Privacy Policy
Last updated: March 13, 2026
This Privacy Policy explains how Masaed ("we", "our", or "us") collects, uses, stores, and protects your personal data when you use our AI-powered customer support platform at masaed.net. By using Masaed, you agree to the practices described in this policy.
1. Who We Are
Masaed is an AI-powered, multi-tenant SaaS customer support platform designed for businesses operating in the Middle East. We enable businesses ("Tenants") to deploy AI chatbots across WhatsApp, Telegram, Instagram, and Web Chat channels.
For data protection purposes, Masaed acts as the data processor on behalf of our Tenants, who are the data controllers for their customers' conversations.
Contact: privacy@masaed.net
2. Data We Collect
Account & Tenant Data
- Company name, domain, and billing email
- Admin user: full name, work email, hashed password (bcrypt, strength 12)
- Agent and team member names and email addresses
- Subscription plan and billing information (via Stripe)
Customer Conversation Data
- Messages sent by your customers via WhatsApp, Telegram, Instagram, or Web Chat
- External user identifiers (phone numbers, Telegram IDs, Instagram IDs, or web session IDs)
- Conversation metadata: timestamps, channel, status
- AI-generated responses and internal notes added by your agents
- Detected Arabic dialect and conversation ratings (1–5 stars)
Knowledge Base Data
- Documents you upload (PDFs, Word files, text) and their extracted content
- Vector embeddings generated from your documents for AI retrieval
Usage & Technical Data
- API request logs, IP addresses, and authentication events (stored in audit logs)
- Conversation volume and plan usage metrics
- Browser type and device information for the dashboard
3. How We Use Your Data
- Service delivery: Processing customer messages, generating AI responses, routing to human agents
- AI inference: Sending conversation context and knowledge base chunks to our AI providers (Together AI or OpenAI) to generate responses. Message content is sent to these providers for processing — it is not used to train their models under our agreements.
- Billing: Processing subscription payments via Stripe. We do not store card numbers — Stripe handles all payment data.
- Security & compliance: Detecting abuse, enforcing plan limits, and maintaining audit logs for PDPL compliance
- Service improvement: Aggregated, anonymized analytics to understand platform usage and improve our product
- Communications: Sending account verification emails, password reset links, and weekly usage reports to admins
4. Third-Party Services
We share data with the following trusted third parties only to the extent necessary to provide the service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Together AI / OpenAI | AI response generation | Message content & knowledge base context |
| Stripe | Payment processing | Billing email, subscription plan |
| DigitalOcean | Cloud hosting & storage | All platform data (encrypted at rest) |
| Meta (WhatsApp/Instagram) | Message delivery | Message content to/from your customers |
| Telegram | Message delivery | Message content to/from your customers |
We do not sell your data or your customers' data to any third party.
5. Data Residency
Masaed supports configurable data residency for Tenants on Professional and Enterprise plans:
- Global (default): Data hosted on DigitalOcean infrastructure, may be processed in multiple regions
- Jordan: Conversation and knowledge base data stored in DigitalOcean's closest available region to comply with Jordan's PDPL
- GCC: Data stored in Gulf Cooperation Council region infrastructure
Note: AI inference calls are processed by Together AI or OpenAI regardless of data residency setting. Enterprise plans can request on-premise or private cloud deployment.
6. Data Retention
- Conversation messages: Retained for 2 years from the date of creation, or until you delete them. Configurable on Enterprise plans.
- Documents & embeddings: Retained until you delete the document from the platform.
- Audit logs: Retained for 1 year for compliance purposes.
- Account data: Retained until account deletion. After deletion, data is anonymized within 30 days.
- Billing records: Retained for 7 years as required by financial regulations.
7. Your Rights
As a Tenant (business account holder), you have the following rights over your data and your customers' data:
- Access: Export all conversation history and user data via GET /api/v1/compliance/users/{id}/export
- Correction: Update user profile data through the dashboard
- Deletion / Anonymization: Anonymize a user's data via POST /api/v1/compliance/users/{id}/anonymize
- Portability: Export data in JSON format via the compliance API
- Account deletion: Contact privacy@masaed.net to request complete account and data deletion
For requests from your end-customers regarding their personal data, you as the Tenant (data controller) are responsible for responding. We will support your compliance obligations upon request.
8. Security
- All data in transit is encrypted via TLS 1.2+
- Passwords are hashed using bcrypt (strength 12) — never stored in plain text
- API keys are hashed using SHA-256 — only the hash is stored
- JWT tokens expire after 24 hours (access) and 7 days (refresh)
- Row-level security enforced at the database level — Tenants can only access their own data
- Rate limiting applied to all API endpoints (100 requests/minute per IP)
- All sensitive actions are recorded in audit logs with IP address and timestamp
9. PDPL Compliance (Jordan)
Masaed is designed to support compliance with Jordan's Personal Data Protection Law No. 24 of 2023 (PDPL), which governs the processing of personal data within Jordan. Our compliance measures include:
- Data minimization — we only collect what is necessary
- Purpose limitation — data is used only for stated purposes
- Data subject rights — access, correction, deletion, and portability tools are built into the platform
- Data retention policies with automatic anonymization after the retention period
- Audit logging of all data access and modification events
- Data residency option for Jordan-based Tenants (Professional and Enterprise plans)
If you are a Jordanian business subject to the PDPL and need a Data Processing Agreement (DPA), contact privacy@masaed.net.
10. Cookies
The Masaed dashboard does not use cookies for tracking or analytics. We use localStorage in your browser to store your authentication token and session data. This data is local to your browser and is not transmitted to third parties.
The embeddable Web Chat widget uses a session identifier stored in localStorage on your customers' browsers to maintain conversation continuity.
11. Children's Privacy
Masaed is a business-to-business platform not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through your customer support channel, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify Tenant admins via email and update the "Last updated" date at the top of this page. Continued use of Masaed after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related questions, data subject requests, or to request a Data Processing Agreement:
- Email: privacy@masaed.net
- Platform: masaed.net