
Privacy Policy

Version 2026-05-22 · Last updated 22 May 2026

This page is a starter template. The operator deploying NextEAM is responsible for replacing this copy with their actual Privacy Policy, reviewed against PDPL and any local jurisdiction-specific privacy laws, before commercial launch.

1. What we collect

We collect the information you provide when you create a workspace or accept an invitation (name, email, role) plus the operational records you store in the product (assets, work orders, attachments). We do not collect biometric or sensitive financial data.

2. Lawful basis

We process your personal data under the consent you give when you accept these terms. Tenant administrators may additionally process personal data under the legitimate interest of operating their organisation.

3. Your rights under PDPL

4. Data residency

Each operator chooses the hosting region. KSA-resident deployments keep all workspace data inside Saudi Arabia.

5. Sub-processors

We use the following sub-processors to deliver NextEAM. Each processes personal data only on our documented instructions and is bound by a data-processing agreement covering confidentiality, security, and breach-notification obligations consistent with PDPL Art. 17:

| Sub-processor | Purpose | Region |
|---|---|---|
| Alibaba Cloud (Aliyun) | Compute, storage, managed database (primary infrastructure) | Riyadh, KSA |
| Microsoft 365 / Exchange Online | Transactional email delivery (invitations, password resets, system notifications) | EU / global Microsoft regions |
| Anthropic, OpenAI | AI features (optional per tenant; PII-masked prompts) | USA |

For the broader compliance posture and procurement artifacts, see our trust and security page. The current sub-processor list is published with the Data Processing Agreement and is available on request via dpo@nexteam.me. We notify tenant administrators 30 days before adding or replacing any sub-processor that processes personal data on behalf of customer workspaces.

5a. Data Processing Agreement (DPA)

We publish a Data Processing Agreement aligned to PDPL obligations. The DPA is signed with every paying tenant and is available on request to qualified enterprise prospects. Request a copy via dpo@nexteam.me — we respond within two business days.

6. Breach notification

In the event of a personal data breach we notify the Saudi Data & AI Authority (SDAIA) within 72 hours per PDPL Article 22, and notify affected tenant administrators in the same window. Our internal response procedure follows a documented runbook covering detection, containment, severity classification, regulator and customer notification, and post-incident review.

7. Data Protection Officer

Next Tech Corporation has designated a Data Protection Officer (DPO) responsible for PDPL compliance, data-subject rights handling, and oversight of processing activities.

DPO contact: dpo@nexteam.me · Next Tech Corporation, Riyadh, Kingdom of Saudi Arabia.

The DPO is reachable for data-subject rights requests (access, rectification, deletion, consent withdrawal), questions about how your personal data is processed, and breach disclosures. We aim to respond within 30 days as required by PDPL Art. 4.

8. Contact

For tenant-administrator-routed questions, contact your tenant administrator. For DPO matters, write directly to dpo@nexteam.me.