Legal Document

Privacy Policy

Effective Date: 1 July 2025

Legal Entity: شيبان التقنية المحدودة (Shaiban Technology LLC), trading as Sheba


01

Introduction & Who We Are

1.1 This Privacy Policy explains how شيبان التقنية المحدودة (Shaiban Technology LLC), trading as Sheba (“Sheba”, “we”, “us”, or “our”), collects, uses, stores, shares, and protects personal data in connection with our website and services.

1.2 Sheba is a technology company incorporated in Yemen and operating across the Arab region, with its primary legal and commercial activities governed by the laws of the Kingdom of Saudi Arabia. Our registered domain is https://www.shaiban.co.

1.3 We provide AI-powered enterprise software and consulting services, including:

  • ChatSheba — AI-driven CRM on WhatsApp and web
  • Social Sheba — AI marketing assistant, supporting English and Arabic
  • Custom AI Systems — agentic AI, document processing, and ERP integrations
  • Consulting — strategic AI assessments and roadmaps

1.4 This policy applies to:

  • Visitors to shaiban.co
  • Enterprise clients and authorized users of our B2B products
  • End-users whose data is processed through our platforms on behalf of enterprise clients

1.5 If you have questions about this policy or our data practices, contact us at legal@shaiban.space.


02

What Data We Collect

2.1 Website Visitors

  • Contact form submissions: name, email address, company name, phone number (optional), and message content
  • Automatically collected technical data: IP address, browser type and version, operating system, referring URL, pages visited, and session identifiers
  • Cookie data — see Section 11 for full details

2.2 ChatSheba End-Users

  • Conversation content: text of WhatsApp and web-based messages
  • Conversation history and session metadata: timestamps, channel identifiers, and session IDs
  • Customer profile data supplied by the enterprise client: name, account numbers, and purchase history
  • WhatsApp Business API metadata: delivery status indicators and phone number identifiers

Sheba processes this data as a Data Processor on behalf of enterprise clients — see Section 5 for the Controller/Processor distinction.

2.3 Social Sheba Clients

  • Brand assets: logos and visual style guides
  • Tone-of-voice materials: copy briefs and editorial guidelines
  • Marketing materials: existing content samples and advertising copy
  • Authorized user account data: names and email addresses of client team members

2.4 Custom AI System Clients

  • Business documents: contracts, invoices, and operational reports
  • ERP and operational data: employee records, supplier data, and financial transactions — to the extent such records contain personal data
  • Any data provided for the purpose of training or configuring the AI system

For sovereign or on-premise deployments, data remains entirely within the client's own infrastructure. Sheba retains no copies following the conclusion of the engagement.

2.5 Consulting Clients

  • Internal business data: process documentation, organizational charts, and workflow descriptions
  • Contact data of client personnel involved in the engagement: names, job titles, email addresses, and phone numbers

03

How We Collect Data

3.1 Forms and Direct Submissions

  • Website contact form
  • Client onboarding forms
  • Subscription and billing forms
  • Email correspondence initiated by you

3.2 Automatic Collection

  • Cookies and tracking technologies (see Section 11)
  • Server logs: IP address, browser, device type, pages accessed, HTTP response codes, and timestamps
  • Analytics tools such as Google Analytics or equivalent platforms

3.3 Client-Provided Data

  • Customer data fed into ChatSheba through CRM integrations configured by the enterprise client
  • Brand materials uploaded to Social Sheba by authorized client users
  • Documents submitted to Custom AI systems as part of system configuration or operation
  • Information shared directly during consulting engagements

3.4 Third-Party Integrations

When our products connect to the WhatsApp Business API, CRM systems, or ERP platforms, we receive data as necessary to provide the contracted service. The scope of data received is determined by the client's configuration and integration setup.


04

Why We Process Data (Legal Bases)

4.1 Website Contact Form — Purpose: To respond to your inquiry and assess potential collaboration. Legal basis: Your consent (expressed by submitting the form), and our legitimate interest in communicating with prospective clients.

4.2 Website Analytics — Purpose: To understand visitor behavior and improve user experience. Legal basis: Legitimate interest. Where required by applicable law, consent is obtained before setting non-essential cookies.

4.3 ChatSheba End-User Data — Purpose: To power the conversational AI engine — routing messages, generating responses, and maintaining conversation context. Legal basis (as Processor): Contractual obligation under our Data Processing Agreement with the enterprise client who acts as Data Controller.

4.4 Social Sheba — Purpose: To generate AI-assisted content and brand-aligned marketing outputs. Legal basis (as Processor): Contractual performance.

4.5 Custom AI Systems — Purpose: To build, configure, and operate bespoke AI systems as specified in the client agreement. Legal basis (as Processor): Contractual performance and documented client instructions.

4.6 Consulting — Purpose: To conduct AI readiness assessments and provide strategic recommendations. Legal basis: Contractual performance.

4.7 Billing and Payments — Purpose: To process payments, issue invoices, and maintain financial records. Legal basis: Contractual necessity and legal obligation. Financial records are retained for 7 years in accordance with Saudi Arabian accounting and tax law.


05

Data Processor vs. Controller Distinction

5.1 A Data Controller determines the purposes and means of processing personal data. A Data Processor processes personal data on behalf of and under the instructions of a Controller.

5.2 Sheba is the Data Controller for:

  • Data collected through our website (contact forms, analytics, cookies)
  • Data pertaining to our own employees and contractors
  • Authorized user account data for our products

5.3 Sheba is a Data Processor for:

  • ChatSheba end-user conversation data (the enterprise client is the Data Controller)
  • Social Sheba brand and content materials
  • Custom AI System documents and business data
  • Internal business data shared during consulting engagements

5.4 Where Sheba acts as a Data Processor, we enter into a written Data Processing Agreement (DPA) with the enterprise client. The DPA covers:

  • Scope, nature, and purpose of processing
  • Categories of data and data subjects
  • Security obligations and technical safeguards
  • Sub-processor notification and approval procedures
  • Data subject rights request procedures
  • Breach notification timelines
  • Data deletion or return upon termination

To request a DPA, contact legal@shaiban.space.

5.5 Enterprise clients are solely responsible for:

  • Ensuring a valid legal basis for sharing personal data with Sheba
  • Providing required privacy disclosures and obtaining required consents from their end-users
  • Complying with applicable privacy law in their jurisdiction

06

Third Parties We Share Data With

We do not sell personal data.

6.1 Meta / WhatsApp Business API — ChatSheba routes messages through Meta's WhatsApp Business API. Message content and associated metadata are transmitted to Meta's infrastructure as part of service delivery. Enterprise clients should review Meta's applicable data use policies for WhatsApp Business.

6.2 AI Foundation Model Providers (e.g., OpenAI, Anthropic, or equivalent) — Queries and conversation snippets may be passed to foundation model APIs during inference. Sheba is model-agnostic and selects providers based on client requirements and performance. We use API configurations that explicitly prohibit providers from using submitted data for model training.

6.3 Cloud Hosting Providers — AWS, GCP, or Azure, depending on deployment requirements and client preferences. All cloud providers are bound by data processing agreements. Region-specific deployment is available to clients with data residency requirements.

6.4 Analytics Providers — Google Analytics or equivalent. Only aggregated and pseudonymized usage data is shared. No raw personal data is transmitted.

6.5 Payment Processors — Billing information is transmitted to payment processors for secure processing. We do not store full payment card details. Our payment infrastructure adheres to PCI-DSS standards.

6.6 Legal and Regulatory Authorities — We may disclose personal data when required by applicable law, court order, or to protect our legal rights and the safety of others.

6.7 Professional Advisors — Lawyers, accountants, auditors, and insurers, who are contractually bound to confidentiality and receive only the minimum data necessary.

6.8 Business Transfers — In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction, subject to equivalent privacy protections. Affected individuals will be notified as required by law.


07

International Data Transfers

7.1 Data collected through our services may be transferred to and processed in countries outside the country of original collection, including the United States, European Union member states, and countries within the GCC region.

7.2 Safeguards — We implement the following measures to protect data during international transfers:

  • Contractual protections through Data Processing Agreements or Standard Contractual Clauses (SCCs) with sub-processors
  • Sub-processors are selected on the basis of ISO 27001 or SOC 2 certification and the availability of regional data residency options
  • Client-directed data residency is available upon request — contact legal@shaiban.space

7.3 GDPR — Where the General Data Protection Regulation applies, we commit to identifying an appropriate legal basis for all processing activities, honoring data subject rights as described in Section 10, and implementing appropriate transfer mechanisms for data leaving the European Economic Area.

7.4 UAE Clients — Data processing for UAE-based clients is conducted in awareness of the UAE Federal Decree-Law No. 45 of 2021 (PDPL), including its provisions relating to cross-border data transfer controls and data subject rights.


08

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. The following table sets out our specific retention periods by data category.

Data Category | Retention Period
--- | ---
Website Contact Form Data | 24 months from submission, or until deletion is requested. If a commercial relationship develops: 5 years thereafter.
Website Analytics Data | 26 months
ChatSheba Conversation Data | Per client service agreement. Default: 12 months after conversation ends, then deleted or anonymized.
Social Sheba Brand & Content Assets | Duration of service agreement + 90 days post-termination, then permanently deleted.
Custom AI Systems (cloud deployment) | Duration of service agreement + 90 days. Sovereign/on-premise: no copy retained after engagement.
Consulting Internal Business Data | Duration of engagement + 1 year, then deleted or returned to client.
Billing & Financial Records | 7 years (Saudi Arabian accounting and tax law requirement)
Security & Incident Logs | 12 months

09

Security Measures

Technical Measures

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls and multi-factor authentication (MFA) for all internal systems
  • Authenticated and encrypted API connections for all third-party integrations
  • Periodic vulnerability assessments and risk-prioritized patching schedules

Organizational Measures

  • Data minimization: we collect only what is necessary for the specified purpose
  • Privacy and security training for all staff with access to personal data
  • Sub-processor security due diligence and contractual security requirements before onboarding
  • Documented data breach response procedure with notification within legally required timelines

Limitation: No method of electronic storage or transmission is completely secure. While we apply industry-standard safeguards, we cannot guarantee absolute security. If you believe your data has been compromised, please contact us immediately at legal@shaiban.space.


10

Your Rights

The following rights are available to you under the Saudi Arabian Personal Data Protection Law (PDPL) and, where applicable, UAE and EU data protection frameworks. These rights apply to data for which Sheba is the Data Controller. For data processed through B2B products where Sheba acts as a Data Processor, please direct your request to the enterprise client who is the Data Controller.

10.2 Right of Access — You may request confirmation of whether we hold personal data about you and receive a copy of that data.

10.3 Right to Correction — You may request correction of any personal data that is inaccurate, incomplete, or out of date.

10.4 Right to Deletion — You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent, or where processing has been unlawful — unless continued retention is required by law.

10.5 Right to Withdraw Consent — Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

10.6 Right to Object — You may object to processing based on our legitimate interests where your particular situation warrants. We will cease processing unless we can demonstrate compelling legitimate grounds.

10.7 Right to Data Portability — You may request your personal data in a structured, commonly used, machine-readable format where technically feasible and where this right is required by applicable law.

10.8 Right to Complain — You have the right to lodge a complaint with the relevant supervisory authority:

  • Saudi PDPL: Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa
  • UAE: Telecommunications and Digital Government Regulatory Authority (TDRA) at tdra.gov.ae
  • EU/EEA: your local data protection authority

We encourage you to contact us first at legal@shaiban.space so we can address your concern directly.

10.9 How to Submit a Request — Email legal@shaiban.space with your full name, contact information, the right you wish to exercise, and sufficient information to identify the personal data concerned. We will acknowledge your request within 3 business days and respond fully within 30 days. For complex requests, we may extend this period by a further 30 days with prior notice.


11

Cookies Policy

11.1 Cookies are small text files placed on your device by websites you visit. In addition to cookies, we may also use pixel tags and local storage technologies to collect technical and usage data.

11.2 Cookie Types

Strictly Necessary

Essential for the site to function and cannot be disabled. No consent is required. Examples include session authentication tokens, CSRF protection tokens, and load-balancer cookies.

Analytics and Performance

Collect aggregated data about how visitors use the site. Examples: Google Analytics cookies (_ga, _gid, _gat) — may collect IP address (configurable for anonymization), session duration, and pages viewed.

Functional

Remember user choices such as language preference and form auto-fill data to provide a more personalized experience.

Marketing and Targeting

We do not currently deploy marketing or retargeting cookies on our website. If this changes, we will update this policy and obtain consent where required by applicable law.

11.3 Third-Party Cookies — Google Analytics places cookies from the google-analytics.com domain. These are subject to Google's own privacy policy and data use terms, available at policies.google.com.

11.4 Cookie Consent and Opt-Out — On your first visit to our site, a consent banner is displayed for non-essential cookies. You may accept all, reject non-essential cookies, or manage your preferences. You can update your choices at any time via the cookie settings link in the site footer.

You may also control cookies through your browser settings:

  • Chrome: Settings → Privacy and Security → Cookies and other site data
  • Firefox: Preferences → Privacy & Security
  • Safari: Preferences → Privacy
  • Edge: Settings → Privacy, search, and services

Disabling certain cookies may affect the functionality and user experience of our website.

11.5 Do Not Track — Our website does not currently respond to browser-level Do Not Track (DNT) signals. Please use the consent mechanism on our site to control non-essential cookie categories.


12

Children's Data

  • Our products and services are designed exclusively for businesses and adult professionals. We do not knowingly collect personal data from individuals under the age of 18.
  • By submitting a contact form or creating an account, users represent that they are at least 18 years of age.
  • Where ChatSheba is deployed in contexts where minors may interact with the system, the enterprise client — as the Data Controller — is solely responsible for providing appropriate disclosures, obtaining parental or guardian consent, and ensuring compliance with all applicable child data protection laws.
  • If we become aware that we have inadvertently collected personal data from a minor, we will promptly delete it. Please notify us at legal@shaiban.space if you have reason to believe this has occurred.

13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal obligations, or regulatory requirements.

When we make changes, we will:

  • Update the “Last Updated” date at the bottom of this page
  • Post the revised policy at shaiban.co/privacy
  • Provide notice via a site banner or email for any material changes

Material changes include:

  • Collection of a new type of personal data not previously described
  • Sharing data with a new third party not previously disclosed
  • A change in the legal basis for any processing activity
  • A change in retention periods that is to the detriment of data subjects

Continued use of our website or services after a revised policy has been posted constitutes acceptance of the updated terms to the extent permitted by applicable law.

A version history of this policy is available upon request — contact legal@shaiban.space.


14

How to Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please reach us through any of the following:

Legal Entity: شيبان التقنية المحدودة (Shaiban Technology LLC), Yemen

Response times: We will acknowledge your inquiry within 3 business days and aim to resolve it within 30 days or within any shorter timeframe required by applicable law.

Escalation — If your concern is not resolved to your satisfaction, you may escalate to the relevant supervisory authority:

  • Saudi PDPL matters: SDAIA at sdaia.gov.sa
  • UAE matters: TDRA Data Office at tdra.gov.ae
  • EU/EEA matters: your local data protection authority