Privacy Policy

    Effective Date: March 1, 2026 | Last Updated: May 12, 2026

    1. Introduction

    Exomations ("we," "us," or "our") is an enterprise iPaaS (Integration Platform as a Service) for automation and orchestration operated from the Kingdom of Saudi Arabia. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use our platform, website, APIs, and related services (collectively, the "Service").

    This policy is designed to comply with the Saudi Arabia Personal Data Protection Law (PDPL - Royal Decree M/19, issued 9/2/1443H), the European Union General Data Protection Regulation (GDPR - Regulation (EU) 2016/679), and other applicable international data protection regulations.

    By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

    2. Data Controller

    Exomations acts as the Data Controller for personal data collected through the Service. For the purposes of the PDPL and GDPR, the responsible entity is:

    Entity: Exomations

    Location: Kingdom of Saudi Arabia

    Email: privacy@exomations.com

    Data Protection Inquiries: dpo@exomations.com

    3. Personal Data We Collect

    We collect the following categories of personal data:

    3.1 Information You Provide Directly

    • Account Information: Full name, email address, username, organization name, and password (stored in hashed form only).
    • Billing Information: Payment card details are processed and tokenized by our third-party payment processor (PayTabs). We store only the last four digits of your card number and a payment token for recurring billing. We do not store full card numbers.
    • Communication Data: Information you provide when contacting our support team, submitting feedback, or participating in surveys.
    • Connection Credentials: API credentials, authentication tokens, and connection configurations for third-party services you integrate with (e.g., ERP systems, CRM platforms). These are encrypted at rest using enterprise-grade encryption.

    3.2 Information Collected Automatically

    • Usage Data: Flow execution counts, success/failure rates, API call metrics, feature usage patterns, and plan utilization statistics.
    • Technical Data: IP addresses, browser type and version, device type, operating system, access timestamps, referring URLs, and session duration.
    • Audit Logs: Records of user actions within the platform including login attempts, resource creation/modification/deletion, and administrative changes. These logs include user ID, action type, resource affected, IP address, and timestamp.

    3.3 Data Processed on Your Behalf

    When you create and execute automation flows, the Service processes data that passes through your configured workflows (trigger payloads, API responses, transformed data). This data is processed solely for the purpose of executing your flows and is retained according to your plan's data retention period.

    4. Legal Basis for Processing

    We process your personal data on the following legal bases:

    • Contract Performance (PDPL Art. 5, GDPR Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, execute your automation flows, and fulfill our contractual obligations.
    • Consent (PDPL Art. 6, GDPR Art. 6(1)(a)): Where you have provided explicit consent, such as for marketing communications or optional analytics. You may withdraw consent at any time.
    • Legitimate Interest (GDPR Art. 6(1)(f)): Processing necessary for our legitimate business interests, including service improvement, fraud prevention, security monitoring, and platform analytics, where such interests are not overridden by your rights.
    • Legal Obligation (PDPL Art. 5, GDPR Art. 6(1)(c)): Processing required to comply with applicable laws, regulations, or lawful governmental requests, including Saudi tax and commercial regulations.

    5. How We Use Your Data

    We use collected data for the following purposes:

    • To create and manage your account and tenant organization
    • To provide, maintain, operate, and improve the Service
    • To execute automation flows and process workflow data on your behalf
    • To process payments, manage subscriptions, and handle billing operations
    • To enforce plan limits, usage metering, and rate limiting
    • To send transactional communications (account verification, password resets, billing receipts, service notifications)
    • To provide customer support and respond to inquiries
    • To monitor platform security, detect fraud, and prevent unauthorized access
    • To generate anonymized, aggregated analytics for service improvement
    • To comply with legal obligations, regulatory requirements, and lawful government requests
    • To enforce our Terms of Service and protect our rights, property, or safety

    6. Data Security

    We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

    • Encryption at Rest: All sensitive credentials, connection configurations, and API keys are encrypted using enterprise-grade encryption with unique security parameters per value.
    • Encryption in Transit: All data transmitted between your browser and our servers is protected using TLS (Transport Layer Security) encryption.
    • Password Security: User passwords are never stored in plaintext. They are cryptographically hashed using industry-standard one-way hashing algorithms before storage.
    • API Key Security: API keys are displayed only once at creation and stored as cryptographic hashes. They cannot be recovered or viewed after initial generation.
    • Access Controls: Role-based access control (RBAC) with five permission levels ensures that users can only access data and features appropriate to their role.
    • Audit Logging: All significant actions are logged in an immutable, append-only audit trail for security monitoring and compliance purposes.
    • Infrastructure Security: Our infrastructure employs firewalls, intrusion detection, regular security patches, and industry-standard cloud security practices.

    7. Tenant Data Isolation

    Exomations is a multi-tenant platform where each organization (tenant) operates in a logically isolated environment. Every database query, API request, and workflow execution is scoped exclusively to the authenticated tenant. Data belonging to one tenant is never accessible to, shared with, or visible to any other tenant. This isolation extends to connection credentials, flow configurations, execution history, user data, and audit logs.

    8. Data Sharing and Disclosure

    We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:

    • Payment Processors: We share billing information with PayTabs (our payment gateway, headquartered in Saudi Arabia) for payment processing and card tokenization. PayTabs is PCI DSS compliant.
    • Third-Party Integrations (At Your Direction): When you configure connections to external services (ERP systems, CRM platforms, messaging providers), your encrypted credentials are used solely to execute your configured flows. We do not share these credentials with any party other than the service you have explicitly connected to.
    • AI Services: AI-powered features (flow generation, node recommendations, the in-app Co-Pilot, and error diagnosis) are available only inside the authenticated web application — they are not exposed through our public API. When you invoke an AI feature in-app, your prompt and the relevant flow context are sent to our AI service provider (currently OpenAI, accessed through Replit AI Integrations) for processing. We do not include encrypted credentials, payment data, or full execution payloads in AI requests; sensitive values referenced in flow context are redacted before being sent.
    • Legal Requirements: We may disclose personal data if required to do so by law, regulation, legal process, or governmental request, including requests from Saudi Arabian authorities under applicable law.
    • Business Transfers: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections described in this policy.
    • Protection of Rights: We may disclose data when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

    9. Data Residency and International Transfers

    Exomations is operated from the Kingdom of Saudi Arabia and our default posture is to keep tenant data — including account records, flow definitions, connection credentials, execution history, audit logs, and billing records — stored and processed within Saudi Arabia. Payment processing is handled by PayTabs, a Saudi-headquartered, SAMA-licensed gateway. In the limited cases below, data may be transferred to servers or service providers located outside the Kingdom:

    • AI processing services for flow generation features
    • Cloud infrastructure providers for hosting and data redundancy
    • Third-party services you explicitly connect to through the platform

    When personal data is transferred outside the Kingdom of Saudi Arabia, we ensure that appropriate safeguards are in place in accordance with the PDPL (Article 29), including:

    • Verifying that the receiving country provides an adequate level of data protection
    • Implementing standard contractual clauses or equivalent legal mechanisms
    • Ensuring the transfer is necessary for the performance of our contract with you
    • Obtaining your explicit consent where required

    For transfers subject to GDPR, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions as the legal mechanism for cross-border data transfers.

    10. Data Retention

    We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law:

    Data TypeRetention Period
    Account InformationDuration of account + 30 days after deletion request
    Execution History (Starter)7 days
    Execution History (Pro)14 days
    Execution History (Enterprise)30 days
    Audit LogsDuration of account + 1 year
    Billing Records7 years (Saudi commercial law requirement)
    Connection CredentialsUntil connection is deleted by user
    Support Communications2 years after resolution

    Upon account deletion or termination, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes such as fraud prevention or dispute resolution.

    11. Your Rights

    Under the PDPL, GDPR, and other applicable data protection laws, you have the following rights:

    11.1 Rights Under Saudi PDPL

    • Right to Be Informed (Art. 9): You have the right to know what personal data we collect, why we collect it, and how it is processed.
    • Right of Access (Art. 10): You may request access to your personal data that we hold.
    • Right to Correction (Art. 10): You may request correction of inaccurate or incomplete personal data.
    • Right to Destruction (Art. 10): You may request the destruction of your personal data when it is no longer needed for the purpose for which it was collected.
    • Right to Withdraw Consent (Art. 6): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

    11.2 Additional Rights Under GDPR (for EU/EEA Residents)

    • Right to Erasure ("Right to Be Forgotten"): You may request deletion of your personal data under certain circumstances.
    • Right to Restriction of Processing: You may request that we limit the processing of your data in certain situations.
    • Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
    • Right to Object: You may object to the processing of your personal data based on legitimate interests.
    • Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you.
    • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (in the EU/EEA or Saudi Arabia's SDAIA as applicable).

    11.3 Self-Service Data Subject Tools

    Account owners and admins can exercise the most common rights directly from the application without contacting us:

    • Data export (right of access / portability): Request a full export of your tenant's data — including account profile, flows, executions, and audit logs — from the Settings area of the application. The export is delivered as a structured, machine-readable archive.
    • Account & tenant deletion (right to erasure): Initiate deletion of your account and tenant from Settings. Deletion is queued, confirmed by email, and completed within 30 days, subject to the legal retention windows in Section 10.
    • Correction: Update your profile, organization details, and team membership at any time from the Settings pages.

    For rights that cannot be exercised in-app (for example, restriction of processing, objection to legitimate-interest processing, or complaints about the self-service tools themselves), please contact us at privacy@exomations.com. We will respond within 30 days (or sooner if required by applicable law) and may request verification of your identity before acting on your request.

    12. Cookies and Tracking Technologies

    We use essential cookies and local storage to maintain your session, store authentication tokens, and remember your preferences. These are strictly necessary for the Service to function and cannot be disabled.

    We do not use:

    • Third-party advertising cookies
    • Cross-site tracking technologies
    • Social media tracking pixels
    • Third-party analytics services that share data with advertisers

    You can manage cookies through your browser settings. However, disabling essential cookies may prevent the Service from functioning properly.

    13. Children's Privacy

    The Service is not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly. If you believe we have inadvertently collected data from a minor, please contact us at privacy@exomations.com.

    14. Third-Party Links

    The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.

    15. Data Breach Notification

    In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

    • Notify the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware of the breach, as required by the PDPL
    • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights
    • For EU/EEA data subjects, notify the relevant supervisory authority within 72 hours as required by GDPR Article 33
    • Document the breach, its effects, and remedial actions taken

    16. Changes to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website with a revised "Last Updated" date. For significant changes that affect how we process your personal data, we will provide prominent notice through the Service or via email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

    17. Governing Law

    This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the competent courts in the Kingdom of Saudi Arabia. For data subjects in the European Union/European Economic Area, nothing in this policy limits your rights under the GDPR or your ability to bring claims before your local data protection authority or courts.

    18. Contact Us

    If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

    General Privacy Inquiries: privacy@exomations.com

    Data Protection Officer: dpo@exomations.com

    Mailing Address: Exomations, Kingdom of Saudi Arabia

    We aim to respond to all legitimate requests within 30 calendar days. In certain circumstances, it may take us longer if your request is particularly complex or you have made a number of requests, in which case we will notify you and keep you updated.

    This Privacy Policy was last reviewed and updated on May 12, 2026. For the Terms of Service, please visit our Terms of Service page.

    We use cookies to enhance your experience, analyze site traffic, and for security purposes. By continuing to use our platform, you consent to our use of cookies in accordance with our Privacy Policy.