Who's responsible
The data controller is Much Information Technology, Saudi CR 7038460742. We're the legal entity that decides why and how your data is processed when you use Fahras.
This policy explains what personal data we collect, why, how long we keep it, and the rights you have over it. It's written in plain language. Anywhere we use a specialist term, we explain it.
Last updated: May 2026
The data controller is Much Information Technology, Saudi CR 7038460742. We're the legal entity that decides why and how your data is processed when you use Fahras.
Account data — name, email, phone number, locale preference; required to give you an account and send transactional messages (sign-in links, receipts, RFQ replies). Company data — anything you publish about your listed company: legal name, CR number, addresses, photos, descriptions, products, offers, jobs. This is public by design. Verification documents — CR certificate, VAT certificate, owner ID. Stored in a private bucket. Only the admin moderation team can read them, only at review time, only through short-lived signed URLs. Never published. Activity data — pages you view, searches you run, RFQs you post, offers you claim. Used to power analytics dashboards (the publisher's own) and to deliver alerts you've opted into. Device + network data — IP address, browser fingerprint, locale. Used for anti-abuse (rate limiting, fraud detection) and for the audit trail behind any reported incident.
• To run the directory: render your listings, deliver search results, route RFQ replies. • To bill you: process payments via our payment processor (Tap Payments). • To send transactional emails: sign-in links, receipts, verification approvals, supplier replies. • To send opt-in newsletters and alerts you've explicitly subscribed to. Always with an unsubscribe link. • To investigate abuse and comply with legal obligations in Saudi Arabia.
Saudi Arabia's Personal Data Protection Law (PDPL) gives you the right to: • Access the personal data we hold about you. • Correct anything that's wrong. • Delete your account and the personal data tied to it (some operational records — payment receipts, abuse reports — must be retained under Saudi law for the legally mandated period). • Withdraw consent for non-essential processing (newsletters, alerts) at any time. Email privacy@fahras.info to exercise any of these. We respond within 30 days.
• Active accounts — for as long as the account is open. • Deleted accounts — purged within 30 days, except for billing records (retained as required by Saudi tax law) and abuse-investigation records (retained for 1 year). • Email logs — 90 days of delivery + open + click events for deliverability diagnostics, then purged. • Verification documents — retained while the company is verified; purged within 30 days of the company being closed or the verification being revoked.
Sensitive credentials (payment tokens, third-party API keys) are encrypted at rest with AES-256-CBC. Passwords are not stored — we use email-link sign-in and SMS OTP, so there's no password database to leak. Sessions use signed, short-lived tokens. Verification documents and admin-uploaded files live in a private bucket reachable only through short-lived signed URLs.
Privacy questions: privacy@fahras.info General support: support@fahras.info Legal entity: Much Information Technology, CR 7038460742, Saudi Arabia.