Privacy Policy

Skyline Cloud Email (the "Service") is operated by Skyline Solutions, a company organized under the laws of the Kingdom of Saudi Arabia, with its principal place of business in Riyadh. References in this Policy to "Skyline," "we," "us," or "our" mean Skyline Solutions.

For the purposes of the Saudi Personal Data Protection Law (Royal Decree No. M/19 of 9/2/1443H, as amended) and its Implementing Regulations, Skyline acts as the Data Controller of the personal data we collect directly from account holders (administrators), and as a Processor of the personal data contained inside customer mailboxes (the "Customer Content") on behalf of the customer organization that owns the mailbox.

Our Data Protection Officer (DPO) can be reached at dpo@alskyline.com. Other privacy-related correspondence may be sent to legal@alskyline.com.

We deliberately collect only the data we need to operate the Service, bill you for it, secure it, and meet our legal obligations. The categories below are exhaustive — if a category is not listed here, we do not collect it.

Account & contact information (Data Controller role):

• Identity: full name, the email address you sign up with, your selected password (stored only as a salted bcrypt hash — never in plaintext, never recoverable).
• Organization: the legal name of your organization, your tax identification number (VAT) where required for ZATCA-compliant invoicing, and your Commercial Registration (CR) number if provided.
• Contact: a billing email, an optional secondary technical contact, and an optional phone number for security alerts.
• Authentication: 2FA secrets (TOTP) or registered WebAuthn / FIDO2 public keys, recovery codes (hashed), and the OAuth provider identifier when you sign in via Google, Microsoft, or Apple.

Service operational data (Processor role for Customer Content):

• Mailbox metadata: the list of mailboxes you create, the domains you connect, alias and forwarder definitions, quota usage figures, and DNS verification state.
• Mail flow logs: SMTP envelope information for messages routed through our MTAs (sender, recipient, queue identifier, size, timestamp, accept / reject / quarantine outcome, sending IP). The body of a message is processed only transiently in the spam / antivirus pipeline and is never persisted to log storage.
• Customer Content: the messages and attachments stored inside your mailboxes. We treat this as your data — we do not read it, we do not index it for advertising, we do not train any model on it, and we do not share it with third parties.

Billing data:

• Invoice records, plan selection, billing cycle, ZATCA-compliant tax invoice fields (TIN, VAT amount, QR code).
• Payment-card data is never stored on Skyline systems. Card numbers, CVV, and expiry dates are tokenized at the payment processor (Moyasar / Neoleap) and we receive only a non-reversible token plus the last four digits.

Security & operational telemetry:

• IP address and User-Agent of every authentication attempt (success or failure).
• Audit log of administrative actions taken on the account: mailbox created, password reset, 2FA enrolled, billing plan changed, etc. — with actor identity, timestamp, source IP, and target object.
• Anonymized performance metrics (request latency, queue depth) used to operate the platform.

Each category of data is collected for a specific, declared purpose. The legal basis under PDPL Article 6 is shown alongside each purpose.

• To deliver the Service — provision your mailboxes, route your mail, enforce your quotas, restore from backup, and respond to your support requests. Legal basis: performance of contract.
• To bill you and meet our tax obligations — issue ZATCA-compliant invoices, retain accounting records for the period required by Saudi tax law, and reconcile payments with our payment processors. Legal basis: performance of contract; compliance with legal obligation.
• To secure the Service — detect brute-force login attempts, identify abusive senders, and investigate incidents. Legal basis: legitimate interest of Skyline and its customers in operating a secure service; compliance with legal obligation.
• To respond to lawful requests from competent authorities — produce records on receipt of a properly issued order from the Saudi Data and Artificial Intelligence Authority (SDAIA), the Communications, Space & Technology Commission (CST), or a court of competent jurisdiction. Legal basis: compliance with legal obligation.
• To improve the Service — using only aggregated, non-identifying telemetry (e.g. percentile request latency). We do not use Customer Content for any improvement purpose. Legal basis: legitimate interest, with safeguards.

What we do not do. We do not sell personal data. We do not run advertising on the Service. We do not use Customer Content to train any artificial-intelligence model — neither our own nor any third party's. We do not profile users for behavioural advertising.

All Customer Content (mailboxes, attachments, calendars, contacts) and all primary operational data (account records, audit logs, billing records) are stored on infrastructure physically located inside the Kingdom of Saudi Arabia.

Specifically, the Service runs on Oracle Cloud Infrastructure's Riyadh region (me-riyadh-1), an OCI region that operates from data centers within Saudi territory. Encrypted off-site backups are described in the SLA and below.

No Customer Content leaves the Kingdom in the ordinary course of operating the Service. The narrow, customer-controlled exception is described in "International transfers" below.

Access to personal data inside Skyline is restricted on a strict need-to-know basis and is logged.

• You (and the users you authorize on your tenant) — full access to your own data through the portal, IMAP / SMTP, EWS, and MAPI endpoints.
• Skyline operations and support staff — limited, audited access only when necessary to deliver support you have requested or to resolve a service incident. Every administrative impersonation event is recorded in the audit log with actor, timestamp, target, and reason. Where technically possible, support tooling shows mailbox metadata (counts, sizes, last-login) without exposing message bodies.
• Sub-processors — listed in the next section. Each is bound by a written agreement that imposes confidentiality, security, and purpose-limitation obligations equivalent to those in this Policy.
• Competent Saudi authorities — only on receipt of a valid, lawful order. Where we are not legally prohibited from doing so, we will notify the affected customer before disclosing.
• No one else. We do not sell or rent personal data, and we do not share it with marketing partners.

We engage a small set of carefully selected third parties to operate the Service. As of the date of this Policy these are:

• Oracle Cloud Infrastructure (Saudi Arabia) — compute, block storage, and network services in the Riyadh region. Hosts all primary application data and Customer Content.
• Backblaze B2 (United States) — encrypted off-site backup storage. Backups are encrypted with the age file-encryption format using a public key whose private half is held only by Skyline. Backblaze never holds the decryption material.
• Cloudflare, Inc. — DNS, anti-DDoS, and TLS termination at the network edge for the marketing site. Customer mail traffic and the authenticated portal do not proxy through Cloudflare; they connect directly to OCI Riyadh.
• Moyasar / Neoleap — PCI-DSS Level 1 payment processors authorized by the Saudi Central Bank (SAMA) for Mada, Visa, Mastercard, Apple Pay, and STC Pay transactions. Card data is tokenized at the processor.
• ip-api.com — IP-to-country lookup used to display the country of origin for login events in your security log. We send only the IP address; no other identifier is shared.

We will notify customers by email at least 30 days before adding a new sub-processor or materially changing how an existing one is used. The current list is also published on the Trust page.

• Active mailbox content — retained for as long as your account is active. You are in control: deleting a message in your mailbox removes it from our primary stores within seconds and from our backups within the backup retention window described below.
• Account records and audit logs — retained for 1 year from the date of the event, after which they are aggregated to non-identifying counters and the originals are deleted.
• Encrypted backups — rolling 30-day retention. Older backups are cryptographically destroyed by deleting the relevant per-snapshot key.
• Billing and tax records — retained for the period required by Saudi tax law (currently 10 years under Article 66 of the VAT Implementing Regulations).
• Closed accounts — when you close your account, we retain your data for 30 days in case you change your mind. After 30 days, all Customer Content and account records (other than the billing records noted above) are irrevocably deleted from primary storage and will roll out of backups within a further 30 days.

The Saudi Personal Data Protection Law gives you the following rights over your personal data. We honour each of them and will not charge you for exercising them.

• Right to be informed — to know what data we hold and how it is processed (this Policy is part of how we satisfy that right).
• Right of access — to obtain a copy of the personal data we hold about you in a structured, commonly used format.
• Right to rectification — to have inaccurate or incomplete data corrected.
• Right to erasure — to have your personal data deleted, subject to overriding legal obligations (for example tax-record retention).
• Right to restriction of processing — to have processing limited while a dispute is resolved.
• Right to data portability — to receive your mailbox content in a portable format (we support full IMAP export and standards-based .mbox / .eml archives on request).
• Right to object — to object to processing carried out on the basis of legitimate interest.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out beforehand.
• Right to lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) if you believe we have mishandled your data.

To exercise any of these rights, write to dpo@alskyline.com. We will acknowledge your request within 5 business days and respond in full within 30 days, extendable once by a further 30 days for unusually complex requests (you will be told if this applies and why).

In the ordinary course of operating the Service we do not transfer Customer Content outside the Kingdom of Saudi Arabia. The Service is engineered with Saudi data residency as a primary design constraint.

Two narrow exceptions exist, and both are under your control:

• Encrypted off-site backups at Backblaze B2 (United States). Backups are encrypted with the age format before they leave the Saudi region. The Backblaze provider stores ciphertext only and cannot read mailbox content. The decryption key is held exclusively by Skyline inside the Kingdom and is also stored on offline media.
• Customer-initiated transfers — for example, when you connect a third-party tool that pulls mail to a service hosted abroad, when you forward mail to an external address, or when you migrate mail in or out of the Service. These transfers are at your direction and on your authority.

Where a transfer of personal data outside the Kingdom is required by Saudi law (for example, in response to a lawful order), we will rely on a transfer mechanism authorized by SDAIA and will document it in your audit log to the extent legally permissible.

A fuller description is on the Trust page. In summary:

• Encryption at rest (AES-256) for mailboxes, attachments, backups, and database volumes.
• Encryption in transit (TLS 1.3) for all customer-facing endpoints; opportunistic and explicit-MTA-STS TLS for inbound and outbound mail.
• Mandatory two-factor authentication for all Skyline staff with administrative access. WebAuthn / FIDO2 hardware keys are required for production database access.
• Immutable, append-only audit log for every administrative action.
• Quarterly internal and annual external penetration tests; vulnerabilities are tracked to remediation in a documented timeline.
• A security disclosure programme — please report findings to security@alskyline.com.

If we become aware of a personal-data breach that is likely to result in harm to you, we will notify SDAIA without undue delay and in any event within 72 hours of becoming aware, as required by the PDPL Implementing Regulations.

We will also notify each affected customer directly, by email to the registered administrator address, with a description of the nature of the breach, the categories and approximate volume of data affected, the measures we have taken or propose to take, and a contact point for further information.

We use a small number of cookies and equivalent storage to operate the portal — most of them are strictly necessary (session, CSRF), one is a locale preference, and one is a theme preference. We do not run third-party analytics or advertising cookies on the authenticated portal.

See the Cookie Policy for the full table of cookies, their lifetimes, and how to disable them.

The Service is intended for business use. It is not directed to children, and we do not knowingly collect personal data from a person under the age of 18. If you believe a minor has created an account, please contact dpo@alskyline.com and we will delete the account and any associated personal data.

We will revise this Policy from time to time. The two dates at the top show when the current text became effective and when it was last edited.

Where a revision is material — for example, the addition of a new sub-processor, a new category of data, or a change to a retention period — we will provide notice by email to the registered administrator address at least 30 days before the revision takes effect, and we will publish a summary of the change on this page.

Continued use of the Service after a revision takes effect constitutes acceptance of the revised Policy. If you do not accept a material change, you may terminate the Service in accordance with the Terms of Service.

• Data Protection Officer: dpo@alskyline.com
• General legal correspondence: legal@alskyline.com
• Security disclosures: security@alskyline.com
• Postal address: Skyline Solutions, Riyadh, Kingdom of Saudi Arabia.

If you are not satisfied with our response, you have the right to lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA).