Privacy Policy
Last updated: 19 May 2026 (version 2026.05.19)
This Privacy Policy explains how KPILoop.com — Tech and Administration Services ('KPILoop', 'we', 'us', or 'our') collects, uses, stores, discloses, and protects personal data when you use our KPI tracking and performance management platform. It applies to our website, web application, onboarding flows, customer support interactions, trial and subscription processes, and associated services.
1. Who we are
KPILoop is a software-as-a-service platform that helps organizations define, track, and improve key performance indicators across multiple levels of a company. Our service includes role-based dashboards for administrators, managers, employees, and executives; KPI cycle management; analytics and reporting; and AI-assisted insights generated through Google Gemini to help users identify trends, risks, and follow-up actions.
The legal entity responsible for this processing is KPILoop.com — Tech and Administration Services, located at RURI2795 Riyadh, Al Remal, Kingdom of Saudi Arabia. Depending on your relationship with us, we act either as a data controller (for account, billing, and website data whose purposes and means we determine ourselves) or as a data processor (when an organizational customer uses KPILoop to process its employees' performance data under the customer's instructions).
2. Scope of this policy
This policy applies when you visit our public pages, sign up for a free trial, create an account, buy a subscription, contact support, or otherwise interact with KPILoop. It also applies when an employer or client organization creates your user profile and grants you access to the platform as part of a performance program.
This policy does not override contractual arrangements between KPILoop and enterprise customers, and it does not apply to third-party services that have their own privacy notices. Where external providers are integrated into our service, such as payment processing or cloud infrastructure, their privacy practices may also apply to data handled directly by those providers.
3. Categories of personal data we collect
We collect data directly from you, from your organization, from your device, and from service logs.
3.1 Identity and account information
- Full name, work email address, role/title, and organization details.
- Account credentials and login metadata (for example timestamps and login success/failure records).
- Subscription plan, trial status, account ownership and administrator assignments.
3.2 Performance and organizational data
- KPI definitions, targets, weights, scoring models, notes, and cycle histories.
- Manager feedback, employee updates, progress comments, and objective outcomes.
- Department structures, role hierarchies, and dashboard visibility settings.
3.3 Payment and transaction data
- Billing contact data, invoice references, subscription status, and transaction identifiers.
- Payment method tokens and payment event metadata provided by Moyasar.
- Fraud-prevention and charge-risk signals required to validate transactions.
KPILoop does not store raw full card numbers or card verification values on its own servers. Payment credentials are processed by Moyasar in accordance with its regulated payment environment.
3.4 Usage, diagnostics, and technical data
- IP address, browser type, device details, timezone, and language preferences.
- Feature usage events, session activity, API request logs, and performance telemetry.
- Cookie identifiers and similar technologies described in our Cookie Policy.
4. How we collect personal data
We collect information in four primary ways. First, we collect information you submit directly, such as registration forms, profile edits, support messages, and legal requests. Second, we collect data from organizational administrators who configure user accounts and assign performance structures.
Third, we collect system-generated data as you interact with KPILoop, including logs required for security, reliability, product improvement, and auditability. Fourth, we receive data from trusted partners and processors, including Moyasar for payment events and Google Cloud infrastructure services used to host and operate our application.
5. Purposes of processing
We process personal data to provide, secure, improve, and lawfully operate KPILoop.
- To create and manage accounts, authenticate access, and enforce role-based permissions.
- To operate KPI dashboards, reporting tools, score calculations, and workflow notifications.
- To generate AI-assisted content and analysis through Google Gemini features requested by users.
- To process subscriptions, invoices, and payment events via Moyasar.
- To provide onboarding and support, including responding to privacy and security requests.
- To monitor platform performance, prevent abuse, detect fraud, and investigate incidents.
- To comply with legal obligations in the Kingdom of Saudi Arabia and other applicable frameworks.
- To maintain records necessary for financial reporting, tax, and dispute management.
We do not sell personal data to data brokers. We do not profile individuals for third-party advertising.
6. Legal bases for processing
Where applicable laws require a legal basis, we rely on one or more of the following: contract performance, legitimate interests, legal obligation, and consent. Contract performance applies when we must process data to provide your account, subscription, and platform functions. Legitimate interests apply to security hardening, service reliability, internal analytics, and fraud prevention where these interests are proportionate and do not override your rights.
Legal obligation applies to mandatory accounting records, regulatory requests, and lawful enforcement demands. Consent applies where required for non-essential cookies or optional communications. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before it was withdrawn.
Additional rights for users in Europe are described in our GDPR notice.
7. AI features and Google Gemini processing
KPILoop includes AI-powered features designed to summarize KPI status, highlight trends, suggest follow-up actions, and help managers prepare fair, data-grounded reviews. These features are powered by Google Vertex AI (Gemini) integrations running within our controlled cloud workflows in the us-central1 region. Direct identifiers are removed from inputs before they are sent to the model.
AI outputs are generated only from data submitted to the feature by authorized users, and access controls limit each user to the data they may view within their role and organizational scope. AI-generated suggestions are assistive: they are not decisions based solely on automated processing within the meaning of GDPR Article 22. Organizations remain responsible for human review and for any final employment or compensation decisions derived from KPI data.
Organization administrators can disable AI processing for their tenant at any time from organization settings. When disabled, KPILoop rejects all AI feature calls server-side (not only in the UI), and the UI shows a disabled state. AI responses are cached for 24 hours and request logs are kept for 30 days; AI output is not retained beyond that cache. Because identifier removal cannot reliably detect personal data embedded in free text, we recommend that customers avoid entering unnecessary sensitive personal data into open-text KPI fields.
8. Cookies and related technologies
We use essential and analytics-related technologies to maintain sessions, secure accounts, understand product usage, and improve reliability. Essential cookies are required for login, navigation, and core account functions. Analytics and preference technologies help us evaluate performance, identify bottlenecks, and improve user experience.
You can read full details, including cookie categories, retention windows, and controls, in our Cookie Policy.
9. Sharing and disclosure of data — sub-processors
We share data only where necessary for service delivery, security, law, or contractual obligations. Our current sub-processors are:
- Google Cloud (Firebase, Vertex AI): Hosting, Firestore database, authentication, and AI inference. Regions: nam5 (multi-region US) and us-central1 (Vertex AI). Covered by Google Cloud DPA and EU Standard Contractual Clauses.
- Moyasar: Payment processing and subscription charges. Region: Saudi Arabia. DPA in place. KPILoop does not store raw card data.
- Sentry (Functional Software GmbH): Error monitoring and performance telemetry. Region: EU. Loaded only after analytics consent is granted. DPA + SCCs in place.
- SendGrid (Twilio Inc.): Transactional email delivery (invites, password reset, DSR notifications). Region: US. DPA + SCCs in place.
Beyond sub-processors, we may also disclose personal data in the following circumstances:
- Legal and regulatory disclosures: where required by law, court order, or a request from a legitimate authority.
- Business transfers: in merger, acquisition, financing, or reorganization scenarios, subject to confidentiality and lawful transfer safeguards.
We do not share personal data with advertisers for cross-site behavioral targeting and we do not operate a third-party ad network business model. A current list of sub-processors is published at https://kpiloop.com/legal/sub-processors and we provide at least 30 days' notice of material changes to enterprise customers.
10. International transfers
KPILoop is based in the Kingdom of Saudi Arabia, and our infrastructure may involve processing in other jurisdictions where our sub-processors operate (see section 9 for regions). When we transfer personal data across borders, we implement contractual and organizational safeguards appropriate to the data category and applicable law.
Safeguards may include contractual data protection clauses such as the EU Standard Contractual Clauses, access restrictions, least-privilege design, encryption in transit and at rest, and documented processor oversight. The current list of sub-processors is published at https://kpiloop.com/legal/sub-processors, and enterprise customers may also request it through support channels.
11. Data retention
We retain personal data for as long as needed to provide services, fulfill contractual obligations, maintain security records, and meet legal or accounting requirements. Specific retention periods are:
- Active account and KPI records: retained during the subscription period.
- Account deletion requests: authentication is disabled as soon as the request is received; the account is soft-deleted immediately and permanently erased 30 days later by an automated cron job.
- Consent records (audit trail): retained for 3 years after account deletion to demonstrate lawful consent under GDPR Article 7.
- Billing and invoice records: retained 7 years to satisfy Saudi tax law obligations.
- AI request/response cache: 24 hours. AI execution logs: 30 days.
- DSR export archives: 7 days from generation, then auto-deleted from Firebase Storage.
- Sentry error monitoring data: 90 days (Sentry default).
- Transactional email queue records: 30 days after send.
Once retention periods expire and no lawful basis remains, data is deleted, anonymized, or irreversibly de-identified in line with operational constraints.
12. Data security
We use technical and organizational controls intended to protect personal data against unauthorized access, loss, disclosure, alteration, and misuse. Controls include access management, role-restricted dashboards, encrypted transport channels, secure infrastructure configurations, monitoring, and incident response procedures.
No internet-based system is completely risk-free. If a security incident affects personal data, we will take reasonable steps to investigate, contain, and remediate the issue, and we will provide notices where required by law or contract.
13. Your rights and choices
Under GDPR and analogous frameworks you have the right to access (Art. 15), rectify (Art. 16), erase (Art. 17), restrict (Art. 18), port (Art. 20), and object to processing of (Art. 21) your personal data. You also have the right to withdraw consent at any time and to lodge a complaint with your supervisory authority. Some rights are subject to legal exceptions, identity verification, and technical feasibility.
If your account was created by your employer or organization, contact your internal administrator first, because that organization is the controller for your performance data and KPILoop acts as processor under its instructions. We support controller-directed requests under the applicable Data Processing Agreement. You can submit access and erasure requests directly from your account settings; small exports are returned inline, and larger archives are delivered via a signed URL that expires after 7 days. Anyone holding that URL can download the archive until it expires, so treat the link as confidential.
To exercise rights directly with KPILoop, contact us at privacy@kpiloop.com. We respond to verified requests within 30 days, consistent with the one-month deadline in GDPR Article 12(3).
14. Children's data
KPILoop is intended for professional and organizational use and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided personal data to KPILoop, please contact us so we can review and take appropriate action.
15. Third-party links and integrations
Our website and application may include links to third-party resources, documentation, or integration endpoints. If you follow external links, the third party's terms and privacy policies apply to your interaction with that external service. We are not responsible for third-party privacy practices outside our controlled systems.
16. Changes to this policy
We may update this policy to reflect legal, technical, or operational developments. When changes are material, we will update the 'Last updated' date and provide additional notice where appropriate. The latest published version governs current processing practices.
17. Contact details
Privacy inquiries, rights requests, and data protection concerns can be sent to privacy@kpiloop.com.
General support requests can be sent to support@kpiloop.com.
Postal contact: KPILoop.com — Tech and Administration Services, RURI2795 Riyadh, Al Remal, Kingdom of Saudi Arabia.
Related documents: Terms of Service, Cookie Policy, GDPR Notice, and Refund Policy.