Privacy Policy

Morning Report Dashboard

Saudi Arabia · PDPL Compliant

Effective Date: 1 May 2026  ·  Version 1.0

Your data belongs to you. We process it only to deliver the service. We never sell, share without consent, or use your data to train AI models.

Contents
  1. Who We Are
  2. Data We Collect
  3. Purpose of Processing
  4. Legal Basis
  5. Storage Location & Data Residency
  6. Retention Policy
  7. Data Sharing
  8. AI Usage Disclosure
  9. Your Rights (PDPL)
  10. Security Controls
  11. Cookies
  12. Changes to This Policy
  13. Contact & DPO

1. Who We Are

The Morning Report Dashboard ("Platform", "we", "us") is operated by the Platform Provider as a SaaS solution for oilfield drilling report management, serving operators, drilling contractors, and service companies worldwide. This Privacy Policy applies to all users of the Platform including employees, contractors, and client-organisation users.

2. Data We Collect

2.1 Account & Identity Data

  • Full name, work email address, and hashed password
  • Job role and organisation name
  • Account creation date and last-active timestamp
  • MFA enrolment status (TOTP secrets are encrypted at rest using AES-256)

2.2 Operational & Report Data

  • Uploaded PDF daily drilling reports and their parsed structured data
  • Well and rig metadata: names, depths, dates, NPT events, personnel lists
  • AI-generated analysis results tied to your organisation's data
  • Actions performed on reports (view, edit, export)

2.3 Session & Technical Logs

  • IP address and user-agent string at login
  • Session creation, heartbeat, and revocation timestamps
  • API access logs (action, resource, timestamp) stored in the immutable audit log
  • Failed login attempts (IP-level, not linked to specific accounts)

2.4 Consent Records

  • Date, IP, and version of Terms acceptance
  • Cookie consent choices and withdrawal records

3. Purpose of Processing

Purpose | Data Used
Authenticating users and maintaining secure sessions | Email, password hash, IP, session token
Delivering drilling report data and analytics | Report data, rig/well metadata
Generating AI-powered well-end and NPT analysis reports | Report data (only on explicit user request)
Billing and subscription management | Organisation ID, plan tier
Security monitoring and incident response | Audit logs, security events, IP addresses
Compliance with Saudi PDPL and NCA ECC | Consent records, terms acceptance, audit trail

4. Legal Basis for Processing

Under the Saudi Personal Data Protection Law (PDPL, Royal Decree M/19 dated 09/02/1443H), we rely on:

  • Contractual necessity – to provide the service you have subscribed to
  • Consent – for optional features such as AI processing and analytics cookies
  • Legitimate interests – for security monitoring, fraud prevention, and audit logging
  • Legal obligation – to retain records as required by Saudi law

5. Storage Location & Data Residency

Default storage region: Saudi Arabia (sa-riyadh)
All data is stored within the Kingdom of Saudi Arabia by default, in compliance with PDPL Article 29. Enterprise customers may configure an alternative approved region (UAE, EU, US) through Privacy Settings after written agreement with the platform operator.

No personal data is transferred outside Saudi Arabia without your explicit consent or a legal obligation, in accordance with PDPL Article 29 cross-border transfer rules.

6. Retention Policy

Data Category | Default Retention | Auto-Purge
Audit logs | 2 years (730 days) | No (manual review required)
Session data | 90 days (revoked sessions) | Yes
Drilling report data | 10 years (3,650 days) | No
Cookie consent records | 1 year | No
Security events | 2 years | No
AI-generated reports | 3 years (1,095 days) | No

Managers may adjust retention policies per category from the Admin → Compliance panel. Minimum retention is 30 days for any category. On account deletion, personal identity data is anonymised immediately; audit and security logs are retained for the configured period.

7. Data Sharing

We do not sell, rent, or share your personal data with third parties without explicit consent.

Limited disclosure may occur in these circumstances:

  • Intra-organisation: data is visible only to users within your client organisation (multi-tenant isolation enforced at the database and API layer)
  • Platform staff: managers with the appropriate role can view aggregate usage data; they cannot read another organisation's operational data
  • AI service providers: when you explicitly request an AI-generated report, the relevant structured data is sent to a third-party AI API. See Section 8.
  • Legal obligation: if required by Saudi law, court order, or competent authority

8. AI Usage Disclosure

We never use your data to train AI models.
  • AI features (well-end reports, NPT analysis) are opt-in per request — no data is sent to AI APIs unless you explicitly click "Generate AI Report".
  • Your data is sent to a third-party AI API solely to generate the requested analysis. It is processed under the provider's data processing terms and is not used for model training.
  • You can disable all AI processing globally in Privacy Settings. This blocks AI API calls for your account entirely.
  • AI-generated content is clearly marked in the UI and is stored in your organisation's isolated cache only.

9. Your Rights Under PDPL

Under the Saudi Personal Data Protection Law, you have the following rights, exercisable through Privacy Settings or by contacting us:

Right | How to Exercise
Access – obtain a copy of all your data | GET /api/user/export or Privacy Settings → Export My Data
Correction – update inaccurate data | PUT /api/user/update or Profile page
Erasure – delete your account and anonymise PII | Privacy Settings → Delete My Account (requires typed confirmation)
Withdraw consent – revoke AI or analytics consent | Privacy Settings → toggle off
Objection – object to processing | Contact DPO (see Section 13)

We will respond to rights requests within 30 days as required by PDPL Article 15.

10. Security Controls

The Platform implements the following technical and organisational security measures aligned with NCA Essential Cybersecurity Controls (ECC-1:2018):

  • Passwords hashed with bcrypt (cost factor 12+); minimum 12-character policy enforced
  • JWT sessions with short expiry (24h default), single-session enforcement, and revocation
  • MFA via TOTP (RFC 6238) available to all users; TOTP secrets encrypted at rest (AES-256/Fernet)
  • Role-Based Access Control (RBAC): Manager / Worker / Client / Client Admin
  • All API responses include security headers: CSP, X-Frame-Options, X-Content-Type-Options, HSTS
  • Login rate limiting: 10 attempts per IP per 15 minutes
  • Immutable audit log for all significant actions; retained 2 years
  • Security event detection with admin alerting for critical events
  • Multi-tenant data isolation enforced at query level (client_org_id scoping)

11. Cookies

We use the following cookie/storage categories:

Category | Purpose | Can be declined?
Necessary | Authentication token (localStorage), CSRF protection | No – required for service
Analytics | Usage statistics (page views, feature usage) | Yes – default off
Preferences | UI settings (theme, language) | Yes

You can manage cookie preferences through the banner or at Privacy Settings.

12. Changes to This Policy

We will publish a new versioned policy when material changes are made. You will be required to review and accept the updated policy before accessing the Platform. The change history is maintained in the system and accessible to platform administrators.

13. Contact & Data Protection Officer

For privacy inquiries, rights requests, or complaints:

  • Data Protection Officer (DPO): Platform IT Governance
  • Email: privacy@platform.local
  • Address: Dhahran, Eastern Province, Kingdom of Saudi Arabia 31311

You also have the right to file a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) / National Data Management Office (NDMO) if you believe your rights have been violated.

© 2026 Morning Report Dashboard. All rights reserved.