Privacy & Confidentiality Policy
- Effective date
- June 12, 2026
- Last updated
- June 12, 2026
- Version
- v2.0 — Production Ready
- Geographic scope
- Kingdom of Saudi Arabia
- System type
- Internal Workforce System — Managed Access
- Regulatory framework
- PDPL (SDAIA) • Apple App Store • Google Play
Section 1
Introduction & System Nature (Managed Access)
Osool360 is committed to protecting the data and information of authorized users. The application is an internal, unified workforce system for facility management and field assessments. It is not available for public registration or self-service account creation.
Access is granted exclusively to approved employees and inspectors through pre-provisioned, centrally managed login credentials (Managed Accounts — Email + Password), issued by the operating organization and governed by role-based access control (RBAC).
Notice: This application does not support self-registration. All accounts are created and managed centrally by the Information Technology team of the operating organization.
Section 2
Data Processed by the Platform
A) Pre-issued Professional Identity Data
- Full name of the inspector or consultant
- Institutional email address assigned by the operating organization
- Job title and access permissions granted under the assigned RBAC role
B) Field Assessment Data (Assessments & Responses)
- Digital form responses, multi-select answers, and completion percentages
- Technical notes and numeric ratings linked to the inspected facility
C) Media & Technical Attachments
- Photographs and field reports submitted to document quality standards and non-conformance cases
Upload mechanism: Files are uploaded through a dedicated, separated File Upload API, stored in an isolated cloud environment, and linked to assessment records using globally unique identifiers (UUIDs) only — ensuring data isolation and preventing unauthorized access.
D) Technical & Security Data
- IP address for security monitoring and field inspection quality assurance
- Operating system type (Android / iOS)
- Crash logs to improve application stability and performance
Section 3
Legal Basis & Processing Purposes
Personal data is processed in accordance with the Saudi Personal Data Protection Law (PDPL), issued by the Saudi Data & AI Authority (SDAIA), and for the following defined operational purposes:
- Executing operational tasks and field inspection rounds assigned to approved employees and inspectors
- Documenting the real-time technical and engineering status of buildings and facilities (capacity, area, number of classrooms, and related attributes)
- Compliance with contracts and internal policies of operating and beneficiary organizations, including the Ministry of Education and Tatweer Buildings Company (TBC)
- Digital security assurance and verification of authorized use through GPS coordinate validation during assessments
Section 4
Data Sharing & Protection
Commercial Processing Prohibition
User data is never sold, rented, or shared with any commercial or marketing entity under any circumstances.
National Cloud Hosting
All data is hosted and stored within secure cloud environments that comply with national data sovereignty requirements inside the Kingdom of Saudi Arabia.
Technical Safeguards
- End-to-end encryption in transit via TLS / HTTPS
- Encryption of data at rest in databases and cloud storage systems
- Comprehensive audit logs to track field operations and system access
- Granular RBAC — each user can access only the facilities assigned to their role
Limited Legal Sharing
Data is shared with external parties only in the following cases:
- Officially approved beneficiary organizations (Ministry of Education, Tatweer Buildings Company — TBC) under signed operating contracts
- Licensed cloud service providers operating within the Kingdom of Saudi Arabia
- Judicial or government authorities when required by a binding legal order
Section 5
Data Management & Employee Rights
Because accounts are centrally managed by the operating organization, employee rights under PDPL (access, correction, and data updates) are exercised by contacting the Information Technology department directly — not through self-service modification within the application.
Data is retained while operational accounts remain active or as required by applicable contracts and regulations. Upon service termination or end of the contractual relationship, personal data is permanently and securely deleted within the legally prescribed timeframe.
| Legal Right | Details & Mechanism |
|---|---|
| Right to Be Informed | To know the legal basis for data collection and how data is processed |
| Right of Access | To view stored personal data and obtain a copy |
| Right to Rectification | To request correction of inaccurate data (job title, email address, etc.) |
| Right to Erasure | To request deletion when the operational purpose ends or the employment relationship ends, unless retention is required by contract |
Section 6
Privacy Policy Updates
We reserve the right to update this policy to reflect technical changes or legislative amendments issued by SDAIA and other regulatory authorities. In the event of a material change, authorized users will be notified through an in-app notice on the main interface or via their registered institutional email address.
Section 7
Contact & Privacy Management
For technical or regulatory inquiries regarding privacy and security, or to exercise any legal rights:
- Official email: osool@omranconsult.com
- Support channel: Internal ticketing system / IT department of the operating organization