Privacy Policy

Alzayani Guard · Last updated: 4 June 2026

Controller: Alzayani Security W.L.L, P.O. Box 23933, Manama, Kingdom of Bahrain. Contact / Data Protection Officer: privacy@marqab.app.

1. Scope

This policy covers the Alzayani Guard mobile application (used by security guards), the Operations Console (used by Alzayani staff), and the Client Portal (used by client organisations). It explains what personal data we process, why, who it is shared with, how long we keep it, and your rights under the Bahrain Personal Data Protection Law (Law No. 30 of 2018, the “PDPL”).

2. What we collect

Identity & employment (guards): full name, CPR number (national ID), phone number, staff number, role, employment type/start date, and employment-contract documents.

Location: GPS coordinates captured at shift check-in to confirm presence at the assigned site, and periodic location “beacons” while on an active shift (for live supervision and SOS response).

Photos & images: check-in photos (anti-fraud presence, uniform, and identity verification), enrolled reference photos, ID documents, profile photos, and photos attached to incident/hazard reports.

Audio: short voice notes sent to other guards on duty at your site.

Health-related data: sick-leave / medical certificates you upload and pre-shift fitness attestations.

Device & usage data: device push token, network state, and — only with your consent (see §6) — app-usage statistics during a shift.

3. Device permissions

  • Camera — take the check-in photo and capture incident/hazard photos.
  • Location — verify presence at the site at check-in; live supervision and SOS while on shift.
  • Microphone — record voice notes to teammates on site.
  • Photo library — attach existing photos to incident reports / HR uploads.
  • App-usage access — activity/liveness signal during a shift; see §6.
  • Phone — place emergency/SOS calls.

4. How we use your data

Shift verification, anti-fraud and uniform checks, guard safety and SOS escalation, scheduling and coverage, incident/hazard handling, HR and compliance reporting to clients, and operational analytics. Our legal bases are the employment relationship / performance of contract, our legitimate interest in workforce security operations, legal obligations, and — where required (e.g. monitoring, biometric and health data) — your explicit consent.

5. Automated analysis (AI)

Some features use AI (Anthropic Claude) to assist staff: check-in photo verification analyses your check-in photo for person-present, in-uniform, and identity vs your reference photo; text features summarise incidents, generate the daily operations brief and compliance narratives, assess coverage risk, and power an internal staff assistant.

Identity matching is a review aid, not a sole automated decision — a human operator reviews flagged results. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human review.

6. Monitoring & personal devices

The app-usage / activity monitoring operates only after your explicit, revocable consent, given through an in-app consent screen. You may decline it, or withdraw it later from Settings, at any time without losing access to core shift functions.

7. Who we share it with

  • Alzayani operations staff — on a role-restricted basis.
  • Client organisations — limited, per-site read access to coverage at their own sites only, via the Client Portal.
  • Service providers (data processors): Supabase (database, file storage, authentication), Vercel (hosting), Anthropic (AI analysis of photos and text), Resend (email delivery of compliance reports), Google Firebase (push notifications). We do not sell your personal data.

8. International transfers

Some processors operate outside the Kingdom of Bahrain (e.g. the United States). Where personal data is transferred abroad, we rely on your consent and on contractual safeguards with each processor, as required by the PDPL.

9. How long we keep it

  • Check-in photo images: 7 days, then automatically deleted (the verification result is kept as an audit record).
  • Voice notes: about 1 hour, then automatically deleted.
  • Location beacons / live activity events: short-lived (rolling purge).
  • Check-in records & attendance: 24 months.
  • Incident & hazard records: 7 years.
  • Identity/employment records, ID & contract documents: duration of employment + 24 months.
  • Health / sick-leave certificates: duration of employment + 12 months.

10. Your rights (PDPL)

You may access, rectify, erase, or restrict/object to processing of your personal data, withdraw consent (where processing is consent-based), and lodge a complaint with the Bahrain Personal Data Protection Authority. To exercise any right, contact privacy@alzayanisecurity.com.

11. Security

Access is role-restricted and enforced at the database level (row-level security), traffic is encrypted in transit (HTTPS/TLS), file access uses short-lived signed links, and sensitive staff actions (e.g. media views, report exports) are recorded in an access audit log.

12. Children

This is a workforce application and is not directed to children.

13. Changes & contact

We will post changes here and update the “last updated” date. Questions: privacy@alzayanisecurity.com.