Privacy policy

Last updated · 2026-04-25

This policy explains how Diwan (الديوان), operated by Bin Haider Darwish Printing & Designing S.P.C. (BHD Group, Muscat, Oman), handles personal data. We aim to be plain, brief, and conservative.

1. What we collect

Account data: name, email, phone (for OTP), tenant role, language preference.
Workspace content: meetings, decisions, documents, member records, audit log entries, whatever your tenant chooses to store.
Operational logs: request IP, user-agent, timestamps, action type. Used for security and debugging only.
OTP delivery: we hand off the code to email provider or to BHD's Dardasha (WhatsApp Business) gateway for delivery. The code expires within minutes.

We do not collect biometric data, payment-card numbers (Paymob handles those when billing lands), or location data.

2. What we do with it

We use it to run your Diwan tenant. That is it. We do not sell data, share it with advertisers, train models on it, or aggregate it across tenants for resale.

3. Per-tenant isolation

Every tenant's data lives in its own directory and is read/written through tenant-scoped paths enforced by middleware + AsyncLocalStorage. Tenants cannot read each other's data. Operators can, for support; that access is logged in the audit trail.

4. Data residency

Cloud SaaS data is hosted on a Hostinger VPS in the EU front-ended by Cloudflare (Muscat edge). Custom-domain customers run on the same Cloud infrastructure. On-prem customers' data lives entirely on their servers; we never see it.

5. Retention

We keep your tenant data for as long as your subscription is active. After termination you have 30 days to export. After that, we delete from primary storage; backups roll off within a further 30 days.

6. Your rights

You can request a full export, correction, or deletion of your personal data at any time via the contact form. We respond within 7 business days.

7. Sub-processors

Cloudflare (DNS, edge, TLS termination)
Hostinger (VPS hosting)
Mail provider for OTP email delivery (BHD's own SMTP relay where possible)
BHD Dardasha (WhatsApp OTP)
Paymob (payment processing, when billing is enabled, Phase 8)

8. Cookies

We set a session cookie after login (HttpOnly, Secure, SameSite=Lax) and a language preference cookie. We do not use third-party tracking or analytics cookies.

9. Children

Diwan is for institutional use. We do not knowingly collect data from children under 16.

10. Changes

We post material changes here and notify tenant admins by email. Continued use after notice means acceptance.

11. Contact

Data Protection contact: use the contact form (subject "DPO") · BHD Group, Muscat, Sultanate of Oman.