Wathba

Privacy Policy

Last updated:

This policy explains how we handle your personal data at Wathba when you apply to join the community or contact us. It is aligned with the Saudi Personal Data Protection Law and its implementing regulations.

Who we are (the data controller)

Wathba is the community of AI-powered product builders in Saudi Arabia. We are the data controller of your personal data under the Saudi Personal Data Protection Law.

For any question about this policy or to exercise the rights listed below, contact us at hello@wathba.sa.

What data we collect

When you submit the join form we collect the data you enter into the form: full name, phone number, email, city, product URL, product description and how you built it, your answers to the product questions (user count, revenue, build approach, technical level), your LinkedIn URL (optional), and your X / Twitter handle (optional).

We also automatically record your IP address, user-agent, a timestamp confirming you agreed to the eligibility criteria, and a timestamp recording your phone-number verification via SMS one-time code. We record these for review, fraud prevention, and protecting the form from abuse.

Why we collect it

We use your data solely to review your application to the Wathba community, to contact you by email about your application, and — once accepted — to create your community account and invite you to community events and conversations.

We may use your phone number to contact you directly as a community member — for example, messages from the Wathba team via WhatsApp or SMS about events or operational matters. This communication is limited to membership-related topics and will not be used for marketing or third-party promotion.

We do not use your data for external marketing, we do not sell it, and we do not share it with advertising networks.

Legal basis for processing

We rely on your explicit consent at the moment you submit the form as the legal basis for collecting and processing your data, per the Saudi Personal Data Protection Law. We additionally rely on legitimate interest for the fraud-prevention measures around the form (OTP verification, rate limiting, audit logging).

Who we share your data with

We share specific portions of your data with trusted service providers, only to the extent needed for the system to operate:

  • Authentica (Saudi Arabia): For delivering the SMS verification code to your phone. We share only your phone number with them.
  • Resend (US / EU): For delivering transactional email (application receipt and any reply about your application). We share your email address and your name. This is a cross-border data transfer under Article 29 of the law; we rely on Resend’s contractual safeguards, which provide a level of protection equivalent to the Saudi PDPL.
  • Google Cloud (Dammam — me-central2): For hosting the site and database, located inside Saudi Arabia. No cross-border transfer is involved.
  • Google Analytics 4 (United States): For measuring aggregate site traffic and navigation patterns. We run Consent Mode v2 with analytics_storage denied by default — analytics cookies are not set unless you explicitly grant consent. This is a cross-border data transfer under Article 29.
  • ConvertKit / Kit (United States): For managing newsletter subscriptions only (if you voluntarily sign up via the homepage newsletter form). We share your email address with them. This is a cross-border data transfer under Article 29.
  • Tally (United States) — being deprecated: We currently run a backup application form via forms.wathba.sa, and your input passes through Tally’s servers before reaching us. This path is being retired now that the native form on wathba.sa/ar/join is live.
  • WhatsApp (Meta, United States): We may contact you directly via WhatsApp using your phone number for operational communication about your membership (event reminders, conversation coordination, replies to member queries). We use only your individual number — we do not add you to broadcast lists without your explicit consent. These messages pass through Meta’s servers, which counts as a cross-border data transfer under Article 29 of the Saudi PDPL.

We do not share your data with any marketing partners, data brokers, or advertising networks. When your application is accepted, we may invite you to additional community platforms (e.g. Slack or WhatsApp group chats) — we will request your explicit consent before adding you to any of them.

How long we keep your data

We retain your data only as long as necessary for the purpose it was collected:

  • Pending applications: 12 months from submission, then deleted unless the application is accepted.
  • Accepted members: For the duration of your membership plus 24 months after departure, for audit and re-onboarding purposes.
  • Administrative audit logs: 36 months from creation.

Your rights under the Saudi PDPL

Saudi law gives you several rights over your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Request that we correct any inaccurate data.
  • Deletion: Request that we delete your data (subject to data we are legally required to retain, such as audit logs).
  • Withdraw consent: Ask us to stop processing your data at any time, without affecting the lawfulness of prior processing.
  • File a complaint: If you are not satisfied with our response, you may file a complaint with the Saudi Data & AI Authority (SDAIA) via sdaia.gov.sa.

To exercise any of these rights, email hello@wathba.sa. We will respond within 30 days of receipt, per Article 33 of the law.

How we protect your data

We apply appropriate technical and organizational measures to protect your data:

  • TLS encryption in transit; encryption at rest in the Cloud SQL database managed by Google Cloud.
  • Access restricted to a small set of Wathba administrators via Google SSO and IAP.
  • Every administrative action is logged to an audit trail tied to the actor’s identity and timestamp.
  • HMAC-signed phone-verification tokens, single-use, valid for 10 minutes only.
  • Per-IP and per-phone rate limits to prevent abuse and repeated-submission attacks.

Changes to this policy

We may update this policy from time to time. The current revision date is shown at the top of the page. When we make material changes, we will email you if you are a registered community member.