Privacy Policy
How HAiCapita, an Egypt-based controller serving the MENA region, collects, uses and protects personal data — aligned with GDPR, Egypt’s PDPL and Saudi Arabia’s PDPL.
Note: this document contains substantive, real content but is pending final legal-counsel review. For a legally binding agreement, please contact us.
1. Controller and scope
HAiCapita, established in the Arab Republic of Egypt, is the controller of the personal data described here when you visit our websites or hold a HAiCapita account. When we process personal data inside your workspace on your instructions (for example employees you enrol in HAiPhish or HAiLms), your organisation is the controller and we are the processor under our Data Processing Addendum.
2. Data we collect
When you register or use the platform, we collect:
- Account and contact data: your name, work email, organisation name and the jurisdiction you select at sign-up, plus authentication identifiers managed by our identity provider (Keycloak).
- Verification data: one-time codes sent to your email (and optionally SMS) to confirm ownership; only a salted digest of each code is stored, never the code itself.
- Usage and device data: log and audit metadata generated as you operate the platform — actions taken, timestamps, and a device fingerprint used only to enforce one trial per device.
- Workspace content: the governance, risk, compliance, training and simulation records you create — held under your organisation’s control as Customer Data.
3. Why we process it, and our lawful basis
- To provide and secure the Services and your account — performance of our contract with you.
- To verify identity and prevent abuse (one-time codes, trial-device checks) — our legitimate interests in protecting the platform.
- To send essential service and security communications — performance of our contract and legitimate interests.
- To meet legal, regulatory and audit obligations — compliance with a legal obligation.
- Any non-essential analytics or cookies — only with your consent, which you can withdraw at any time.
4. Where your data lives
Structured records are stored in our own PostgreSQL databases, and files and objects in our own MinIO object storage — both operated by HAiCapita, not a third-party storage cloud. Data is encrypted in transit (TLS) and at rest. We host with MENA-region data residency for our managed service, and we offer a fully air-gapped, on-premises deployment for customers who must keep all data inside their own infrastructure.
5. Sub-processors
We keep the list of third parties that process personal data on our behalf deliberately small. For our managed service these are:
- SendGrid (Twilio): transactional email delivery — verification codes and essential service notices. SendGrid processes the recipient address and message routing data only.
- Cloudflare: network edge, DNS and secure tunnel that fronts our service — it processes connection metadata to route and protect traffic. It is not used as a data store.
Air-gapped on-premises deployments use no external sub-processors. We notify customers of material changes to this list before they take effect.
6. Retention
We keep account data for as long as your account is active and for a limited period afterwards to meet legal and audit obligations, then delete or anonymise it. Verification codes expire within minutes. Audit records are written to a tamper-evident, hash-chained log and retained for the period your compliance obligations require. You can request export or deletion at any time.
7. Your data-subject rights
Depending on where you are, you have rights under the EU/UK GDPR, Egypt’s Personal Data Protection Law (Law No. 151 of 2020) and Saudi Arabia’s Personal Data Protection Law. These broadly include the right to:
- access the personal data we hold about you and obtain a copy;
- correct inaccurate data and complete incomplete data;
- request erasure (subject to legal-hold and retention rules);
- object to or restrict certain processing, and withdraw consent for consent-based processing;
- obtain data portability, and lodge a complaint with your supervisory authority.
To exercise any right, email [email protected]. If your data sits inside an organisation’s workspace, we may direct your request to that organisation as the controller and assist them in responding. We aim to respond within the timeframe the applicable law requires (commonly 30 days).
8. How we protect data
We apply encryption in transit and at rest, role-based access control, multi-factor authentication for administrators, network isolation behind Cloudflare, and a tamper-evident audit trail. Our current security posture is self-assessed and we are working towards external certification — see our Trust page for an honest, up-to-date account. In the event of a personal-data breach that is likely to affect you, we will notify the relevant controller and, where we are the controller, affected individuals and authorities without undue delay and within the timeframes the law requires.
9. Cookies
We use strictly necessary cookies to keep you signed in and the site working. Non-essential cookies are only set with your consent, captured through the cookie banner. See our Cookie Policy for details and how to change your choice.
10. Changes and contact
We may update this policy as our practices or the law evolve, and will revise the date above. For privacy questions, or to reach our data-protection contact, email [email protected] — HAiCapita, Egypt.