Privacy Policy
Effective 2026-05-14
Slingshot LLC (“we”, “us”) takes the privacy of personal data seriously. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our websites and our Nexus services (collectively, the “Services”). It is intended to align with the Saudi Personal Data Protection Law (the “PDPL”), the EU General Data Protection Regulation (the “GDPR”), and similar laws where they apply.
This Policy applies to two different roles. When we process personal data about you as a visitor to our websites or a contact of our business, we act as the controller (or equivalent). When we process personal data on behalf of a customer business inside their Nexus workspace, we act as the processor (or equivalent) and our processing is also governed by the Data Processing Addendum.
1. Personal data we collect
We collect personal data in the following categories:
- Account data. Name, email, phone, role, profile photo, password hash, organization name, and workspace identifiers.
- Billing data. Billing address, VAT number where applicable, payment method tokens issued by our payment gateway (we do not store full card numbers), and payment history.
- Workspace content. Records you create or upload inside Nexus (contacts, leads, quotes, invoices, projects, files, messages, documents). This is Customer Data under our Terms; you control it.
- Communications. Messages you send us by email, chat, or in-app, and recordings of any support calls you consent to.
- Technical data. IP address, browser and device identifiers, user-agent strings, language, time zone, pages visited, actions performed, and timestamps. We log this for security, audit, abuse prevention, and product improvement.
- Cookies and similar. First-party cookies for session authentication, workspace selection, and security. We do not use third-party advertising trackers.
2. How and why we use personal data
We process personal data for the following purposes:
- Provide the Services. Create and authenticate accounts, run workspaces, deliver Modules you have subscribed to, send transactional emails (e.g., magic links, receipts, password resets, support replies).
- Billing. Charge fees, process payments through our payment gateway, issue tax-compliant invoices, and pursue overdue amounts.
- Security and abuse prevention. Detect, investigate, and block unauthorized access, fraud, and abuse; maintain audit logs.
- Improve the Services. Analyse usage, fix bugs, develop new features. Where we use individual-level data for product analytics, we minimize it and retain it only as long as needed.
- Marketing. Send product updates and offers to customers and prospects who have opted in or where allowed by law. You can unsubscribe at any time from the link in our emails.
- Compliance and legal claims. Comply with laws, respond to lawful requests from authorities, establish or defend legal claims, enforce our agreements.
3. Legal bases (for GDPR-covered data subjects)
Where GDPR applies, we rely on the following bases:
- Contract. Providing the Services to you or your employer.
- Legitimate interests. Operating, securing, and improving the Services; preventing fraud; understanding how our products are used; protecting our rights. We balance these interests against your rights and freedoms.
- Legal obligation. Complying with tax, accounting, and other mandatory requirements.
- Consent. Where required, including for certain marketing communications. You may withdraw consent at any time without affecting prior processing.
4. Sharing and disclosure
We share personal data only as described below:
- Subprocessors and service providers. Vetted vendors that help us run the Services (hosting, email delivery, payments, error monitoring, customer support tooling). We maintain a current list of subprocessors at /subprocessors and contractually require them to protect personal data.
- Customer business. If you are a member of a workspace owned by another organization, we share your activity in that workspace with that organization, which acts as the controller of that data.
- Authorities. Where required by law, court order, or to protect our rights, safety, or property; we will challenge overly broad requests where appropriate.
- Business transfers. In connection with a merger, acquisition, or sale of all or part of our business, subject to confidentiality.
We do not sell personal data, and we do not share personal data with third parties for their own advertising purposes.
5. International transfers
Slingshot LLC is registered in Jordan and the Kingdom of Saudi Arabia. Personal data may be processed in countries outside your home country, including the European Union and other locations where our subprocessors operate. When we transfer personal data outside the Kingdom of Saudi Arabia, we follow PDPL transfer rules and the conditions imposed by SDAIA. When we transfer personal data outside the EEA, we rely on Standard Contractual Clauses or other safeguards required by the GDPR.
6. Retention
We keep personal data only as long as needed for the purposes above. Specifically:
- Account and workspace data. For as long as the workspace is active. After a workspace is deleted, we retain backups for up to 90 days, and we may retain limited identity data for as long as legally required.
- Billing records. Retained for the period required by tax and commercial law (typically up to 10 years).
- Audit logs. Retained for the retention window configured by the workspace administrator (typically 12–36 months).
- Marketing data. Retained until you opt out, plus a short suppression record so we honour your preference.
7. Your rights
Subject to local law, you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have data erased where there is no overriding ground to keep it.
- Restrict or object to certain processing.
- Receive a portable copy of certain data.
- Withdraw consent where processing is based on consent.
- Complain to your supervisory authority. In the Kingdom of Saudi Arabia, this is the Saudi Data & AI Authority (SDAIA).
To exercise any right, write to hit@eslingshot.com. We will respond within 30 days (extendable where allowed by law). We may need to verify your identity before acting.
If you are a member of a workspace owned by another organization (your employer or another customer), we will refer your request to that organization, which controls the data, and assist where required.
8. Security
We implement technical and organizational measures appropriate to the risk, including TLS in transit, encryption at rest where applicable, role-based access controls, audit logging, network isolation, regular backups, and least-privilege administrative access. No system can guarantee absolute security; we will notify affected parties of qualifying breaches as required by law.
9. Children
The Services are intended for businesses and are not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have, contact us and we will delete it.
10. Cookies and tracking
We use first-party cookies that are necessary to operate the Services, including authentication and workspace selection. We do not use third-party advertising or re-targeting cookies. We use minimal first-party analytics to understand aggregate product usage; you may decline these where offered by your browser or jurisdiction-specific banner.
11. Changes
We may update this Privacy Policy from time to time. For material changes we will notify the account owner by email and update the “Effective” date above. Continued use of the Services after the new effective date is your acceptance of the updated Policy.
12. Contact
Privacy questions, data-subject requests, breach notifications, and operational issues all go to:
hit@eslingshot.com
Postal: Slingshot LLC, Jordan and the Kingdom of Saudi Arabia
Version 2026-05-14. See the legal index for the full pack.