Last updated: June 2025
Saudi Arabia PDPL Notice: This policy has been designed in alignment with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) and its implementing regulations issued by the National Data Management Office (NDMO). If you are a resident of the Kingdom of Saudi Arabia, you have specific rights regarding your personal data as detailed in Section 12 of this policy.
This AI Assistant Privacy Policy ('AI Policy') governs the collection, processing, storage, and use of data generated when you interact with Elbetron's AI Assistant features and services ('AI Services'). This AI Policy supplements — and should be read alongside — our main Privacy Policy. By using our AI Services, you acknowledge that you have read, understood, and agreed to the practices described in this document. If you do not agree with any part of this AI Policy, please refrain from using the AI Services.
1. Scope of This Policy
This AI Policy applies specifically to all interactions you have with Elbetron's AI Assistant, including but not limited to: text-based chat conversations, voice queries and audio input, file uploads submitted for analysis, document processing requests, and any automated AI-generated responses you receive. This policy does not apply to third-party websites, products, or services that may be linked from our AI interface. We encourage you to review the privacy policies of any third-party services you access through our platform.
2. Data We Collect When You Use the AI Assistant
When you interact with the AI Assistant, we may collect and process the following categories of data:
- Conversation Content: All text messages, prompts, questions, and instructions you submit to the AI Assistant during a session.
- AI-Generated Responses: The outputs, answers, recommendations, and content generated by the AI in response to your queries.
- Session Metadata: Technical information such as session start/end timestamps, session duration, number of messages exchanged, and session identifiers.
- Device & Browser Information: IP address, browser type and version, operating system, screen resolution, and device identifiers, collected automatically for security and performance purposes.
- User Account Data (if authenticated): Your registered name, email address, organization name, and user role, used to personalize your AI experience and maintain usage history.
- Feedback & Ratings: Any explicit feedback, thumbs up/down ratings, correction requests, or comments you provide on AI responses.
- Error & Diagnostic Logs: Automatically generated logs that capture errors, failed queries, system warnings, and debugging information to ensure service stability.
- Usage Patterns: Aggregate, anonymized data about how features are used, which tools are accessed, and what types of queries are most common, used to improve the AI product.
- File & Document Metadata (if files are uploaded): File names, file types, sizes, and processing status — separate from the file content itself.
We do not sell, rent, or trade any of the data collected through your AI interactions to third parties for marketing or advertising purposes.
3. Data We Do NOT Collect or Store
To protect your privacy and minimize data exposure, our AI Assistant is designed with the following explicit exclusions:
- We do not permanently store the full content of your AI conversations after your session ends, unless you have explicitly opted in to conversation history features.
- We do not use your individual conversation data to train our AI models without your express, informed, and documented consent.
- We do not collect biometric data such as facial recognition data, fingerprints, or retinal scans through our AI services.
- We do not intentionally collect sensitive personal data categories such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation — and we actively filter prompts that may inadvertently contain such information.
- We do not record or store raw audio voice recordings after they have been transcribed and processed, unless you explicitly enable a voice memory feature.
- We do not share conversation content with third-party advertisers, data brokers, or analytics platforms in personally identifiable form.
4. How We Use Your Data
The data collected through your AI interactions is used strictly for the following purposes:
- Service Delivery: To generate accurate, relevant, and helpful responses to your queries in real time.
- Session Continuity: To maintain context within a single conversation session, enabling the AI to provide coherent and contextually appropriate follow-up answers.
- Service Improvement: To analyze anonymized and aggregated interaction patterns, identify gaps in AI knowledge or accuracy, and improve response quality over time.
- Safety & Content Moderation: To detect and prevent the generation of harmful, misleading, illegal, or policy-violating content, ensuring the AI behaves responsibly.
- Security Monitoring: To detect unauthorized access attempts, abuse of the AI system, prompt injection attacks, and other security threats.
- Personalization (opt-in): If you have enabled personalization features, to remember your preferences, communication style, and frequently referenced topics to provide a more tailored AI experience.
- Legal Compliance: To fulfill obligations under applicable Saudi Arabian law, including the PDPL, as well as regulatory requests from competent authorities.
- Customer Support: To assist our support team in diagnosing and resolving issues you report regarding AI responses or service functionality.
- Analytics & Reporting: To generate internal performance reports about AI accuracy, user satisfaction, and service reliability — always in aggregated, non-identifiable form.
5. Voice & Audio Input Processing
If you use voice input features with our AI Assistant, the following practices apply:
- Your voice input is converted to text (speech-to-text transcription) in real time using secure, encrypted channels before being sent to the AI model.
- The resulting transcribed text is processed in exactly the same way as typed text input — subject to all the same protections described in this policy.
- Raw audio files are not retained on our servers after successful transcription. Transcription happens in-memory and audio data is discarded immediately upon conversion.
- Voice transcription may be performed by a trusted third-party speech recognition provider operating under a strict data processing agreement with Elbetron, ensuring your audio data is not used for any purpose beyond transcription.
- If voice transcription fails or produces inaccurate results, no audio snippet is stored for manual review without your explicit consent.
- You may disable voice input at any time from the AI Assistant settings, at which point no audio data will be captured or transmitted.
6. File & Document Uploads
When you upload files or documents to the AI Assistant for analysis, summarization, translation, or other processing tasks:
- Uploaded files are transmitted over encrypted HTTPS connections and temporarily stored in a secure, isolated processing environment.
- File content is processed by the AI model solely for the purpose of fulfilling your specific request (e.g., summarizing, answering questions, translating).
- Files are automatically deleted from our servers within 24 hours of processing completion, or immediately upon your manual deletion request — whichever occurs first.
- We do not use the content of your uploaded documents to train AI models unless you have provided explicit written consent.
- Do not upload files containing highly sensitive personal information of third parties (such as national ID numbers, medical records, financial account details, or HR records) unless you are authorized to share such data and have obtained the necessary consents from the individuals concerned.
- File metadata (name, type, size, upload timestamp) may be retained in logs for up to 30 days for security and audit purposes, even after the file content itself has been deleted.
- We support standard document formats including PDF, DOCX, XLSX, PPTX, TXT, CSV, and common image formats. Files exceeding the maximum size limit are rejected and not stored.
7. Data Retention
We retain different categories of AI-related data for varying periods based on their purpose and our legal obligations:
- Active Session Data (conversation content): Retained only for the duration of your active session. Once the session is closed or times out, conversation content is purged unless you have opted into a conversation history feature.
- Conversation History (opt-in only): If you enable the history feature, conversations are retained for a maximum of 90 days, after which they are automatically and permanently deleted.
- Session Metadata & Logs: Retained for up to 12 months for security, analytics, and audit compliance purposes, then securely deleted.
- User Account & Profile Data: Retained for as long as your account is active, plus a maximum of 90 days after account deletion to allow for dispute resolution or legal holds.
- Anonymized & Aggregated Analytics Data: Retained indefinitely in anonymized form for product improvement and research purposes, as this data cannot be used to identify any individual.
- Legal Hold Data: In cases where data must be preserved due to an ongoing legal dispute, regulatory investigation, or court order, data may be retained beyond standard retention periods solely for those legal purposes.
- Uploaded File Content: Deleted within 24 hours of processing or immediately upon manual deletion request.
- Voice Audio Recordings: Not retained after transcription — discarded immediately post-conversion.
- Security Incident Data: Data related to detected security threats, abuse patterns, or breaches may be retained for up to 3 years for forensic and legal purposes.
8. Data Storage & Geographic Residency
We take data residency seriously, particularly in light of Saudi Arabia's PDPL requirements for cross-border data transfers:
- Primary data storage for users located in the Kingdom of Saudi Arabia is hosted on cloud infrastructure within the Kingdom of Saudi Arabia or the broader GCC region, in compliance with PDPL data localization requirements where applicable.
- In certain cases, data may be processed by AI model infrastructure located outside Saudi Arabia. When this occurs, we ensure that appropriate contractual safeguards (such as Standard Contractual Clauses or equivalent mechanisms approved by the NDMO) are in place to protect your data.
- All data in transit is protected using industry-standard TLS 1.2 or TLS 1.3 encryption. All data at rest is encrypted using AES-256 encryption.
- Our cloud infrastructure partners are certified to internationally recognized security standards including ISO 27001, SOC 2 Type II, and CSA STAR.
- If you are an enterprise customer with specific data residency requirements, please contact us to discuss dedicated infrastructure arrangements.
- We maintain a record of all cross-border data transfers as required by PDPL Article 29 and make this record available to the NDMO upon request.
9. Personal Data Detection & Handling in AI Conversations
Because users may inadvertently include personal information in their AI queries, we have implemented the following protections:
- Automated PII Detection: Our systems include automated scanning to detect and flag conversations that appear to contain personally identifiable information (PII) such as national ID numbers, passport numbers, credit card numbers, phone numbers, or email addresses.
- Redaction in Logs: Where PII is detected in session logs or stored metadata, it is automatically redacted or pseudonymized before storage.
- User Guidance: The AI Assistant is programmed to remind users not to share sensitive personal data unnecessarily and will provide a warning if it detects that a query appears to contain sensitive personal information.
- No Third-Party PII Sharing: Personal data that appears in your AI conversations is never shared with third parties in identifiable form, except where required by law.
- Minimization Principle: We actively apply the principle of data minimization — only storing and processing the personal data that is strictly necessary for the AI to fulfill your request.
- Sensitive Data Filtering: Prompts that contain or request information about sensitive data categories (health, religion, political views, sexual orientation) are subject to additional safeguards and content policy enforcement.
10. Third-Party AI Model Providers
Elbetron's AI Assistant is powered by one or more large language model (LLM) providers. We may utilize AI infrastructure from providers such as leading cloud AI platforms, subject to the following conditions:
- (a) All third-party AI providers are contractually bound to process your data only for the purpose of providing the AI inference service and are prohibited from using it for model training, marketing, or any other purpose without your explicit consent.
- (b) We conduct due diligence on all AI providers to verify their compliance with applicable data protection laws, including GDPR (for European users) and Saudi Arabia's PDPL.
- (c) The names of our current AI model providers are disclosed in our publicly available vendor transparency register, which is updated quarterly.
- (d) We will notify you of any change to our primary AI model provider that may materially affect how your data is processed, with a minimum of 30 days' advance notice.
- (e) All data shared with AI model providers is minimized, pseudonymized where possible, and subject to strict contractual confidentiality obligations.
11. Security Measures
We employ multiple layers of technical and organizational security measures to protect your AI interaction data:
- End-to-End Encryption: All communications between your device and our AI services are encrypted using TLS 1.3, preventing interception in transit.
- Encryption at Rest: All stored data, including logs and session metadata, is encrypted at rest using AES-256.
- Access Controls: Access to AI conversation data is strictly limited to authorized Elbetron personnel on a need-to-know basis, enforced through role-based access controls (RBAC) and multi-factor authentication (MFA).
- Zero Trust Architecture: Our internal infrastructure follows Zero Trust security principles, meaning no internal system or user is automatically trusted without continuous verification.
- Prompt Injection Defense: We have implemented technical controls to detect and prevent prompt injection attacks — attempts by malicious actors to manipulate AI behavior through crafted inputs.
- Regular Security Audits: We conduct quarterly internal security audits and annual third-party penetration testing of our AI infrastructure.
- Vulnerability Management: A dedicated security team monitors for newly discovered vulnerabilities in AI systems and applies patches within defined SLA windows.
- DDoS Protection: Our AI services are protected by distributed denial-of-service (DDoS) mitigation systems.
- Incident Response Plan: We maintain a formally documented incident response plan specifically covering AI data breaches, with defined escalation procedures and notification timelines.
- Employee Training: All Elbetron employees with access to AI systems receive mandatory annual data privacy and security training.
12. Your Rights (Including PDPL Rights)
Depending on your location and applicable law, you have the following rights regarding your personal data processed through our AI services. Saudi Arabian residents have these rights under the PDPL:
- Right to Access: You have the right to request a copy of the personal data we hold about your AI interactions, including session metadata and, where retained, conversation history.
- Right to Correction (Rectification): You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
- Right to Deletion (Erasure): You have the right to request permanent deletion of your personal data, including all stored AI conversation history, session metadata, and account data. We will fulfill verified deletion requests within 30 days.
- Right to Restrict Processing: You have the right to request that we restrict processing of your personal data while a dispute about its accuracy or legality is being resolved.
- Right to Data Portability: Where technically feasible, you have the right to receive your personal data (including AI conversation history, if enabled) in a structured, machine-readable format such as JSON or CSV.
- Right to Object: You have the right to object to processing of your personal data for purposes of direct marketing, profiling, or any processing based on legitimate interests.
- Right to Withdraw Consent: Where our processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right Not to Be Subject to Solely Automated Decisions: If we make any decisions that significantly affect you based solely on automated AI processing, you have the right to request human review of such decisions.
- Right to Lodge a Complaint: If you are a Saudi Arabian resident and believe your PDPL rights have been violated, you have the right to lodge a complaint with the National Data Management Office (NDMO).
To exercise any of the above rights, please submit a request via email to global.business@elbetron.com with the subject line 'AI Data Rights Request'. We will verify your identity before processing your request and will respond within 15 business days. Identity verification is required to protect your data from unauthorized access.
13. Consent & Withdrawal
Your use of the AI Assistant constitutes your consent to the data practices described in this policy for the purposes of delivering the AI service. Where additional, optional AI features require processing of data beyond what is necessary for core service delivery (such as enabling conversation history, enabling voice memory, or opting into AI model improvement programs), we will obtain your explicit, freely given, specific, and informed consent before enabling those features. You may withdraw your consent for optional features at any time by toggling them off in the AI Assistant settings or by submitting a withdrawal request to global.business@elbetron.com. Withdrawal of consent for optional features will not affect the availability of core AI Assistant functionality. If you withdraw consent for all AI data processing, you will need to discontinue use of the AI Services, as some level of data processing is technically necessary to operate the service.
14. Data Breach Notification
In the event of a personal data breach affecting your AI interaction data, Elbetron will:
- (a) Contain the breach and begin internal investigation immediately upon discovery.
- (b) Notify the National Data Management Office (NDMO) within 72 hours of becoming aware of the breach, in accordance with PDPL Article 20, where the breach is likely to result in harm to individuals.
- (c) Notify affected users as soon as reasonably practicable after notifying the NDMO — and in any event within 72 hours of the notification to the NDMO — if the breach is likely to result in a high risk to their rights or interests.
- (d) Our breach notification to you will include: a description of the nature of the breach, the categories and approximate number of records affected, the likely consequences of the breach, the measures we have taken or propose to take to address the breach, and the contact details of our Data Protection Officer.
- (e) We will maintain a formal record of all data breaches, including those not reported to the NDMO, as required by PDPL.
15. AI Services & Minors
Our AI Assistant services are intended for use by individuals who are 18 years of age or older. We do not knowingly collect personal data from children under 18 years of age through our AI Services. If you are a parent or guardian and believe your child has interacted with our AI Assistant and provided personal data without your consent, please contact us immediately at global.business@elbetron.com with the subject line 'Minor Data Removal Request'. We will promptly investigate and delete any data related to minors upon verified notification. We have implemented technical age-verification prompts during account registration; however, we acknowledge that determined users may misrepresent their age, and we rely on parents and guardians to supervise minors' internet use.
16. Changes to This AI Privacy Policy
We may update this AI Privacy Policy from time to time to reflect changes in our AI services, applicable laws, or industry best practices. When we make material changes, we will:
- (a) Post the updated policy on this page with a revised 'Last Updated' date.
- (b) Send an in-app notification or email to registered users at least 15 days before material changes take effect.
- (c) Where required by law (such as changes affecting how we process sensitive data or how we share data with third parties), we will seek your renewed consent before the new practices take effect.
Your continued use of the AI Services after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the updated policy, you should discontinue use of the AI Services and request deletion of your data before the effective date.
17. Contact Us & Data Protection Officer
For any questions, concerns, or requests related to this AI Privacy Policy or to exercise your data rights, please contact us through any of the following channels:
- Email (General Privacy): global.business@elbetron.com
- Subject Line for AI Policy Queries: 'AI Privacy Policy Inquiry'
- Data Rights Requests (Access, Deletion, Correction): global.business@elbetron.com with subject 'AI Data Rights Request'
- Data Breach Reports (urgent): global.business@elbetron.com with subject 'URGENT: Data Breach Report'
- Postal Address: Elbetron Technologies, Kingdom of Saudi Arabia
- Website Contact Form: Available on the Contact page of our website
- NDMO (Saudi National Data Management Office) – for escalated complaints: www.ndmo.gov.sa