Privacy Policy
Version 1 · Effective 4 July 2026
1. Who we are
Kaabium, Qatar, operates Kaabium Kompass (kaabium.ai). Contact for anything in this policy: [email protected].
2. What we collect
Your diagnostic answers and problem description; your language and country; technical basics (browser type, a salted hash of your IP address — never the raw address); your email when you choose to give it; purchase records (handled by Paddle — we never see card details); and your feedback.
3. Why we use it
To generate and deliver your diagnosis and files; to deliver purchases and run your library; to keep the service secure; and — with your explicit consent at the email gate — to improve and train Kaabium’s diagnostic system using your inputs and results.
4. Legal bases
Consent (training use — you can withdraw it anytime by emailing us); contract (delivering what you asked for or bought); legitimate interest (security, fraud prevention, basic product analytics).
5. How long we keep it
Identifying details (email, technical identifiers) are removed from diagnostic records after 24 months. Anonymized diagnostic content may be retained to keep improving the system. Purchase records are kept as financial records.
6. Who we share it with
Processors only, each doing one job: Cloudflare (hosting), Anthropic (your diagnostic inputs are processed by an AI provider to generate your diagnosis), Paddle (payments, as merchant of record), Resend (transactional email). We never sell personal data and use no advertising technology.
7. International transfers
Our processors operate in the US/EU under their standard contractual safeguards. By using the service you understand your data is processed in those locations.
8. Your rights
Access, correction, deletion, and consent withdrawal — email [email protected] and we handle it within 30 days. Deletion removes your identity from our records; already-anonymized training data cannot be re-linked to you.
9. Qatar PDPPL & GDPR
We work to the grain of Qatar’s Personal Data Privacy Protection Law (Law No. 13 of 2016): purpose limitation, minimization, and safeguards. Visitors from the EEA additionally have their GDPR rights as described above.
10. Children
The service is for businesses and is not directed at anyone under 18.