Privacy policy

Introduction

Welcome to the privacy policy of مولكم. We are a Saudi company providing ecommerce solutions and we are committed to protecting user privacy to high international standards.

This policy applies to:

Merchants: who use our platform to create and manage stores.
Customers: who shop from stores built on our platform.
Visitors: who browse our website.

Data we collect

We collect different types of data to provide and improve our services:

Account data

Full name and email address
Phone number and address
Business name (for merchants)
Payment information (encrypted and protected)

Usage data

Order and transaction history
Products added or updated
Your interactions with platform features
Pages visited and time on site

Technical data

IP address and browser type
Operating system and device type
Cookies
Geolocation (with your permission)

Content you provide

Product images and descriptions
Logos and trademarks
AI-generated content
Messages and notes

How we use your data

We use your data for the following purposes:

Providing services Create and manage your account, process orders, enable payments.
Improving your experience Personalize content, suggest features, improve the UI.
Communicating with you Important updates, order notifications, and support.
Security and protection Detect fraud, prevent abuse, protect your rights and ours.
Analytics Understand how services are used to keep improving them.
Legal compliance Meet applicable laws and regulations.

We will not use your data for direct marketing without your explicit consent.

Legal basis for processing

We process personal data on the following legal bases:

Contract performance Data needed to deliver the services you requested (store setup, orders).
Consent Where you explicitly agree to processing for specific purposes (e.g., marketing).
Legitimate interests To improve services, prevent fraud, and keep the platform secure.
Legal obligation When the law requires us to process data (e.g., taxes and invoices).

Meta Tech Provider commitments

Mollkom is a Meta-registered Tech Provider serving merchants who need to build storefronts, connect Facebook and Instagram accounts, run and manage ad campaigns, and auto-reply to customer messages. As part of this role we make the following commitments to you and to Meta:

We never request more Meta permissions than are strictly required to power the feature you yourself enabled (principle of least privilege).
We never share, sell, or reuse your access tokens for any other merchant — every merchant has isolated tokens stored in a tenant-scoped row.
Access tokens are encrypted at rest (AES-256) and we proactively refresh long-lived tokens before expiry so your service does not silently break.
We comply with Meta Platform Terms, Developer Policies, and Data Use Policy, and we honor any advertising restrictions Meta places on content or audiences.
When you remove the app from your Facebook account ('Apps and Websites' → Remove), our server receives a Deauthorize ping over HTTPS with a verified HMAC-SHA256 signature, and deletes the related access tokens and connections within seconds.
When you submit a 'User data deletion request' from Facebook, our server receives the signed request, deletes data linked to your Meta App-Scoped User ID, and returns a Confirmation Code starting with 'mollkom-del-' which you can use to track the deletion via Meta itself.
We run periodic security reviews of our Meta integration and respond to any App Review or security inquiries from Meta within the timeframes their policies set.

Data security

We take strong measures to protect your data:

Encryption Data encrypted in transit (TLS 1.3) and at rest (AES-256).
Authentication Multi-factor authentication and hashed passwords.
Monitoring Continuous monitoring for threats and suspicious activity.
Limited access Data access is limited to authorized staff.
Backups Regular backups stored securely across locations.
Testing Periodic security testing and ongoing updates.

Your responsibility: You must keep your password secret and notify us immediately of any unauthorized access.

Your rights

Under Saudi PDPL and GDPR principles, you have the following rights:

Right of access Request a copy of personal data we hold.
Right to rectification Correct inaccurate or incomplete data.
Right to erasure Request deletion of your personal data ('right to be forgotten').
Right to portability Receive your data in a machine-readable format.
Right to object Object to certain processing activities.
Right to restrict processing Request limits on how we use your data.
Right to withdraw consent Withdraw consent where processing is consent-based.

How to exercise rights: email privacy@mollkom.com and we will respond within 30 days.

Data deletion

We give you four separate ways to delete your data from Mollkom — choose whichever fits your situation:

1. Disconnect a single social account

From your store dashboard → Settings → Integrations → pick the account (Facebook, Instagram, TikTok, WhatsApp, YouTube, X, Snapchat) → click 'Disconnect'. This removes only the access tokens and the page / ad account / Pixel / catalog data tied to that channel. The rest of your store data (products, orders, other social channels) stays untouched.

2. Delete your full Mollkom account (Self-service)

From your store dashboard → Settings → Account → 'Delete account', type the confirmation word and click Delete. The system runs a single atomic transaction that deletes: your stores and everything cascading from them (products, orders, shipping settings and themes, Meta / Instagram / TikTok / WhatsApp / YouTube / X / Snapchat accounts and their tokens, ad accounts, Pixels, catalogs), your profile, your roles, your team members, push notification tokens (mobile + web), notification preferences, store customers, storage files (images and attachments), and finally your auth user record (auth.users). All technical error logs and AI usage logs are anonymized (user_id stripped) — analytics signals stay, but no link back to you. An audit row is written to account_deletion_events so platform super-admins can later prove deletion to regulators.

3. Email request

Email your deletion request from the address registered on your account to privacy@mollkom.com and we will respond within 30 days max. This option is useful if you cannot sign in (e.g., lost password or device). We verify your identity before executing.

4. Request via Meta (User data deletion request)

If you previously enabled the Meta integration, from your Facebook settings ('Settings & privacy' → 'Settings' → 'Apps and websites' → pick the Mollkom Merchant app → 'Remove') you can request data deletion. Meta forwards the signed request to our server, which immediately deletes everything linked to your Meta App-Scoped User ID: access tokens, connected Facebook pages, Instagram accounts, ad accounts, Pixels, catalogs, webhook events. Our server returns a Confirmation Code starting with 'mollkom-del-' which you can use to track the request.

What is kept and not deleted?

Invoices and financial transaction records: kept 7 years (regulatory tax requirement — Zakat, Tax and Customs Authority).
Technical error logs and AI usage logs: anonymized — user_id is stripped but the row body is kept for performance tuning and bug detection.
The deletion audit row itself (account_deletion_events): kept to prove deletion to regulators later. It contains user_id, deletion timestamp, and store count — no access tokens, no store content.

Official Meta callback endpoints:

Data Deletion Request: https://xpqboxafsvkwejwufdam.supabase.co/functions/v1/meta-data-deletion-callback
Deauthorize: https://xpqboxafsvkwejwufdam.supabase.co/functions/v1/meta-deauth-callback

Cookies

We use cookies to improve your experience:

Necessary Required for the site to work (login, cart).
Functional Remember preferences (language, settings).
Analytics Help us understand how you use the site.
Marketing Used to show relevant ads (only with consent).

Managing cookies: you can adjust browser settings; disabling some cookies may affect functionality.

Data retention

We retain data for the following periods:

Data type	Retention period
Account data	For the life of the account + 1 year
Transaction records	7 years (legal requirement)
Support records	3 years from last contact
Analytics data	26 months
Cookies	Depends on cookie type (1 day - 2 years)

After retention ends, we delete or irreversibly anonymize data.

International data transfers

As a Saudi company serving customers globally, we may need to transfer data outside Saudi Arabia:

Transfer safeguards:

Transfer only to jurisdictions with adequate protection.
Use approved standard contractual clauses (SCCs).
Ensure recipients meet the same protection standards.
Encrypt all data in transit.

For EU users: we follow GDPR transfer requirements and approved EU Commission mechanisms.

Children's privacy

Our services are not directed at children under 18, and we do not knowingly collect their data.

If you are a parent or guardian and believe your child provided personal data, contact us at privacy@mollkom.com and we will delete it promptly.

Policy updates

We may update this policy from time to time to reflect changes in practices or law.

We will publish updates on this page with a new date.
For material changes, we will email a notice.
Continued use means you accept the updated policy.
We encourage you to review this page periodically.

Contact us

If you have privacy questions or concerns, contact us:

Data protection officer (DPO) privacy@mollkom.com
General support support@mollkom.com
Address Kingdom of Saudi Arabia

We aim to respond to privacy inquiries within 30 days.

Right to complain: If you are not satisfied with our response, you may lodge a complaint with the competent authority (Saudi Data & AI Authority - SDAIA).