Legal
Privacy Policy
Effective 14 July 2026 · Applies to the SaiBrief private beta
This policy describes, in plain language, what data SaiBrief actually collects and what actually happens to it. It is written specifically for the current private beta — when the product changes, this page changes. SaiBrief is operated by a Riyadh-led founding team; a Saudi-incorporated contracting entity is planned before general availability. This policy will be reviewed by counsel before GA; until then it is our honest, maintained statement of practice.
What we collect
Account data. Your email address, used for magic-link sign-in via Supabase Auth. We never see or store a password, because there are none.
Documents and briefs. Files you upload (PDF, Word, PowerPoint, text), the text extracted from them, and the executive briefs generated from that text — including every saved brief version. These are stored in your workspace until you delete them.
Contact requests. If you submit the early-access form: your name, organisation, email, role, request type, and message.
Technical data. Application error reports (error message and the page where it occurred) are captured by our hosting platform's telemetry to help us fix failures. We do not run advertising trackers or analytics pixels. We use browser localStorage for your session and interface preferences (such as text direction).
Where it lives
Documents, briefs, account data, and contact requests are stored with Supabase (database, authentication, and private file storage) in the Singapore region (ap-southeast-1). The application itself is served from managed infrastructure outside Saudi Arabia. In-Kingdom hosting is on our roadmap and is not in place today — please do not place regulated or classified data in the beta.
AI processing
When you generate a brief, the document's extracted text is sent to Google Gemini via the Lovable AI Gateway solely to produce the brief you requested. Per the gateway's processor terms, your content is not used to train models. We do not use your content to train anything ourselves. The full sub-processor list is maintained on our Trust Center.
Retention and deletion
Your documents and briefs are retained until you delete them. Deleting a document permanently and immediately removes the stored file, the document record, and every brief and brief version generated from it — there is no recycle bin and no soft delete. Automatic retention windows are planned for GA but do not exist yet.
To delete your entire account and workspace, contact us via the request form; during the beta this is handled manually, and we will confirm by email when complete.
Your rights
We aim to honour the data-subject rights in Saudi Arabia's Personal Data Protection Law (PDPL) — access, correction, deletion, and portability — for every user, Saudi or not. During the beta these requests are handled manually via the request form. A formal in-app workflow with response-time commitments is planned for GA. We are not PDPL-certified and do not claim certified alignment; our current posture and roadmap are published on the Compliance page.
What we do not do
We do not sell your data. We do not use your documents for advertising or model training. We do not share your data with anyone beyond the sub-processors listed on the Trust Center, and we add nothing to that list without updating it.
Security
Traffic is encrypted in transit (HTTPS/TLS). Workspace data is logically isolated per organisation using Postgres row-level security. At-rest encryption beyond our providers' defaults, server-side audit logging, and independent certifications are on the roadmap and are not in place during the beta — the honest, current list is on the Trust Center.
Changes and contact
We will update this page when practice changes, and material changes will be flagged to active beta users by email. Questions, complaints, or rights requests: use the request form (a dedicated, monitored privacy mailbox will be published here once provisioned).