2. DATA WE COLLECT

2.1    Information You Provide Directly. We collect information that you submit to us, including: account and business profile information such as names, professional emails, phone numbers, business names, and business addresses; communications you send to Sabhi such as messages, support requests, and call notes or logs; and operational, shipping, or workflow data that you or your authorized users enter into the platform in the course of using our services.

2.2    Information Collected Automatically. When you use the platform or visit our websites, we automatically collect certain technical and usage information, including device and browser details, IP address, pages or features used, timestamps, and diagnostic logs; cookie identifiers, analytics identifiers, and session metadata associated with your interactions; and approximate location derived from IP for fraud screening, abuse prevention, security, and service quality purposes.

2.3    Information from Third-Party Integrations. If you enable or use integrations, we may receive limited information from selected third parties necessary to provide the integration, including data exchanged with industry systems such as Hollander and Pinnacle or logistics APIs you authorize, and data from CRM and communication providers such as HubSpot and Twilio to support messaging, ticketing, and related workflows. Data received from integrations is limited to what is needed to operate the requested features and is handled in accordance with this Privacy Policy and applicable integration terms.

3. HOW WE USE PERSONAL DATA

3.1    Providing and maintaining the Platform. We use Personal Data to deliver core functionality of the platform, including provisioning environments, enabling enabled integrations, executing user-initiated actions, rendering dashboards, processing configuration changes, and providing customer support.

3.2    Account setup, authentication, and security. We process Personal Data to create and manage accounts, verify authorized users, administer roles and permissions, implement access controls, enable multi-factor authentication, detect unauthorized access, and maintain the integrity and security of systems and data.

3.3    Workflow automation, analytics, and shipping data visibility. We use operational and event data to power workflow automations, provide analytics and reporting, display shipment status and related milestones, and support other features you select within the platform.

3.4    Communication with users (support, updates, service alerts). We use contact and usage information to respond to inquiries, provide ticketing and technical assistance, send transactional notices (e.g., service alerts, policy updates, security notifications), and communicate about requested or related features.

3.5    Improving performance, reliability, and feature development. We analyze aggregated and de-identified usage to troubleshoot, test, and enhance performance, reliability, usability, and new product capabilities, and to develop insights that improve the services.

3.6    Fraud detection, abuse prevention, and compliance with law. We use identifiers, logs, and limited location signals to prevent spam and abuse, investigate anomalies, enforce policies, protect against security incidents, comply with legal obligations, and respond to lawful requests from authorities.

4. LEGAL BASIS FOR PROCESSING

4.1    Performance of contract. We process Personal Data where it is necessary to enter into and perform our contractual obligations with you. This includes creating and managing user accounts, enabling Platform functionality, facilitating workflow automation, providing customer support, and processing payments or subscription billing where applicable.

4.2    Legitimate business interests. We may process Personal Data where it is necessary for our legitimate business interests, provided that such interests are not overridden by your data protection rights. These interests include securing and maintaining the stability of the Platform, preventing fraud and abuse, improving performance, analyzing usage trends, developing and enhancing features, and communicating service-related updates. Where required, we conduct balancing assessments to evaluate whether our interests outweigh potential impacts on your privacy.

4.3    Consent (for cookies and certain analytics, where required). We may rely on your consent for certain types of processing, such as the placement or use of non-essential cookies, analytics tools, or similar tracking technologies where consent is required by law. Where processing is based on consent, you have the right to withdraw your consent at any time through the cookie management settings, browser controls, or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

4.4    Compliance with legal obligations. We process Personal Data where necessary to comply with legal or regulatory requirements, including accounting, taxation, financial reporting, responding to lawful requests, subpoenas, or court orders, preventing or responding to fraud or security incidents, and complying with other obligations arising under applicable laws.

4.5    PIPEDA Consent (Canada) and Withdrawal. For users located in Canada, we process Personal Data primarily on the basis of implied consent in the context of your organization’s use of the Platform for business purposes. In specific circumstances (e.g., certain cookies/analytics or marketing), we may rely on express consent where required by law. You may withdraw consent at any time by adjusting cookie settings or contacting privacy@sabhi.io; however, withdrawal may affect functionality or access to certain features. We will explain any consequences of withdrawal at the time your request is processed.

4.6    Data Processing Addendum. Where Sabhi acts as a Processor on your behalf under GDPR/UK GDPR, we will enter into a Data Processing Addendum (“DPA”) upon request. The DPA includes required processor obligations, Standard Contractual Clauses for international transfers (where applicable), and technical/organizational measures describing Sabhi’s security controls.

5. HOW WE SHARE PERSONAL DATA

5.1    Service Providers / Processors. We may share Personal Data with third-party service providers that perform services on our behalf and support the operation, maintenance, and improvement of the Platform. These service providers act as Processors and are contractually required to (a) process Personal Data only in accordance with our documented instructions, (b) implement appropriate security and confidentiality controls, and (c) not use Personal Data for their own independent purposes. Such service providers include, but are not limited to:

• AWS, which provides hosting, storage, and infrastructure services necessary to operate the Platform.
• Twilio, which provides communications, messaging, and interaction delivery capabilities.
• HubSpot and Zoho, which provide customer relationship management, support desk, and workflow automation tools.
• Meta and Google Analytics, which provide analytics, advertising, performance measurement, and usage tracking solutions.

These providers may have access to Personal Data only to the extent necessary to perform their functions for Sabhi.

5.2    Payment Processors (Payroc / SlimCD). Payment card information and related billing data used for subscription payments or usage-based billing is collected and processed directly by independent third-party payment processors such as Payroc and SlimCD. Sabhi does not store, process, or transmit cardholder data and remains outside the scope of PCI DSS compliance requirements. Your use of payment processors is subject to their separate terms, privacy policies, and merchant agreements. We may receive limited transaction metadata (e.g., status, confirmation, last four digits) to enable Platform functionality and account records.

5.3    Integration Partners. If you enable or authorize integrations, we may share limited data with integration partners to support the features and operational use cases associated with such integrations. This may include industry systems and platforms such as Hollander, Pinnacle, and logistics service APIs used for shipment visibility or workflow automation. Data shared with integration partners is limited to what is reasonably necessary to enable the integration and is handled in accordance with this Privacy Policy and any applicable agreements or user permissions.

5.4    Legal, Compliance, and Safety Requirements. We may disclose Personal Data if required to do so by applicable law, regulation, subpoena, court order, or governmental request. We may also disclose Personal Data if we believe in good faith that such disclosure is reasonably necessary to:

• Comply with legal or regulatory obligations.
• Protect the rights, property, or safety of Sabhi, our users, or the public.
• Prevent or investigate fraud, abuse, misuse, security incidents, or other harmful activity.
• Enforce our agreements or pursue available remedies. Such disclosures will be made only to the extent required or legally permissible.

6. COOKIES AND TRACKING TECHNOLOGIES

6.1    Types of Cookies Used. The Platform uses cookies and similar technologies to support functionality, improve performance, and enhance user experience. These may include:

• Functional cookies that retain preferences and enable core features.
• Analytics cookies that help us understand Platform usage and user interactions.
• Performance and diagnostics cookies that assist with reliability, load distribution, error detection, and optimization.

Where legally required, we will obtain consent before using non-essential cookies.

6.2    Analytics and Interaction Tracking. We use analytics and tracking technologies from providers such as Google Analytics, Meta Pixel, and Twilio to understand usage patterns, measure engagement, and improve messaging delivery and performance. These tools may collect device identifiers, interaction metadata, session activity, and similar usage information across browsing sessions. The data collected may also support aggregated measurement and reporting.

6.3    Opt-Out Settings and Browser Controls. You may control or restrict the use of cookies and tracking technologies through browser settings, device controls, or opt-out mechanisms provided by analytics and advertising providers. Where required by law, we will request consent prior to enabling analytics or tracking technologies. You may also opt out of targeted advertising practices through industry opt-out programs.

6.3.1    Additional Advertising Choices. In jurisdictions where applicable, you may also manage advertising preferences via industry tools such as the Network Advertising Initiative (NAI) or Digital Advertising Alliance (DAA). These choices are browser-specific and device-specific and may reset if you block or delete cookies.

6.4    Do-Not-Track Disclosure. The Platform does not currently respond to browser-initiated “Do-Not-Track” signals. Users may still limit tracking through browser-level cookie and privacy controls, or by adjusting opt-out settings as described above.

6.5    Cookie Consent Banner and Preference Management. Where required by law, we will present a cookie consent banner that enables you to accept or reject non-essential cookies, including analytics and advertising cookies. You may change your cookie preferences at any time through available in-product cookie settings or your browser controls. If you disable non-essential cookies, certain features may not function as intended; strictly necessary cookies will continue to operate to provide the Platform. For EEA/UK users, non-essential cookies will not be set unless and until you provide consent.

6.6    Global Privacy Control (GPC) Signals. Where legally required and technically feasible, we will treat a valid Global Privacy Control (GPC) signal as a request to opt out of cross-context behavioral advertising (“sharing”) for the browser that sends the signal.

7. DATA RETENTION

7.1    Retention tied to business requirements and account lifecycle. We retain Personal Data for as long as is reasonably necessary to operate the Platform, fulfill the purposes for which the information was collected, comply with our legal and contractual obligations, resolve disputes, and enforce our agreements. For active user accounts, Personal Data is retained for the duration of the business relationship.

7.2    Data deletion timelines. Upon account closure, we will delete or de-identify Personal Data within a commercially reasonable period, subject to any longer retention requirements described in this Policy. Certain operational records, system logs, and transaction metadata may be retained for backup, security, fraud prevention, or compliance purposes.

7.3    Archived data and legal hold exceptions. In specific circumstances, data may be retained for extended periods where required by law, regulation, audit requirements, or in connection with a legal claim, investigation, or dispute. When a legal hold is in place, deletion will be delayed until the matter is resolved.

8. DATA SECURITY

8.1    AWS cloud security controls. The Platform is hosted on Amazon Web Services (AWS), which provides enterprise-grade physical and network security controls. AWS maintains industry-recognized security certifications and audit standards, including SOC 2 and ISO 27001.

8.2    Encryption in transit and at rest. Personal Data is protected through encryption technologies while stored on our systems and when transmitted between users and the Platform. Transport Layer Security (TLS) is used for network transmission, and encrypted storage is used for data at rest where applicable.

8.3    Access control and role-based permissions. Access to Personal Data is limited to authorized Sabhi personnel and contractors who require access to perform their duties. System access is managed through account-level permissions, authentication controls, periodic credential reviews, and logging of administrative actions.

8.4    Security responsibilities shared with users. While Sabhi implements security measures for the Platform, users are responsible for maintaining the confidentiality and security of their account credentials, devices, and internal access policies. Users must ensure their teams use secure passwords, follow appropriate access review procedures, and prevent unauthorized sharing of accounts or credentials.

8.5    Incident detection and response. Sabhi monitors for unusual activity and potential security threats. In the event of a confirmed data breach affecting Personal Data, we will notify affected users and regulatory authorities when required to do so under applicable law, along with details regarding remediation steps taken.

8.6    Third-party security dependencies. Because the Platform integrates with third-party processors and logistics partners, data transmitted to those providers is subject to their respective security practices. Sabhi performs reasonable diligence on partner security controls but does not control their systems. Users should review vendor privacy and security practices when enabling integrations.

9.INTERNATIONAL DATA TRANSFERS

9.1    Data stored in the U.S (AWS). Personal Data processed through the Platform is primarily stored and hosted in the United States using AWS infrastructure.

9.2    Cross-border transfers to Canada and other regions. If you access the Platform from outside the United States, your Personal Data may be transferred to and processed in the United States or other countries where our service providers operate. By using the Platform, you acknowledge that your Personal Data may be subject to laws that differ from those in your jurisdiction.

9.3    If GDPR applies - Standard Contractual Clauses (SCCs). For users in the European Economic Area, United Kingdom, or Switzerland, where required, cross-border transfers of Personal Data are made pursuant to lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses or other appropriate safeguards permitted under applicable law.

9.4    Supervisory Contacts and Complaints (EEA/UK/CH). If you are located in the EEA, UK, or Switzerland and believe our Processing of your Personal Data is not compliant, you may lodge a complaint with your local supervisory authority. We encourage you to contact us first at privacy@sabhi.io so we can address your concerns promptly.

10. YOUR RIGHTS AND CHOICES

10.1    Access, update, correct personal data. You may request access to the Personal Data we hold about you or request that inaccuracies be corrected. We may ask for verification to confirm your identity before processing such requests.

10.2    Request deletion / erasure. You may request deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent (if applicable), or where deletion is required by law. Certain data may be retained as permitted or required for legal, tax, security, or business continuity purposes.

10.3    Request export / copy of data. You may request an export or copy of your Personal Data in a structured, commonly used, and machine-readable format, where technically feasible and permitted by law.

10.4    CCPA-specific rights (opt-out of sale/share; non-discrimination). If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA), including: the right to request access to certain categories of Personal Data, the right to request deletion, the right to opt out of the sale or sharing of Personal Data (if applicable), and the right to be free from discriminatory treatment for exercising these rights. Sabhi does not sell Personal Data.

• Right to Opt Out of “Sharing” for Cross-Context Behavioral Advertising. Sabhi does not “sell” Personal Data as defined by the California Consumer Privacy Act (as amended by the CPRA). However, disclosures to analytics and advertising partners (e.g., certain Meta or Google services) may constitute “sharing” for cross-context behavioral advertising under the CPRA. California residents may opt out of such “sharing” at any time by: (a) emailing privacy@sabhi.io with the subject line “CCPA/CPRA Opt-Out,” (b) adjusting cookie preferences via the cookie banner to disable advertising/analytics cookies, and/or (c) enabling a supported Global Privacy Control (GPC) signal in their browser.
• Sensitive Personal Information. Sabhi does not use or disclose sensitive personal information for inferring characteristics or for any purpose beyond those permitted by the CPRA (e.g., security, short-term transient use, or service delivery). California residents may limit use/disclosure of sensitive personal information where applicable by contacting privacy@sabhi.io.
• Authorized Agents; Non-Discrimination. California residents may designate an authorized agent to submit requests on their behalf, subject to verification. Sabhi will not discriminate against you for exercising CPRA rights, including by denying services, charging different prices, or providing a different level of quality.
• Appeal of Denied Requests. If we deny your privacy request (in whole or in part), you may appeal by replying to our decision notice with the subject line “Privacy Request Appeal.” We will review and respond consistent with applicable law.

10.5    Submitting Requests and Identity Verification. You may submit privacy requests by emailing privacy@sabhi.io. To protect security, we may require reasonable verification of identity before processing a request. Verification may include confirming control of the email address associated with your account, providing limited additional information that we already maintain (e.g., last invoice amount or account ID), or submitting a signed declaration under penalty of perjury that you are the account holder. If an authorized agent submits a request, we may require proof of authorization and direct verification by the consumer where permitted by law. We will respond within the time periods required by law and will provide reasons where requests are denied, along with available appeal options.

10.6    Request Timelines and Recordkeeping. We will acknowledge and respond to verifiable privacy requests within the time periods required by applicable law (e.g., generally 30–45 days, subject to permitted extensions). We maintain records of requests and our responses as required by law and for audit and compliance purposes.

11. CHILDREN’S DATA

11.1    Platform not intended for children or consumer use. The Platform is designed for use by businesses and their authorized personnel. It is not intended for personal, household, or consumer use, and it is not directed to children under the age of eighteen (18).

11.2    No knowing collection of children’s personal information. We do not knowingly collect or process Personal Data from children under the age of eighteen (18). If we become aware that Personal Data belonging to a child has been collected without appropriate authorization, we will take reasonable steps to delete such information. If you believe that a child’s information has been provided to us inadvertently, please contact us at the address listed in Section 13.

12. CHANGES TO THIS PRIVACY POLICY

12.1    Notice procedure for updates. We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. If we make material changes, we will provide notice through reasonable means, which may include posting an updated version on our website, sending an email notification, or providing in-product notice.

12.2    Effective date. The effective date of this Privacy Policy will be indicated at the top of the published version. Continued use of the Platform following the effective date of an updated Privacy Policy constitutes acceptance of the revised terms.

13. CONTACT INFORMATION

13.1    Data Protection Officer / Privacy Lead. Sabhi has designated a Privacy Lead to oversee compliance with this Privacy Policy and applicable data protection requirements. You may contact the Privacy Lead with questions or requests regarding this Policy or your Personal Data.

13.2    Email. privacy@sabhi.io

13.3    Mailing address. Sabhi Inc., 201 E KENNEDY BLVD 1210 TAMPA FL 33602, FL 33602

Canadian users may also contact our Privacy Lead at privacy@sabhi.io regarding questions, access requests, or complaints under PIPEDA. Where required, we will identify a Canada-facing representative or provide additional contact details in the posted version of this Policy.