Privacy Policy
> **DRAFT — NOT LEGALLY REVIEWED — Cowork-authored content pending.**
> Do not deploy until reviewed by licensed Iraqi counsel (Kazm / AMERELLER).
> Clauses marked [LAWYER REVIEW] require Iraqi/KRG jurisdiction-specific input.
---
# [brand_name] Privacy and Data Policy
**Version:** 1.1-draft
**Effective date:** Upon customer acceptance at checkout
**Jurisdiction:** Republic of Iraq / Kurdistan Regional Government, Erbil
**Last updated:** 2026-05-07
---
## 1. What We Collect
When you use [brand_name] — via our website, configurator, WhatsApp, or customer portal — we may collect the following:
| Category | Data points |
|---|---|
| **Identity** | Full name; national ID number (if required for warranty claim) |
| **Contact** | WhatsApp number, phone number |
| **Location** | Delivery address; GPS coordinates (provided via checkout map pin or WhatsApp location share) |
| **System specifications** | System size (kW), phase (1-phase / 3-phase), load profile, roof type, shading data entered into the configurator |
| **Order data** | Products selected, quantities, prices, payment method, Order Confirmation details |
| **Payment records** | SuperQi transfer references, payment confirmation; we do not store payment card data |
| **AI conversation history** | WhatsApp conversation logs with Sara (sales AI) and Yusuf (post-sale AI), retained for service continuity, quality assurance, and compliance |
| **Site photos** | Images submitted for warranty claims or installation assessment |
| **Device / browser** | IP address, browser type, session cookies — only when using the website (no analytics at launch) |
---
## 2. Why We Collect
We use your data to:
2.1 **Fulfil your order** — process payment, arrange delivery to your location, and schedule installation.
2.2 **Provide after-sales service** — manage warranty claims, respond to support requests via WhatsApp, and maintain service continuity by keeping your history available to our AI agents.
2.3 **Ensure system design accuracy** — use your configurator inputs to engineer the correct system size, single-line diagram (SLD), and component list.
2.4 **Meet regulatory compliance obligations** — retain financial records as required by Iraqi tax and commercial law.
2.5 **Send marketing communications** — only if you have explicitly opted in (see Section 8). Never by default.
---
## 3. AI Agent Access and Processing
[brand_name] operates AI agents that process your personal data as part of service delivery:
3.1 **Sara** (sales and configurator AI): accesses your name, WhatsApp number, location, system specifications, and conversation history to provide solar quotations, configure orders, and answer product questions.
3.2 **Yusuf** (post-sale and support AI): accesses your name, order history, delivery address, system specifications, and conversation history to manage warranty, support, and escalations.
3.3 Both agents operate under human oversight and within [brand_name]-defined policies. They will disclose their AI nature when directly asked.
3.4 Conversation logs are retained for **service continuity** (your history is preserved across sessions), **quality assurance**, and **compliance**. Logs are stored in Odoo and subject to the retention policy in Section 5.
3.5 [LAWYER REVIEW — Iraqi regulation on AI-processed personal data is emerging. This disclosure aligns with best-practice transparency but should be reviewed once the Iraqi Personal Data Protection Law is enacted.]
---
## 4. How We Share Your Data
[brand_name] applies a strict data-minimisation policy when sharing data with platform partners:
| Recipient | What they receive | When |
|---|---|---|
| **Vendors** | Product IDs and order quantities ONLY — never your name, phone, or address | Upon order confirmation |
| **Installers** | Your name, phone number, and site address | 24 hours before scheduled installation |
| **Carriers** | Your delivery address only | 24 hours before scheduled delivery window |
| **Payment processors** | Payment transaction data under their own privacy terms | At time of payment |
| **Odoo.sh (hosting)** | All platform data as infrastructure provider | Continuous (data processor role) |
**[brand_name] does not sell, rent, or broker customer personal data to any third party.**
[LAWYER REVIEW — data processor agreements with Installers and Carriers should be formalised under a data processing addendum. Review before market launch.]
---
## 5. Storage and Security
5.1 **Infrastructure:** All data is stored in Odoo hosted on **Odoo.sh** (Odoo's managed cloud, EU-region servers). Odoo.sh is ISO 27001 compliant.
5.2 **Encryption:** Data is encrypted in transit (TLS 1.3) and at rest.
5.3 **Access controls:** Only [brand_name] authorised staff and AI agents with an operational need may access personal data. Access is role-based and logged.
5.4 **Retention:**
- Active customer records: retained for the life of your account plus 7 years post-last-order (warranty and tax compliance).
- AI conversation logs: retained for 3 years then anonymised.
- Deleted accounts: data anonymised within 90 days of deletion request, subject to legal hold obligations.
5.5 **Breach response:** In the event of a data breach affecting your information, [brand_name] will notify affected customers via WhatsApp within 72 hours of becoming aware, and will notify competent authorities as required by law.
[LAWYER REVIEW — Iraqi Law on Electronic Signatures and Transactions (Law No. 78 of 2012) and emerging personal data protection legislation. Confirm 72-hour breach notification aligns with applicable Iraqi requirements.]
---
## 6. Cookies and Website Tracking
6.1 **At launch:** [brand_name]'s website uses only **essential session cookies** required for cart functionality and customer portal login. No third-party advertising or analytics cookies are set.
6.2 **Future analytics (Phase 2+):** When website analytics is introduced, a cookie consent banner will be displayed before any non-essential cookies are set, and this policy will be updated accordingly.
6.3 **WhatsApp:** WhatsApp interactions are subject to WhatsApp / Meta's own privacy policy in addition to this policy.
[LAWYER REVIEW — Iraqi e-commerce and telecommunications regulations on cookie consent. Confirm whether a consent banner is legally required at launch even for essential cookies.]
---
## 7. Your Rights
You have the following rights regarding your personal data:
| Right | How to exercise | Timeline |
|---|---|---|
| **Access** | Request a copy of all data we hold about you | We respond within 30 days |
| **Correction** | Request correction of inaccurate or incomplete data | We respond within 14 days |
| **Deletion** | Request deletion of your data (subject to legal retention obligations) | We respond within 30 days; some records may be retained for legal compliance |
| **Marketing opt-out** | Stop marketing messages at any time | Immediate on request |
| **Data portability** | Request your data in a standard machine-readable format | We respond within 30 days |
To exercise any right: message [brand_name] via **WhatsApp (+964 750 004 3303)** or through your **customer portal** at [brand_name].odoo.com/my.
[LAWYER REVIEW — Iraqi data subject rights are not yet codified in a comprehensive data protection law. These rights are provided as a best-practice commitment. Review once Iraqi Personal Data Protection Law is enacted. Also check whether the Iraqi Communications and Media Commission (CMC) has issued relevant guidance.]
---
## 8. Marketing Opt-In
8.1 **Default: OFF.** [brand_name] does not send promotional or marketing messages unless you have explicitly opted in.
8.2 **How to opt in:** Check the marketing consent checkbox at checkout. You may also opt in later by messaging [brand_name] via WhatsApp.
8.3 **What you may receive if opted in:** Solar promotions, product launches, educational content about solar energy, seasonal offers.
8.4 **How to opt out:** Message [brand_name] via WhatsApp or unsubscribe via any marketing message. Opt-out is immediate. Opting out of marketing does not affect service notifications (order status, warranty alerts, installation scheduling).
---
## 9. Children and Minors
9.1 [brand_name] services are intended for individuals aged **18 and above** only. We do not knowingly collect personal data from individuals under 18.
9.2 If a parent or guardian wishes to place an order on behalf of a household, the account must be registered in the adult's name, and the adult accepts these terms and the Privacy Policy on behalf of the household.
9.3 If we become aware that we have inadvertently collected data from a minor without appropriate consent, we will delete that data promptly.
[LAWYER REVIEW — Iraqi Child Protection Law requirements; confirm whether a technical age-gate mechanism is required at checkout.]
---
## 10. Cross-Border Data Transfers
10.1 **Currently:** All customer data is processed on Odoo.sh infrastructure (EU-region servers). No transfers to third parties outside Iraq occur at this time, other than Odoo.sh as infrastructure provider.
10.2 **Phase 3 MENA expansion:** Future expansion to Gulf or other MENA markets may involve data transfers to jurisdictions outside Iraq. This policy will be updated and customers notified before any such transfer occurs.
10.3 **EU data:** If [brand_name] receives data from EU-resident individuals (e.g., diaspora customers), those individuals may have additional rights under EU GDPR. [brand_name] will comply with applicable law.
[LAWYER REVIEW — cross-border data transfer requirements under future Iraqi Personal Data Protection Law; GDPR adequacy position for Iraq TBC; review before any MENA expansion or EU customer engagement.]
---
## 11. Dispute Resolution and Governing Law
11.1 This Policy is governed by the laws of the **Republic of Iraq** and, where applicable, the **Kurdistan Regional Government**.
11.2 Disputes relating to this Policy will first be addressed through direct negotiation. If unresolved within 30 days, disputes will be submitted to binding arbitration in Erbil.
11.3 These terms are issued in Arabic and English. In case of conflict, the **Arabic version prevails** for Iraqi-domiciled customers.
[LAWYER REVIEW — same arbitration clause as Customer ToS Section 11; confirm consistency and recommend specifying arbitration body (e.g., BCCK or ICC Iraq).]
---
## 12. Policy Updates
12.1 [brand_name] may update this Privacy and Data Policy at any time. The version in force at the time of your purchase governs that transaction.
12.2 **Material changes** (new data uses, new third-party sharing, new AI agents) will be communicated to existing customers via WhatsApp at least 14 days before taking effect.
12.3 Your continued use of [brand_name] after the effective date of an update constitutes acceptance of the updated Policy.
---
## 13. Contact
For privacy questions, rights requests, or data concerns:
**WhatsApp:** +964 750 004 3303
**Portal:** [brand_name].odoo.com/my
**Email:** hello@[brand_name].com *(secondary channel; WhatsApp preferred)*
---
*[brand_name] — Powering Iraq's solar transition.*
---
## Document History
| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0-draft | 2026-04-26 | Cowork / Claude Code | Initial EN+AR draft |
| 1.1-draft | 2026-05-07 | Cowork / Claude Code | Migrated to docs/legal/ structure; Sorani + Bahdini added as separate files |