Privacy Policy for Nabrah.ai

https://www.nabrah.ai/en/privacy

Last Updated: August 17, 2025

1. Who is Nabrah and what does this Policy cover?

Nabrah for Information Technology ("Nabrah," "we," "us," or "our") provides a sophisticated, AI-powered Conversational Intelligence platform designed to help businesses analyze and improve their customer communications. Our services include, but are not limited to, AI-driven call transcription, sentiment analysis, call summarization, and performance analytics (the "Services").

At Nabrah, we take your personal data and privacy seriously. This Privacy Policy ("Policy") is designed to be transparent and to explain our practices regarding the collection, use, protection, and disclosure of Personal Data. It outlines our commitment to processing data responsibly and in compliance with applicable data protection laws and regulations, including the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) and other relevant international standards.

This Policy applies to the Personal Data we process from three main groups of individuals:

• Website Visitors: Individuals who visit or interact with our public-facing websites (e.g., nabrah.ai).
• Customers: Authorized users representing an organization that has entered into an agreement with Nabrah to use our Services.
• End-Users: Individuals whose communications are processed through our Services by our Customers (for example, a person who participates in a phone call with one of our Customer's sales or support agents).

A critical distinction in our data processing activities is our role as either a "Data Controller" or a "Data Processor." For the Personal Data of our Website Visitors and Customers, Nabrah acts as the Data Controller, meaning we determine the purposes and means of processing. For the Personal Data of End-Users that we process on behalf of our Customers through our Services, our Customer is the Data Controller, and Nabrah acts as the Data Processor, processing such data only on the documented instructions of our Customer.2 This distinction is fundamental to understanding the rights and responsibilities outlined in this Policy. The legal responsibility for ensuring a valid legal basis for processing End-User communications (such as obtaining necessary consents for call recording) rests with our Customers.

Please read this Policy carefully. By accessing our websites or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, you must not use our websites or Services.

2. What personal data do we collect about you and how do we collect it?

We collect Personal Data through various means to provide and improve our Services. The types of data we collect depend on your relationship with us, as detailed below. This approach adheres to the principle of data minimization, ensuring we only collect what is necessary for the specified purpose.

Data You Provide Directly to Us

When you interact with us, you may provide us with Personal Data directly. This includes:

• Account and Contact Information: When you register for an account, request a demo, or contact us for support, we collect information such as your full name, business email address, phone number, company name, job title, and billing or physical address.
• Payment Information: For paying Customers, we collect billing details and payment information, which are processed securely by our third-party payment processors.
• Communications and Support Data: If you contact us via email, support tickets, feedback forms, or other communication channels, we will collect the information contained in your correspondence, including any attachments.

Data We Collect Automatically

When you use our websites or Services, we automatically collect certain information about your device and your usage:

• Usage and Log Data: We collect information about your interactions with our Services, such as the features you use, the pages you visit, the dates and times of your access, and performance statistics.
• Device and Connection Information: We collect data from the device you use to access our Services, including your IP address, browser type and version, operating system, device identifiers, and location information derived from your IP address.
• Cookies and Other Tracking Technologies: We use cookies and similar technologies to operate and administer our websites, gather usage data, and support our marketing efforts. For more detailed information, please refer to Section 11 of this Policy.

Data We Process on Behalf of Our Customers (as a Data Processor)

When our Customers use our Services to manage their communications, we process the data they submit to our platform. Nabrah has no direct relationship with the End-Users whose data is processed in this context. The collection of this data is managed by our Customers, who are the Data Controllers. This data includes:

• Interaction Content: This is the core data our AI platform analyzes. It includes audio from phone calls, video recordings, and the resulting transcripts generated by our speech-to-text engine. This content may contain various types of Personal Data and, potentially, Sensitive Personal Data of End-Users, depending on the nature of the conversation.
• Interaction Metadata: We process data related to the communications, such as the phone numbers of the calling and receiving parties, the start time and duration of the call, call direction (inbound/outbound), and other technical details associated with the interaction.
• CRM Integration Data: If a Customer chooses to integrate our Services with a third-party application, such as a Customer Relationship Management (CRM) system (e.g., Salesforce, HubSpot), we may access and process data from that system as directed by the Customer. This can include contact details, deal information, and other business records stored in the CRM.

3. How and why do we use your personal data?

We are committed to the principle of "purpose limitation," meaning we only use your Personal Data for specific, explicit, and legitimate purposes that we have disclosed to you. We do not process your data for purposes that are incompatible with these original intentions. Our use of your data depends on our role as either a Data Controller or a Data Processor.

As a Data Controller (For our own business purposes)

When we act as a Data Controller for the data of our Website Visitors and Customers, we use it for the following purposes:

• To Provide Services and Manage Your Account: We use your Account and Contact Information to create and maintain your account, process payments, provide you with access to our Services, and send essential service-related communications (e.g., billing notices, security alerts).
• To Provide Customer Support: We use your communications data and account information to investigate and respond to your inquiries, troubleshoot technical issues, and provide other support services.
• For Marketing and Communications: With your consent where required by law, we may use your Contact Information to send you newsletters, promotional materials, and other information about our products and services. We will always provide a clear and simple way for you to opt out of these communications, in compliance with regulations such as the PDPL.
• To Improve Our Services and Websites: We analyze Usage and Log Data to understand how our users interact with our platform. This helps us to improve functionality, enhance the user experience, and develop new features.
• For Security and Legal Compliance: We use your Personal Data to maintain the security and integrity of our platform, prevent fraud, enforce our legal agreements (such as our Terms of Service), and comply with our legal obligations, including responding to lawful requests from public authorities.

As a Data Processor (On behalf of our Customers)

When we process End-User data on behalf of our Customers, our role is strictly limited to providing the Services as instructed by the Customer in our contractual agreement. Our purposes for processing this data are:

• To Deliver the Core AI Services: We process Interaction Content, Interaction Metadata, and CRM Integration Data to perform the functions contracted by our Customer. This includes routing calls, creating recordings and transcripts, generating analytical reports, and displaying relevant information within the Customer's Nabrah account. The entire basis for this processing is the contract we have with our Customer.

4. How does Nabrah's Artificial Intelligence process call data?

The core value of Nabrah's platform lies in its ability to apply advanced Artificial Intelligence to conversational data. This section provides transparency into how our AI systems work and the safeguards we have in place to protect the data they process.

Core AI Functionality

Our AI models are designed to transform unstructured conversational data into structured, actionable intelligence for our Customers. When a Customer uses our Services, their Interaction Content is processed by our AI to provide features such as:

• Speech-to-Text Transcription: Our AI automatically converts the audio from calls into written text, creating a searchable and analyzable record of the conversation.
• Automated Summarization: The AI can generate concise summaries of long conversations, highlighting key points and outcomes to save our Customers time.
• Sentiment Analysis: We analyze the language, tone, and other cues within a conversation to determine the sentiment (e.g., positive, negative, neutral) of the participants. This helps our Customers gauge satisfaction and identify areas for improvement.
• Topic and Keyword Tracking: Our platform can identify and track the frequency of specific keywords or topics mentioned during conversations, enabling Customers to spot trends, monitor compliance, and understand common queries.

AI Model Training and Improvement

To ensure our AI models remain accurate, competitive, and effective, they require continuous training and refinement. This process may involve using data that we process on behalf of our Customers. However, we recognize the sensitivity of this data and have implemented strict controls and safeguards around this practice.

Using customer data for model improvement is not part of our core service delivery; it is a separate processing activity that requires a distinct legal basis and a high degree of transparency. We are committed to giving our Customers full control over this process.

• Data Protection Safeguards: Before any data is used for training purposes, we employ technical measures to anonymize or pseudonymize it to the greatest extent possible. This involves removing or obscuring direct personal identifiers to protect the privacy of individuals.
• Customer Control and Consent: We believe that our Customers should decide whether their data contributes to the improvement of our AI models. Therefore, we provide our Customers with clear options within their account settings to opt out of having their data used for AI training and development purposes. Unless a Customer provides explicit consent, their data will be used solely for the purpose of providing the Services to them. This approach ensures that our AI development is both ethical and compliant with data protection principles that prioritize user consent and control.

By providing this level of granular control, we aim to build trust and demonstrate our respect for our Customers' data ownership. This transforms a potentially sensitive processing activity into a transparent, consent-based partnership that benefits all parties.

5. What is our legal basis for processing your data?

Under modern data protection laws, including the PDPL and GDPR, all processing of Personal Data must be justified by a "legal basis." We are transparent about the legal bases we rely on for our various processing activities. The primary legal bases we use are:

• Performance of a Contract: When processing is necessary to fulfill our contractual obligations to you (e.g., providing the Services you have subscribed to).
• Consent: When you have given us your explicit and informed permission to process your Personal Data for a specific purpose (e.g., for sending marketing materials or for AI model training).
• Legitimate Interest: When we have a legitimate business interest in processing your data, provided that this interest is not overridden by your fundamental rights and freedoms. This legal basis is not used for processing Sensitive Data.
• Legal Obligation: When we are required to process your Personal Data to comply with a law or a binding legal order.

6. Who do we share your personal data with?

We do not sell your Personal Data to third parties. This is a core commitment of our privacy program. We only share Personal Data in the limited circumstances described below, and we take steps to ensure that any third party with whom we share data provides an adequate level of protection.

• Sub-processors and Service Providers: We engage third-party companies and individuals to perform services on our behalf, such as cloud hosting, payment processing, data analytics, and customer support. These parties are our "sub-processors." We only share the minimum amount of Personal Data necessary for them to perform their function, and we have legally binding Data Processing Agreements (DPAs) in place that require them to protect the data and process it only in accordance with our instructions. Our primary cloud infrastructure provider is.
• Third-Party Integrations: When a Customer chooses to connect our Services to a third-party application (e.g., a CRM), we will share data with that service as directed by the Customer. We are not responsible for the privacy practices of these third-party services, and we encourage our Customers to review their privacy policies.
• Legal and Regulatory Bodies: We may be required to disclose Personal Data in response to a lawful request by public authorities, such as to comply with a court order, a legal proceeding, or national security or law enforcement requirements. We will only disclose the data required by law and will notify the relevant Customer before disclosure, unless legally prohibited from doing so.
• Business Transfers: In the event of a merger, acquisition, bankruptcy, or other sale of all or a portion of our assets, your Personal Data may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your Personal Data.

Our robust vendor management program ensures that any sub-processor we engage is contractually obligated to maintain security and privacy standards at least as stringent as our own, protecting your data throughout the entire service delivery chain.

7. Where is your data stored and is it transferred internationally?

The location and transfer of Personal Data are subject to strict legal requirements, particularly under the Saudi PDPL. We have designed our infrastructure and policies to respect data residency and ensure that all cross-border data transfers are lawful.

• Primary Data Storage Location: To support our Customers in the region, we prioritize data residency. All Customer data, including Interaction Content and Metadata, is primarily stored on secure servers located within the Kingdom of Saudi Arabia. This helps our Customers meet their own data localization and compliance obligations.
• International Data Transfers: In certain circumstances, such as for providing 24/7 customer support or utilizing specialized sub-processors located outside of the Kingdom, it may be necessary to transfer Personal Data internationally. We will only conduct such transfers in strict compliance with the PDPL and other applicable laws.
• Legal Safeguards for Transfers: Any transfer of Personal Data outside of Saudi Arabia will be protected by appropriate legal safeguards as mandated by the PDPL. These safeguards include:

• Transferring data to countries that have been deemed by the competent authority (the Saudi Data & Artificial Intelligence Authority - SDAIA) to provide an adequate level of data protection.
• Implementing "appropriate safeguards" when an adequacy decision is not available. These may include using government-approved Standard Contractual Clauses (SCCs) or adopting Binding Corporate Rules (BCRs).
• Conducting a thorough risk assessment for the transfer to ensure that the data remains protected to a standard equivalent to that provided under the PDPL.

By explicitly adhering to the PDPL's framework for cross-border transfers, we provide our Customers with the assurance that their data is handled in a compliant and secure manner, regardless of where it is processed.

8. How long do we keep your personal data?

We adhere to the principle of "storage limitation," which means we do not retain Personal Data for longer than is necessary to fulfill the purposes for which it was collected, or to comply with our legal and contractual obligations.

• Customer-Controlled Data: The retention period for Interaction Content and Metadata processed on behalf of our Customers is determined and controlled by the Customer. Our platform provides Customers with configurable data retention policies, allowing them to set their own schedules for how long this data is stored. This flexibility enables our Customers to meet their specific industry, legal, and business requirements.
• Data Deletion Upon Contract Termination: When a Customer terminates their contract with us, all data associated with their account, including all Interaction Content, will be permanently deleted from our production systems after a brief grace period (e.g., 90 days) to allow for account reactivation.
• Nabrah-Controlled Data: For Personal Data where we are the Controller (e.g., Customer Account Data), we retain it for the duration of the business relationship. After the relationship ends, we may retain the data for a limited period as necessary to comply with our legal obligations (e.g., for financial auditing or to defend against legal claims).
• Marketing Data: Personal Data used for marketing purposes is retained until you withdraw your consent by unsubscribing from our communications.

9. What are your rights regarding your personal data?

We respect your right to control your Personal Data. In accordance with the PDPL and other applicable data protection laws, you have the following rights regarding your data:

• The Right to be Informed: You have the right to be informed about the collection and use of your Personal Data, which is the purpose of this Privacy Policy.
• The Right of Access: You have the right to request a copy of the Personal Data we hold about you.
• The Right to Correction (Rectification): You have the right to request that we correct any inaccurate or incomplete Personal Data we hold about you.
• The Right to Destruction (Erasure): You have the right to request the deletion of your Personal Data when it is no longer necessary for the purpose for which it was collected, or when you withdraw your consent.
• The Right to Withdraw Consent: Where we are processing your Personal Data based on your consent, you have the right to withdraw that consent at any time.

How to Exercise Your Rights

If you are a Customer or Website Visitor and wish to exercise any of these rights, please contact our Data Protection Officer at the email address provided in Section 14. We will respond to your request in a timely manner, in accordance with applicable law.

If you are an End-User who has interacted with one of our Customers, please note that Nabrah processes your data as a Data Processor on behalf of that Customer. Therefore, to exercise your rights, you must direct your request to the relevant Customer (the organization that contacted you). We are legally and contractually obligated to act only on the documented instructions of our Customers regarding the data they control.9

10. How do we use cookies and other tracking technologies?

We use cookies and similar tracking technologies on our websites to provide and improve our services, analyze usage, and for marketing purposes.

• What are Cookies? A cookie is a small text file that a website stores on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences over a period of time.
• How We Use Cookies: We use different categories of cookies:

• Strictly Necessary Cookies: These are essential for you to browse the website and use its features, such as accessing secure areas of the site.
• Performance and Analytical Cookies: These cookies collect information about how you use our website, like which pages you visited and which links you clicked on. This information is aggregated and anonymized and helps us to improve how our website works.
• Functional Cookies: These cookies allow our website to remember choices you have made in the past, like your preferred language or region.
• Marketing and Targeting Cookies: These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad.

• Managing Your Preferences: When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or reject different categories of non-essential cookies. You can also control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

11. What is our policy regarding children's data?

Our Services are intended for business use and are not directed at individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child without verification of parental consent, we will take steps to delete that information from our servers as quickly as possible.

12. How will you be notified of changes to this policy?

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this Policy. If we make a material change, we will provide you with notice, such as by sending an email to the address associated with your account or by posting a prominent notice on our website, before the change becomes effective. We encourage you to review this Policy periodically to stay informed.

13. How can you contact us about your privacy?

If you have any questions, concerns, or complaints about this Privacy Policy or our data protection practices, or if you wish to exercise your rights, please contact us below:

Email: contact@nabrah.ai

Postal Mail:

Riyadh, Kingdom of Saudi Arabia

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.