Legal · Privacy

Privacy Policy

ZAHR processes some of the most sensitive data a company holds — about its people. This page explains exactly what we collect, why, how we protect it, and the rights you have over it.

Last updated: 26 May 2026 Effective date: 26 May 2026

1. Introduction

ZAHR ("ZAHR", "we", "our", "us") provides a cloud-based Human Resources Information System (HRIS) that helps organizations manage attendance, leave, payroll, documents, and employee self-service. This Privacy Policy describes how we collect, use, disclose, and protect personal data when you visit zahr.cloud or use the ZAHR platform.

By using ZAHR, you agree to the practices described here. If you do not agree, please do not use the service.

2. Who we are

ZAHR is operated by the ZAHR team. For privacy questions, data-subject requests, or security disclosures, contact us at Ahmad@zahr.cloud or by phone at +964 770 895 9550.

Controller vs Processor. When you visit our marketing website, we act as the controller of your data. When your employer uses ZAHR to manage you as an employee, your employer is the controller and ZAHR acts as a processor on their behalf — meaning we follow their instructions and policies.

3. Data we collect

We collect only what is necessary to deliver and improve the service. Categories include:

3.1 Identity & contact data

  • Full name, employee ID, job title, department, manager, work email, phone number
  • Date of birth, gender, marital status, nationality, national ID (where required by law)
  • Emergency contact details

3.2 Employment & payroll data

  • Contracts, job history, salary, allowances, deductions, payslips, bank account information
  • Leave balances, leave requests, attendance records, timesheets, overtime
  • Performance, training, and disciplinary records (only if your employer enables those modules)

3.3 Documents

  • Files you or your employer upload: contracts, IDs, certificates, marriage records, medical notes

3.4 Attendance & location data

  • Punch in / punch out timestamps via web or mobile
  • GPS location at punch time, geofence coverage, location pings while on shift (when enabled by your employer)
  • Device information, IP address, and mock-location detection signals

3.5 Technical data

  • Browser type, device, operating system, time-zone settings, language
  • Log data: pages viewed, actions taken, error reports, approximate location from IP

3.6 Communications

  • Tickets you raise through our internal service desk, messages with HR, support emails

4. How we use data

  • Provide and operate the ZAHR platform and its modules
  • Calculate timesheets, leave balances, accruals, payroll inputs, and produce payslips
  • Authenticate users, prevent fraud, and detect mock-location or unauthorized access
  • Route HR tickets and information-update requests to the correct reviewer
  • Respond to support requests and improve product quality
  • Send transactional emails: approvals, notifications, password resets, security alerts
  • Comply with legal and regulatory obligations, including employment and tax law

We do not sell personal data, and we do not use employee data to train third-party AI models.

5. Legal basis for processing

Depending on your jurisdiction, we rely on one or more of these legal grounds:

  • Contract: processing required to deliver the service your employer purchased.
  • Legal obligation: tax, labor, social-security, and record-keeping laws.
  • Legitimate interest: securing the platform, preventing abuse, and improving features — balanced against your privacy.
  • Consent: for non-essential cookies, marketing communications, and any optional modules your employer enables.

6. Sharing & sub-processors

We share personal data only with:

  • Your employer: as the controller of your employment data, they see what they need to manage you.
  • Sub-processors: vetted vendors who help us run the service (hosting, email delivery, error monitoring, customer support). Each is contractually bound to confidentiality and security.
  • Authorities: when required by law, court order, or to protect rights, safety, and property.

A current list of sub-processors is available on request from Ahmad@zahr.cloud.

7. Data retention

We retain personal data only as long as needed to deliver the service, comply with legal requirements, and resolve disputes. Typical periods:

  • Active employee records: for the duration of employment plus the period mandated by local labor law (usually 5–10 years).
  • Payslips and payroll records: as required by tax and accounting rules in your jurisdiction.
  • Attendance and location pings: 24 months by default; configurable per customer.
  • Marketing-website analytics: up to 14 months.
  • Support tickets: 24 months after closure.

When the retention period ends, data is securely deleted or anonymized.

8. Your rights

Subject to local law, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Erase data we no longer have a legal basis to keep
  • Restrict or object to certain types of processing
  • Port your data to another service in a machine-readable format
  • Withdraw consent where processing is based on it
  • Lodge a complaint with your local data-protection authority

If your employer is the controller (i.e. you are an employee using ZAHR), please direct these requests to your HR department first. We will assist them in fulfilling your request promptly.

9. Security

We protect your data through layered controls:

Encryption

TLS 1.2+ in transit; AES-256 at rest for stored documents and backups.

Access control

Role-based permissions, least-privilege admin access, optional SSO & 2FA for administrators.

Auditing

Every sensitive action — approvals, document access, policy changes — is logged and immutable.

Resilience

Daily encrypted backups, regional redundancy, and tested disaster-recovery procedures.

No system is perfectly secure. If you suspect a breach or vulnerability, please contact us at Ahmad@zahr.cloud immediately.

10. Location data

ZAHR supports geofenced attendance, location pings during shifts, and mock-location detection. These features are opt-in per customer and per employee. They are never enabled silently.

  • Your employer decides whether to require geofencing, background tracking, or location heatmaps.
  • Each employee sees a transparent capability panel inside their account showing which signals are active.
  • Location data is used solely for attendance verification — never for unrelated surveillance.
  • Pings are not collected outside of declared working hours unless your employer explicitly configures it and informs you in writing.

11. International transfers

ZAHR may process data outside your country of residence, including in regions where our cloud infrastructure operates. Where required, we put in place safeguards such as Standard Contractual Clauses, regional data-residency options, and equivalent protections so your data remains protected wherever it travels.

12. Cookies & similar technologies

Our marketing website uses a minimal set of cookies:

  • Essential cookies: session, security, and load-balancing — required for the site to work.
  • Analytics: aggregated, anonymized usage data to improve content (opt-out available).

We do not use cross-site tracking or behavioral advertising cookies. Inside the ZAHR application, we use only the cookies required to keep you signed in and the platform working correctly.

13. Children

ZAHR is a workplace tool and is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced inside the ZAHR platform and via email to administrators at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

15. Contact us

For any question about this policy or how we handle your data: