Privacy Policy
Sanad HR is a human-resources management platform operated by Mawarid Manpower Company (listed on Saudi Tadawul under ticker 1833), with offices in Riyadh, Saudi Arabia. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Sanad HR web application at hrartsa.com and the Sanad HR mobile application (collectively, the "Service").
Sanad HR is a Software-as-a-Service product. Your employer (a Customer of Mawarid Manpower) provides your data to us so that we can deliver HR services on their behalf. For most personal data, your employer is the Data Controller and Sanad HR is the Data Processor. We comply with the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations.
1. Data we collect
| Category | Examples | Source |
|---|---|---|
| Identity | Full name, employee number, national ID / iqama, passport, date of birth, gender, nationality, photo | Your employer |
| Contact | Mobile number, email, address | Your employer / you |
| Employment | Job title, department, contract, joining date, work schedule | Your employer |
| Financial | Salary, allowances, deductions, bank/IBAN, payslip history | Your employer |
| Attendance | Clock-in / clock-out times, geolocation at clock events | Mobile app on your device |
| Requests | Vacation, loan, overtime requests and any attachments you upload | You |
| Device | Push notification token, app version, OS version, crash diagnostics | Mobile app on your device |
| Authentication | One-time codes (OTP) sent to your mobile | You |
2. How we use your data
- To provide HR services to you and your employer (attendance tracking, payroll, leave, KPIs, official documents).
- To verify your identity and prevent unauthorized access.
- To comply with Saudi labour and tax laws (GOSI, Mudad/WPS, Qiwa, Muqeem).
- To respond to support requests.
- To improve the Service (aggregated, non-identifying analytics only).
We do not sell your data, share it with advertisers, or use it for cross-app tracking. We do not engage in profiling that produces legal effects.
3. Legal basis for processing (PDPL Art. 6)
- Performance of contract — your employment contract with your employer.
- Legal obligation — payroll, social insurance, residency, and tax reporting required by Saudi law.
- Legitimate interest — securing the Service against unauthorized access.
- Consent — for device location and biometric face verification at clock-in. You may withdraw consent at any time in the app settings.
4. Location and biometric data
The Sanad HR mobile app requests access to your device location only when you tap "Clock In" or "Clock Out" to verify you are physically at your employer's worksite (geofencing). We do not track your location continuously and we do not access your location when the app is closed.
If your employer enables face verification, your device may capture a photo at clock-in. The photo is processed on the device or transmitted securely to verify your identity for that specific clock event. We do not build a permanent biometric template for advertising or any other purpose.
5. Sharing your data
We share data only with:
- Your employer — full access to their employees' HR data as Data Controller.
- Saudi government systems — GOSI, Qiwa, Mudad, Muqeem, Absher, ZATCA — only the specific data required by law.
- Sub-processors — cloud hosting (Oracle Cloud, Riyadh region), SMS gateway providers, payment processors. All bound by written contracts with PDPL-equivalent obligations.
- Authorities — when required by a valid legal order from a Saudi court or competent authority.
6. Data location and transfers
Your data is hosted in Saudi Arabia (Oracle Cloud Riyadh region) by default. Cross-border transfer is performed only when strictly necessary (for example, push notification dispatch via Apple Push Notification service or Google Firebase Cloud Messaging) under the safeguards permitted by PDPL Art. 29.
7. Retention
| Data | Retention |
|---|---|
| Active employee records | For the duration of your employment |
| Payroll, attendance, leave history | 10 years after end of service (Saudi labour law) |
| Push notification tokens | Until the device unregisters or 90 days idle |
| OTP codes | 10 minutes |
| Crash diagnostics | 180 days |
| Account deletion log | Permanent (legal requirement) |
8. Your rights under PDPL
- Access — request a copy of the data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your data (subject to legal retention).
- Withdraw consent — for location, biometrics, or marketing.
- Object — to processing for direct marketing (we do not engage in this).
- Lodge a complaint — with the Saudi Data & AI Authority (SDAIA).
Delete your account from the mobile app
Open Sanad HR → My Profile → Delete account. Your personal identifiers are removed within 30 days, except for records we are legally required to retain (payroll, attendance history), which are anonymized and retained for the statutory period.
9. Security
We use HTTPS/TLS 1.2+ for all communications, encrypt sensitive data at rest, restrict access by role, run regular security audits, and maintain ISO 27001 and ISO 9001 certifications for the parent organization.
10. Children
Sanad HR is an employment tool. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy. Material changes will be notified in the app and at hrartsa.com at least 30 days before they take effect.
12. Contact
For privacy questions, data access requests, or to lodge a complaint:
- Email: privacy@hrartsa.com
- Phone: +966 53 728 8731
- Postal: Mawarid Manpower Company, Riyadh, Kingdom of Saudi Arabia
- Regulator: Saudi Data & AI Authority — sdaia.gov.sa