Effective date: 25 April 2026

Privacy Policy

Nitaq.ai ("Nitaq", "we", "us", or "our") is a company based in the Kingdom of Saudi Arabia. We build an Agentic Gateway — a control plane that connects AI agents (such as Claude, OpenClaw, Copilot, or Gemini) to private enterprise systems via the Model Context Protocol (MCP), with governance, sandboxing, and audit at the edge. This Privacy Policy explains how we handle information when you visit nitaq.ai, join our waitlist, engage with us as a prospective customer, or when your organisation later deploys the Nitaq Gateway and Connector. We operate in line with the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL) and its Implementing Regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA).

1. Scope

This Policy covers the public marketing website (nitaq.ai), the waitlist, pre-launch enquiries, and the account-level data we process to operate the Nitaq Agentic Gateway on behalf of enterprise customers.

Where your organisation has signed a separate Customer Agreement or Data Processing Agreement with Nitaq, that agreement governs how we process your tenant's operational data as a data processor. This Policy addresses our own role as a data controller for website visitors, waitlist members, and account administrators.

2. Information we collect

Website and waitlist — when you browse nitaq.ai or submit the waitlist form, we collect your work email address, any details you enter in free-text fields, plus limited technical data (IP address, user agent, pages viewed, referrer, timestamps) and strictly necessary cookies.

Commercial enquiries — if you speak with our team about a pilot or deployment, we collect contact details, employer, role, country, regulatory context (e.g. SAMA, NCA, PDPL, HIPAA), and the use cases you describe.

Account and admin data — if your organisation becomes a customer, we collect organisation name, administrator names and emails, assigned roles, API keys, connector identifiers, and billing contacts.

Gateway operational metadata — when the Connector is deployed inside your infrastructure and exchanges MCP traffic with the Gateway, we receive operational metadata about each call: tenant, connector ID, agent identity, tool name, timestamp, latency, status (allow/deny), and policy decision reasons. This telemetry is used to run the service, enforce governance, and generate audit logs.

What we deliberately do not receive — per our Data Boundary Commitment, the raw contents of MCP tool responses, the credentials the Connector uses to call your enterprise systems, and the underlying records returned by those systems remain inside your infrastructure. The Gateway does not read or store that data.

3. Data Boundary Commitment

Nitaq is designed so that sensitive enterprise data stays on customer infrastructure. The Connector is deployed inside your network, discovers MCP servers locally, enforces policies (OPA) at the edge, and opens a single outbound-only WebSocket tunnel to the Gateway. No inbound firewall changes are required.

Credentials your Connector uses to reach internal systems (databases, core banking, HR, healthcare systems, custom MCP servers) are held locally and never transmitted to Nitaq. The Gateway sees enough metadata to route, authorise, and audit a call — not the underlying records or secrets.

This boundary is a product commitment, not just a privacy promise: it is enforced by the architecture itself. See the Data Boundary document we publish with our technical documentation for the precise list of what crosses the control plane and what does not.

4. How we use information

To operate and secure the marketing site, respond to enquiries, manage the waitlist, and invite members to previews or pilots.

To run the Gateway service: authenticate connectors and agents, enforce OPA policies, write audit logs, compute agent competency and alert scores, and produce dashboards for your administrators.

To send service-related communications (onboarding, incident notices, material changes, legal notices) and, where you have opted in, product updates.

To improve the Gateway, Connector, Bridge, Dashboard, and CLI through aggregated or anonymised analytics, and to carry out research and development on MCP tooling, policy, and alert rules.

To meet legal, regulatory, and contractual obligations — including cooperating with SDAIA, SAMA, NCA, and other competent authorities where required.

5. Legal basis under PDPL

We rely on your consent (waitlist sign-up, marketing), performance of a contract (customer agreements, responding to pre-sale enquiries), compliance with legal obligations (tax, accounting, lawful requests), and our legitimate interests (security, fraud prevention, service improvement) as lawful bases under the PDPL.

You may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing performed beforehand.

6. Sharing and disclosure

Sub-processors — we use vetted infrastructure and software providers to operate the service, including cloud hosting (e.g. AWS, GCP), managed PostgreSQL, NATS messaging, email delivery, and analytics. Each is bound by contract to confidentiality and appropriate security controls. A current list of sub-processors is available on request or through our customer agreement.

AI providers — the Agentic Gateway is designed so that your organisation uses its own AI provider credentials (Anthropic, OpenAI, Google, etc.) against its own accounts. Nitaq does not resell AI inference and does not share your prompts or responses with AI providers on your behalf beyond what is required to route an authorised MCP call.

Authorities — we may disclose information to competent authorities in the Kingdom of Saudi Arabia (SDAIA, SAMA, NCA, courts) or in another jurisdiction where a valid legal request applies. We review each request and disclose only what is required by law.

Corporate transactions — if Nitaq is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to PDPL requirements and the terms of this Policy.

7. International transfers

Where personal data is transferred outside the Kingdom of Saudi Arabia — for example, to regional cloud hosting or an international sub-processor — we apply the safeguards required under the PDPL and its Implementing Regulations, including destination-jurisdiction adequacy assessments and appropriate contractual or technical protections. Customers with KSA-residency requirements can request details of data residency options in their Customer Agreement.

8. Retention

Waitlist records are retained until you ask us to remove them or until the product becomes generally available and we migrate you to a customer account.

Gateway operational metadata and audit logs are retained for the period specified in the Customer Agreement and at minimum for the period required by applicable regulation (for regulated sectors such as banking, this is typically several years).

We delete or anonymise personal data when it is no longer needed for the purpose it was collected, subject to legal hold or regulatory retention duties.

9. Security

Security controls include: an outbound-only Connector-to-Gateway tunnel (no inbound firewall exposure for your network), API key authentication, JWT-based dashboard authentication with organisation-scoped multi-tenancy, OPA policy enforcement at both the Gateway and the Connector, pre-execution Guards for sensitive tool calls, encryption in transit, encrypted storage, least-privilege access inside Nitaq, and continuous logging and monitoring of the control plane.

No system is perfectly secure. We encourage customers to apply defence in depth inside their own environments and to review our published security architecture before deployment.

10. Your rights

Subject to the PDPL, you have the right to be informed about how we process your data, to access your data, to request correction of inaccurate data, to request destruction of data that is no longer needed, to withdraw consent, and to lodge a complaint with SDAIA.

To exercise these rights, write to privacy@nitaq.ai. If your data is held on behalf of an enterprise customer (e.g. as an employee of a bank using Nitaq), please raise the request with your organisation first; we will support them in responding to you.

11. Enterprise use only

Nitaq is an enterprise infrastructure product intended for institutional buyers — Saudi financial institutions, government entities, healthcare enterprises, and similar regulated organisations. It is not a consumer service, is not directed at children, and is not suitable for personal or household use. If you believe we have received data from a source that does not meet this criterion, contact us and we will remove it.

12. Cookies

We use strictly necessary cookies to run the site and, where applicable, privacy-preserving analytics to understand usage in aggregate. We do not use advertising cookies. You can control cookies in your browser settings; disabling strictly necessary cookies may break parts of the site.

13. Changes

We may update this Policy from time to time. Material changes will be announced on the website and, for customers, communicated through the Dashboard or direct notice. The "Effective date" at the top indicates when this version was last updated.

14. Contact

Privacy enquiries: privacy@nitaq.ai. General contact: hello@nitaq.ai. Governing law: the law of the Kingdom of Saudi Arabia.