly state otherwise.

2) Personal data we collect

We may collect the following categories of personal data (depending on how you use the Services):

A. Data you provide

• Identity and contact details (e.g., full name, email, phone number, country, address)
• Account and profile information (e.g., user identifiers, preferences)
• Verification and compliance data (e.g., KYC/KYB information, identity documents where applicable)
• Communications (messages, support requests, feedback)

B. Data collected automatically

• Device and usage data (IP address, user-agent, device identifiers, pages viewed, timestamps, clickstream)
• Cookies and similar technologies (see Section 10)

C. Data from third parties

• Identity/verification providers, fraud-prevention and screening providers (where used)
• Business partners and integrations you choose to connect (e.g., evidence or operational data sources)

Sensitive personal data: If we ever need to process sensitive personal data (as defined by applicable law), we will apply enhanced protections and obtain any required consents or other lawful basis.

3) Why we process personal data (purposes)

We process personal data for purposes such as:

• Providing the Services (account creation, authentication, platform access, user requests)
• Compliance and due diligence (KYC/KYB workflows where applicable, audit trails, evidence preservation)
• Security and fraud prevention (monitoring, abuse prevention, incident detection)
• Operations and performance (analytics, debugging, service improvement)
• Communications (service notices, support responses)
• Legal obligations and dispute handling (complaints, claims, enforcement of terms)
• Marketing (where permitted and with required choices/consent)

4) Lawful basis for processing

Where required by applicable law, we rely on one or more lawful bases, including:

• Performance of a contract (to provide the Services you request)
• Compliance with legal obligations (e.g., regulatory, recordkeeping, lawful requests)
• Legitimate interests (e.g., securing the Services, preventing fraud, improving reliability—balanced against your rights)
• Consent (e.g., optional marketing, certain cookies; and any other processing where consent is required)

5) How we share personal data

We may share personal data only as needed for the purposes above, including with:

• Service providers / processors (hosting, analytics, security, verification, communications) under contractual controls
• Professional advisors (legal, compliance, auditors) where necessary
• Authorities where we have a lawful obligation to disclose
• Business transfers (merger, acquisition, reorganization), with appropriate safeguards

We do not sell personal data.

6) Cross-border transfers (especially for Saudi Arabia)

If personal data is transferred outside Saudi Arabia, we will do so in accordance with PDPL and applicable transfer regulations, using appropriate safeguards and assessments for the destination and transfer context.

7) Data retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, including to meet legal, regulatory, security, and audit requirements. Retention periods may vary by data type and context (e.g., compliance records may be retained longer than basic contact details).

8) Security

We implement administrative, technical, and organizational security measures designed to protect personal data, including access controls, logging, encryption where appropriate, and environment segregation. No system is 100% secure; however, we work to prevent unauthorized access, alteration, disclosure, or destruction.

If a personal data breach occurs, we will evaluate it and take steps consistent with applicable law and regulator guidance, including notification where required.

9) Your rights

Depending on your jurisdiction (including Saudi Arabia), you may have rights such as:

• Right to be informed about processing (this Policy)
• Access to your personal data
• Correction of inaccurate data
• Deletion in certain circumstances
• Restriction / objection in certain circumstances
• Withdraw consent (where processing is based on consent)
• Complaint to a competent authority (where applicable)

To exercise rights, contact us at tayel@qistaschain.com. We may need to verify your identity before fulfilling requests.

10) Cookies and similar technologies

We use cookies and similar technologies to:

• Keep the Services functional (essential cookies)
• Improve performance and security
• Understand usage (analytics) and, where applicable, support marketing preferences

You can control cookies through your browser settings and, where offered, on-site cookie controls. Where consent is required, we will request it before placing non-essential cookies.

11) Children

The Services are not intended for children. If you believe a child has provided us personal data, contact us and we will take appropriate steps.

12) Third-party links

The Services may contain links to third-party sites. We are not responsible for their privacy practices. Review their policies before providing data.

13) Changes to this Policy

We may update this Policy to reflect changes in our practices or legal requirements. We will update the "Last updated" date and, where appropriate, provide additional notice.

14) Contact

For privacy questions or requests: