Privacy Policy

Version 3.0.0 · Effective 2026-05-28

This Privacy Policy explains what Arafa (operated by Abtikarat Louis Trading and Services WLL, "we", "us") collects about you, how we use it, and what you can do about it. Arafa is a professional social network for residents of the GCC (Qatar, Saudi Arabia, UAE, Kuwait, Oman, Bahrain). By using Arafa you agree to this policy.

This document is written in plain language on purpose. If anything is unclear, email privacy@arafa.qa and we will explain.

1. What we collect

  • Your phone number (for authentication via OTP).
  • Your profile data: display name (English and Arabic), profile photo, cover image, country, profile type (Business / Professional / Student), bio, profession, university or company, social links you choose to publish.
  • Business profile fields: CR number, TL number, category, operating hours.
  • Posts, comments, agapes (likes) and other content you create.
  • Messages — encrypted end-to-end with AES-256-GCM. We hold the encrypted ciphertext but cannot read the contents.
  • Order and payment metadata for any purchases (SADAD handles the actual card data — we never see it).
  • Technical signals: IP address, device fingerprint, browser type — used only for security (rate limiting, bot detection, GCC-only access).

2. What is public by default

The whole point of Arafa is to be seen by other professionals. The following profile fields are visible by default to any authenticated user inside the GCC, and to verified search engine crawlers (Googlebot, Bingbot, DuckDuckBot, etc.) for SEO discoverability:

  • Display name (EN + AR), profile type, country.
  • Profile avatar and cover image.
  • Bio (EN + AR).
  • Social links and contact methods you explicitly marked as public.
  • Business profile: category, hours, address, services. Professional profile: profession, company. Student profile: university, major.

You can adjust per-field visibility in Settings → Privacy. Items you mark as Private are never returned by our public APIs.

3. How we protect your images

We take image protection seriously, but we are also honest about what is technically possible:

  • Every profile image is served from a server-side proxy. Direct URLs are signed with a short time-to-live token: 5 minutes for free accounts, 24 hours for premium accounts.
  • Anti-scraping rate limits cap how many images one IP can request per minute.
  • Our GCC-only edge firewall blocks requests from outside the Gulf, from datacenter IPs, from VPNs and from Tor.
  • Browser-proof tokens stop headless scripts from harvesting images at scale.
  • Right-click is disabled on profile and post images. This is a small speed-bump, not real protection.

Honest disclaimer: We cannot stop someone who can already see your profile from taking a screenshot, holding up a camera, or otherwise capturing the image on their screen. No website on the public internet can. By keeping your profile visible you accept that other Arafa users may save your avatar / cover / public posts for personal reference. Bulk harvesting and republication is a separate matter — that is prohibited under our Terms of Service and we will pursue it.

4. What we do NOT do

  • We do not sell your data — not to advertisers, not to brokers, not to anyone.
  • We do not share your data with third parties for machine-learning, model training, or behavioral profiling.
  • We do not serve content to non-GCC IPs. The platform is technically unreachable from outside the Gulf.
  • We do not load third-party trackers, analytics pixels, or ad networks (no Google Analytics, no Facebook Pixel, no TikTok Pixel, no LinkedIn Insight Tag).
  • We do not read or log the contents of your messages — they are encrypted end-to-end before they leave your device.
  • We do not store your payment card numbers. SADAD handles cards directly and is PCI DSS certified.

5. About screenshots

We cannot prevent users with legitimate viewing access from taking screenshots. By making your profile visible, you accept that other Arafa users may save your profile image and public data for personal reference. Bulk harvesting, republication, dataset compilation, or any use of Arafa data to train an AI model is prohibited and gives us standing to act against the offender (see our Terms of Service).

If you discover that someone has copied your Arafa profile photo to a third-party site, use the in-app form at /app/report-stolen-image and we will help you generate a DMCA / takedown request to the host.

6. Your rights under Qatar PDPPL (Law No. 13 of 2016)

Arafa is governed by Qatar Law No. 13 of 2016 on Personal Data Privacy Protection (PDPPL). Under it you have the right to:

  • Access — request a copy of all data we hold about you (Settings → Privacy → Download my data).
  • Correct — edit any field on your profile at any time, or email privacy@arafa.qa for fields you cannot self-edit.
  • Delete — delete your account (Settings → Account → Delete account). Permanent deletion completes within 30 days.
  • Withdraw consent — at any time, by deleting your account or restricting visibility.
  • Object to processing — for any specific use not strictly necessary for the service, email privacy@arafa.qa.
  • Complain — to the Compliance and Data Protection Department at the Ministry of Communications and Information Technology of Qatar.

7. Where your data lives

Arafa is hosted on a dedicated Contabo VPS in Europe (datacenter located in Germany). The server is operated by Abtikarat Louis Trading and Services WLL.

  • In transit: every connection uses TLS 1.3 (Let’s Encrypt certificates, auto-renewed).
  • At rest: messages are E2E encrypted with AES-256-GCM (per-conversation keys); other database content is held in encrypted backups. Disk-level encryption (LUKS) on the live VPS is on our roadmap and tracked publicly.
  • Access to the host is restricted by SSH key on a non-standard port with fail2ban; only the founder has shell access.

8. How long we keep your data

  • Active accounts: as long as the account is open.
  • Deleted accounts: profile data and content are permanently deleted within 30 days of your deletion request.
  • Encrypted backups: rolling 30-day window. Older backups are securely destroyed.
  • Legal acceptance audit log (terms / privacy acceptances): kept indefinitely as a compliance record, even after account deletion.
  • Payment records: 7 years (Qatari commercial law).

9. Authentication and session metadata

To keep your account secure and to spare you from logging in every day, we collect a small amount of authentication-related data:

  • Your phone number in E.164 format — verified via Firebase Phone Authentication (provided by Google LLC, United States). It is used only for one-time OTP delivery and to enforce account uniqueness; we do not use it for marketing.
  • Session metadata stored alongside each refresh token — kept for 30 days OR until the session is revoked, whichever comes first:
    • Session ID (a UUID, used internally only).
    • IP address at the time of issuance (used for the device-binding check described in our Terms).
    • User-Agent string identifying your browser or app build.
    • Issuance and last-used timestamps.

This data is not shared with any third party. We use it only to: validate that your session is still active, detect fraud (such as impossible-travel between distant geographies in a short time), and power the "Active Sessions" view you see in Settings.

Right to erasure: deleting your account purges all session metadata within 30 days. You may also request immediate erasure of all session records at any time by emailing support@arafa.qa.

10. Message retention and deletion

Message bodies are encrypted in transit (TLS 1.3) and end-to-end at the application layer (AES-256-GCM with per-conversation keys). Encrypted ciphertext is stored on Arafa servers in Qatar.

Default retention

If no participant holds an active Chat Deleted-View subscription at the time of deletion, and the sender deletes a message within 40 seconds, the encrypted body is wiped from the database within one (1) hour. Metadata (sender, timestamp, [Deleted] placeholder) is preserved so the conversation thread stays coherent. The encrypted body cannot be recovered.

Retention while a participant has Chat Deleted-View active

The encrypted body is retained for as long as that participant's subscription window remains active, and is decryptable only by participants. When the subscription ends, the corresponding retention right ends. A daily cleanup job removes encrypted bodies for messages that no longer have any active retention grant.

Your data subject rights (Qatar PDPPL Article 11)

You may at any time request full deletion of your account. This wipes ALL message bodies you sent, regardless of any other participant's subscription state. This is the only way to defeat a subscriber's retention right. Full-account deletion is irreversible.

Lawful disclosure

Arafa may disclose conversation contents in response to a lawful order issued by a competent Qatari court. Disclosure is limited to messages that remain in the system; messages wiped under the default retention path are unrecoverable and cannot be disclosed. All disclosures are logged and the affected participants are notified within twenty-four (24) hours unless the order prohibits notice.

12. Contact us

Questions, requests, or complaints about your privacy:

Email: privacy@arafa.qa
Operator: Abtikarat Louis Trading and Services WLL, Doha, Qatar
Website: arafa.qa

13. Version and changes

Current version: 3.0.0
Effective date: 2026-05-28

When we materially change this Privacy Policy, we bump the version number. The next time you log in to Arafa you will be asked to read and re-accept the new version. We keep an immutable audit log of every acceptance — your IP, your user agent, the version you saw, and a SHA-256 hash of the exact text. You can ask for your record at any time.