Tokra — Privacy Policy

Privacy Policy

How Tokra collects, uses, stores, shares, and protects personal data across our websites, products, services, and APIs.

Effective: 28 Aug 2025 Last Updated: 28 Aug 2025 Presented before collection Contact DPO

1) Who We Are & Scope

Tokra is a technology brand. The data controller for Tokra websites, products, and services is Tokra, LLC (United States).

For privacy requests: privacy@tokra.ai.

This policy explains how we collect, use, store, share, and protect personal data across Tokra websites, products, services, and APIs. It is presented to users before any personal data is collected.

2) Roles (Controller / Processor)

We act as a Controller for account, billing, support, and service communications.

We act as a Processor for customer-provided content processed via Tokra SDKs/APIs; such processing is governed by a Data Processing Addendum (DPA) and our published list of Subprocessors.

3) Categories of Personal Data We Process

  • Account & Contact: name, email, organization, and contact details.
  • Usage & Security: login events, IP address, device/browser identifiers, operational and security logs.
  • Customer Content: text/payloads you or your systems submit to Tokra SDKs/APIs for the agreed purpose.
  • Support: tickets, attachments, diagnostics.
  • Cookies & Similar Technologies: as configured via our Cookie Consent preferences.

Mandatory vs. Optional: Some data is required to deliver core services (e.g., account data). Others are optional (e.g., non-essential analytics/cookies). If required data is not provided, certain features or services may be unavailable.

4) Sources

  • Directly from you (signup, forms, contracts, support).
  • Automatically via operational/security logs.
  • From authorized service providers (e.g., payments, email, monitoring) under binding contracts.

5) Purposes & Legal Bases

  • Provide and operate the services; perform contracts with you.
  • Security and fraud prevention; protect networks and information.
  • Legal compliance, including required retention and responses to competent authorities.
  • Service communications and marketing with your revocable consent where applicable.

If you choose not to provide required data: we may be unable to deliver some services, features, or support.

6) Sharing

We share personal data where necessary with subprocessors such as hosting, email/transactional communication, payments, monitoring, security, and analytics providers. All subprocessors are bound by data protection terms that ensure protections equivalent to ours. We may also share data with competent authorities when legally required.

We do not sell personal data.

7) International Transfers

Personal data may be transferred or processed outside your country for the purposes above. We ensure an equivalent level of protection through approved safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) and conduct Transfer Impact Assessments (TIAs) where appropriate, while applying data minimization.

A product-specific Sovereign Addendum—if executed later in writing between the parties—may impose stricter localization and “no-transfer” terms for the covered product/scope and will prevail for that product (see “Priority of Addenda”).

8) Retention & Deletion

We retain personal data only for the minimum period necessary to meet the stated purposes or legal obligations, then securely delete or anonymize it. Illustrative periods:

  • Usage & security logs: up to 12 months after account termination unless a longer legal period applies.
  • Billing/financial records: up to 5 years or as required by applicable law.

Secure disposal methods include permanent deletion, encryption, or anonymization to prevent re-identification.

9) Security

We apply appropriate administrative, technical, and organizational measures, including access controls, encryption in transit and at rest where feasible, environment segregation, audit logging, and periodic testing. Subprocessors must implement protections equivalent to ours.

10) Your Rights & How to Exercise Them

Subject to applicable laws (including the Saudi PDPL), you may have rights to:

  • Access your personal data and obtain a copy.
  • Rectify incomplete or inaccurate data.
  • Request deletion where data is no longer needed or processing is unlawful.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with the competent authority in the Kingdom of Saudi Arabia (SDAIA) if we do not address your request satisfactorily.
  • Seek compensation for material or moral harm resulting from violations of applicable data protection laws.

How to submit a request (DSAR): email privacy@tokra.ai. We will respond within applicable timeframes.

11) Marketing & Cookies

We send electronic marketing communications only with your consent and provide easy unsubscribe mechanisms. Non-essential cookies and similar technologies are controlled via our Cookie Consent preferences; they will not load unless and until you opt in.

12) Children

Tokra’s services are not directed to children. Where processing children’s data is legally permitted and necessary, we will obtain required guardian consents and apply heightened safeguards.

13) Data Breach Notification

If a personal data breach occurs, we will notify the competent authority in the Kingdom of Saudi Arabia within 72 hours of becoming aware, and notify affected individuals without undue delay where risks to them exist, following applicable guidance.

14) Related Policies & Documents

15) Priority of Addenda (Product-Specific Terms)

If any product-specific addendum (including a Sovereign Addendum executed later in writing) conflicts with this Privacy Policy, the addendum prevails for that product within its defined scope.

16) Changes to This Policy

We may update this policy from time to time. We will post updates with a clear effective date and, where changes are material, may also notify you via email or in-product notices.

17) Contact

Data Protection Officer (DPO) — Tokra
privacy@tokra.ai

Email DPO
This page is provided for transparency and does not constitute legal advice.