Privacy Policy
Last updated: April 2026
1. Data Controller
Osool (osool.basem.ai), operated by [Basem] at basem@basem.ws.
2. Data We Collect
We collect only what you provide or what is generated automatically to operate the service:
- Email address and password (Argon2id-hashed — never readable in plain text)
- Locale preference, base currency, and Hijri Hawl start date
- Asset data you enter: names, tickers, quantities, prices, categories, dates
- Valuation records (price history for your assets)
- Zakat statement snapshots (saved calculations)
- IP addresses in server access logs (for security and operational purposes)
3. Purpose of Processing
We process your data exclusively to provide you with a personal wealth-tracking and Zakat-calculation service. We do not use your data for any commercial or advertising purpose.
4. Legal Basis
The legal basis is your consent (PDPL Art. 6 — Saudi Personal Data Protection Law). Processing ceases immediately upon account deletion.
5. Data Storage & Security
- Data is stored in PostgreSQL on a dedicated server located in Paris, France (cross-border transfer under PDPL Art. 29)
- Passwords are Argon2id-hashed with a per-user salt (never stored in plain text)
- All connections are encrypted over HTTPS (Caddy + Let's Encrypt)
- Data access is restricted to the controller
6. Third-Party Data Processors
We use limited third-party services to fetch market prices. No personal data is sent to these services:
| Service | Purpose | What is sent |
|---|---|---|
| yfinance / Yahoo Finance | Stock prices | Ticker symbols only (AAPL, 2222.SR …) — no quantities or values |
| exchangerate.host | FX rates | No personal data |
| metals.live | Gold spot price (Nisab) | No personal data |
7. Data Retention
Data is retained until you delete your account. Upon account deletion, all data is immediately and permanently erased from the database (no soft-delete backup). Server access logs are retained for a maximum of 90 days.
8. Your Rights under PDPL
- Access Right to access your data → Settings → Export my data (JSON download)
- Rectification Right to correct your data → edit assets and settings at any time
- Erasure Right to delete your data → Settings → Delete my account
- Withdrawal Deleting your account equals withdrawal of consent and cessation of processing
- Complaint Right to lodge a complaint with SDAIA (Saudi Data & AI Authority) at sdaia.gov.sa
- Objection To exercise any of these rights or object to a specific processing activity, email basem@basem.ws.
9. Cookies
| Name | Purpose | Type |
|---|---|---|
| osool_session | Authentication session | Functional |
| osool_csrf | CSRF protection | Security |
| osool_locale | Language preference | Functional |
We use no analytics, tracking, or advertising cookies.
10. No Sale or Sharing
We do not sell, rent, or share your personal data with any third party for commercial purposes.
11. Children
This service is not intended for users under 18 years of age. If you become aware that a minor has submitted data, contact us immediately for deletion.
12. Policy Changes
If we make material changes to this policy, we will notify you via a banner on your next login.
13. Contact
For any PDPL inquiry or to exercise your rights, contact us at basem@basem.ws.