⚠️ Draft — pending legal review
This draft has NOT been reviewed by a UAE-licensed attorney. Do not treat it as a final legal document until reviewed. Set NEXT_PUBLIC_LEGAL_REVIEWED=true after sign-off to remove this banner.
Privacy Policy
Qiass complies with the United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its Executive Regulations issued by the UAE Data Office.
For schools registered in other jurisdictions, the equivalent local framework applies and is displayed in this policy at the school level: KSA PDPL (SDAIA), Egypt PDPL (Law 151 of 2020), Jordan Personal Data Protection Law (24/2023), and US state privacy regimes (CCPA and equivalents).
1. Data controller
Qiass ("we", "us", "the platform"). Data Protection Officer: dpo@qiassapp.com.
2. Data we collect
- Account data: name, email, phone, role (admin / principal / teacher / student / parent / HOD).
- School data: school name, timezone, default language, logo.
- Academic data: assignments, submissions, grades, standardized assessment results, skill and outcome progress.
- Wellbeing data: mood entries, stress / motivation / focus assessments — collected with student consent and withdrawable at any time.
- Usage data: login records, IP addresses, browser fingerprints, in-app actions, for security and analytics.
- Billing data: invoice number, amount, payment status. We do not store credit-card numbers.
3. Lawful bases
- Explicit consent for wellbeing data.
- Contract performance with the subscribing school for core LMS services.
- Legitimate interest for security, fraud detection, and platform improvement.
- Legal obligation for tax and accounting record retention.
4. Purposes
We process data exclusively to: deliver LMS services, run AI-assisted grading, enable teacher / student / parent communication, surface performance analytics, monitor academic burnout signals, issue invoices, and meet legal obligations.
5. Retention
- Active account data: for the duration of the subscription + 12 months after cancellation.
- Student academic records: 7 years (academic verification + compliance).
- Wellbeing data: 12 months, or until the student requests deletion.
- Billing records: 10 years (Saudi tax obligation).
- Security audit logs: 24 months.
6. Where data is processed
Core school data is stored in data centers within Saudi Arabia or the GCC region. Personal data is not transferred outside the approved geographic region except with the school's explicit consent and in accordance with SDAIA requirements.
7. Sub-processors
We rely on a limited set of vendors, each under contractual commitment:
- Google Gemini — AI engine (grading, content generation, chat).
- Moyasar — Payment processing in Saudi Riyal.
- Email provider (Postmark / Resend / AWS SES) — transactional notifications.
- AWS / hosting provider — server hosting + backup storage.
- Sentry — Error monitoring and performance metrics (with PII redacted).
8. Your rights under PDPL
- Right of access to your personal data.
- Right to rectification if inaccurate.
- Right to erasure ("right to be forgotten").
- Right to data portability.
- Right to object to specific processing.
- Right to restrict processing.
To exercise any of these rights, email dpo@qiassapp.com; we respond within 30 days.
9. Minors (students under 18)
We collect minor students' data only on the basis of the contract with the school, which acts in loco parentis. Parents have full rights to access, correct, and delete their child's data. We do not show advertising to minor students and do not share their data with third parties for marketing purposes.
10. Cookies
We use only strictly necessary session cookies (such as the Sanctum token). We do not use advertising tracking cookies.
11. Security measures
We use TLS 1.2+ for all communication, Bcrypt for password hashing, three-layer school data isolation (database, ORM scope, HTTP middleware), rate limiting, daily encrypted backups, and quarterly security reviews.
12. Complaints
If you believe our processing of your data is inconsistent with the UAE PDPL, you may file a complaint with the UAE Data Office via u.ae. Schools in other jurisdictions are routed to the equivalent authority — SDAIA (KSA), Egyptian Data Protection Center (EG), Personal Data Protection Council (JO), or state attorneys general (US).
13. Changes
We notify school principals of any material change at least 30 days before the effective date, by email and an in-app banner.
Effective date: 30 April 2026 • Version 1.0