Legal
Privacy Policy
Last updated: 19 May 2026
Translations below are provided for convenience. The English and Arabic registered versions prevail.
Data controller: Digital Intelligence Office For Research and Development — Unified No. 7053228958 — Al-Khobar, Saudi Arabia — Contact: hello@digi.sa
NDGP registration: 3260006269 — verified Data Controller with the Saudi Data & AI Authority (SDAIA).
This policy explains how we collect, process, and protect your data when you use Story-Weaver (the "Service"). We comply with the Saudi Personal Data Protection Law (PDPL, Royal Decree M/19) and its implementing regulations, and with the requirements of the Saudi Data & AI Authority (SDAIA).
1. Data we collect
Account data
When you create an account we collect your email address, an optional display name, and a hashed password (we never see or store the plain text). We do not collect your phone number, postal address, or any government identifier.
Reading data
As you use the Service, we store your reading progress (which story you're on, which scene you last viewed), your favourites, and your language and theme preferences. This is how the app picks up where you left off.
Support & subscriptions
If you submit a support ticket we store the subject and body so an admin can reply. If you subscribe to launch updates we store your email and an unsubscribe token. Both are deleted on request.
Payment data (when payments go live)
Card data is processed directly by a payment gateway licensed by the Saudi Central Bank (SAMA). Your full banking details never pass through Story-Weaver's servers. We retain only the transaction ID, amount, and status for invoicing.
Usage data
We collect aggregated, anonymised usage data (pages visited, features used, error logs) to improve the Service. We do not use advertising trackers or third-party marketing cookies.
2. What we do not collect
- We do not collect user-supplied photos of any kind. Story illustrations are created in advance by our content team and stored in the catalogue.
- We do not collect data from or about children. Accounts are created and used by adults aged 18+. The Service does not include child profiles, child photo uploads, or any feature that processes a child's personal data.
- We do not collect precise location, device fingerprints, or advertising identifiers.
- We do not profile users for resale or share data with ad networks.
3. Purposes and legal basis
- Providing and improving the personalised story service (explicit consent).
- Processing payments and issuing invoices, when payments go live (contract performance).
- Sending account-related notices (contract performance).
- Complying with Saudi laws and ZATCA e-invoicing requirements when applicable (legal obligation).
4. Service providers and processing locations
To operate the Service we rely on the following categories of certified data processors under binding data-processing agreements:
- Cloudflare — hosting, edge runtime (Workers/Pages), D1 database, R2 object storage, CDN, DDoS protection. Processing in the EU-East region; CDN edges are multi-region.
- Apple & Google — in-app purchases on iOS and Android (when payments go live). We receive a transaction confirmation only.
- Moyasar — SAMA-licensed payment gateway for web card payments in Saudi Arabia (when payments go live).
- ZATCA-approved e-invoicing — for tax-compliant invoices (Saudi Arabia, when payments go live).
- (Optional) Telegram — only the title and body of public announcements we choose to broadcast. No subscriber list or user data is shared.
Note: Story illustrations and narration audio are produced in advance by our internal content pipeline. Personal data from user accounts is not sent to third-party AI providers.
You have the right to request a specific list of the named data processors handling your personal data. Contact hello@digi.sa.
5. Security
We apply industry-standard controls: TLS 1.3 in transit, encryption at rest, strict row-level isolation in our database, hashed passwords (PBKDF2), and audited access controls on the admin interface.
6. Data retention
- Account data: retained as long as your account is active.
- Reading progress and favourites: retained as long as your account is active. Deleted with the account.
- Support tickets: retained for up to 2 years after resolution for legal records, then deleted.
- Email subscriptions: retained until you unsubscribe (one-click link in every email when email is wired) or request deletion.
- Billing and payment records (when payments are live): retained for the period required by Saudi accounting and tax regulations (typically 10 years), with unnecessary personal data removed.
- Account deletion: when you request deletion, your account is marked deleted immediately. After a 14-day grace period for recovery, your email, name, reading progress, favourites, and support history are permanently purged by an automated nightly job.
7. Your PDPL rights
Under the Personal Data Protection Law you have the right to:
- Access your personal data — download everything we hold on your account from the admin or via email request.
- Correct or update it from your account settings.
- Request deletion (subject to legal limits for billing records).
- Object to or restrict processing.
- Withdraw consent at any time.
- Lodge a complaint with the competent authority (SDAIA) if you believe your rights have been infringed.
To exercise any of these rights, open a support ticket at /support with the subject "Data Rights Request", or download your data from Account → My data. We respond within 30 days.
8. Cookies
We use only essential cookies (login session, language and UI preferences). We do not use advertising trackers or third-party marketing cookies. See our Cookie Policyfor the full list.
9. Policy updates
We will notify you of any material changes at least 30 days before they take effect, by email.
10. Contact
For any inquiry or complaint, open a support ticket at /support. For formal data-rights requests, include "Data Rights Request" in the ticket subject.