Privacy Policy

This Privacy Policy ("Policy") explains how Masader Environmental Solutions and Energy Services S.A.E., a company incorporated under the laws of the Arab Republic of Egypt ("Masader," "we," "us," or "our") collects, uses, discloses, and protects information in connection with Thamaneya (the "Platform"), our software solution for ESG data management, carbon footprint (CFP) calculation, and sustainability reporting.

Thamaneya is operated by Masader. References to "Thamaneya" throughout this Policy refer to the Platform and any related websites, applications, APIs, and services we make available.

We are committed to protecting your privacy and handling your data transparently. By accessing or using the Platform, you acknowledge that you have read and understood this Policy.

This Policy applies to:

• Visitors to our website and landing pages
• Individuals who register for an account, request a demo, or contact us
• Authorized users of customer organizations that subscribe to the Platform
• Any other person who interacts with Thamaneya

This Policy does not cover the privacy practices of third-party websites, services, or integrations linked from the Platform.

For most personal data we collect directly from website visitors and individuals contacting us, Masader acts as the data controller.

When a customer organization uses the Platform to upload or process data about its own employees, suppliers, or other individuals, the customer is the data controller and Masader acts as the data processor, processing such data on the customer's instructions under our customer agreement and any applicable Data Processing Agreement (DPA).

We use information for the following purposes:

• Provide the Platform: create and manage accounts, authenticate users, deliver features, perform ESG and emissions calculations, and generate reports
• Customer support: respond to inquiries, troubleshoot issues, and provide assistance
• Improve and develop the Platform: analyze usage patterns, fix bugs, build new features, and benchmark performance
• Security and integrity: detect, prevent, and respond to fraud, abuse, security incidents, and unauthorized access
• Communications: send service-related notices, updates, and (with your consent or where permitted) marketing communications
• Legal and compliance: comply with applicable laws, respond to lawful requests, and enforce our agreements

Where data protection laws such as the EU/UK GDPR apply, we process personal data on the following legal bases:

• Performance of a contract: to provide the Platform under our customer agreement or terms of use
• Legitimate interests: to operate, secure, and improve the Platform, communicate with users, and grow our business, provided your interests and rights do not override these
• Consent: for optional marketing communications and certain cookies; you may withdraw consent at any time
• Legal obligation: to comply with applicable laws and regulations

For users in MENA jurisdictions (including the UAE PDPL, KSA PDPL, and Egypt's Personal Data Protection Law No. 151 of 2020), we rely on equivalent lawful bases recognized under those laws.

We do not sell or rent personal data. We share information only as described below:

• Service providers (subprocessors): trusted third parties that help us operate the Platform, such as cloud hosting, email delivery, analytics, customer support tools, and payment processors. These providers are bound by contract to protect data and use it only for the services they provide to us. A current list of subprocessors is available on request.
• Customer access: if you are an authorized user of a customer organization, your account activity and data may be visible to that organization's administrators.
• Legal and regulatory: when required by law, court order, or regulatory authority, or to protect the rights, property, or safety of Masader, our users, or others.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.
• With your consent: in any other case where you have given us permission.

The Platform is operated from the Arab Republic of Egypt, and we may transfer, store, and process data in other countries where Masader, our affiliates, or service providers operate. When data is transferred outside your country, we use appropriate safeguards, which may include:

• Standard Contractual Clauses (SCCs) or equivalent mechanisms
• Adequacy decisions where applicable
• Contractual data protection commitments with our service providers

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, including:

• For the duration of your account or our customer relationship
• As needed to provide the Platform and respond to support requests
• As required by applicable law (e.g., tax, accounting, or audit obligations)
• To resolve disputes and enforce our agreements

When data is no longer needed, we will delete or anonymize it. Customer-controlled data is handled in accordance with the applicable customer agreement, including data return and deletion procedures upon termination.

We take the security of your data seriously. We apply technical and organizational measures appropriate to the risks involved, including:

• Encryption of data in transit using industry-standard protocols (TLS)
• Access controls based on the principle of least privilege
• Authentication and account protection measures
• Logging, monitoring, and audit trails
• Regular review of our security practices

No system can guarantee absolute security. While we work to protect your data, we cannot warrant that the Platform will be free from unauthorized access, and you use the Platform at your own risk to that extent.

We use cookies and similar technologies for essential functionality, performance analytics, and (where permitted) marketing. Categories include:

• Strictly necessary: required for the Platform to function (e.g., authentication, security)
• Performance and analytics: help us understand how the Platform is used
• Functional: remember your preferences
• Marketing: used only with your consent in regions that require it

You can manage cookie preferences through your browser settings or, where available, our cookie banner.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: obtain a copy of the personal data we hold about you
• Rectification: correct inaccurate or incomplete data
• Erasure ("right to be forgotten"): request deletion, subject to legal retention requirements
• Restriction: ask us to limit how we process your data in certain circumstances
• Portability: receive your data in a structured, commonly used format
• Objection: object to processing based on legitimate interests, including direct marketing
• Withdraw consent: where processing is based on consent, withdraw it at any time
• Lodge a complaint: with the data protection authority in your jurisdiction

If you are an authorized user of a customer organization, please direct requests concerning customer-controlled data to that organization. We will assist the customer in responding to your request as required by law.

To exercise your rights with respect to data we control, contact us at the address in Section 16.

The Platform is intended for businesses and professional users. It is not directed at children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

The Platform may link to or integrate with third-party services (e.g., ERP systems, identity providers, data sources). This Policy does not apply to those third parties. We encourage you to review their privacy policies before using them.

We may update this Policy from time to time. When we make material changes, we will notify you by posting the updated Policy on the Platform with a new "Last updated" date and, where appropriate, by additional means (such as email). Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

For questions, requests, or concerns about this Policy or our data practices:

If you have an unresolved concern, you may also contact your local data protection authority.