
Privacy Policy

سياسة الخصوصية · Last updated: 30 May 2026

This policy is written in English. A certified Arabic translation is available on request at privacy@khutwah.com. In the event of conflict, the Arabic version prevails for Saudi residents.

1. Who We Are / من نحن

Khutwah ("we", "us", "our") is a gym management software platform. Our registered office is at Khutwah, CR [PENDING], 7007 Wadi Haqeel, Hai Alnakheel, Riyadh 12381, Saudi Arabia.

We act as a data processor on behalf of gym owners (the data controllers) who use our platform. We also act as a data controller for information we collect about gym owners and platform users directly.

2. What Personal Data We Collect / البيانات التي نجمعها

We collect and process the following categories of personal data:

For gym members (collected on behalf of the gym)

  • Identity data: Full name, date of birth
  • Contact data: Email address, mobile number
  • Emergency contact data: Name, phone number, and relationship of your nominated emergency contact
  • Biometric-adjacent data: Profile photo used for identity verification at gym entry
  • Membership data: Membership plan, start date, expiry date, visit count, status (active / frozen / expired)
  • Access data: Date, time, and result of each gym check-in
  • Payment data: Invoice amounts, payment method (cash or card terminal). We do not store card numbers — payment processing is handled externally.
  • Waiver record: Date and time you signed the gym's liability waiver
  • Barcode ID: A unique alphanumeric identifier used to scan you into the gym

For gym owners and staff

  • Identity data: Full name
  • Contact data: Email address
  • Account data: Hashed password, account creation date, role
  • Activity logs: Actions taken within the platform (for security and audit purposes)

Automatically collected data

  • Login metadata: IP address, timestamp of login attempts (retained for 15 minutes for rate-limiting, then discarded)
  • Technical logs: Error logs and performance data. These do not contain personal member information.

4. How Long We Keep Your Data / مدة الاحتفاظ بالبيانات

Data type                                   | Retention period                                       | Reason
--------------------------------------------|--------------------------------------------------------|-------------------------------------
Member profile (name, email, phone, photo)  | Duration of membership + 2 years after last activity   | Contractual / PDPL minimum
Check-in history                            | 3 years from the check-in date                         | Gym operational records
Tax invoices and financial records          | 5 years from the invoice date                          | ZATCA Article 53 — mandatory retention
Waiver signatures                           | Duration of membership + 5 years                       | Legal protection in liability claims
Login rate-limit buckets                    | 15 minutes                                             | Security only — automatically purged
OTP tokens                                  | 10 minutes from generation (then marked used)          | Security — short-lived by design
MFA challenge tokens                        | 5 minutes from creation                                | Security — single-use, then expired
Staff / owner accounts                      | Until account deletion by gym owner                    | Contractual

5. Who We Share Data With / مشاركة البيانات

We do not sell personal data. We share it only with the following categories of service providers, under contractual obligations that require them to protect it:

  • Cloud hosting (Vercel): Hosts the application servers. Data is processed in their infrastructure. Vercel is SOC 2 certified.
  • Database hosting (Neon / PostgreSQL): Stores all structured data. Encrypted at rest and in transit.
  • File storage (AWS S3, Bahrain — me-south-1): Stores member photos. Bucket has no public access — files are served via short-lived signed URLs only. Stored in the Middle East region to support PDPL data residency.
  • Email delivery (Resend): Used to send OTP login codes and barcode emails. Receives only the recipient email address and the message content.
  • Barcode image service (barcodeapi.org): Generates barcode images from your unique barcode ID. Only the barcode ID string (a random alphanumeric code, not your name or contact information) is transmitted.

We do not share data with advertising networks, data brokers, or third-party analytics platforms.

6. Cross-Border Data Transfers / نقل البيانات خارج المملكة

Member photos are stored in AWS S3 Bahrain (me-south-1), which is within the Gulf region. Application servers and the database may be hosted in data centres outside Saudi Arabia (US or EU). Where personal data is transferred outside the Kingdom, we rely on:

  • Standard contractual clauses incorporated in our agreements with sub-processors
  • The data protection certifications of the receiving party (SOC 2, ISO 27001)

If you require your gym's data to be stored exclusively within Saudi Arabia, contact us to discuss a dedicated regional deployment.

7. Your Rights Under PDPL / حقوقك بموجب نظام حماية البيانات

Under the Saudi Personal Data Protection Law you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correct: Ask us to fix inaccurate data. (You can also ask the gym reception to update your details directly.)
  • Delete: Request deletion of your data. We will comply unless we are required to retain it by law (e.g. ZATCA 5-year invoice retention).
  • Withdraw consent: Where processing is based on consent (e.g. emergency contact storage), you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Object: Object to processing based on legitimate interest.
  • Portability: Request your data in a structured, machine-readable format.

To exercise any of these rights, contact your gym directly (they are the data controller for your membership data) or contact us at privacy@khutwah.com. We will respond within 30 days.

8. How We Protect Your Data / أمان البيانات

  • All data is transmitted over HTTPS with HSTS enforced
  • Passwords are hashed with bcrypt (minimum 10 rounds) — we never store plaintext passwords
  • OTP codes are stored as bcrypt hashes — even a database breach would not expose valid login codes
  • Member photos are stored in a private S3 bucket — every view requires a short-lived signed URL
  • Access to member data is role-scoped — staff can only see data for their own gym franchise
  • Owner accounts support two-factor authentication (TOTP)
  • Login attempts are rate-limited to prevent brute-force attacks

In the event of a personal data breach that poses a risk to your rights, we will notify affected individuals and the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware, as required by PDPL Article 20.

9. Cookies and Session Storage / ملفات تعريف الارتباط

We use a single session cookie to keep you logged in. This cookie is:

  • HttpOnly — cannot be read by JavaScript (prevents theft via XSS)
  • Secure — only sent over HTTPS
  • SameSite: Lax — not attached to requests initiated by other sites (top-level navigations excepted)
  • Expires: 7 days from login

We do not use tracking, advertising, or analytics cookies. We do not use third-party cookie-based tracking of any kind.

10. Changes to This Policy / تغييرات هذه السياسة

We may update this policy from time to time. Material changes will be communicated by posting the new policy on this page with an updated date. For significant changes that affect your rights, we will notify gym owners by email at least 14 days in advance.

11. Contact / التواصل معنا

For privacy-related questions or to exercise your rights:

Data Protection Contact:

Email: privacy@khutwah.com

Address: [Company address, Riyadh, Saudi Arabia]

For complaints you may also contact the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.