Privacy Policy

1. Introduction

TaskyInn is a cloud-based Software-as-a-Service (SaaS) property management system designed for hotels, serviced apartments, and residential accommodation units in the Kingdom of Saudi Arabia and beyond. The Service covers operational tasks including reservations, front desk, housekeeping, financial management, guest registration, reporting, and related hospitality functions.

This Privacy Policy applies to all users of the Service, including property administrators, staff members, and any person whose personal data is processed through the platform. By using TaskyInn, you acknowledge and agree to the practices described in this policy.

This Privacy Policy should be read in conjunction with our Terms & Conditions, which govern your use of the Service.

2. Data Controller & Data Processor

2.1 Our Role

Under the Saudi PDPL, the Customer (the hotel or property subscribing to TaskyInn) is the "Data Controller" — the entity that determines the purposes and means of processing personal data. Alrabt Aldhaki Company for Information Technology acts as the "Data Processor" — processing personal data on behalf of and according to the instructions of the Data Controller.

2.2 Controller Responsibilities

As Data Controller, you are responsible for ensuring that all personal data processed through the Service has been collected lawfully, that appropriate consents have been obtained where required, and that the processing complies with the PDPL and its implementing regulations.

2.3 Processor Obligations

As Data Processor, we shall: (a) process personal data only in accordance with your documented instructions; (b) implement appropriate technical and organizational security measures; (c) assist you in fulfilling data subject rights requests; (d) notify you of any data breach without undue delay; and (e) delete or return personal data upon termination of the Service, subject to legal retention requirements.

3. Information We Collect

3.1 Information You Provide

3.2 Information Collected Automatically

4. Legal Basis for Processing

In accordance with the Saudi PDPL (Articles 5-10), we process personal data based on the following legal grounds:

5. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: Providing, operating, maintaining, and improving the TaskyInn platform and all its features.
• Account Management: Creating and managing your account, processing subscriptions, and handling billing.
• Customer Support: Responding to your inquiries, troubleshooting issues, and providing technical assistance.
• Regulatory Compliance: Generating ZATCA-compliant e-invoices, facilitating Shomoos guest registration, and meeting tax reporting obligations.
• Security: Detecting, preventing, and addressing fraud, unauthorized access, and security threats.
• Analytics & Improvement: Analyzing usage patterns to improve the Service, develop new features, and optimize performance.
• Communications: Sending transactional notifications (invoices, alerts, system updates) and, with your consent, marketing communications about new features or services.
• Legal Compliance: Fulfilling our obligations under applicable laws and responding to lawful government requests.

6. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We may share your information only in the following circumstances:

6.1 Service Providers

We engage trusted third-party service providers who assist us in operating the Service, including cloud hosting providers, payment processors, email delivery services, and analytics tools. These providers are contractually bound to process data only as instructed by us and to maintain appropriate security measures.

6.2 Government Authorities

We may disclose information to Saudi government authorities when required by law, including to ZATCA for e-invoicing compliance, the Ministry of Interior (Shomoos) for guest registration, and law enforcement agencies pursuant to valid legal process.

6.3 Legal Requirements

We may disclose information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law or legal process; (b) protect and defend our rights or property; (c) prevent fraud or abuse; or (d) protect the safety of our users or the public.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

7. Data Storage & Security

7.1 Data Location

Your data is stored and processed on secure servers. We prioritize data residency in compliance with the PDPL and Saudi regulatory requirements. Where data processing occurs outside the Kingdom, we ensure adequate safeguards are in place as required under Article 29 of the PDPL.

7.2 Security Measures

We implement comprehensive security measures including:

• Encryption: All data in transit is encrypted using TLS/SSL protocols. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
• Access Controls: Role-based access control (RBAC) ensures users access only the data necessary for their role. Multi-tenant data isolation prevents cross-tenant data access.
• Authentication: Secure authentication mechanisms with password hashing and session management.
• Monitoring: Continuous monitoring and logging of system activities, with automated alerts for suspicious behavior.
• Backups: Daily automated backups with encrypted storage to ensure data recovery capability.
• Security Reviews: Periodic security assessments and vulnerability scans.

7.3 Your Security Responsibilities

You are responsible for maintaining the security of your account credentials, managing user access within your organization, and ensuring that devices used to access the Service meet reasonable security standards.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:

Upon termination of your subscription, we will retain your data for thirty (30) days to facilitate export. After this period, data will be securely deleted unless retention is required by law.

9. Your Rights Under the PDPL

Under the Saudi Personal Data Protection Law, you have the following rights regarding your personal data:

To exercise any of these rights, please contact us at privacy@taskyinn.com. We will respond to your request within thirty (30) days.

10. Cookies & Tracking Technologies

10.1 Types of Cookies We Use

10.2 Cookie Management

You can control cookies through your browser settings. Please note that disabling essential cookies may prevent you from using certain features of the Service. We do not use advertising or third-party tracking cookies on the TaskyInn platform.

10.3 Session Management

We use session tokens for authentication purposes. These tokens do not contain personal data about you or your organization and expire automatically after the session ends or after a period of inactivity.

11. Payment & Credit Card Data

We take the security of payment information extremely seriously:

• No Card Storage: We do not store credit card numbers, CVV codes, or other sensitive payment card data in our databases or systems.
• PCI Compliance: All payment processing is handled by PCI DSS-compliant third-party payment processors. Payment data is transmitted directly to the payment processor using SSL/TLS encryption.
• Tokenization: Where recurring payments are enabled, payment processors store card data and provide us with secure tokens only. We cannot access the underlying card details.
• Guest Payment Data: Credit card information entered by your property for guest reservations is encrypted and handled in accordance with PCI DSS standards. We do not access or use this data for any purpose other than facilitating the specific transaction.

12. Cross-Border Data Transfers

In accordance with Article 29 of the PDPL, we may transfer personal data outside the Kingdom of Saudi Arabia only when:

• The transfer is necessary for the performance of the Service agreement;
• Adequate data protection safeguards exist in the recipient country or organization;
• The transfer complies with SDAIA-approved mechanisms and guidelines; or
• You have provided explicit consent to the transfer.

We implement appropriate contractual and technical safeguards to ensure that personal data transferred outside the Kingdom receives a level of protection substantially equivalent to that provided under the PDPL.

13. Data Breach Notification

In the event of a personal data breach that may result in significant harm to data subjects:

• We will notify you (the Data Controller) within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 20 of the PDPL.
• The notification will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.
• We will assist you in notifying the Saudi Data & Artificial Intelligence Authority (SDAIA) and affected individuals as required by law.
• We will cooperate fully in the investigation and remediation of the breach and take all necessary steps to mitigate its impact.

We maintain an incident response plan and regularly test our breach detection and notification procedures to ensure timely and effective response.

14. Children's Privacy

The TaskyInn platform is a business-to-business service designed for use by hospitality professionals. We do not knowingly allow registration or direct use of the Service by individuals under the age of 18.

If we become aware that personal data of a minor has been collected through our Service without proper parental or guardian consent, we will take immediate steps to delete that information. If you believe that a minor's personal data has been processed through our platform, please contact us at privacy@taskyinn.com.

15. Third-Party Links & Integrations

The Service may contain links to third-party websites or integrate with third-party services (such as online travel agencies, payment gateways, or government platforms). This Privacy Policy applies only to the TaskyInn platform. We are not responsible for the privacy practices of third-party websites or services.

We encourage you to review the privacy policies of any third-party services you interact with through our platform. Your use of third-party integrations is governed by those services' own terms and privacy policies.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will post the revised policy on our website with an updated "Last updated" date.
• We will notify you via email or through the Service at least thirty (30) days before the changes take effect.
• We will clearly highlight what has changed for your convenience.

Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the revised policy. If you do not agree with the changes, you should discontinue use of the Service.

17. Contact & Complaints

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or want to file a complaint about our data processing practices, please contact us:

If you are unsatisfied with our response, you have the right to lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.