Website Policies

Data Processing Terms.

DATA PROCESSING TERMS

Last updated May 21, 2026

These Data Processing Terms ("Terms") apply when GPR Business Services ("GPR", "we", "us", or "our") processes personal data on behalf of a customer or tenant in connection with GPR platform, execution, onboarding, communication, support, or related services.

These Terms are intended to be incorporated into the applicable customer agreement, order form, statement of work, or online terms. If a signed agreement contains different data processing terms, the signed agreement applies to the extent of the difference.

Related legal documents. These Terms should be read with our Privacy Policy, Platform Terms, Subprocessors and Transfers Notice, Data Deletion Notice, Retention Notice, and Security Incident Response Notice, where those documents apply to the relevant service or customer relationship.

  1. Roles

The customer is generally the controller of customer personal data and is responsible for determining the purposes and lawful basis of processing. GPR is generally the processor or service provider when it processes customer personal data to provide the services according to the customer's documented instructions.

GPR remains an independent controller for its own business operations, including billing, account administration, website operations, security, compliance, and relationship management.

  1. Customer instructions

GPR will process customer personal data only to provide, secure, support, maintain, and improve the services, to comply with lawful customer instructions, to meet legal obligations, and as otherwise permitted by the applicable agreement.

The customer's instructions include the agreement, service configuration, tenant settings, channel enablement, support requests, approved workflows, and other documented instructions provided through authorized customer users.

If GPR believes that an instruction cannot be performed lawfully or securely, GPR may pause the affected processing and request clarification or a corrected instruction.

  1. Customer responsibilities

The customer is responsible for:

  • providing all required notices to its users, contacts, message recipients, employees, contractors, and end users;
  • obtaining and maintaining all required consents, permissions, opt-ins, and legal bases;
  • ensuring that data submitted to the services is lawful, accurate, relevant, and limited to what is necessary;
  • ensuring that its use of messaging, voice, email, AI, and other provider services complies with applicable law and provider terms;
  • responding to data subject requests where the customer is the controller; and
  • not submitting sensitive personal data unless the applicable agreement expressly permits it and suitable safeguards are in place.
  1. Subject matter and categories of data

The services may process account data, tenant profile data, administrator and user data, customer records, end-user contact data, message and conversation content, channel identifiers, provider configuration, usage records, support records, workflow state, audit logs, billing-related records, and security records.

Data subjects may include customer administrators, customer employees and contractors, customer contacts, message recipients, leads, support contacts, and end users interacting with customer-enabled services.

  1. Processing activities

GPR may collect, receive, host, store, access, organize, validate, transmit, disclose to providers, retrieve, use, configure, secure, log, analyze for service operation, delete, return, or otherwise process customer personal data as needed to provide the services.

  1. Security measures

GPR will maintain reasonable technical and organizational measures designed to protect customer personal data. These may include authentication, authorization, tenant scoping, least-privilege access, operational logging, request ledgers, secret-reference handling for credentials where supported, confidentiality controls, provider due diligence, and incident response procedures. Security incident handling is described further in the Security Incident Response Notice.

Customer acknowledges that security measures may vary by service, provider, environment, and customer configuration.

  1. Confidentiality

GPR will require personnel and support providers who are authorized to process customer personal data to handle it confidentially and only for authorized service, support, security, maintenance, or legal purposes.

  1. Subprocessors and providers

GPR may use subprocessors and third-party providers to provide the services, including hosting, communications, WhatsApp Business Platform, voice, email, AI processing, payment, security, monitoring, support, and maintenance providers.

GPR will use reasonable diligence when engaging subprocessors and will require subprocessors that process customer personal data to protect such data under appropriate contractual obligations. Customer authorizes GPR to use subprocessors as needed to provide the services and customer-enabled provider integrations. Additional information is available in the Subprocessors and Transfers Notice.

  1. International transfers

For the Saudi-operated platform model, production platform hosting and operation are intended to be performed by GPR in Saudi Arabia where applicable. Customer acknowledges that some transfers or disclosures outside Saudi Arabia may still occur where required for customer-enabled providers, AI processing, messaging, voice, email, payment, security, monitoring, support, maintenance, or legal compliance.

Where personal data is transferred outside Saudi Arabia, GPR will use appropriate safeguards according to the nature of the transfer and applicable law. These safeguards may include data minimization, transfer records, transfer assessments, contractual restrictions, confidentiality obligations, access controls, logging, and approved transfer clauses where required. Transfer information is described further in the Subprocessors and Transfers Notice.

  1. Foreign support access

Where support, maintenance, or incident assistance is provided from outside Saudi Arabia, GPR will aim to limit access to what is necessary for the support purpose. Access may be subject to approval, authentication, confidentiality, logging, and time or scope limits. GPR will not describe foreign access as impossible unless the relevant service configuration technically prevents it.

  1. Data subject requests

GPR will provide reasonable assistance to the customer for data subject requests relating to customer personal data. Unless a self-service tool is available, assistance may be handled manually through support or privacy request workflows. Requests may be sent to contact@gpr.sa.

If a data subject contacts GPR directly about customer-controlled data, GPR may refer the request to the customer or coordinate with the customer before taking action.

  1. Deletion and return

Upon termination of the services or upon lawful customer instruction, GPR will delete or return customer personal data using available service tools or manual operational processes, subject to legal, accounting, tax, audit, security, backup, dispute, and operational retention requirements. More detail is available in the Data Deletion Notice and Retention Notice.

  1. Personal data breaches

GPR will maintain an incident response process. If GPR becomes aware of a personal data breach affecting customer personal data, GPR will notify the customer without undue delay after confirming the incident and will provide information reasonably available to GPR so the customer can meet its legal obligations.

Where GPR is the controller for affected data, GPR will assess and make required notifications to the competent authority and affected individuals according to applicable law. Additional process information is available in the Security Incident Response Notice.

  1. Audit and compliance assistance

GPR will provide reasonable information to demonstrate compliance with these Terms, subject to confidentiality, security, service integrity, and protection of other customers. Formal audits, if required, must be scoped and scheduled under the applicable customer agreement.

  1. WhatsApp and provider data restrictions

Where customer personal data is processed through WhatsApp Business Platform or another provider, GPR and the customer must use that data only for the customer-enabled service and in accordance with applicable provider terms. WhatsApp Business Platform data must not be sold, used to build or augment unrelated consumer profiles, shared for unrelated third-party use, or used for retargeting on or off WhatsApp. Platform-specific service obligations are described further in the Platform Terms.

  1. Contact

Privacy, processing, and data protection requests may be sent to contact@gpr.sa.