Privacy policy.
Last updated: June 15, 2026. This policy explains how Yexa Pro collects, processes, and protects your personal data when you use our website and platform.
1. Introduction and scope
Yexa Pro («we», «us») is a WhatsApp Business SaaS platform for GCC markets. We are committed to protecting your privacy in accordance with the Saudi Personal Data Protection Law (PDPL) and recognized international standards.
This policy applies to: (a) visitors of yexa.pro and marketing pages; (b) dashboard and application users; (c) end recipients whose data you process through your account — you act as Data Controller and we act as Data Processor on your behalf.
By using the Platform or creating an account, you acknowledge that you have read and understood this policy. If you do not agree, please do not use our services.
2. Data controller and contact
Data Controller for your account and organization data: Yexa Technologies Co. Ltd — Riyadh, Saudi Arabia.
Data Protection Officer: privacy@yexa.pro
For privacy inquiries or to exercise your rights: privacy@yexa.pro — we respond within 30 days as required by PDPL.
3. Legal basis for processing
- Contract performance: delivering the service, subscription management, support, and billing.
- Consent: marketing communications, non-essential cookies, and processing beyond contract scope at your request.
- Legitimate interests: platform security, fraud prevention, aggregated non-identifiable analytics.
- Legal obligation: accounting records, lawful requests from competent authorities.
4. Categories of data we collect
We collect the following depending on how you interact with us:
- Identity & account: full name, email, phone, organization name, job title, password (hashed), optional profile photo.
- Subscription & billing: plan, renewal dates, transaction history, wallet balance — card numbers are not stored (PCI-DSS payment provider).
- Usage & technical: IP address, browser/device type, OS, login logs, pages visited, session IDs, error logs.
- WhatsApp & messaging: conversations, contacts, templates, media, delivery/read status — under your authorization via Meta.
- Communications: support messages, call recordings with consent, survey feedback.
- Recruitment (when applying): CV, LinkedIn, and information you voluntarily provide.
5. Sources of data
- Directly from you during registration, account setup, or contact.
- Automatically via cookies and similar technologies (see Cookie Policy).
- From Meta (WhatsApp Cloud API) when connecting your business number.
- From authorized team members within your organization.
- From trusted service providers (sub-processors) under data processing agreements.
6. Purposes of use
- Platform delivery: inbox, campaigns, automation, AI, analytics, team management.
- Billing, wallet management, and service communications.
- Technical support and user experience improvement.
- Security: breach detection, abuse prevention, identity verification.
- Compliance with Meta/WhatsApp Business policies and regulatory requirements.
- Marketing our services with your consent — opt out anytime.
- Research and development using aggregated anonymized data.
7. End-user data (your contacts)
When you send messages through your account, recipient data (names, phone numbers, message content) is processed on your behalf. You are responsible for obtaining lawful consent and complying with applicable data protection laws.
We process this data only per your instructions and applicable DPA. We do not use it for our own marketing.
8. Data sharing and disclosure
We do not sell your personal data. We share it only as necessary:
- Meta Platforms, Inc. — WhatsApp Business API messaging.
- Cloud infrastructure providers (e.g. AWS) — secure hosting in the Gulf region where possible.
- Payment processors — subscriptions and wallet top-ups.
- Email and notification providers — transactional and alert messages.
- Legal and audit advisors — under confidentiality obligations.
- Government authorities — when legally required or under binding court order.
- Merger or acquisition — with prior notice and equivalent protection.
9. Sub-processors
We maintain an updated sub-processor list at yexa.pro/security. Enterprise customers receive 30 days notice before adding new sub-processors. All sub-processors are bound by DPAs and contractual security standards.
10. International transfers
Core data is stored and processed in the Gulf region (Saudi Arabia / Bahrain / UAE) per hosting configuration.
Meta/WhatsApp services may require processing outside your region. We rely on contractual safeguards (SCCs), Meta policies, and your implicit consent by using WhatsApp.
For additional international transfers beyond core service scope, we obtain explicit consent or apply SDAIA-approved safeguards.
11. Retention periods
- Account data: subscription period + 90 days after termination (unless earlier deletion requested).
- WhatsApp conversations: per your settings (default 24 months) — reducible or deletable on request.
- Billing records: 10 years per Saudi accounting requirements.
- Security and access logs: 12 months.
- Marketing data: until opt-out or 24 months from last interaction.
- After expiry: secure deletion or anonymization where permitted by law.
12. Security measures
We implement appropriate technical and organizational measures including: encryption in transit (TLS 1.2+) and at rest for sensitive data, multi-tenant isolation, role-based access control (RBAC), 2FA for admin accounts, encrypted backups, continuous monitoring, and periodic penetration testing.
No system is 100% secure. In case of a breach affecting your rights, we notify you and SDAIA within 72 hours per PDPL when notification criteria are met.
13. Your rights under PDPL
To exercise: email privacy@yexa.pro with proof of identity. We may refuse repetitive, unfounded, or privacy-invasive requests.
- Right to be informed about collection and purposes.
- Right of access to your personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure (deletion) subject to legal and contractual obligations.
- Right to restrict processing in cases provided by law.
- Right to data portability in a structured, machine-readable format where applicable.
- Right to object to direct marketing processing.
- Right to withdraw consent at any time without affecting prior lawful processing.
14. Children's privacy
Our services are business-oriented and not directed at anyone under 18. If we learn we collected a child's data without parental consent, we delete it promptly.
15. Cookies and tracking
We use cookies and similar technologies. See our Cookie Policy at /cookies. You can manage preferences in your browser settings.
16. Marketing communications
We may send product updates and offers with your consent. Unsubscribe via email link or by contacting us. Essential service messages (billing, security, account alerts) do not require separate consent.
17. Changes to this policy
We may update this policy for legal or technical changes. Material changes are announced via email or in-app notice 30 days in advance. The «Last updated» date reflects the current version.
18. Complaints and supervisory authority
If unsatisfied with our response, you may file a complaint with the Saudi Data & AI Authority (SDAIA) through official channels.
Direct contact: privacy@yexa.pro | Riyadh, Saudi Arabia