بيّن
Agents الأسعار الأسئلة الشائعة
Sign In Get Started

Privacy Policy

Effective date: 22 May 2026 Last updated: 22 May 2026

This Privacy Policy describes how BAYYIN AI ("we", "us", "our", "the Service") collects, uses, stores, and shares Personal Data in connection with our AI-assisted consultation platform.

It is drafted to comply with the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree No. (M/19) of 9/2/1443H and its Implementing Regulations, and is intended to be readable by both data subjects and the Saudi Data and AI Authority (SDAIA).


1. Who we are

Field Value
Controller BAYYIN AI
Contact email ask@bayyin.ai
Mailing address —
Data Protection Officer ask@bayyin.ai

If a translation conflict arises, the Arabic version of this policy governs in the Kingdom of Saudi Arabia.


2. What we collect

We collect only what is necessary to deliver the service. Categories of Personal Data we process:

2.1 Account data

  • Full name, email, phone number (optional)
  • Hashed password (never stored or transmitted in plaintext)
  • Tenant association and role
  • Authentication device identifiers (when 2FA is enabled)

2.2 Conversation data

  • Text of messages you exchange with our AI agents
  • Voice audio when you use voice mode — transcribed in real time and persisted as text; the raw audio is not retained beyond the live session unless you explicitly enable session recording
  • Files you upload (PDFs, images, documents) to the knowledge-base or attach to a session
  • Citations and references the agent returns

2.3 Operational data

  • IP address (truncated to the /24 subnet for analytics; full address logged only in security events)
  • Browser user-agent, locale, time zone
  • Pages visited, features used, error events
  • Billing-related cost events (token counts per request) — not the request body

2.4 What we do NOT collect

  • Precise geolocation
  • Biometric identifiers
  • Health data (unless you choose to share it inside a consultation, which then falls under §2.2)
  • Cross-site tracking cookies

3. Why we collect it (lawful basis)

Purpose PDPL basis Plain-language reason
Provide the service Performance of contract You signed up to use the service
Improve the service Legitimate interest Aggregate analytics so we can fix bugs and prioritise features
Send transactional email Performance of contract Password reset, account verification
Comply with law Legal obligation Tax records, court orders, sanctions screening
Detect fraud and abuse Legitimate interest Rate-limiting, anti-spam, account-takeover protection
Marketing Explicit consent (opt-in only) Newsletter, product announcements — you can unsubscribe at any time

We do not sell Personal Data. We do not share it with advertising networks.


4. Who we share it with

We share Personal Data with a short list of sub-processors strictly to deliver the service:

Sub-processor Role Region
OpenAI, L.L.C. Language model + speech-to-text + embeddings USA
ElevenLabs Inc. Voice synthesis USA
LiveKit Inc. Real-time audio room infrastructure USA / global edge
Cloudflare Inc. DNS, CDN, bot protection (Turnstile) Global edge
Amazon Web Services Backup storage of database snapshots KSA region preferred when available
GoDaddy Operating Co. Transactional email (SMTP) USA

Sub-processors are bound by data-processing agreements and may not use your data for their own purposes. The current list is maintained at https://buytwo.care-buddy.ai/legal/sub-processors.

Cross-border data transfers occur because some sub-processors are based outside the Kingdom of Saudi Arabia. We rely on:

  • Adequate-protection assessments where the destination country has been recognised by SDAIA, OR
  • Standard contractual clauses approved by SDAIA between us and the sub-processor.

5. How long we keep it

Data Retention period
Account record Active life of account + 30 days after deletion request
Conversation transcripts 12 months from creation, then aggregated/anonymised
Uploaded files Until you delete them, or 12 months after account deletion
Voice audio Not retained (transcribed and discarded on session end)
Authentication logs 13 months (legal-defence window)
Billing records 5 years (commercial-record obligation under Saudi law)
Backups 14 days rolling

6. Your rights under PDPL

You have the right to:

  • Be informed of how your data is processed (this document)
  • Access the Personal Data we hold about you
  • Correct inaccurate data
  • Request erasure of your data (subject to legal retention requirements; see §5)
  • Withdraw consent for any processing that relied on consent
  • Restrict or object to certain processing
  • Data portability — receive a machine-readable copy of your data
  • Complain to the regulator (SDAIA) if you believe we have failed in our obligations

To exercise any of these rights, email ask@bayyin.ai or use the in-app "Delete my account" flow under Account Settings. We respond within 30 days as required by the Implementing Regulations.


7. How we protect your data

  • TLS 1.2+ for all traffic in transit
  • Per-tenant data isolation enforced at the database query layer
  • Two-factor authentication available to all users and required for admins
  • Passwords hashed with PBKDF2 (ASP.NET Identity v3)
  • API rate limits to prevent abuse and credential stuffing
  • Daily backups, encrypted at rest, retained 14 days
  • Quarterly review of sub-processor list

If we discover a Personal Data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and SDAIA within 72 hours.


8. Cookies and tracking

We use only strictly necessary cookies and first-party analytics cookies (no third-party tracking, no advertising cookies). See our Cookie Notice for the full list.

You can withdraw cookie consent at any time from the banner at the bottom of any page.


9. Children

The service is not directed to children under 13. If you become aware that a child has provided us with Personal Data without parental consent, please contact us and we will delete the account.


10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes (e.g. new sub-processors, new data categories, new lawful basis) will be communicated to active users at least 30 days in advance via email and an in-app banner.


11. Contact

Questions, concerns, or rights requests:

ask@bayyin.ai

If you are not satisfied with our response, you may file a complaint with the Saudi Data and AI Authority via sdaia.gov.sa.

BAYYIN AI — Understand your rights. Make clear decisions. | ❓ Help | Privacy | Terms | Status | Support | © 2026

Cookies on

We use strictly necessary cookies to make the site work, and (optionally) first-party analytics to improve it. No third-party trackers, no advertising cookies. You can change your choice anytime from the Cookie Notice.

Cookie preferences

Choose which cookies you allow. Strictly-necessary ones can't be disabled — without them, the site won't work.