KSA Compliance

Trust & Privacy

Buyu Marketplace operates under the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia and complies with ZATCA's electronic invoicing and 6-year retention requirements. This page summarises exactly how we collect, retain, minimise, and delete your data — and how you can exercise your rights.

1. Data Retention Tiers

Every entity in our system follows a documented lifecycle: HOT → COLD → PURGED. Hot rows live in our live database; cold rows are encrypted and offloaded to object storage; purged rows are deleted entirely. Thresholds below are the current live policy values and may be tightened (never extended) for individual tenants.

Entity            Hot (days)   Cold (years)   Purge (years)
carrier_invoice   730 days     6 years        7 years
order             365 days     6 years        7 years
shipment          365 days     3 years        4 years
pod_attachment    365 days     6 years        7 years
customer_pii      365 days     1 year         2 years

Tax-bound entities (orders, invoices, PODs) follow ZATCA's 6-year floor. Operational data (shipments) and customer PII are minimised faster per PDPL Article 18.

2. Your Rights Under PDPL

Article 16
Right to access

Download a complete copy of your personal and commercial data — profile, orders, shipments, and POD photos — as a single ZIP archive.

Article 17
Right to erasure

Close your account at any time. We strip your name, email, and phone from active systems immediately. Commercial transaction records are retained for the 6-year ZATCA window per legal obligation.

Article 16
Right to rectification

Update incorrect personal data from your profile settings at any time. Tax-relevant edits are versioned so we can prove the historical record to auditors.

Article 24
Right to object

Opt out of marketing communications anytime from your notification preferences. Transactional emails tied to ZATCA-mandated invoices cannot be opted out of while you hold an active account.

3. Self-Serve Privacy Tools

Take control of your data

Buyer/seller accounts can export their data and close their account directly — no support ticket required.

  • Export ZIP — profile, orders, shipments, POD photos
  • Close account — soft-close (PII stripped, sign-in revoked) with obligations pre-flight check
  • Auto-archive after 365-day inactivity, with email warnings at T-30 and T-7

4. ZATCA & Commercial Records

Buyu Marketplace LLC is a registered VAT taxpayer in the Kingdom of Saudi Arabia. ZATCA (the Zakat, Tax and Customs Authority) requires us to retain tax-relevant records for a minimum of 6 years from the date of the transaction. This includes:

  • Tax invoices (B2B carrier-commission invoices, marketplace fees)
  • Order records (line items, totals, VAT amounts)
  • Proof-of-delivery attachments tied to a tax event
  • Audit trails of FATOORA submissions to ZATCA Phase-2

When you close your account, your personal identifiers are removed but a masked record stays in our ledger so auditors can reconcile transactions to a known counterparty.

5. Security Posture

Encryption

TLS 1.3 in transit; AES-256 at rest. PII fields hashed with SHA-256 when minimised.

Access control

Role-based access (RBAC) with super-admin / admin / platform-admin tiers. Optional MFA. Tenant predicates on every query.

Audit trails

All access, edits, archives, and purges land in append-only audit logs retained for 6 years.

6. Contact our DPO

Data Protection Officer
Buyu Marketplace LLC
King Fahd Road, Olaya District, Riyadh 12211, Saudi Arabia
VAT 300000000000003 · CR 1010000000

We will respond to PDPL access / erasure / objection requests within 30 calendar days. You also have the right to file a complaint with SDAIA (the Saudi Data & AI Authority).

Last updated: 2026-07-04 · Document version 1.0
