Policies

Privacy Policy

Last updated: 13 May 2026

This policy explains what we collect, why, and how you can control it. Written in plain language, readable end-to-end in under 10 minutes.

1. Who we are

CD4CD is a platform owned by Dal Holding, registered in Saudi Arabia. Our HQ is in Al Olaya District, Riyadh. We act as the Data Controller for everything you share with us via cd4cd.com and its apps.

2. Data we collect

Data you provide

  • Account: name, email, password (hashed with Argon2id).
  • Links and QR: the original URL, custom alias, tags, dates, optional password.
  • Bio page: display name, bio text, images, links, chosen theme.
  • Payment: cardholder name and last 4 digits — stored as a Moyasar token. We never see the full PAN.

Data collected automatically

  • Click / scan events: timestamp, device class, OS, language, country (via Cloudflare).
  • IP addresses: HMAC-SHA256 hashed on the fly (see §5).
  • Headers: User-Agent for bot detection and platform safety.

3. How we use it

  • Run the service: route you to the right destination, show your analytics, issue invoices.
  • Safety: phishing prevention, rate-limiting, brand-impersonation checks, Google Web Risk, Llama Guard 3.
  • Improvement: understand which features are used — aggregated only, never tied to an identifiable person.
  • Communication: transactional emails (signup, invoice) and security alerts. Marketing is opt-in and revocable in /dashboard/settings.

4. Who we share with

We do not sell your data. Ever. We share it only with operational processors under signed DPAs:

  • Moyasar (KSA) — payment processing.
  • Cloudflare (Global) — CDN, WAF, Turnstile.
  • Resend (US/EU) — transactional email.
  • Google Web Risk — URL safety lookups (URL hash only, no identifying data).

For a lawful order (court warrant, prosecutor demand) we disclose the minimum strictly required and notify you when law permits.

5. IP addresses & hashing

Distinct policy We do not store raw IP addresses. We HMAC-SHA256 them with a daily-rotating salt and discard the original. Today's clicks cannot be cross-referenced with yesterday's even if the DB leaked.

6. Cookies

  • Strictly necessary: session cookies (cd4cd_access, cd4cd_refresh) — cannot be opted out.
  • Preference: chosen locale.
  • Analytics: no Google Analytics, no third-party trackers on the critical path. Clicks are logged in our own database.

KSA and EU visitors see a consent banner — based on cf-ipcountry.

7. Retention

  • Click events: 30 days detailed + 24 months aggregated only.
  • Security logs: 90 days.
  • Account data: indefinite, or until you request deletion.
  • Invoices: 10 years (ZATCA tax requirement).

8. Your rights

Under KSA PDPL and EU GDPR you have the right to:

  • Access: download all your data from /dashboard/settings → Export my data.
  • Rectification: edit your details at any time.
  • Deletion: delete your account from the same page. Everything is gone within 30 days.
  • Objection / withdrawal: revoke marketing consent.
  • Portability: machine-readable JSON export.

For requests or complaints, email [email protected]. We reply within 7 business days.

9. International transfers

Production servers run in Riyadh (KSA). Backups in Frankfurt (Germany) — covered by GDPR Standard Contractual Clauses.

10. Security measures

  • TLS 1.3 in transit.
  • Databases encrypted at rest (AES-256).
  • Passwords hashed with Argon2id (no MD5, no SHA1, no bcrypt).
  • Cloudflare WAF, rate-limits on every endpoint.
  • Independent annual security audit.
  • Responsible disclosure program — email [email protected].

11. Changes to this policy

We may update this policy. Material changes are emailed 30 days in advance. The date at the top reflects the latest revision.

12. Contact us

Data Protection Officer: [email protected]
Postal: CD4CD · Dal Holding, Al Olaya District, Riyadh, Kingdom of Saudi Arabia.