Privacy Policy

Last updated: 6/10/2026

1. Who we are

FawtaraX is an electronic invoicing platform operated for businesses in the Sultanate of Oman. We process invoice and customer data on behalf of our tenants (the "Controllers") and act as a Data Processor under the Oman Personal Data Protection Law (PDPL, Royal Decree 6/2022).

2. Data we process

• Account data: name, email, phone, role, password hash.
• Tenant data: company name, VAT number, CR number, tax card, address, activity.
• Invoice data: buyer & seller identifiers, line items, VAT, totals, hash chain, OTA clearance identifiers.
• Technical data: IP, user agent, audit log entries.

3. Purpose & legal basis

We process data to (a) deliver the invoicing service, (b) comply with Oman Tax Authority (OTA) regulations including the 10-year retention requirement, and (c) provide audit trails. The legal basis is contract performance and legal obligation.

4. Retention

Invoice records are retained for 10 years from issuance, as required by OTA. Account data is retained while the account is active and for 90 days after deletion.

5. Sub-processors

• Supabase (database & auth) — EU / global regions.
• Cloudflare (edge compute & CDN).
• Oman Tax Authority Fawtara endpoints (clearance).

6. Cross-border transfers

Where data is processed outside Oman, we rely on contractual safeguards equivalent to PDPL requirements. Customer-identifying invoice records remain accessible from Oman.

7. Your rights

You may request access, correction, deletion, or export of your personal data by contacting privacy@fawtara.daftari.app.

8. Security

See our Security page for technical and organisational measures.

9. Contact

Data Protection Officer: dpo@fawtara.daftari.app