1. Who We Are
The Najed AI platform at najed.ai, including Daleel and all other agents listed on the platform, is operated by Communicare OÜ, an Estonian private limited company (Estonian Business Register code 16013306). Communicare OÜ is the data controller for personal data processed through the Najed AI platform.
For questions about this policy, contact us at: privacy@najed.ai
2. Scope
This policy applies to all personal data we collect when you:
- Visit najed.ai or any subdomain
- Create an account or use Daleel
- Interact with our AI agents
- Make a payment for a report or service
- Contact us by any means
If you use our platform on behalf of a company, you confirm that you are authorized to accept this policy on behalf of that company, and "you" refers to that company.
3. What Data We Collect
3.1 Account Data
When you register, we collect your work email address and the date of registration. We do not accept personal email addresses (Gmail, Hotmail, Yahoo, etc.) — this is enforced at the point of registration.
3.2 Company Profile Data
Daleel collects structured information about your business during the intake flow. This includes:
- Business sector and primary activity
- Company type (e.g., foreign branch, LLC, representative office)
- Home country of the parent entity
- Target region within Saudi Arabia
- Planned headcount
- Any additional detail you provide in free-text answers
This profile is stored and reused across sessions so you do not need to re-enter it. You can request deletion at any time (see Section 8).
3.3 Conversation Data
We store the full conversation history between you and our agents. This includes your questions, the agent's responses, and any structured data exchanged during the session. Conversations are linked to your account.
3.4 Usage Data
We collect standard technical data: IP address, browser type and version, pages visited, time on page, referring URL, and error logs. This data is used for platform stability and security. We do not build advertising profiles.
3.5 Payment Data
When you purchase a report, payment is processed by a third-party payment processor (Stripe, Inc.). We do not store your card number, CVV, or full card details. We retain a transaction record including the amount paid, currency, timestamp, the product purchased, and the processor's payment ID.
3.6 Communications
If you contact us by email or through a contact form, we retain that correspondence.
4. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Daleel service (generating reports, running agent sessions) | Performance of contract |
| Storing your company profile so you don't repeat intake | Performance of contract |
| Processing payments and issuing invoices | Performance of contract, legal obligation |
| Security monitoring and fraud prevention | Legitimate interests |
| Platform analytics and service improvement | Legitimate interests |
| Sending transactional emails (report ready, payment confirmation) | Performance of contract |
| Complying with legal obligations | Legal obligation |
We do not use your data for advertising, do not sell your data, and do not use it to train AI models.
5. AI Processing and Third-Party Subprocessors
Daleel is powered by large language models. When you use Daleel, your inputs — including your company profile and conversation messages — are sent to the following subprocessors:
| Subprocessor | Role | Location | Data Protection |
|---|---|---|---|
| Anthropic, Inc. | AI inference (Claude models) | USA | Standard Contractual Clauses, Anthropic Privacy Policy |
| Supabase, Inc. | Database and authentication | USA (AWS us-east-1) | Standard Contractual Clauses, Supabase DPA |
| Vercel, Inc. | Hosting and CDN | USA | Standard Contractual Clauses, Vercel DPA |
| Stripe, Inc. | Payment processing | USA | Standard Contractual Clauses, Stripe Privacy Policy |
Anthropic data usage: We use Anthropic's API under a commercial agreement. Anthropic does not use API inputs to train its models. Prompts sent to the API may be logged by Anthropic for up to 30 days for safety and abuse monitoring under their usage policies.
6. Data Transfers
Communicare OÜ is established in Estonia (European Economic Area). Your data may be transferred to and processed in the United States by the subprocessors listed above. All such transfers are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission, providing an equivalent level of protection to EEA data protection law.
If you are located in or entering Saudi Arabia, note that Saudi Arabia's Personal Data Protection Law (PDPL) also applies to your data. We process Saudi-origin business data solely for the purpose of providing compliance intelligence services. We do not share that data with Saudi government agencies or third parties except as required by applicable law.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account + 30 days |
| Company profile | Until you delete your account + 30 days |
| Conversation history | 24 months from the last session, then deleted |
| Usage / technical logs | 90 days |
| Payment records | 7 years (legal/tax obligation) |
| Support correspondence | 3 years from last contact |
After the retention period, data is either deleted or irreversibly anonymized.
8. Your Rights
If you are in the EEA, UK, or a jurisdiction with equivalent data protection law, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Portability — receive your data in a structured, machine-readable format
- Restriction — ask us to restrict processing while a dispute is resolved
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is consent-based, withdraw at any time
To exercise any right, email privacy@najed.ai with subject line "Data Request". We will respond within 30 days. We may ask you to verify your identity before acting on the request.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee, or with the supervisory authority in your country of residence.
9. Cookies
| Cookie | Purpose | Type |
|---|---|---|
| Session token | Keeps you logged in | Strictly necessary |
| CSRF token | Protects form submissions | Strictly necessary |
| Analytics (anonymous) | Page view counts, no personal ID | Analytical (opt-out available) |
We do not use advertising or tracking cookies. You can disable analytical cookies in your browser settings or via our cookie preferences banner.
10. Children
Najed AI is a B2B service for business professionals. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has created an account, contact us at privacy@najed.ai and we will delete it promptly.
11. Security
We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security on all database tables
- Access controls limiting employee access to production data
- Regular security reviews
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to security@najed.ai.
12. Changes to This Policy
We will notify you of material changes by email (to your registered address) or by a prominent notice on the platform at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent version. Continued use of the platform after the effective date constitutes acceptance of the revised policy.
13. Contact
Communicare OÜ
Estonian Business Register code: 16013306
Estonia
Email: privacy@najed.ai