PRIVACY POLICY

Last updated May 21, 2026

This Privacy Policy explains how GPR Business Services ("GPR", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you visit gpr.sa, use customer and platform services made available through app.gpr.sa, communicate with us, purchase services, or use services that link to this policy.

This policy is intended to cover the full GPR service lifecycle: website visitors, prospects, customers, tenant administrators, customer users, support contacts, and, where applicable, individuals whose data is processed through customer-enabled platform services such as messaging, voice, email, AI-assisted operations, workflow automation, and channel provisioning.

Questions or requests? You may contact us at contact@gpr.sa.

Related legal documents. This policy should be read with our Data Processing Terms, Platform Terms, Subprocessors and Transfers Notice, Data Deletion Notice, Retention Notice, and Security Incident Response Notice, where those documents apply to the relevant service or customer relationship.

SUMMARY OF KEY POINTS

• We process personal data to provide our website, customer services, platform onboarding, billing, support, security, communications, and lawful business operations.
• Where GPR provides platform services for a customer or tenant, GPR may act as a processor or service provider for personal data that the customer controls, subject to applicable data processing terms.
• For the Saudi-operated platform model, production platform hosting and administration are intended to be operated by GPR in the Kingdom of Saudi Arabia. Some data may still be disclosed or transferred outside Saudi Arabia when a customer enables external providers such as WhatsApp, voice, email, AI services, support, security, or other integrated services.
• We use manual request handling where a self-service privacy control is not available. We do not claim an automated right-management or deletion portal unless such a feature is made available in the relevant service.
• We apply technical and organizational safeguards such as access controls, tenant scoping, request logging, encrypted or secret-reference based credential handling where supported by the platform, and controlled provider/support access.
• Customers using communications channels are responsible for lawful contact collection, opt-in, message content, template use, and compliance with applicable provider terms, including WhatsApp Business terms where WhatsApp is enabled.

TABLE OF CONTENTS

1. Scope of this policy
2. Our roles
3. Personal data we collect
4. How we use personal data
5. Platform, tenant, and end-user data
6. WhatsApp, messaging, voice, email, and AI providers
7. Legal bases and customer instructions
8. Sharing and subprocessors
9. International transfers
10. Cookies and analytics
11. Retention and deletion
12. Security
13. Children
14. Your privacy rights
15. Data deletion requests
16. Changes to this policy
17. Contact us

1. Scope of this policy

This policy applies to personal data processed in connection with GPR websites, forms, sales and support interactions, customer accounts, customer relationship management, payment and billing flows, service delivery, platform onboarding, tenant administration, and platform services that link to this policy.

This policy does not replace a customer contract, order form, statement of work, data processing agreement, or provider-specific terms. If a customer agreement contains more specific terms for a service, those terms apply to that service.

2. Our roles

GPR may process personal data in different roles depending on the context:

• As a controller, when we decide why and how personal data is processed for our own website, sales, billing, customer administration, marketing, security, compliance, and support operations.
• As a processor or service provider, when we process personal data on behalf of a customer or tenant through platform services, execution services, integrations, communications channels, or support workflows, subject to the customer's instructions and applicable Data Processing Terms.
• As an intermediary with providers, when a customer enables third-party services such as WhatsApp, voice, email, AI, payment, hosting, support, or security providers. Those providers may also process data under their own terms and privacy notices.

3. Personal data we collect

Information you provide to us. We may collect names, business names, job titles, email addresses, phone numbers, mailing or billing addresses, account credentials or authentication data, service requests, consultation details, customer support messages, order details, payment-related records, and other information you submit through our forms, portals, or communications.

Website and device information. When you use our website or online services, we may collect IP address, browser type, device information, operating system, language preferences, referring URLs, pages viewed, date and time stamps, approximate location derived from IP address, and other log or usage information needed for security, diagnostics, analytics, and service operation.

Customer and tenant administration data. For app.gpr.sa and related platform services, we may process tenant profile records, user and administrator accounts, workspace information, subscription or commercial lifecycle status, usage summaries, support records, configuration requests, audit events, and integration readiness information.

Platform runtime and channel data. Where a customer enables platform execution services, we may process inbound and outbound communication metadata, message or conversation content, workflow state, channel identifiers, recipient addresses, provider status records, usage events, logs, audit records, and integration configuration needed to operate the service.

Credentials and secrets. Where platform architecture supports it, secret-bearing values such as provider tokens, signing materials, API keys, and connector credentials are handled through secret storage or secret-reference mechanisms rather than being returned in ordinary service responses.

Payment data. We may collect payment-related information needed to process purchases. Payment processing may be handled by third-party payment providers such as Moyasar. Payment providers process payment information under their own terms and privacy notices.

Sensitive personal data. We do not intentionally request sensitive personal data through the public website. Platform customers must not submit sensitive personal data unless the applicable service agreement permits it and suitable safeguards are in place.

4. How we use personal data

We process personal data for the following purposes:

• to operate, secure, maintain, and improve our website and services;
• to respond to inquiries, requests, and support cases;
• to create and manage customer, tenant, and user accounts;
• to provide business services, consultations, documents, subscriptions, platform onboarding, and platform operations;
• to configure, validate, provision, operate, and support customer-enabled channels and integrations;
• to process payments, invoices, refunds, accounting, and tax records;
• to send service notices, administrative messages, and policy updates;
• to send marketing communications where permitted and subject to opt-out rights;
• to detect, prevent, investigate, and respond to security incidents, abuse, fraud, and service misuse;
• to maintain audit trails, request ledgers, logs, and operational evidence; and
• to comply with legal obligations, enforce agreements, and protect legal rights.

5. Platform, tenant, and end-user data

When a customer or tenant uses GPR platform services, the customer may provide or enable processing of personal data relating to its own administrators, employees, contractors, customers, leads, contacts, end users, message recipients, or business partners.

For such customer-controlled data, the customer is generally responsible for deciding the purpose of processing, ensuring it has a lawful basis, providing any required notices, obtaining required consents or opt-ins, honoring end-user rights, and giving lawful instructions to GPR.

GPR processes customer-controlled data to provide the service, maintain security, support the customer, execute customer-enabled workflows, maintain records required for operation, and comply with applicable law and contractual obligations.

6. WhatsApp, messaging, voice, email, and AI providers

Customers may enable third-party communication and processing providers. Depending on the services configured, this may include WhatsApp Business Platform, voice providers, email providers, AI service providers, payment providers, hosting providers, monitoring tools, security tools, or support tools.

WhatsApp and messaging. Where WhatsApp or another messaging provider is enabled, GPR may process business account identifiers, phone number identifiers, display phone numbers, channel configuration, provider status records, message metadata, message content, templates, recipient addresses, webhook events, access-token references, validation records, and audit events needed to configure and operate the channel. Meta and WhatsApp process data under their own applicable terms and policies.

GPR does not use WhatsApp Business Platform data obtained through customer-enabled WhatsApp services to sell personal data, build or augment consumer profiles unrelated to the customer-enabled messaging service, or retarget individuals on or off WhatsApp.

Voice and email. Where voice or email providers are enabled, GPR may process call, message, sender, recipient, delivery, credential-reference, validation, and provider-status information needed to operate those services.

AI-assisted services. Where AI-assisted functions are enabled, personal data may be included in prompts, outputs, classifications, summaries, extractions, or operational decisions only as needed to provide the configured service. We do not state that AI data processing is fully local or fully automated unless the relevant service configuration expressly provides that.

Customers are responsible for ensuring that their use of messaging, voice, email, AI, and similar providers complies with applicable law, provider terms, consent or opt-in requirements, prohibited-use rules, and message-content requirements. Platform-specific service obligations are described further in our Platform Terms.

7. Legal bases and customer instructions

Where GPR acts as a controller, we process personal data based on one or more applicable legal grounds, which may include performance of a contract, consent, legitimate interests where permitted by law and not overridden by individual rights, compliance with legal obligations, protection of rights and security, or other grounds permitted by applicable law.

Where GPR acts as a processor or service provider, we process personal data according to the customer's documented instructions, the applicable service agreement, data processing terms, and lawful operational requirements needed to provide and secure the services.

8. Sharing and subprocessors

We may share personal data with service providers, subprocessors, affiliates, advisors, payment processors, hosting providers, communications providers, AI providers, security and monitoring providers, support providers, government authorities, and other parties where necessary for the purposes described in this policy.

For customer-controlled platform data, GPR uses subprocessors and provider services as needed to deliver the services selected or enabled by the customer. We maintain provider and transfer information through our operational records and customer-facing notices where applicable. Additional information is available in our Subprocessors and Transfers Notice.

We may also disclose personal data if required by law, legal process, regulatory request, court order, governmental request, security investigation, enforcement of agreements, or protection of rights, safety, and service integrity.

9. International transfers

For the Saudi-operated platform model, GPR aims to operate and host production platform services in Saudi Arabia where applicable. However, personal data may be transferred or disclosed outside Saudi Arabia when necessary for customer-enabled providers, communications delivery, AI processing, voice or email services, payment processing, security, support, maintenance, legal compliance, or other services described in this policy.

Where personal data is transferred outside Saudi Arabia, we apply appropriate safeguards according to the nature of the transfer, the role of the recipient, the sensitivity of the data, the customer's instructions, and applicable legal requirements. These safeguards may include contractual controls, data minimization, access restrictions, transfer assessments, provider due diligence, confidentiality obligations, audit logs, and approved transfer clauses where required.

Foreign support access, where needed, is intended to be controlled, limited to the support purpose, and subject to approval, confidentiality, access control, and logging. We do not describe foreign support access as impossible unless the relevant service configuration technically prevents it. Additional transfer-related information is available in our Subprocessors and Transfers Notice.

10. Cookies and analytics

We may use cookies, pixels, and similar technologies to operate the website, keep sessions secure, remember preferences, measure performance, understand traffic, and improve services. Some analytics or advertising tools may be provided by third parties and may process data under their own notices.

You can usually control cookies through your browser settings. If you disable cookies, some website or service functions may not operate correctly.

11. Retention and deletion

We retain personal data for as long as needed for the purposes described in this policy, including service delivery, customer administration, legal compliance, accounting, tax, security, fraud prevention, dispute resolution, audit, backup, and operational continuity.

Where a customer agreement, data processing terms, applicable retention rule, or lawful instruction requires deletion or return of customer-controlled data, we will handle the request manually or through available service tools. Some records may be retained where required or permitted by law, security, audit, fraud prevention, accounting, dispute resolution, or backup processes. More detail is available in our Retention Notice and Data Deletion Notice.

12. Security

We use reasonable technical and organizational measures designed to protect personal data. These may include access controls, authentication, authorization, tenant scoping, logging, encryption or protected secret storage where supported, provider due diligence, confidentiality obligations, and internal procedures for security and incident response. Security incident handling is described further in our Security Incident Response Notice.

No electronic transmission, storage system, or online service can be guaranteed to be fully secure. You should use our services only through secure devices, networks, and authorized accounts.

13. Children

Our services are intended for business use and are not directed to children. We do not knowingly collect personal data from children through the public website. Customers must not use platform services to intentionally collect children's data unless their agreement with GPR permits that use and all required legal safeguards are in place.

14. Your privacy rights

Depending on applicable law and the context of processing, you may have rights to request information about processing, access your personal data, correct inaccurate data, request deletion or destruction, withdraw consent where processing is based on consent, object or restrict certain processing, and submit a complaint to the competent authority.

If your data is processed by GPR on behalf of a customer or tenant, we may need to refer your request to that customer or coordinate with that customer before acting, because the customer may be the controller of that data.

To exercise privacy rights, contact us at contact@gpr.sa. We may need to verify your identity and the context of your request before responding.

15. Data deletion requests

You may request review, correction, deletion, or account closure by contacting contact@gpr.sa. We handle deletion requests manually or through available service tools. We may retain limited records where required or permitted for legal, tax, accounting, audit, security, fraud prevention, dispute resolution, backup, or service integrity purposes. Additional request handling information is available in our Data Deletion Notice.

If you are an end user of one of our customers, please also contact the business or tenant that collected your data, because that customer may control the purpose and handling of your data.

16. Changes to this policy

We may update this policy from time to time. The updated version will be indicated by an updated date at the top of this page. If we make material changes, we may provide notice through the website, customer portal, direct communication, or another appropriate method.

17. Contact us

If you have questions, requests, or complaints about this policy or our processing of personal data, contact us at:

GPR Business Services
Email: contact@gpr.sa
Riyadh, Kingdom of Saudi Arabia