Last Updated: 2025-10-20
# Privacy Policy
**Effective Date:** November 1, 2025
**Last Updated:** October 20, 2025
**Version:** 1.0
---
## Introduction
This Privacy Policy applies to all visitors and users of the cxcoast.com websites, mobile applications, and CXCoast Digital Hub platform (collectively, the "Platform" or "Services"), which are offered by C X Coast Technology Solutions & Consulting W.L.L. and/or any of its affiliates ("CXCoast", "we", "us", or "our").
By accessing or using any part of our Services, you acknowledge that you have been informed of and consent to our practices concerning your personal information and data.
**Company Information:**
C X Coast Technology Solutions & Consulting W.L.L.
Al Raya, Office 51, Building 1025, Road 3621, Seef, Kingdom of Bahrain
Commercial Registration: 183646-1
VAT Number: 220025565100002
---
## Data Protection Officer
For data security matters, modifications, deletions, or additions to your personal data, or any security concerns, please contact our Data Protection Officer at **legal@cxcoast.com**.
---
## What Information We Collect and Why
### Information from Website Visitors
Like most website operators, we collect basic information that web browsers and servers typically make available:
- Browser type and version
- Language preference
- Referring site
- Date and time of each visitor request
- Operating system
- Internet Protocol (IP) addresses (anonymized after 30 days)
**Purpose:** To understand how visitors use our Website, improve our Services, and monitor security.
### Information from Platform Users
#### Account Information
When you create an account:
- Business name and authorized representative name
- Business email address and phone number
- Company details and VAT number (for billing)
- Time zone and language preferences
#### Service Data
When using the Platform, we process:
- Messages and conversations from connected channels (WhatsApp, Telegram, Instagram, Facebook, Email)
- Files and attachments shared through the Platform
- Customer interaction data and conversation history
- Workflow configurations and automation settings
- Catalog and product information you upload
#### Usage Information
We automatically collect:
- Features accessed and usage patterns
- Performance metrics and error reports
- Login times and session duration
- API calls and integration usage
#### Payment Information
Payment processing is handled by Tap Payments, our PCI-DSS compliant payment processor. We store only:
- Payment method type (last 4 digits)
- Billing address and VAT details
- Transaction IDs for reference
**We never store complete credit card numbers, CVV codes, or other sensitive payment details.**
### Information We Do Not Collect
We do not intentionally collect:
- Sensitive personal information (health data, religious beliefs, political opinions, sexual orientation)
- Biometric or genetic data
- Government identification numbers (except VAT for business purposes)
- Information from children under 18 years of age
**Age Restriction:** Our Services are not intended for children under 18. If we learn a user is under 18, we will suspend the account pending age verification and may terminate it if verification is not provided within 30 days.
---
## Legal Basis for Processing Your Information
We process your information based on:
**1. Performance of Contract:** To provide the Services you've subscribed to, process transactions, provide customer support, and fulfill our contractual obligations.
**2. Legitimate Interests:** To:
- Improve and develop our Services
- Ensure platform security and prevent fraud
- Send service-related communications
- Conduct analytics and measure performance
- Protect our legal rights and comply with legal obligations
**3. Consent:** For:
- Marketing communications (you can opt out at any time)
- Non-essential cookies and analytics
- Beta features and optional services
**4. Legal Obligations:** To comply with applicable laws, regulations, legal processes, or governmental requests in Bahrain, Saudi Arabia, and other GCC countries where we operate.
---
## How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Platform
- Process payments and manage subscriptions
- Send transactional emails (account notifications, receipts, alerts)
- Provide customer support and respond to inquiries
- Monitor and analyze usage patterns and trends
- Detect, investigate, and prevent security incidents and fraud
- Comply with legal obligations and enforce our Terms of Service
- Send marketing communications (with your consent; you may opt out)
---
## How We Protect Your Information
### Security Measures
We implement industry-standard security measures designed to protect your information, which may include:
- **Encryption:** AES-256 encryption at rest, TLS 1.3 in transit
- **Access Controls:** Multi-factor authentication, role-based permissions
- **Infrastructure Security:** Firewalls, DDoS protection, VPN isolation
- **Monitoring:** Security monitoring, intrusion detection, automated alerts (subject to availability)
- **Regular Reviews:** Periodic security assessments and testing as determined by our security team
**Important Limitations:**
- Security measures are subject to change based on evolving threats and industry standards
- We cannot guarantee absolute security or prevention of all unauthorized access
- Specific security protocols may be modified without notice to maintain effectiveness
- Third-party security services are subject to their respective terms and availability
### Data Hosting
Your data is hosted on:
- **Primary Infrastructure:** Hostinger servers in EU-Central region (ISO 27001 certified)
- **Backup Storage:** Backblaze B2 in EU-Central region (SOC 2 Type II certified)
- **CDN:** Cloudflare for performance and DDoS protection
### Data Breach Response
In the event of a data breach affecting your personal information, we will:
- Contain and investigate the incident immediately
- Notify affected users without undue delay and in compliance with applicable law (typically within 72 hours where feasible, subject to the nature and complexity of the breach)
- Inform relevant authorities as required by law
- Provide information about the breach impact and our response
- Implement measures to prevent recurrence
**Note:** Notification timelines may vary based on investigation complexity, law enforcement requirements, and the nature of the breach. We prioritize timely communication while ensuring accuracy and compliance with legal obligations.
---
## Sharing Your Information
### Service Providers
We share information only with essential service providers under strict data processing agreements. Current providers include, but are not limited to:
- **Tap Payments:** Payment processing (PCI-DSS Level 1 compliant)
- **Hostinger:** Infrastructure hosting (ISO 27001, SOC 2)
- **Backblaze:** Backup storage (SOC 2 Type II)
- **Cloudflare:** CDN and security services (ISO 27001)
- **WhatsApp Business API:** Message delivery (when you connect WhatsApp)
- **Other Messaging Platforms:** Only when you explicitly connect these services
- **Other service providers:** As necessary to provide, secure, and improve the Platform
**Important:**
- This list may change without notice as we update our infrastructure
- A current list is available at www.cxcoast.com/subprocessors
- All service providers are bound by appropriate data protection agreements
### Legal Disclosure
We may disclose information when:
- Required by valid legal process, court order, or subpoena
- Necessary to protect rights, property, or safety of CXCoast, our users, or the public
- Required to detect, prevent, or address fraud or security issues
- Necessary to enforce our Terms of Service
- Required to comply with law enforcement or government requests
### Business Transfers
If CXCoast is involved in a merger, acquisition, or sale of assets:
- We will provide 30 days' advance notice where feasible
- You can download your data and close your account before transfer
- Any successor must honor this Privacy Policy or obtain your consent to changes
### What We Never Do
We do not:
- Sell or rent your personal information
- Share your data for third-party advertising purposes
- Transfer data without appropriate safeguards
- Use your customer conversation data to train third-party general AI models without explicit consent
---
## International Data Transfers
Your data may be transferred to, processed, or stored in countries other than your country of residence, including but not limited to Bahrain, European Union member states, and other jurisdictions where our service providers operate.
**Data Protection Measures:**
- We implement appropriate safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized transfer mechanisms
- We maintain transfer impact assessments where required
- We select service providers with appropriate data protection commitments
**Important Limitations:**
- Data protection laws vary by jurisdiction and may be less stringent than your local laws
- We cannot control or prevent government access to data in jurisdictions where our servers or service providers operate
- Data localization requirements may change, and we may need to modify data storage locations without notice
- Transfer mechanisms may change based on legal developments
**Your Acceptance:** By using the Platform, you acknowledge and accept that your data may be transferred internationally and processed in countries with different data protection standards.
---
## Your Privacy Rights
Under applicable law (including Bahrain Law No. 30 of 2018 on Personal Data Protection and GDPR), you have the right to:
- **Access:** Obtain a copy of your personal data
- **Rectification:** Correct inaccurate or incomplete data
- **Erasure:** Request deletion ("right to be forgotten")
- **Portability:** Receive your data in a machine-readable format
- **Restriction:** Limit how we process your data
- **Objection:** Object to certain processing activities
- **Withdraw Consent:** Revoke consent at any time (does not affect prior processing)
- **Lodge Complaints:** File complaints with supervisory authorities
### Exercising Your Rights
To exercise your rights:
- **Email:** legal@cxcoast.com
- **Response time:** Within 5 business days
- **Completion:** Within 30 days (may extend up to 60 days for complex requests, with notice)
- **Cost:** Free (reasonable fee may apply for excessive, repetitive, or manifestly unfounded requests)
**Limitations on Rights:**
- Requests must be reasonable in frequency (typically no more than once per quarter for the same request)
- We may require identity verification before processing requests
- We may decline requests that would violate confidentiality obligations, legal restrictions, or rights of others
- Audit rights do not include access to our security measures, source code, or confidential systems
---
## Data Retention
We retain data according to the following schedule:
- **Active Accounts:** As long as your account is active and in good standing
- **After Cancellation:** Up to 12 months or as required by applicable law, regulations, tax obligations, or legal requirements (whichever is longer)
- **Backup Data:** May persist in backup systems for up to 90 days after primary deletion
- **Security Logs:** 90 days or as required by law
- **Financial Records:** As required by tax and financial regulations (typically 7-10 years in the GCC region)
- **Analytics Data:** Anonymized after 30 days, may be retained indefinitely in aggregate form
- **Legal Holds:** As required by law enforcement, litigation, or regulatory requests
**Important Notes:**
- Deletion timelines are estimates and may be extended due to technical, legal, or operational requirements
- Some data may persist in backup systems beyond stated retention periods
- You may request deletion, but we reserve the right to retain data where required by law or legitimate business interests
- Complete deletion from all systems (including backups) may take up to 90 days
- We are not obligated to delete data we are legally required to maintain
---
## Cookies and Tracking
### Types of Cookies We Use
**Essential Cookies:** Required for platform functionality (session management, security). These are automatically enabled.
**Analytics Cookies:** First-party only, to improve our Services:
- Usage patterns and feature adoption
- Performance metrics
- Error tracking
**Marketing Cookies:** Only with your consent:
- Campaign effectiveness
- Conversion tracking
### Managing Cookies
You can:
- Disable cookies in your browser settings
- Use our cookie preference center (if available)
- Opt out of analytics at any time
**Implied Consent:** By continuing to use the Platform after viewing our cookie notice, you consent to essential and analytics cookies. You may withdraw consent at any time.
**Note:** Disabling essential cookies may impact functionality.
### Do Not Track
We respect Do Not Track (DNT) signals and do not track users across third-party websites. We don't permit third-party tracking beyond basic analytics necessary for platform operation.
---
## Communications
### Service Communications (Required)
You will receive:
- Account notifications and security alerts
- Service updates and maintenance notices
- Transaction receipts and billing statements
**These are required for account operation, and you cannot opt out of them.**
### Marketing Communications (Optional)
With your consent, we may send:
- Product updates and newsletters
- Tips and best practices
- Special offers and promotions
**Unsubscribe:** You can opt out at any time by clicking the unsubscribe link in emails or contacting legal@cxcoast.com.
---
## Third-Party Services
When you connect third-party services (WhatsApp, Facebook, Instagram, Telegram, etc.):
- You're subject to their privacy policies
- We access only necessary data for integration functionality
- You can revoke access anytime through Platform settings
- We don't store third-party platform passwords or credentials
**We are not responsible for third-party privacy practices.**
---
## AI and Machine Learning
We may use artificial intelligence and machine learning technologies to enhance the Platform, including:
- Spam and security threat detection
- Response suggestions and automation
- Sentiment analysis and conversation categorization
- Performance optimization and error detection
### Data Usage for AI
**Platform Improvement:** We may use aggregated, anonymized data to improve Platform functionality. This does not include identifiable customer conversation content.
**Security & Compliance:** We may analyze data using AI to detect spam, abuse, security threats, or Terms violations as necessary for platform security.
**Optional AI Features:** When you explicitly enable AI integrations (e.g., OpenAI, Dialogflow), your data may be shared with those providers subject to their terms and your configuration.
**No Training on Your Conversations:** We do not use identifiable customer conversation content to train third-party general-purpose AI models without your explicit consent. However, we may use anonymized, aggregated data for Platform improvement.
### AI Limitations
- We cannot guarantee AI accuracy, completeness, or fitness for any particular purpose
- AI-generated content may be inaccurate, biased, or inappropriate
- You are responsible for reviewing and validating AI-generated outputs
- We are not liable for decisions made based on AI suggestions
- AI features are provided "as-is" without warranties
- We may modify or discontinue AI features at any time
**Your Control:** You control which AI features to enable and may disable them through Platform settings.
---
## Legal Process and Government Requests
We may disclose your information in response to:
- Valid subpoenas, court orders, or warrants
- Government or regulatory requests
- Law enforcement investigations
- Legal obligations under applicable law
**Notice:** We will attempt to notify you of legal requests for your data unless:
- Prohibited by law or court order
- We believe notification would be counterproductive
- The request involves imminent threat to life or safety
- Notice would compromise an investigation
**Cost Reimbursement:** You agree to reimburse us for reasonable costs (including legal fees) incurred in responding to legal process related to your account, unless the request arises from our own misconduct.
---
## Liability Limitations
**Cross-Reference to Terms:** Our liability for privacy-related matters is limited as set forth in our Terms of Service.
**We are not liable for:**
- Data breaches caused by your failure to maintain account security or credential confidentiality
- Third-party data processor failures beyond our reasonable control
- Disclosure required by law or valid legal process
- Privacy violations caused by your misuse of the Platform
- Data loss if you fail to export data before account termination or maintain your own backups
**Maximum Liability:** Our total liability for all privacy-related claims is capped as specified in our Terms of Service.
**User Responsibility:** You are responsible for:
- Maintaining the confidentiality of your credentials
- Implementing appropriate security measures on your end
- Ensuring your use of the Platform complies with applicable privacy laws
- Backing up your data regularly
---
## Changes to This Policy
We may update this Privacy Policy from time to time:
- **Material changes:** 30 days' advance notice via email where feasible
- **Minor changes:** Effective immediately upon posting
- **All changes posted at:** www.cxcoast.com/privacy
- **Continued use after changes constitutes acceptance**
**Your Options:** If you do not agree to material changes, you may terminate your account before the changes take effect.
---
## Contact Information
**Data Protection Officer:**
C X Coast Technology Solutions & Consulting W.L.L.
Attn: Data Protection Officer
Al Raya, Office 51, Building 1025
Road 3621, Seef, Kingdom of Bahrain
**Email:** legal@cxcoast.com
**Phone:** +973 3509 8852
**Website:** www.cxcoast.com
---
## Supervisory Authorities
### Bahrain:
**Personal Data Protection Authority**
Email: info@pdpa.gov.bh
Website: www.pdpa.gov.bh
### For EU Residents:
You may contact your local supervisory authority. A list is available at:
https://edpb.europa.eu/about-edpb/board/members_en
---
## Dispute Resolution
**Individual Disputes Only:** You agree to resolve disputes with CXCoast on an individual basis and waive any right to participate in class actions, class arbitrations, or representative proceedings.
**Arbitration:** Any disputes arising from this Privacy Policy or our data practices shall be resolved through binding arbitration in accordance with the laws of Bahrain, as set forth in our Terms of Service.
---
## Policy Interpretation
**Language Versions:** This Privacy Policy is provided in English, Arabic, and Russian. In case of any discrepancies, the **English version shall prevail**.
**Headings:** Section headings are for convenience only and do not affect interpretation.
**Conflicts:** If any provision conflicts with our Terms of Service, the Terms of Service shall prevail regarding liability, warranties, and dispute resolution.
**Entire Agreement:** This Privacy Policy, together with our Terms of Service, constitutes the entire agreement regarding privacy and data protection and supersedes all prior privacy notices or statements.
**Bahrain PDPL Compliance:** This Privacy Policy complies with Bahrain Law No. 30 of 2018 concerning Personal Data Protection.
---
© 2024-2025 C X Coast Technology Solutions & Consulting W.L.L. All rights reserved.