Privacy Policy
Pathora ("pathora.net")
Effective Date: 26 April 2026
Last Updated: 26 April 2026
1. Introduction
This Privacy Policy explains how Pathora ("Platform", "we", "us", "our"), operated by [Company Legal Name] and registered in the Kingdom of Saudi Arabia, collects, uses, shares, and protects your personal data.
This Policy applies to all users of pathora.net, including Mentors and Mentees, and to any personal data collected through the Platform's websites, mobile applications, and APIs.
We are committed to compliance with:
- Saudi Arabia Personal Data Protection Law (PDPL), Royal Decree No. M/19 dated 9/2/1443H and its implementing regulations
- EU General Data Protection Regulation (GDPR) Articles 15 and 17, to the extent applicable to users in EU member states
2. Data Controller
[Company Legal Name]
Registered Address: [Registered Address, Riyadh, Saudi Arabia]
Email: [[email protected]]
For EU users, the Data Controller may appoint an EU representative. Contact us at the email above.
3. Data We Collect
3.1 Account and Profile Data
| Data | Collected from | Purpose |
|---|---|---|
| Full name | Registration form | Account identity |
| Email address | Registration form | Authentication, transactional email |
| Phone number (optional) | Profile settings | Account recovery, contact reveal |
| Profile photo | Profile settings | Public profile display |
| Bio and professional background | Profile settings | Mentor discovery |
| Preferred language and locale | App settings | Localized experience |
3.2 Mentor Verification Data
Mentors are required to submit additional documentation:
| Data | Purpose | Retention |
|---|---|---|
| Government-issued photo ID | Identity verification | Until account deletion + 5 years |
| Business registration / commercial licence | Professional verification | Until account deletion + 5 years |
| Proof of income or professional credentials | Platform integrity | Until account deletion + 5 years |
Verification documents are stored with restricted access and are not shared with other users.
3.3 Session and Booking Data
| Data | Source | Purpose |
|---|---|---|
| Session request details | User input | Session facilitation |
| Booking timestamps | Cal.com | Scheduling confirmation |
| Session status (pending, completed, cancelled) | Platform | Service delivery |
| Session notes or goals (if provided) | User input | Session context |
3.4 Messaging Data
Messages sent through the Platform (pre-booking intro messages and in-session messages) are stored and used to facilitate the mentorship relationship and to investigate disputes.
3.5 Payment Data
Pathora does not store full card numbers or CVV codes. Payment processing is handled by Moyasar. We retain:
| Data | Purpose | Retention |
|---|---|---|
| Transaction ID | Payment reconciliation | 7 years (legal requirement) |
| Amount and currency | Invoicing and tax records | 7 years |
| Payout status and timestamps | Mentor disbursement records | 7 years |
| Refund history | Dispute resolution | 7 years |
3.6 Reviews and Ratings
Reviews submitted by Mentees are associated with your account and displayed publicly on Mentor profiles. We retain reviews unless a content policy violation is established or an account is deleted.
3.7 Technical and Usage Data
| Data | Source | Purpose |
|---|---|---|
| IP address | Server logs | Security, fraud prevention |
| Browser type and device information | Server logs | Platform optimisation |
| Page views and click events | Plausible Analytics | Aggregate usage analysis |
| Session identifiers and cookies | Supabase Auth | Authentication state |
| Error reports and stack traces | Sentry | Bug detection and resolution |
Plausible Analytics is used for privacy-preserving, cookieless analytics. No personal identifiers are passed to Plausible.
3.8 Communications Data
We retain records of support communications (emails, in-app messages with our team) for a period of 3 years.
4. Legal Basis for Processing
Under PDPL (Saudi Arabia)
We process personal data on the following bases under the PDPL:
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Contractual necessity / consent |
| Session booking and facilitation | Contractual necessity |
| Payment processing and disbursement | Contractual necessity / legal obligation |
| Mentor identity verification | Legitimate interest (platform integrity) |
| Marketing communications | Explicit consent (opt-in) |
| Legal record retention | Legal obligation |
| Fraud and abuse prevention | Legitimate interest |
| Aggregate analytics (Plausible) | Legitimate interest |
Under GDPR (EU users, where applicable)
| Processing activity | Legal basis (GDPR) |
|---|---|
| Account and session management | Art. 6(1)(b) — performance of contract |
| Payment and financial records | Art. 6(1)(c) — legal obligation |
| Fraud prevention and security | Art. 6(1)(f) — legitimate interests |
| Marketing with consent | Art. 6(1)(a) — consent |
| Aggregate analytics | Art. 6(1)(f) — legitimate interests |
5. How We Use Your Data
We use personal data to:
- Create and manage your account
- Match Mentees with suitable Mentors
- Enable booking, session delivery, and messaging
- Process payments and manage Mentor payouts
- Verify Mentor identity and credentials
- Send transactional emails (booking confirmations, receipts, session reminders)
- Detect, investigate, and prevent fraud, abuse, and policy violations
- Comply with legal and regulatory requirements
- Improve Platform features using aggregated, anonymised analytics
- Respond to support requests and disputes
We do not sell your personal data to third parties.
6. Third-Party Processors
We share personal data with the following sub-processors only to the extent necessary for service delivery:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database hosting and authentication | All account and session data, verification documents | EU (Frankfurt, Germany) |
| Cal.com | Session scheduling and calendar sync | Name, email, booking times | EU / US |
| Moyasar | Payment processing | Payment card data, transaction amounts, account holder name | KSA |
| Postmark | Transactional email delivery | Email address, name, email content | US |
| Plausible Analytics | Privacy-preserving usage analytics | Page URL, referrer, device type (no PII) | EU |
| Sentry | Error tracking and monitoring | Anonymised error logs, stack traces | US |
Each processor is contractually bound to process data only as instructed, maintain appropriate security, and comply with applicable law.
For Supabase: data is stored in EU (Frankfurt). Users in Saudi Arabia should be aware that personal data may be transferred to and stored in the EU. Such transfers are made under appropriate contractual safeguards.
For US-based processors (Postmark, Sentry): transfers occur under standard contractual clauses or equivalent safeguards.
7. Data Retention
We retain personal data for as long as necessary to provide the service and meet legal obligations:
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of account + 30 days after deletion |
| Session and booking data | 3 years after session date |
| Messages | 2 years after session date |
| Payment and financial records | 7 years (KSA commercial records requirement) |
| Mentor verification documents | Until account deletion + 5 years |
| Support communications | 3 years |
| Server and security logs | 90 days |
| Anonymised analytics data | Indefinite (no personal data) |
When a retention period expires, data is securely deleted or anonymised. Data subject to ongoing legal disputes or regulatory investigations may be retained beyond standard periods until resolution.
8. Data Subject Rights
8.1 Rights Under PDPL (All Users)
Under Saudi Arabia's Personal Data Protection Law (PDPL), you have the right to:
- Access (PDPL Art. 18(1)): Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Deletion (PDPL Art. 18(4)): Request deletion of your personal data, subject to retention obligations
- Objection: Object to processing of your personal data in certain circumstances
- Withdrawal of consent: Withdraw consent at any time where processing is based on consent
8.2 Additional Rights for EU Users (GDPR)
If you are located in an EU member state, you additionally have the right to:
- Data portability (Art. 20): Receive your data in a structured, machine-readable format
- Erasure ("right to be forgotten") (Art. 17): Request erasure of your personal data where one of the specified grounds applies
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances
- Lodge a complaint with your local Data Protection Authority
8.3 Exercising Your Rights via API
To exercise your data access and deletion rights programmatically:
Data Export (access request):
Returns a JSON file containing all personal data held on your account, including profile data, session history, messages, and payment records (excluding full payment card numbers, which are not stored).
Account and Data Deletion:
Permanently deletes your account and all associated personal data, subject to data we are legally required to retain (e.g., financial records). Deletion is irreversible. You will receive a confirmation email upon successful deletion.
8.4 Manual Requests
You may also submit requests by email to [[email protected]]. We will verify your identity before processing the request and respond within 30 days (or within the timeframes required by applicable law). Where requests are complex or numerous, we may extend this period by a further 60 days and will inform you accordingly.
We will not charge a fee for data access requests unless they are manifestly unfounded or excessive.
9. Cookies and Similar Technologies
Pathora uses:
| Technology | Purpose | Can be disabled? |
|---|---|---|
| Session cookies (Supabase) | Authentication state — required to stay logged in | No (required for service) |
| Preference cookies | Language and locale settings | Yes (via browser settings) |
| Plausible Analytics | Cookieless, privacy-preserving usage analytics — no personal data | N/A (no cookies used) |
We do not use advertising cookies or third-party tracking cookies.
10. Children's Privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly. Please contact us at [[email protected]] if you believe we have inadvertently collected data from a minor.
11. Security
We implement appropriate technical and organizational security measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) for all data transmitted between your browser and our servers
- Encryption at rest for databases and stored files
- Role-based access controls limiting data access to authorised personnel
- Regular security reviews and monitoring via Sentry
- Mentor verification document storage with restricted, audited access
No system is completely secure. If you discover a security vulnerability, please report it to [[email protected]].
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities in accordance with applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before the revised Policy takes effect. The "Last Updated" date at the top of this Policy reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.
13. Contact
For privacy-related enquiries, data subject requests, or complaints:
Privacy Officer — Pathora
Email: [[email protected]]
Website: https://pathora.net
If you are not satisfied with our response, you have the right to lodge a complaint with:
- Saudi Arabia: Saudi Data and Artificial Intelligence Authority (SDAIA) — https://sdaia.gov.sa
- EU: Your national Data Protection Authority
This Privacy Policy was last reviewed and approved on 26 April 2026.