Awriri Privacy Policy

Effective date: May 2026
Entity: Aafyah Innovations FZ-LLC (RAKEZ)

Aafyah Innovations FZ-LLC (“Aafyah”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, process, and protect your personal data when you visit the Awriri platform, use our services, connect your Facebook, Instagram, X (formerly Twitter), Google Business Profile, or LinkedIn accounts, or when we aggregate public information about your professional practice.

This policy is designed to comply with the Saudi Arabia Personal Data Protection Law (KSA PDPL), the United Arab Emirates Personal Data Protection Law (UAE PDPL), the data handling requirements of the Meta Platform Terms (Facebook, Instagram, and Messenger), the X Developer Agreement and X Developer Policy, the Google API Services User Data Policy including the Limited Use requirements applicable to Google Business Profile data, and the LinkedIn API Terms of Use including the requirements applicable to the Community Management API.

1. Data Controller Identity

Aafyah Innovations FZ-LLC, a Free Zone Limited Liability Company registered in the Ras Al Khaimah Economic Zone (RAKEZ), United Arab Emirates, acts as the Data Controller for the personal data processed on the Awriri platform.

For Enterprise accounts where a hospital or clinic manages profiles on behalf of its doctors, the Enterprise acts as the Data Controller, and Aafyah acts as the Data Processor.

2. What Data We Collect

2.1 Data Collected from Public Sources (Pre-Registration)

Before you register, we may collect and aggregate professional information about you from publicly available sources (such as hospital directories, health portals, booking platforms, and public social media profiles). This data includes:

  • Name and professional title
  • Medical specialty and qualifications
  • Place of practice (clinic/hospital name and address)
  • Publicly available patient reviews and ratings
  • Publicly listed professional contact information

2.2 Data You Provide Directly (Post-Registration)

When you claim your profile or register for an account, we collect:

  • Identity verification documents (e.g., government ID, professional license) processed securely via our verification partners
  • Direct contact information (email address, mobile number)
  • Billing and payment information
  • Any additional professional details you choose to add to your profile
  • Patient contact details (only if you utilize our review generation features, in which case you warrant you have obtained necessary patient consents)

2.3 Data Collected from Meta Platforms (Facebook, Instagram, and Messenger)

When you choose to connect your Facebook Page or Instagram Business account to Awriri, we collect data from the Meta Graph API under the permissions you grant during the official Meta OAuth login flow. The specific permissions Awriri requests, the data each permission gives us access to, and the purpose for which that data is used are listed below.

2.3.1 Instagram permissions

  • instagram_basic — gives Awriri access to your Instagram Business account identifier, username, profile picture, biography, follower count, and the list of your published media. We use this to generate AI recommendations so that your profile can be improved.
  • instagram_content_publish — allows Awriri to publish photos, videos, and captions to your Instagram Business account on your behalf. We use this only when you create a post inside Awriri and explicitly schedule or publish it.
  • instagram_manage_comments — allows Awriri to read comments on your Instagram posts and reply to them on your behalf. We use this so you can moderate and respond to patient comments from inside Awriri without switching to the Instagram app.
  • instagram_manage_insights — allows Awriri to read post-level and account-level analytics for your Instagram Business account, including impressions, reach, profile views, follower demographics, and engagement metrics. We use this to power the analytics dashboard and to compute the social media component of your digital presence score.
  • instagram_manage_messages — allows Awriri to read and send direct messages from your Instagram Business inbox. We use this so you can review and respond to patient enquiries from inside Awriri.

2.3.2 Facebook Page permissions

  • pages_show_list — gives Awriri access to the list of Facebook Pages you manage. We use this to let you choose which Page to connect to Awriri.
  • pages_read_engagement — allows Awriri to read content posted on your Page, including posts and engagement metrics. We use this to display your Page activity in your Awriri dashboard.
  • pages_read_user_content — allows Awriri to read user-generated content on your Page, such as comments and posts left by patients. We use this so you can review patient feedback inside Awriri.
  • pages_manage_posts — allows Awriri to create, edit, and delete posts on your Page on your behalf. We use this only when you create or schedule a post inside Awriri.
  • pages_manage_engagement — allows Awriri to publish comments and replies on your Page on your behalf. We use this so you can respond to patient comments from inside Awriri.
  • read_insights — allows Awriri to read Page insight metrics including impressions, reach, and follower growth. We use this to power your analytics dashboard and to compute the social media component of your digital presence score.

2.3.3 Messenger permission

  • pages_messaging — allows Awriri to send and receive Messenger messages on behalf of your connected Facebook Page. We use this so you can review and reply to patient enquiries received via Messenger from inside Awriri.

2.3.4 Additional feature

  • Business Asset User Profile Access — allows Awriri to read basic profile fields (name, profile picture, identifier) for users who engage with your Page or Instagram account, so that we can use them to generate AI recommendations to improve the Page.

We only request and collect the permissions listed above. We do not request any permission that grants access to data unrelated to your professional Page or Instagram Business account. You can revoke any of these permissions at any time through your Facebook or Instagram account settings, or by disconnecting your account from inside Awriri.

2.4 Data Collected from X (formerly Twitter)

When you choose to connect your X account to Awriri, we collect data from the X API v2 under the OAuth 2.0 scopes you grant during the official X authorization flow. The specific scopes Awriri requests, the data each scope gives us access to, and the purpose for which that data is used are listed below.

2.4.1 X OAuth 2.0 scopes

  • users.read — gives Awriri access to your X profile information, including your username, display name, profile picture, bio, verified status, and account-level public metrics such as follower count, following count, tweet count, and listed count. We use this to display your connected X account inside your Awriri dashboard, to build account-level analytics by snapshotting these public metrics over time, and to compute the social media component of your digital presence score.
  • tweet.read — allows Awriri to read tweets you have published, including their text content, attached media, timestamps, and the full set of tweet-level analytics that X exposes to the account owner. These analytics include public metrics (likes, retweets, replies, quote tweets, bookmarks, impressions, and video views), non-public metrics (URL link clicks and user profile clicks attributable to the tweet), and organic metrics (organic impressions and organic engagement totals). We use this data to display your post history, power the per-post analytics inside Awriri, and roll up account-level performance trends in your dashboard.
  • tweet.write — allows Awriri to publish tweets, threads, and replies on your behalf. We use this only when you create or schedule a post inside Awriri and explicitly publish it.
  • offline.access — allows Awriri to refresh your access token without requiring you to re-authenticate every session. We use this so scheduled posts continue to publish at the time you chose and so analytics keep updating in the background.

We only request and collect the scopes listed above. We do not request access to your direct messages, your private follower list, or any data unrelated to your professional posting activity. You can revoke Awriri’s access at any time through your X account settings (Settings and privacy → Security and account access → Apps and sessions → Connected apps) or by disconnecting your X account from inside Awriri.

2.5 Data Collected from Google Business Profile

When you choose to connect your Google Business Profile to Awriri, we collect data from the Google Business Profile APIs under the OAuth 2.0 scopes you grant during the official Google authorization flow. Awriri’s use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The specific scopes Awriri requests, the data each scope gives us access to, and the purpose for which that data is used are listed below.

2.5.1 Google OAuth scopes

  • openid, .../auth/userinfo.email, .../auth/userinfo.profile — give Awriri access to your Google account name, email address, and profile picture. We use these only to identify the Google account you are connecting and to display it inside your Awriri dashboard.
  • https://www.googleapis.com/auth/business.manage — gives Awriri access to the Google Business Profile accounts and locations you administer, and lets Awriri read and update profile data, reviews, posts, photos, questions and answers, and performance metrics on your behalf. We use this for the purposes described immediately below.

2.5.2 How we use Google Business Profile data

  • Business information — we read your clinic’s name, address, phone number, opening hours, categories, attributes, services, and website so that you can view and edit them from inside Awriri. When you make changes inside Awriri, we write the updated information back to your Google Business Profile on your behalf.
  • Reviews — we read patient reviews left on your Google Business Profile so you can view them inside Awriri, generate AI-assisted reply drafts, and publish replies back to Google after you approve them.
  • Photos and media — we upload photos and short videos to your Google Business Profile only when you explicitly add them inside Awriri.
  • Performance metrics — we read profile views, search impressions, calls, direction requests, website clicks, and photo views to power the analytics dashboard and to compute the local-search component of your digital presence score.

In line with the Google API Services User Data Policy — Limited Use requirements, Awriri does not use Google Business Profile data to serve advertisements, does not sell Google Business Profile data, does not transfer Google Business Profile data to third parties except as necessary to provide or improve user-facing features that are prominent in the Awriri user interface and only with your explicit consent or as required by law, and does not allow humans to read Google Business Profile data except (i) with your affirmative consent for specific items, (ii) as necessary for security purposes, or (iii) to comply with applicable law. You can revoke Awriri’s access at any time at myaccount.google.com/permissions or by disconnecting your Google Business Profile from inside Awriri.

2.6 Data Collected from LinkedIn

When you choose to connect your LinkedIn personal profile and/or your LinkedIn Company Page to Awriri, we collect data from the LinkedIn API under the scopes you grant during the official LinkedIn OAuth login flow. The specific scopes Awriri requests, the data each scope gives us access to, and the purpose for which that data is used are listed below.

2.6.1 Personal profile scopes (Sign In with LinkedIn)

  • openid, profile, email — gives Awriri access to your name, profile picture, and email address registered with LinkedIn. We use this to identify you and pre-fill your professional profile inside Awriri.
  • r_profile_basicinfo — allows Awriri to read your basic LinkedIn profile fields, such as headline, profile photo, and profile URL. We use this to display your verified LinkedIn presence inside your Awriri dashboard.
  • w_member_social — allows Awriri to publish, modify, and delete posts, comments, and reactions on your personal LinkedIn feed on your behalf. We use this only when you create or schedule a post inside Awriri and explicitly choose to publish it to your personal profile.

2.6.2 Company Page scopes (Community Management API)

  • r_organization_admin — gives Awriri access to the list of LinkedIn Company Pages you administer, and basic page information such as name, logo, follower count, and page views. We use this to let you choose which Company Page to connect to Awriri and to display your page in your dashboard.
  • rw_organization_admin — allows Awriri to read and update administrative information for your Company Page, including organizational details and page configuration. We use this to keep your connected page information accurate inside Awriri.
  • w_organization_social — allows Awriri to publish, modify, and delete posts, comments, and reactions on your Company Page on your behalf. We use this only when you create or schedule a post inside Awriri, or when you reply to a comment on one of your Company Page posts from inside Awriri.
  • r_organization_social — allows Awriri to read posts published on your Company Page along with comments and reactions on those posts. We use this to display your Page activity in your Awriri dashboard and to allow you to moderate engagement from inside Awriri.

We only request and collect the scopes listed above. We do not request any scope that grants access to data unrelated to your professional LinkedIn presence or the Company Pages you administer. You can revoke any of these scopes at any time through your LinkedIn account settings (Settings & Privacy → Data privacy → Permitted services), or by disconnecting your account from inside Awriri.

3. Lawful Basis for Processing

We process your personal data under the following lawful bases:

3.1 Legitimate Interest (KSA) and Public Data Exemption (UAE)

For the initial collection of your professional data from public sources, we rely on our legitimate commercial interest in creating a comprehensive directory of healthcare professionals (under KSA PDPL) and the exemption for processing data made publicly available by the data subject (under UAE PDPL). We have conducted a Legitimate Interest Assessment to ensure this does not override your fundamental rights.

3.2 Consent

When you claim your profile, register an account, connect your Facebook, Instagram, X, or Google Business Profile account, or opt in to marketing communications, we process your data based on your explicit, unambiguous consent. For each connected platform, your consent is captured through the official OAuth permission screen presented to you by Meta, X, or Google at the time you connect the account.

3.3 Contractual Necessity

We process your billing and account data to fulfill our contractual obligations to you under our Terms and Conditions.

4. How We Use Your Data

We use your data to:

  • Create and display your professional Awriri profile
  • Compute and display your digital presence score across web, social, and directory channels
  • Provide analytics regarding your digital discoverability and patient reviews
  • Verify your identity as a licensed healthcare professional
  • Process subscription payments
  • Communicate with you regarding platform updates, security alerts, and (with your consent) marketing offers

We use the data collected from your connected Facebook Page, Instagram Business account, X account, Google Business Profile, and LinkedIn personal profile and Company Page exclusively for the purposes set out in Sections 2.3, 2.4, 2.5, and 2.6 above — namely: showing your connected accounts in your dashboard, displaying your posts, reviews, and engagement metrics, allowing you to publish and schedule new content, allowing you to read and reply to comments, reviews, questions, and direct messages from inside Awriri, and computing the social media and local-search components of your digital presence score.

We do not sell your Meta, X, Google Business Profile, or LinkedIn data, use it for advertising or audience targeting, share it with data brokers, or use it to build profiles of any individual other than the doctor who owns the connected account.

4.1 Sub-Processors

To deliver our services, we share data with vetted third-party processors who act on our behalf under written data processing agreements:

  • Amazon Web Services (AWS) — hosting, storage, and content delivery for images and videos you upload for publishing
  • Payment processors — for subscription billing
  • Identity verification partners — for professional license validation

These processors are contractually bound to process data only as instructed by Awriri and to maintain confidentiality and security safeguards equivalent to our own. Awriri integrates directly with the Meta Graph API, the X API, and the Google Business Profile APIs, and does not share data received from these platforms with any party other than the processors listed above.

5. Data Storage and Cross-Border Transfers

5.1 Global Cloud Infrastructure

Aafyah is based in the UAE. To provide our services reliably and securely, we utilize global cloud infrastructure, primarily Amazon Web Services (AWS). Your data may be transferred to, stored, and processed on servers located in the UAE, the European Union, or other AWS regions globally.

5.2 Transfer Safeguards

When transferring data outside of the Kingdom of Saudi Arabia or the UAE, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs), to ensure your data receives an adequate level of protection. We utilize industry-standard security measures, including AES-256 encryption at rest and TLS 1.3 encryption in transit. Access tokens and refresh tokens for Meta, X, and Google Business Profile are stored encrypted at rest and are accessible only to the Awriri backend services that need them to fulfil your requests.

5.3 Data Retention

We retain your personal data for as long as your Awriri account is active.

For data collected from your connected Facebook Page, Instagram Business account, X account, or Google Business Profile, our retention works as follows:

  • Profile information (name, avatar, follower counts, business hours, address, categories) is refreshed from the source platform on demand and is not retained long-term.
  • Engagement and insights metrics (impressions, reach, likes, comments, follower growth, profile views, calls, direction requests) are stored as snapshots so we can display historical trends inside your analytics dashboard.
  • Posts you publish through Awriri are stored together with their published content and engagement metrics for the lifetime of your account.
  • Comments, messages, reviews, and Q&A items you read or reply to through Awriri are retained only for as long as needed to display them in your inbox or moderation view; we do not build a long-term archive of patient conversations.

When you disconnect a Facebook, Instagram, X, or Google Business Profile account from Awriri, we delete all locally cached metrics, comments, messages, reviews, posts, and media metadata for that account within thirty (30) days. When you close your Awriri account, all platform-derived data is deleted within thirty (30) days, except where retention is required to comply with legal obligations.

6. Your Data Subject Rights

Under the KSA PDPL and UAE PDPL, you possess the following rights regarding your personal data:

  • Right to be Informed: To know how we collect and use your data (as explained in this policy).
  • Right of Access: To request a copy of the personal data we hold about you, including data collected from your Facebook, Instagram, X, and Google Business Profile accounts.
  • Right to Rectification: To request correction of inaccurate or incomplete data.
  • Right to Destruction/Erasure: To request the permanent deletion of your profile and associated data from our active servers.
  • Right to Withdraw Consent: To withdraw your consent for processing or marketing at any time, including disconnecting your Facebook, Instagram, X, or Google Business Profile account at any moment.

7. How to Exercise Your Rights (Including Profile Deletion)

You may exercise your rights, including the right to delete your profile, by:

  • Logging into your Awriri dashboard and navigating to the “Privacy Settings” or “Delete Account” section.
  • Emailing our Data Protection Officer at privacy@awriri.com.

Upon receiving a verified deletion request, we will securely destroy your records within thirty (30) days, retaining only a minimal cryptographic hash to prevent the automated re-creation of your profile from public sources.

7.1 Deleting Your Connected Platform Data (Meta, X, and Google Business Profile)

You can delete the data Awriri has collected from your connected Facebook, Instagram, X, or Google Business Profile accounts in any of the following ways:

Option A — Disconnect within Awriri (recommended):

Log in to Awriri → Settings → Connected Accounts → click “Disconnect” next to Facebook, Instagram, X, or Google Business Profile. This action:

  • Revokes Awriri’s stored access and refresh tokens for that account
  • Deletes all locally cached metrics, comments, messages, reviews, posts, and media metadata for that account within thirty (30) days
  • Stops any further data collection from that account

Option B — Revoke access through the source platform:

  • Facebook / Instagram: Settings & Privacy → Apps and Websites → find “Awriri” → Remove.
  • X (formerly Twitter): Settings and privacy → Security and account access → Apps and sessions → Connected apps → find “Awriri” → Revoke access.
  • Google Business Profile: Visit myaccount.google.com/permissions → find “Awriri” → Remove access.

The source platform will notify Awriri of the revocation, and we will delete the associated locally cached data within thirty (30) days.

Option C — Email request:

If you cannot access your Awriri, Meta, X, or Google account, email privacy@awriri.com with the subject line “Connected Account Data Deletion Request” and the username of the Facebook, Instagram, X, or Google Business Profile account connected to your Awriri account. We will confirm deletion within thirty (30) days.

8. Changes to this Policy

We may update this Privacy Policy periodically to reflect changes in legal requirements or our operational practices. We will notify registered users of significant changes via email or prominent notice on the Platform.

9. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact our Data Protection Officer at:

Aafyah Innovations FZ-LLC

Compass Building - Al Hulaila, Industrial Zone-FZ

Ras Al Khaimah, United Arab Emirates

Email: privacy@awriri.com