Privacy Policy
v1.0 · Last updated: 2026-05-16 · Index & changelog
This policy explains what Zamala collects about you, why, who we share it with, and what you can do about it. We try to write it in plain language. Where we are required to be precise, we say so.
1. Who runs Zamala
Zamala ("we", "us", "the platform", "the controller") is the operator of this service. Contact: info@zamala.net.
We are based in Germany and serve customers primarily in the Kingdom of Saudi Arabia. EU data protection law (GDPR) applies to our processing operations, and Saudi data protection law (PDPL) applies to our customer relationships.
For requests requiring formal identification of the natural-person or registered-entity data controller (e.g. regulator inquiries, subject-access requests with identity-proof requirements), email info@zamala.net and we will provide the necessary corporate registration details in a direct response.
2. What we collect
When you sign up as a candidate (someone seeking a referral): your name, email, WhatsApp number, the CV you upload, the companies you want a referral to, your current role and years of experience, your expected salary range, your visa or iqama status, and how you heard about us.
When you sign up as a referrer (someone offering paid referrals): your name, corporate email, LinkedIn profile URL, your current employer and role, your tenure, your WhatsApp number, the referral fee you want to charge, your target referral volume, your availability for a verification call, and your consent to our verification process.
When you transact: the amount of money moved, the date, the payment reference, and which other user the transaction relates to. We do not store full card numbers, CVVs, or bank credentials — those are handled by our payment processor (Tap Payments in Phase 2; for Phase 1 manual operations, by your bank and ours).
When you communicate with us: the content of your messages, whether they arrive by email, WhatsApp, or a form.
Automatically: standard server logs (IP address, browser type, page accessed, timestamp) and limited usage analytics via Vercel Analytics. Vercel Analytics is privacy-preserving — it does not use cookies and does not track individuals across sessions.
3. Why we collect it (and our lawful basis)
| Why | Lawful basis |
|---|---|
| Create and manage your account | Performance of a contract (Art. 6(1)(b) GDPR; Art. 6 PDPL) |
| Match candidates to referrers | Performance of a contract |
| Verify referrer identity and employment | Legitimate interest in fraud prevention; performance of contract |
| Process payments and refunds | Performance of a contract; legal obligation (tax, accounting) |
| Send transactional emails (e.g. submission confirmations) | Performance of a contract |
| Send occasional product updates | Consent (you can withdraw at any time) |
| Improve the platform and detect abuse | Legitimate interest |
| Comply with legal obligations (tax records, regulator requests) | Legal obligation |
4. Who we share it with
We use third-party service providers ("processors") to run the platform. Each processor handles only what they need:
| Processor | What they do | Where they process |
|---|---|---|
| Vercel | Hosts the website | United States (EU data residency available) |
| Tally | Captures form submissions | European Union |
| Airtable | Phase 1 operations database | United States |
| Supabase | Phase 2 application database | European Union |
| Stripe | Phase 2 payment processing + identity verification | Ireland (EU) for processing; global |
| Resend (or equivalent) | Sends transactional email | European Union / United States |
| Vercel Analytics | Privacy-preserving usage analytics | European Union |
We do not sell your data to anyone. We do not share it for advertising purposes.
Referrer profile visibility. Each referrer chooses their own visibility level (Tier 1 fully anonymous → Tier 4 fully identified). When candidates browse the marketplace, they see only what each referrer has chosen to display. Names, photos, and LinkedIn URLs appear only for referrers who have explicitly opted in to higher visibility tiers. The default is Tier 2 (employer + role visible, name/photo/LinkedIn hidden). See our Terms for the full tier definitions.
5. Cross-border data transfers
Some of our processors are based outside your country. Where we transfer personal data outside the EU/EEA or KSA, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses, or the equivalent mechanism recognized under PDPL — to ensure your data is protected to a level equivalent to local law.
We are happy to provide more detail on the specific safeguards for any processor on request. Contact us at info@zamala.net.
6. How long we keep it
| Data | Retention |
|---|---|
| Active accounts | While the account is active |
| Inactive accounts | 24 months from last activity, then deleted or anonymized |
| Completed transactions | 7 years from completion (Saudi commercial-records obligation) |
| Disputed transactions | Indefinitely, while the dispute is unresolved, plus 7 years after resolution |
| Marketing-consent records | Until you withdraw consent + 12 months for proof of withdrawal |
| Server logs | 90 days |
If you ask us to delete your data, we will delete what we are legally allowed to delete. We may keep what we are legally obliged to retain (e.g., transaction records for tax purposes).
7. Your rights
You have the right to:
- Access the data we hold about you, and get a copy of it.
- Correct data that is wrong or incomplete.
- Delete your data, subject to our legal retention obligations.
- Restrict how we process your data.
- Port your data to another provider in a structured, machine-readable format.
- Withdraw consent for any processing based on consent, at any time.
- Object to processing based on legitimate interest.
- Lodge a complaint with a data protection authority — the data protection regulator in the country where you live, or the Saudi Data and AI Authority (SDAIA) if you are in KSA.
To exercise any of these, email info@zamala.net. We respond within 30 days. We will not charge you, except in the very rare case where a request is manifestly unfounded or repetitive — and we will explain ourselves before doing so.
8. How we protect your data
We use industry-standard security measures: HTTPS everywhere, encrypted storage with our database providers, two-factor authentication on admin accounts, principle of least privilege for who can see what.
No system is perfectly secure. If there is a personal data breach that risks your rights and freedoms, we will notify you and the relevant regulator within 72 hours of becoming aware of it.
9. Cookies
The landing site at zamala.net does not use tracking cookies. Vercel Analytics — the only analytics tool we use today — works without cookies. If we add anything that requires cookie consent in the future, we will update this policy and show you a cookie banner.
The Phase 2 application will use a session cookie to keep you logged in. That is a strictly-necessary cookie and does not require consent.
10. Children
Zamala is for adults — you must be 18 or older to create an account. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, please tell us at info@zamala.net and we will delete the account.
11. Changes to this policy
We will post updates to this page. Material changes will also be sent to your email if we have one. The "Last updated" line at the top tells you when the current version was published. Older versions are kept in the GitHub repository for transparency.
12. Contact us
- Email: info@zamala.net
- WhatsApp: per the number shown in the website footer
- Postal: a registered business postal address will be added once one is established
Changelog
- v1.0 (2026-05-16): Promoted from v0.1 to operational policy. Founder elected to proceed without engaging independent legal counsel at this stage; recommended future-review items captured in README.
- v0.1 (2026-05-16): Initial draft.