Privacy Policy
Last updated: 29 May 2025
This Privacy Policy describes how Rotherine Technology Company(“Rotherine”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards personal and business data processed through the Rotherine supply-chain intelligence platform (“Service”). It applies to all authorised users acting on behalf of subscriber organisations (“Customers”). It is governed by the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL) and its implementing regulations, effective 14 September 2024.
1. Data Controller
Rotherine Technology Company is the data controller for personal data processed in connection with account management, communications, and billing. For supply-chain operational data (supplier records, shipment data, contracts, inventory) that Customers upload or generate within the Service, Rotherine acts as a data processor on behalf of the Customer, who is the controller of that data.
For privacy enquiries or to exercise your rights, contact us at:
Email: privacy@rotherine.com
Address: Riyadh, Kingdom of Saudi Arabia
2. Data We Collect
We collect and process the following categories of data:
2.1 Account and Identity Data
- Full name, business email address, job title, and phone number of authorised users
- Organisation name, commercial registration number, and billing address
- Login credentials (email and hashed password managed via Supabase Auth)
- Profile preferences and notification settings
2.2 Supply-Chain Operational Data
- Supplier profiles: names, contact details, locations, performance records, contracts
- Shipment records: origin, destination, routing, carrier, status, and customs data
- Inventory and product data entered or imported by the Customer
- Purchase orders, financial exposure figures, and risk assessments
- Documents and files uploaded to the platform (e.g., contracts, invoices)
This operational data belongs to the Customer (see Section 10 of the Terms of Service). Rotherine processes it solely to deliver the contracted Service.
2.3 Usage and Technical Data
- Log data: IP address, browser type, operating system, pages visited, timestamps
- Session tokens and device identifiers
- Feature usage analytics (aggregated and pseudonymised) to improve the Service
- Error reports and performance diagnostics
2.4 Payment Data
Payment card details are collected and processed exclusively by Stripe, Inc. Rotherine receives only a tokenised payment reference, billing address, and transaction status. We do not store full card numbers or CVV codes.
2.5 AI-Analysis Inputs
When a user invokes AI-powered analysis features, the relevant supply-chain data is transmitted to Anthropic’s Claude API solely to generate the requested analysis. See Section 5 for details on this third-party processor.
3. How We Use Your Data
We process personal and operational data for the following purposes and legal bases under the PDPL:
| Purpose | Legal Basis (PDPL) |
|---|---|
| Providing and operating the Service | Performance of contract |
| Account authentication and access control | Performance of contract |
| Processing subscription payments via Stripe | Performance of contract |
| Sending transactional emails (alerts, reports, account notices) via Resend | Performance of contract |
| Providing AI-powered supply-chain analysis via Anthropic Claude | Performance of contract / Legitimate interest |
| Detecting and preventing fraud, abuse, and security threats | Legitimate interest / Legal obligation |
| Improving and developing platform features (aggregated analytics only) | Legitimate interest |
| Complying with Saudi law, ZATCA requirements, and court orders | Legal obligation |
| Responding to Customer support requests | Performance of contract / Legitimate interest |
We do not sell, rent, or trade personal data. We do not use Customer operational data for training AI models or for any purpose beyond providing the contracted Service.
4. Workspace Isolation and Data Segregation
Each Customer organisation operates within an isolated workspace. Operational data (suppliers, shipments, inventory, contracts, risk assessments) is logically segregated at the database level using row-level security policies enforced by Supabase. No Customer can access another Customer’s data. Rotherine staff access to Customer data is restricted to authorised personnel on a need-to-know basis, governed by internal access-control policies and audit logging.
5. Third-Party Processors
We engage the following sub-processors to deliver the Service. Each is bound by a data processing agreement consistent with applicable data-protection law:
Supabase (via Amazon Web Services)
Privacy policyRole: Database, authentication, and file storage
Data processed: All Customer operational data, account credentials, uploaded documents
Processing location: AWS — EU-West-1 (Ireland) by default; regional residency configurable at enterprise plan level
Anthropic, Inc.
Privacy policyRole: AI-powered supply-chain analysis (Claude API)
Data processed: Supply-chain data excerpts submitted by users when invoking AI features. Anthropic processes this data only to generate the requested analysis and does not retain it for model training under its API data-use policy.
Processing location: United States
Stripe, Inc.
Privacy policyRole: Subscription billing and payment processing
Data processed: Billing contact details, tokenised payment method reference, transaction records
Processing location: United States
Resend, Inc.
Privacy policyRole: Transactional email delivery (alerts, reports, notifications)
Data processed: Recipient email address, email content generated by the Service
Processing location: United States
Cross-border transfers to processors outside Saudi Arabia are conducted under appropriate safeguards, including standard contractual clauses and the processors’ adherence to internationally recognised data-protection standards, consistent with PDPL Article 30 requirements.
6. Data Retention
We retain data for the following periods:
Customers may request deletion of their data at any time subject to the legal-hold exception for financial records.
7. Your Rights Under the PDPL
Individuals whose personal data we process have the following rights under the Saudi PDPL (Royal Decree No. M/19, 9/2/1443H). These rights apply to personal data for which Rotherine is the controller (account and identity data). For operational data, rights should be directed to the Customer organisation that controls that data.
- Right to know: You have the right to be informed about the personal data we hold about you and how it is processed.
- Right of access: You may request a copy of the personal data we hold about you.
- Right to correction: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data, subject to legal-hold obligations and contractual requirements.
- Right to data portability: You may request your personal data in a structured, machine-readable format.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to object: You may object to processing based on legitimate interest where your interests override ours.
To exercise any right, submit a written request to privacy@rotherine.com. We will respond within 30 days. If you believe we have not adequately addressed your request, you may lodge a complaint with the Saudi Data and AI Authority (SDAIA) at sdaia.gov.sa.
8. Cookies and Tracking Technologies
The Rotherine platform uses the following types of cookies and browser storage:
| Type | Purpose | Retention |
|---|---|---|
| Strictly necessary | Session authentication tokens (Supabase), CSRF protection, user preferences | Session / 7 days |
| Functional | Language preference, UI state | 30 days |
| Analytics | Aggregated feature-usage metrics (no personal identifiers shared with third parties) | 90 days |
We do not use third-party advertising cookies or behavioural tracking technologies. Strictly necessary cookies cannot be disabled as they are essential to the operation of the Service.
9. Security
We implement industry-standard technical and organisational measures to protect personal and operational data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 via Supabase/AWS)
- Row-level security enforced at the database layer for workspace isolation
- Role-based access controls with principle of least privilege
- Multi-factor authentication available to all users
- Regular security reviews and vulnerability assessments
- Audit logging of administrative access to Customer data
In the event of a personal data breach that creates a risk to data subjects, we will notify affected Customers without undue delay and, where required by the PDPL, notify SDAIA within the prescribed timeframe.
10. Children and Individual Consumers
The Rotherine platform is a business-to-business (“B2B”) service intended solely for use by organisations and their authorised employees. It is not directed at individuals under 18 years of age, nor at consumers in a personal capacity. We do not knowingly collect personal data from minors. If you believe we have inadvertently received data from a minor, contact us at privacy@rotherine.com for immediate deletion.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our data-processing practices, or the Service. When we make material changes, we will notify Customers by email and post a notice in the platform at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
12. Contact and Privacy Requests
For all privacy-related enquiries, data-subject rights requests, or to report a concern:
Privacy Contact: Data Protection Officer
Email: privacy@rotherine.com
Address: Rotherine Technology Company, Riyadh, Kingdom of Saudi Arabia
Response time: We aim to acknowledge requests within 5 business days and resolve them within 30 days.
You also have the right to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) if you believe your rights under the PDPL have not been respected.
Also see: Terms of Service
Last updated: 29 May 2025