Maqam← Back home
/ Legal

Privacy Policy

Last updated: 25 April 2026 · Aligned with Saudi PDPL (2023)

Maqam (maqam-ksa.com) is operated under the laws of the Kingdom of Saudi Arabia. This policy explains what personal data we collect, why, and the rights you have under the Personal Data Protection Law (PDPL).

1. Data we collect

  • Account data: full name, email, hashed password, language preference.
  • Profile data: CV text, uploaded documents (CV, motivation letter, diploma, certificates, profile picture), skills, target job titles, preferred cities, salary expectation.
  • Application data: job IDs you applied to, AI-generated cover letters, employer email targets.
  • Authentication tokens: Google OAuth refresh tokens (only when you connect Gmail to send applications natively).
  • Usage metrics: bulk-apply quota, last login, device/browser metadata.

2. Why we collect it

  • To match you with relevant Saudi & Gulf jobs (via Claude Sonnet 4.5).
  • To send tailored cover letters + your CV to employers on your behalf — only with your explicit per-session consent.
  • To provide a private platform inbox (yourname@maqam-ksa.com) so your real email stays hidden.
  • To send saved-search digests via Resend when new matching jobs appear.
  • To bill paid subscriptions via Stripe or Moyasar (we never store card numbers).

3. Your PDPL rights

  • Access — download all your data as JSON from your privacy dashboard.
  • Correction — edit your profile at any time.
  • Erasure — delete your account permanently. All data is removed from our database.
  • Withdraw consent — revoke bulk-apply consent at any time. Past sent applications cannot be recalled (already delivered).
  • Portability — exports are machine-readable JSON.

4. Third-party processors

We share strictly necessary data with:

  • Anthropic (Claude Sonnet 4.5) — anonymized job text + your skills for AI ranking & cover-letter writing.
  • Google (Gmail OAuth) — only the gmail.send scope; we cannot read or modify your inbox.
  • Resend — outbound transactional emails on your behalf.
  • RapidAPI (JSearch, LinkedIn) — public job listings (we send no personal data, only search keywords).
  • Stripe / Moyasar — payment tokens for paid tiers.
  • MongoDB Atlas — encrypted-at-rest data storage in EU/MENA regions.

5. Google API Services disclosure

Maqam's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • We request only the gmail.send scope. We do not read, list, modify, delete, label, archive, or otherwise access your mail content.
  • Access and refresh tokens are stored encrypted at rest in MongoDB Atlas and are never shared with third parties.
  • Tokens travel over TLS 1.2+ server-to-server only; never exposed to the browser.
  • You may disconnect at any time via Profile → Connected Accounts → Disconnect Gmail, or via your Google Account → Security → Third-party access. Revocation is instant.
  • We do not use Gmail data to train machine-learning models.
  • We do not sell, rent, or trade Gmail-derived data.

6. Retention

We retain your data only as long as your account is active. On deletion, all profile, documents, applications, and saved-search records are removed within 30 days. Backups are purged within 90 days. Anonymized aggregate metrics (e.g., total jobs applied platform-wide) may be retained.

7. Contact

Data Protection Officer: dpo@maqam-ksa.com
Postal: Riyadh, Kingdom of Saudi Arabia.
Regulator: Saudi Data and AI Authority (SDAIA) — sdaia.gov.sa.

Made with Emergent