Privacy Policy

SOM3A is operated from the Kingdom of Saudi Arabia and is the data controller for the data described below. Contact us at support@som3a.tech for any privacy matter, including data-subject-rights requests.

Merchant account data: details about your store team and your platform connection, such as name, business email, mobile, store identifier, the access tokens used to call your e-commerce platform on your behalf, and activity logs. End-customer data from your platform: for each order on a connected store we receive the customer's contact details and the order's contents, status, and totals, and we derive behaviour signals used to compute a risk score. We do not collect payment card numbers, government IDs, or biometric data.

We use personal data to operate SOM3A for the connected merchant, compute a risk score that helps merchants decide whether to accept, hold, or refuse an order, share aggregated trust signals across the merchant network, manage billing and subscriptions through your e-commerce platform, send service notifications, and prevent fraud and abuse. Our lawful bases under PDPL are the merchant's legitimate interest in protecting their business, the contract formed when you sign in, and consent where required.

To recognise the same customer across the network, we match on one-way hashed phone and email values. Raw contact details stay with the merchant where the order was placed, and customer names are never shared between merchants.

We share personal data only with: the merchant the data originated from; other merchants in the network, in the form of an aggregated trust tier and the reasons behind it, never raw names, contact details, or order content; your e-commerce platform, for billing and subscription events; service providers who host our infrastructure and deliver our email and analytics; and regulators or law enforcement where Saudi law requires. We do not sell personal data. A current list of subprocessors is available from support@som3a.tech.

Some of our service providers may store or process data outside Saudi Arabia. Where they do, we rely on contractual safeguards and select providers with PDPL-aligned commitments.

We use analytics and anonymised session-recording tools to understand usage and improve the product. Input fields are masked and customer names, emails, and phone numbers are suppressed. We do not run advertising trackers. You can block these via your browser settings or a Do-Not-Track signal without affecting your use of SOM3A.

Merchant account data is retained while your store is connected and for 12 months after disconnection to support reconnection, billing, and audit. End-customer data is retained while the merchant subscription is active. You can request earlier deletion at support@som3a.tech.

Under PDPL you may request access, correction, deletion or anonymisation, portability, or object to specific processing, and withdraw any consent given. Send your request from the email tied to your account to support@som3a.tech and we will respond within 30 days. End-customers should first contact the merchant they purchased from; we will support that merchant in fulfilling the request.

We protect data with encryption in transit and at rest, scoped platform access tokens, hashed identifiers, passwordless multi-factor login, and audit logs. No system is perfectly secure; we will notify the relevant Saudi authority and affected users of any incident as required by PDPL.

SOM3A is a tool for merchants and is not directed at children. We do not knowingly process data of anyone under 18. Contact us if you believe such data has been ingested in error.

We may update this policy as the service or Saudi law changes. Material changes are notified to merchants by email at least 14 days before they take effect.