Privacy Policy

Last Updated: April 2026

Iltizam ("we", "our", "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and the rights you have over your information. It reflects all platform controls as of April 2026.

1. Information We Collect

We collect information you provide directly when you register, create a company profile, add employees, or contact us. This includes company name, VAT numbers, employee nationality data, iqama numbers, and contact details. We also automatically collect log data such as IP addresses, browser type, and usage timestamps.

2. How We Use Your Data

Your data is used exclusively to provide the Iltizam compliance management service. We use it to calculate compliance scores, generate alerts, produce reports, and power the AI Advisor. We do not sell, rent, or share your data with third parties except as described in this policy.

3. Data Security

All sensitive data is encrypted at rest using AES-256-CBC encryption via Laravel Crypt. This includes employee iqama numbers (national IDs), ZATCA credentials, webhook signing secrets, and government portal credentials — none of these are stored in plaintext. Passwords are hashed using bcrypt (cost 12). Data in transit is protected by TLS 1.2+. HTTP sessions are encrypted and use a strict SameSite cookie policy. Security response headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are applied to all responses. Access is role-based and protected by two-factor authentication (TOTP) with replay-attack prevention.

4. Data Retention

We retain your data for as long as your subscription is active. After account termination, your data is retained for 90 days before secure deletion. Audit logs are retained for 2 years for compliance purposes. You may request earlier deletion by contacting support.

5. Third-Party Services

Iltizam integrates with OpenAI for the AI Compliance Advisor (requires explicit consent — see Section 8), Amazon S3 for file storage (encrypted at rest with no public-read access), and ZATCA APIs for e-invoicing. Each third-party service operates under its own privacy policy.

6. Your Rights

You have the right to access, correct, export, or delete your personal data at any time. To exercise these rights, contact your account administrator or reach us at privacy@iltizam.com. For companies in Saudi Arabia, these rights align with the Personal Data Protection Law (PDPL) — Royal Decree M/19 of 1443H. For UAE companies, they align with Federal Decree-Law No. 45 of 2021.

7. Audit Logging & Access Records

Iltizam maintains a complete audit trail of security-relevant events including logins, logouts, failed login attempts, two-factor authentication events, and all data create/update/delete operations. Logs capture the user identity, action type, affected record ID, IP address, and before/after values. These records are available to platform administrators and are retained for 2 years.

8. AI Data Processing & PDPL Consent

The AI Compliance Advisor uses OpenAI (GPT-4) to generate compliance guidance. Before the Advisor sends any data to OpenAI, you are presented with a Data Processing Notice and must give explicit consent. Only anonymized, aggregate data is transmitted — compliance score, employee counts by nationality tier, and compliance item titles. No personal data (employee names, iqama numbers, IDs, or salaries) is ever sent to OpenAI. You may withdraw consent at any time via your profile settings. This mechanism is designed to meet the cross-border data transfer requirements of the Saudi PDPL.

9. Contact

For privacy inquiries, contact us at privacy@iltizam.com or write to: Iltizam Compliance Platform, Riyadh, Saudi Arabia.