Your data, kept in the Kingdom.

1Who we are

Σigmix, inc. ("Σigmix", "we", "us" or "our") operates the Σigmix platform — a suite of Arabic‑first, KSA‑sovereign AI tools sold to companies in Saudi Arabia and the wider GCC, directly under the Σigmix brand and through reseller brands on their own domains. We are based in Riyadh, Kingdom of Saudi Arabia, and act as the merchant of record and data controller for the account information described in this policy.

For any privacy question, request or complaint, contact us at contact@sigmix.ai.

2What we collect

We collect only what we need to provide, secure and bill the service:

• Account details — name, work email, company name, role, and the credentials used to sign in. For paid accounts we also hold billing and tax details (such as company VAT/CR identifiers and invoice addresses) needed to issue ZATCA‑compliant invoices.
• Usage and telemetry — records of how the service is used: tools opened, actions taken, credit reservations and settlements, API requests, timestamps, device and browser type, approximate location derived from IP, and diagnostic logs used to keep the platform reliable and secure.
• Content you submit — the prompts, files, recipient lists, survey responses and other inputs you provide to a tool, together with the outputs it returns. This is processed to deliver the feature you asked for.
• Cookies and similar technologies — small identifiers stored in your browser to keep you signed in and to understand aggregate usage (see section 3).
• Support communications — the messages, attachments and contact details you share when you email us or use in‑product support, kept so we can help you and improve the service.

3Analytics & cookies

We use a small number of cookies and similar technologies, in two categories:

• Essential cookies — required for the platform to work: keeping you authenticated, maintaining your session and remembering basic preferences such as language and currency. These cannot be switched off without breaking the service.
• Analytics cookies — used to understand how the site and tools are used so we can improve them. We use Google Analytics (GA4) for aggregate web analytics, alongside our own first‑party analytics that runs on our in‑Kingdom infrastructure. Analytics data is used in aggregate to measure traffic, performance and conversion — not to build advertising profiles, and we do not sell it.

You can manage or block cookies through your browser settings. Blocking analytics cookies will not stop you from using the platform; blocking essential cookies will.

4How we use your data

We use personal data to:

• Provide, operate and maintain the platform and the specific tools you use.
• Authenticate you, manage your account, seats and entitlements, and enforce usage caps and rate limits consistently across every surface.
• Reserve and settle usage credits, process purchases, and issue tax‑compliant invoices and receipts.
• Keep the service secure — detecting, preventing and investigating abuse, fraud and security incidents.
• Provide support and respond to your requests.
• Understand and improve how the platform is used, and develop new features.
• Send service and transactional messages, and — where permitted — relevant product updates you can opt out of at any time.
• Meet our legal, tax and regulatory obligations.

We rely on the lawful bases recognised under the PDPL, including performance of our contract with you, our legitimate business interests, your consent where required (for example, optional analytics or marketing), and compliance with legal obligations.

5Data residency

Σigmix is sovereign by design. The platform core and customer data are hosted on infrastructure inside the Kingdom of Saudi Arabia. For sovereign workloads, your data — including the content you submit and the outputs generated — stays in‑Kingdom at rest and in transit, and inference runs on in‑Kingdom endpoints.

Some capabilities are offered on a clearly labelled Global tier that uses non‑resident infrastructure. This is never a default: it is opted into per tenant, with the residency trade‑off shown in the product, and a sovereign tool never silently falls through to a non‑resident provider.

6Sharing & disclosure

We do not sell your personal data. We share it only in the limited circumstances below:

• Service providers (processors) — a small set of vetted vendors who help us run the platform (for example, cloud hosting, payment processing, our certified ZATCA invoicing provider, email delivery and analytics). They act only on our instructions, under contract, and only to the extent needed to perform their service.
• Resellers and partners — where you access Σigmix through a white‑label partner brand, that partner may receive the account and usage information needed to administer and bill your account.
• Legal and safety — where we are required by applicable law, regulation or valid legal process, or to protect the rights, property or safety of Σigmix, our customers or the public.
• Business transfers — in connection with a merger, acquisition or sale of assets, subject to the protections in this policy.

7Security

We protect your data with controls that are part of the platform, not bolted on:

• Encryption — data is encrypted in transit (TLS) and at rest, including backups.
• Tenant isolation — every tenant is fenced at two layers at once: database Row‑Level Security and application‑level company filtering, with per‑transaction tenant context. No path bypasses both.
• Least privilege — access to systems and data is restricted on a need‑to‑know basis, using non‑superuser roles and scoped, rotatable credentials that are never stored in plaintext.
• Auditability — actions and money events are logged to support monitoring and investigation.

No method of transmission or storage is perfectly secure, but we work continuously to protect your data and to respond promptly if an issue arises.

8Your rights under the PDPL

Subject to the conditions and exceptions in Saudi Arabia's Personal Data Protection Law, you have the right to:

• Access — be informed about, and obtain a copy of, the personal data we hold about you.
• Correction — ask us to correct data that is inaccurate, incomplete or out of date.
• Deletion — ask us to delete your personal data where it is no longer needed or where you withdraw consent, subject to our legal and record‑keeping obligations.
• Objection & withdrawal of consent — object to certain processing and withdraw any consent you previously gave, without affecting processing already carried out.

To exercise any of these rights, email contact@sigmix.ai. We will verify your identity and respond within the timeframes required by applicable law. If you have an unresolved concern, you may also contact the competent Saudi data protection authority.

9Retention

We keep personal data only for as long as it is needed for the purposes set out in this policy, and then delete or anonymise it. Account and content data is retained while your account is active and for a reasonable period afterwards. Billing, tax and invoicing records are kept for the longer periods required by Saudi tax and commercial law. Financial ledgers reference opaque account identifiers, so personal data can be scrubbed on request without breaking the integrity of those records.

10International transfers

For sovereign workloads, your data is processed inside the Kingdom and is not transferred abroad. Where you opt a tenant into the Global tier, or where a limited processor operates outside the Kingdom, any transfer is made only in line with the PDPL and with appropriate safeguards in place to protect your data.

11Children

Σigmix is a business platform intended for use by organisations and is not directed at children. The service is not intended for anyone under the age of 18, and we do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us so we can remove it.

12Changes to this policy

We may update this policy from time to time to reflect changes to the service, our practices or the law. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the platform or by email. Your continued use of the service after an update means you accept the revised policy.

13Contact us

If you have any questions about this policy or how we handle your personal data, contact us at contact@sigmix.ai.