1. Who We Are
Saheeh POS ("Saheeh", "we", "us", "our") is a restaurant point-of-sale platform operated by Black Layers Corp, a corporation registered in Alberta, Canada.
Data Controller: Black Layers Corp, Calgary, Alberta, Canada
Contact: bl@blacklayers.ca
WhatsApp: +1 (587) 429-6200
2. What Data We Collect
We collect the minimum data needed to operate the service and remain ZATCA-compliant on your behalf.
Account & Business Data
- Business name, commercial registration (CR) number, VAT registration number
- Owner / authorized user name, email, phone (WhatsApp)
- Business address (required for ZATCA invoicing)
- Branch locations and configuration
Transactional Data
- Sales invoices (UBL 2.1 XML, mandated by ZATCA)
- Item-level sales, quantities, prices, VAT amounts
- Payment method (cash, Mada, etc.) — but NOT full card numbers (handled by PCI-compliant processors)
- Cryptographic invoice hash + digital signature (ZATCA Phase 2 requirement)
Customer Data (if you use the Saheeh Order app)
- Customer name, phone, delivery address (only what's needed to fulfill orders)
- Order history
- Customer feedback / ratings
Technical Data
- IP address, device type, browser, operating system
- Login timestamps
- Error logs (anonymized where possible)
- Cookies (see Section 9)
Marketing & Communications Data
- If you contact us via WhatsApp, email, or our website: name, contact info, message content
- If you download our lead magnets (e.g. ZATCA checklist): email address
3. How We Use Your Data
- Service delivery: running your POS, generating ZATCA-compliant invoices, syncing to the ZATCA Fatoora portal
- Legal compliance: meeting ZATCA Phase 2 requirements (mandatory invoice reporting, hash chains, signatures)
- Customer support: responding to your WhatsApp / email questions
- Service improvement: analyzing aggregated, anonymized usage to improve features
- Marketing (with consent): sending you updates about Saheeh — you can opt out at any time
- Security: detecting fraud, abuse, and unauthorized access
4. Who We Share Data With
We share data only with the following categories of recipients, and only as needed:
- ZATCA (Zakat, Tax and Customs Authority): all e-invoices, as legally mandated by Saudi law
- Cloud infrastructure: AWS (Bahrain region — me-south-1) for hosting; Google Cloud for analytics
- Payment processors: Moyasar, HyperPay, Tap, Stripe — only when you choose to integrate
- Delivery platforms: Talabat, Jahez, HungerStation, Keeta — only when you connect these
- Communication tools: Meta (WhatsApp Business), email providers
- Legal authorities: when required by law, court order, or to prevent illegal activity
We never sell your data to advertisers or data brokers.
5. Where We Store Data
For Saudi customers, all production data (invoices, customer records, transaction history) is stored on AWS Bahrain (me-south-1) in compliance with Saudi PDPL data residency requirements.
Backup and operational metadata may be stored in encrypted form in Canada (where Black Layers Corp is registered) and in other AWS regions for disaster recovery.
6. How Long We Keep Data
- Invoices & tax records: minimum 6 years (Saudi tax law) or as required by ZATCA, whichever is longer
- Account data: as long as your account is active, plus 24 months after closure
- Customer order data (Saheeh Order): 24 months unless you delete sooner
- Marketing data: until you unsubscribe
- Technical logs: 90 days
7. Your Rights
Under Saudi PDPL, GDPR (if applicable), and Canadian PIPEDA, you have the right to:
- Access: request a copy of all data we hold about you
- Correction: ask us to fix inaccurate data
- Deletion: ask us to delete your data (subject to legal retention requirements — see Section 6)
- Portability: get your data in a machine-readable format
- Objection: object to processing for marketing
- Withdraw consent: at any time, where consent was the basis for processing
- Lodge a complaint: with the Saudi Data & Artificial Intelligence Authority (SDAIA) or your local data protection authority
To exercise any of these rights, see our Data Deletion page or email bl@blacklayers.ca. We respond within 30 days.
8. Security Measures
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Multi-factor authentication for admin access
- Role-based access control (RBAC)
- Regular security audits and penetration testing
- Encrypted backups stored separately from production
- Incident response plan — breach notifications within 72 hours, as required
9. Cookies & Tracking
We use cookies and similar technologies for:
- Essential cookies: required for login and security (cannot be disabled)
- Analytics: Google Analytics 4 (anonymized IPs)
- Marketing (with consent): Meta Pixel for ad measurement (you can opt out)
You can control cookies in your browser settings. Note: disabling essential cookies will prevent you from using the service.
10. Children's Privacy
Saheeh is a B2B product for restaurants. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-product notification at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent version.
12. Contact Us
Data Protection Inquiries
Black Layers Corp (parent company of Saheeh POS)
Email: bl@blacklayers.ca
WhatsApp: +1 (587) 429-6200
Website: blacklayers.ca
For ZATCA-related questions, visit zatca.gov.sa.