Privacy Policy

FatooraOnline processes customer and business data in accordance with the Saudi Arabia Personal Data Protection Law (PDPL), NDMO guidance, and applicable ZATCA requirements. This Privacy Policy explains what we collect, why, how it is used, and your rights. Continued use of the Platform constitutes acceptance of this Policy.

This Policy describes what information we collect, why we collect it, how it is processed and protected, and the rights you have regarding your personal data. If you do not agree with this Policy, please discontinue use of the Platform.

Abzer DMCC and affiliates (“Abzer”, “we”) provide the FatooraOnline Platform. The Merchant is the Data Controller (decides what is processed and why). Abzer acts as Data Processor, processing data only per the Merchant’s documented instructions to deliver the Platform’s functionality.

We collect only the data necessary to provide the service: business name, commercial registration number, tax identifiers, contact details, authorized-user credentials, invoice data (customer details, items, tax values), ZATCA clearance data, and limited technical data (IP, browser, timestamps). Support correspondence may be retained to resolve issues. Payment card data is handled exclusively by licensed PSPs; Abzer receives only non-sensitive transaction references.

We use data to provide and maintain the Platform, generate and clear ZATCA-compliant invoices, manage subscriptions and billing, send administrative notifications, improve reliability and security, and meet legal obligations. Abzer does not use personal or business data for marketing or commercial monetization beyond the described operational purposes.

Processing is based on: performance of contract (to deliver services), legal obligation (tax, regulatory requirements), legitimate interest (security, fraud prevention, platform improvements), and consent (where required for optional communications or integrations).

Production data is hosted in the Kingdom of Saudi Arabia on certified infrastructure (for example OCI or an equivalent local provider) aligned with NDMO. Data is not transferred outside the Kingdom except under strictly controlled, temporary, and encrypted circumstances (e.g., technical support or disaster recovery) with PDPL safeguards in place.

Data is retained only as necessary to provide the service. After a subscription ends, Merchants have 30 days to export data; after that, data is deleted from active systems and encrypted backups are purged within the subsequent month. A paid Managed Archive service is available. Minimal metadata (invoice hashes, audit logs) may be retained up to six months for legal or security obligations.

Abzer maintains an ISMS aligned with ISO 27001 and SOC 2. Controls include AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication, role-based access, continuous monitoring, and regular vulnerability testing. Access is limited to authorized, trained personnel and incidents are handled per established response procedures. Where legally required, affected Merchants will be notified without undue delay after verification of an incident.

Abzer does not disclose Merchant data except to operate the Platform, comply with law, or enforce contractual rights. Data may be shared with approved sub-processors (hosting, messaging, support) under equivalent protection agreements, with ZATCA or authorities for clearance or audit, and with professional advisers under confidentiality obligations.

Under PDPL you may request access, correction, deletion, or a copy of your personal data. Requests are subject to identity verification and legal retention limitations. Abzer will respond within a reasonable timeframe consistent with operational feasibility and applicable law.

We use essential cookies for session management and limited analytics cookies to measure usage and performance. Analytics data is anonymized and aggregated. Cookie preferences can be managed via browser settings or the site cookie-preference banner. See our Cookie Policy for details.

The Platform is for business use. Abzer does not knowingly collect data of minors under 18; any such data discovered will be deleted promptly.

Temporary, encrypted access by technical/support personnel outside Saudi Arabia may be required for operational support. Such access is authorized, PDPL-compliant, and contractually safeguarded. Abzer does not maintain primary data storage outside Saudi Arabia.

The Platform may integrate with third-party systems (payment gateways, accounting software). Each external provider has its own privacy policy; Abzer is not responsible for their practices. Review third-party policies before enabling integrations.

We may update this Privacy Policy periodically. The “Last Updated” date shows the effective revision. Material changes may be communicated by email or dashboard notice. Continued use after publication constitutes acceptance of the revised Policy.

For privacy or data-rights requests contact:

Data Protection Officer – Abzer DMCC
Email: privacy@abzer.com or compliance@abzer.com
Registered Office: Abzer DMCC, Cluster I, Jumeirah Lake Towers, Dubai, UAE
Operational Jurisdiction: Kingdom of Saudi Arabia

This Privacy Policy and its interpretation are governed by the laws of the Kingdom of Saudi Arabia. The competent courts of Riyadh have exclusive jurisdiction over related proceedings.

Nothing in this Policy creates contractual warranties or liabilities on Abzer beyond those required by law. This Policy describes privacy and security practices and is not intended to create enforceable third-party rights.

Abzer is committed to privacy-by-design, protecting data processed through the Platform, and collaborating with Merchants to meet PDPL, NDMO, and ZATCA obligations. We treat privacy and compliance as a shared responsibility.