Privacy
Policy

Mawidi ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our WhatsApp appointment management platform and related services.

This policy applies to: Business owners and administrators using Mawidi, end-users booking appointments through Mawidi, and visitors to our website.

Jurisdictions & Compliance: We operate globally with a focus on the GCC region (Saudi Arabia, UAE, Qatar, Kuwait, Bahrain, Oman), United Kingdom, and serve customers worldwide.

We comply with GDPR (General Data Protection Regulation) for EU users, CCPA (California Consumer Privacy Act) for California residents, GCC Data Protection Laws for users in Gulf Cooperation Council countries, and UK Data Protection Act for UK users.

Account Information: Full name and email address, password (encrypted and hashed), business name and industry type, contact information (phone number, business address), operating hours and service offerings.

Business Data: Service descriptions and pricing, staff member information, WhatsApp Business account details, appointment schedules and availability.

Payment Information: Payment method details (processed securely by Stripe), billing address and VAT/Tax registration, transaction history. Note: We do not store full credit card numbers.

Usage Data: Device information (type, operating system, browser), IP address and location data, pages visited and features used, time spent on platform, referral sources.

Communication Data: Conversation transcripts between businesses and customers, voice recordings (when using AI voice receptionist feature), message metadata (timestamps, read receipts), media files shared through conversations.

Service Delivery: Provide and maintain our appointment management platform, process bookings and manage schedules, handle payments and invoicing, enable WhatsApp Business integration, provide AI-powered features.

Account & Security: Create and manage user accounts, authenticate users and prevent unauthorized access, detect and prevent fraud, abuse, and security incidents, conduct security audits.

Communication: Send appointment confirmations and reminders, provide customer support and respond to inquiries, send transactional emails, deliver service updates and important notices.

Analytics & Improvement: Analyze platform usage and user behavior, improve features and develop new functionality, conduct A/B testing and performance optimization.

Marketing (With Consent): Send promotional offers and feature announcements, personalize marketing communications, conduct market research and surveys. You can opt-out anytime via email preferences.

Third-Party Service Providers: Stripe (payment processing, PCI-DSS compliant), Twilio (SMS and communication services), ElevenLabs (voice AI processing), Google Analytics (anonymized website usage).

Business Transfers: In the event of merger, acquisition, or sale of assets, your information may be transferred. You will be notified via email and prominent website notice.

Legal Requirements: We may disclose information to comply with court orders or legal processes, enforce our Terms of Service, protect rights and safety of Mawidi and users.

B2B Context: Mawidi is a B2B platform. Your business customers' data is processed on your behalf. You remain the data controller for your customer data.

We Never Sell Your Data: We do not and will never sell your personal information to third parties or share data for third-party marketing without your consent.

Right to Access (GDPR Art. 15, CCPA): Request a copy of all personal data we hold about you. Email privacy@mawidi.com with subject "Data Access Request". We respond within 30 days.

Right to Rectification (GDPR Art. 16): Correct inaccurate or incomplete personal information. Update directly in your account settings or contact support.

Right to Erasure (GDPR Art. 17, CCPA): Request deletion of your personal data. Account deletion removes all associated data permanently within 30 days.

Right to Data Portability (GDPR Art. 20): Receive your data in a structured, machine-readable format. Manual export available via support request.

Right to Object (GDPR Art. 21): Object to processing for direct marketing purposes. Unsubscribe from marketing emails or contact privacy@mawidi.com.

Encryption: All data transmitted using TLS 1.3 encryption. Database encryption using AES-256. Password hashing with bcrypt (industry standard).

Access Controls: Multi-factor authentication (MFA) available, strong password requirements enforced, role-based access control (RBAC), regular access reviews and audits.

Infrastructure Security: Regular security updates and patches, vulnerability scanning and penetration testing, DDoS protection and rate limiting, SOC 2 Type II compliant hosting.

Data Retention: Active accounts retain data as long as account is active. Deleted accounts have data permanently removed within 30 days, backups within 90 days.

Your Responsibility: Keep your password confidential, enable two-factor authentication, use secure networks for sensitive operations, report security concerns to security@mawidi.com.

Essential Cookies (Always Active): Required for platform functionality, authentication and session management, security features. Cannot be disabled.

Analytics Cookies (With Consent): Google Analytics tracks website usage and performance with anonymized IP addresses. You can opt-out via cookie consent banner or browser settings.

Preference Cookies (With Consent): Language selection (Arabic/English), theme preferences (dark/light mode), dashboard customizations.

Third-Party Cookies: Google Analytics (website analytics), Stripe (payment processing session management). We do not use social media tracking pixels or third-party advertising networks.

Managing Cookies: Cookie consent banner appears on first visit. You can accept all, reject non-essential, or customize your preferences. We respect browser Do Not Track signals.

Data Storage Locations: Cloud infrastructure providers (AWS, Google Cloud, or Azure). Servers located in EU (Ireland/Germany), UK, and/or USA. All providers meet GDPR and international compliance standards.

Cross-Border Transfers: We comply with GDPR requirements for international transfers. Standard Contractual Clauses (SCCs) in place with all US providers.

Third-Party Processors: Stripe (US-based, GDPR and PCI-DSS compliant), Twilio (US-based, GDPR compliant), ElevenLabs (voice data processed temporarily), Google (global infrastructure, GDPR compliant).

Your Rights: You have the right to be informed about where your data is transferred, object to transfers to specific countries, and request that data remain in your jurisdiction.

Data Localization: We are working on data localization options for customers who require data storage exclusively in GCC region or EU-only data processing.

Minimum Age: 13 years old in most jurisdictions, 16 years old in EU/EEA countries (GDPR requirement), 18 years old for business account creation.

Business Use Context: Mawidi is a B2B platform designed for business owners, professional service providers, and business administrators. We do not target children with our marketing.

Parental Consent: If your business serves minors (under 18), you are responsible for obtaining parental consent and complying with COPPA and local laws.

If We Discover Child Information: We will delete the information immediately, close any accounts created, and take steps to prevent future collection.

How to Report: If you believe a child has provided information to us, email privacy@mawidi.com with subject "Child Privacy Concern".

How We Update: We may update this Privacy Policy to reflect changes in our business practices, new features, legal requirements, or user feedback.

Material Changes: For significant changes affecting your rights, we will send email notification at least 30 days before changes take effect, display a prominent website banner, and show in-app notifications.

Minor Changes: For non-material changes (typos, clarifications), we will update the "Last Modified" date. Changes take effect immediately.

Your Options: If you disagree with changes, you can email us with concerns, request data deletion before changes take effect, or close your account within the 30-day notice period.

Version History: Current version: January 2025. We maintain archives of previous privacy policy versions available upon request.

Privacy Team: Email privacy@mawidi.com. Response time: Within 3 business days for acknowledgment, 30 days for full response.

Security Issues: Email security@mawidi.com for urgent security matters only. Response time: Within 24 hours.

Data Protection Officer (DPO): Email dpo@mawidi.com for GDPR-related inquiries.

Regulatory Authorities: If not satisfied with our response, you can lodge a complaint with your local data protection authority. UK: ICO (ico.org.uk), EU: Find your authority at edpb.europa.eu.

Response Timeline: Acknowledgment within 3 business days, simple requests within 14 days, complex requests within 30 days (45 days if exceptionally complex).