Privacy Policy

Last updated: April 28, 2026

1. Who we are

S4kan is a white-label residential-compound platform operated by S4kan FZE LLC ("S4kan", "we", "us"). We provide compound management software to residential-compound operators ("compound admins") and the residents of those compounds.

The S4kan mobile app (iOS bundle ID and Android package com.s4kan.app) and the web app at s4kan.com share a single backend.

Contact: hello@s4kan.com.

2. The data we collect

We collect the minimum data needed to operate the compound services. Each category below is linked to your account and used only for app functionality, never for advertising or tracking.

  • Account identifiers — Supabase user ID, email address (if you sign up with email), phone number (if your compound uses SMS / WhatsApp for verification).
  • Profile data — full name, profile photo (if you choose to upload one), unit / building you are assigned to by your compound admin.
  • Identity documents — iqama (Saudi Arabia residency permit) and / or passport, only when your compound admin enables identity verification. Stored in a private Supabase Storage bucket; visible only to your compound's admins. Retention is configurable per compound (90, 180, 365 days, or until you request deletion).
  • Bookings, guest invitations, complaints — records of facility reservations, the guest passes you create, and the maintenance / amenity complaints you file.
  • Gate events — when you or a guest enter or leave the compound, security personnel record a timestamp + the credential used (pass code, plate number, biometric match). These events are retained for compound-security and dispute-resolution purposes (see "Retention" below).
  • Push tokens — Expo push tokens from your device, used only to send notifications you've opted into (booking approvals, gate alerts, announcements).
  • Authentication metadata — sign-in timestamps, session activity, and minimal anti-abuse signals.

We do not collect: precise device location, contact lists, browsing history outside our app, advertising identifiers, or biometric data (Face ID / Touch ID is performed on-device by your operating system and never leaves the device).

3. How we use your data

  • To run the features you use (bookings, guests, gate, etc.).
  • To send notifications you've opted into through your chosen channels (push, email, WhatsApp, Telegram, SMS).
  • To authenticate you and keep your account secure, including detecting unusual sign-in activity.
  • To respond to compound-admin actions (approving a booking, checking in your guest at the gate).
  • To comply with applicable law and resolve disputes (audit logs, gate events).

We do not sell or rent personal data. We do not use personal data for cross-app advertising. We do not profile you for third-party marketing.

4. Who sees your data

  • Your compound admin — sees what you submit to S4kan (bookings, complaints, identity documents if uploaded, profile fields). They do not see data from other compounds.
  • Other residents of your compound — only see what you choose to share publicly (e.g. your name on a shared booking).
  • Security personnel at your compound — see the gate-relevant subset (your unit, your active guest passes, your pass code).
  • Service providers we use — strictly functional, listed below. Each receives only what it needs to perform the service.

Service providers

  • Supabase (database + authentication + storage) — primary data processor. Located in EU / US.
  • Twilio (SMS + WhatsApp Business API) — receives your phone number and the message body when an SMS or WhatsApp notification is sent.
  • Resend / SMTP provider (transactional email) — receives your email address when an email notification is sent.
  • Telegram (Bot API, optional) — receives your Telegram chat ID if you link Telegram in Settings.
  • Expo Push (FCM + APNs) — receives the push token associated with your device and the message body when a push is dispatched.
  • OCR provider (Google Cloud Vision or compound-configured equivalent) — receives only the image of your iqama / passport at the moment of upload, for text-extraction. Images are not retained by the OCR vendor.

5. Retention

  • Profile data — kept while your account is active. On deletion, your profile row is tombstoned and all personally-identifying columns are redacted within a single database transaction.
  • Identity documents — retained for the duration set by your compound admin (typically 90, 180, or 365 days), or until you request deletion.
  • Gate events + administrative audit logs — retained for security and compliance purposes for at least two years from the event date, even after account deletion. These records do not contain your contact information after deletion (they reference the tombstoned profile by ID only).
  • Bookings / guest invitations — completed records retained for two years (operational + dispute resolution). Active records are cancelled / revoked on account deletion.

6. Your rights

Subject to applicable law (PDPL in Saudi Arabia, GDPR in the EU/EEA, equivalent regimes elsewhere), you have the right to:

  • Access and download a machine-readable export of your personal data — available in-app via Settings → Data export, or by emailing hello@s4kan.com.
  • Correct inaccurate data — most fields are self-service; for fields you cannot edit, email us.
  • Delete your account and personal data — available in-app on iOS and Android (Profile → Delete account), on the web (Settings → Delete account), and at s4kan.com/account/delete. Deletion permanently erases your profile, cancels active bookings, revokes guest invitations, and prevents future sign-ins to the deleted account. Some records (gate events, audit logs) are retained as described in section 5.
  • Withdraw consent for optional channels (push, Telegram, etc.) at any time via Settings → Notifications.
  • Lodge a complaint with your local data protection authority.

7. Security

We protect your data with industry-standard measures:

  • All network traffic is encrypted with TLS 1.2+ (HTTPS only).
  • Mobile sign-in tokens are stored in the iOS Keychain or Android Keystore.
  • Database access is governed by row-level security policies; residents of one compound cannot read data from another.
  • Identity documents are stored in a private Supabase Storage bucket; access requires a short-lived signed URL.
  • Two-factor authentication is available for compound-admin accounts and required for super-admin accounts.

8. International transfers

S4kan operates from Saudi Arabia. Our infrastructure (Supabase, Vercel, Twilio, Expo, Telegram) is hosted in US and EU regions. Personal data may be transferred outside your country of residence. We rely on standard contractual clauses and the equivalent transfer mechanisms in the jurisdictions that require them.

9. Children

S4kan is not directed at children under 13. We do not knowingly collect data from children. Compound admins are responsible for ensuring residents under 18 use the app under parental supervision.

10. Changes to this policy

We will update the "Last updated" date at the top of this page when this policy changes. Material changes will be announced in the app and via email to the address on file.

11. Contact us

Questions, requests, or complaints about how we handle your data: hello@s4kan.com.

Postal: S4kan FZE LLC, Riyadh, Saudi Arabia.