1. Introduction
SAFO ('we', 'us', 'our') operates the AutoSuite platform available at safo.ae. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
We are committed to protecting your privacy and ensuring full transparency about how we handle your data. This policy applies to all users of AutoSuite, including garage owners, technicians, administrators, and any other individuals who interact with our platform or website.
This Privacy Policy complies with the following privacy frameworks and regulations:
- EU General Data Protection Regulation (GDPR) — for users in the European Union
- California Consumer Privacy Act (CCPA) — for users in California, USA
- UAE Data Protection Law — Federal Decree-Law No. 45 of 2021
- GCC Privacy Standards — applicable Gulf Cooperation Council guidelines
By using AutoSuite or visiting safo.ae, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our services.
Questions About This Policy?
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact our Privacy team at privacy@safo.ae. We respond within 30 days.
2. Information We Collect
We collect information in several ways: information you provide directly, information collected automatically, and information received from third parties. The following subsections detail each category.
2.1 Information You Provide Directly
When you use AutoSuite, we collect information you voluntarily provide to us, including:
- Account registration — Your name, email address, phone number, and company name when you create an account
- Service usage — Job cards, customer data, invoices, and other records you create within the AutoSuite platform
- Support communications — Emails, chat messages, or other correspondence you send to our support team
- Demo or trial requests — Your name, company name, and contact information when requesting a product demo or free trial
- Blog newsletter signup — Your email address when subscribing to our newsletter or blog updates
- Feature requests — Feedback form submissions, product suggestions, and other user-generated content you choose to share
2.2 Information Collected Automatically
When you visit our website and use AutoSuite, we automatically collect certain technical information about your interaction with our services:
- Log data — IP address, browser type and version, pages visited, time and date of visits, referring URLs, and session duration
- Device information — Device type (desktop, mobile, tablet), operating system, browser version, and screen resolution
- Cookies and tracking — Small data files stored on your device; see the Cookies & Tracking section below for full details
- Analytics — Google Analytics data including pages visited, time on site, user flow, and general interaction patterns
- Usage data — Features used within AutoSuite, job cards created, reports generated, and other platform activity metrics
2.3 Information from Third Parties
We may receive information about you from third-party sources to supplement or validate information we already hold:
- SMS and email providers — Delivery confirmation, bounce rates, and open statistics from messaging services
- Integrations — If you connect AutoSuite with QuickBooks, Xero, or other third-party tools, we receive only the data you explicitly authorize during the integration setup
- Social media — Basic profile information if you choose to sign in using a social media account (e.g., Google)
- Analytics platforms — Aggregated, non-identifying usage trends and market data
2.4 Sensitive Data — What We Do NOT Collect
We Do NOT Collect the Following Sensitive Data
SAFO does not collect, store, or process the following categories of sensitive personal information:
- Credit card numbers or full payment card data (payments processed by PCI-compliant payment gateways only)
- Passport numbers, Emirates ID numbers, or national identification numbers
- Health information, medical records, or biometric data
- Passwords in readable form (all passwords are hashed and salted — they are never accessible to our team)
- Social security numbers or equivalent national identifiers from any country
- Religious or political views, racial or ethnic origin, or trade union membership
3. How We Use Your Information
We use the information we collect only for legitimate, disclosed purposes. The table below outlines each purpose along with the legal basis under which we process your data and how long we retain it for that purpose.
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Provide AutoSuite service | Contract | Duration of subscription |
| Customer support & troubleshooting | Contract | 2 years after last contact |
| Security & fraud prevention | Legitimate interest | 3 years |
| Marketing & newsletters | Consent (opt-in) | Until unsubscribed |
| Product improvement & analytics | Legitimate interest | Aggregated only |
| Legal compliance & regulatory requirements | Legal obligation | Per law requirement |
We use your information to improve AutoSuite features based on usage patterns and customer feedback. We share aggregated insights — not personal data — with our internal team to guide product development decisions. Individual user data is never shared for this purpose.
Marketing emails and newsletters are sent only if you have explicitly opted in during sign-up or through your account preferences. You may unsubscribe at any time by clicking the unsubscribe link included in every marketing email, or by emailing privacy@safo.ae.
We Never Sell Your Data
SAFO does not sell, rent, or trade your personal data to any third parties for their own marketing or commercial purposes. We share information only when you explicitly authorize it, when required by applicable law, or with service providers who assist us in operating AutoSuite under strict data processing agreements.
4. Data Sharing & Third Parties
4.1 When We Share Data
We share your personal data only in the following clearly defined circumstances:
- You explicitly authorize it — For example, when you authorize a QuickBooks or Xero integration, we share the relevant financial data with that service as directed by you
- Required by law — For example, in response to a valid legal order, court subpoena, or lawful government request from competent authorities
- Service providers — For example, email delivery providers and cloud hosting companies that require access to certain data in order to provide their services to us on your behalf
- Business transfer — For example, if SAFO is acquired, merged with, or transfers its business to another entity, your data may be transferred to the acquirer. We will notify you in advance and give you the opportunity to export or delete your data
- Aggregated or anonymized data — For example, publishing statistics like 'most popular features' or 'average customer ROI' that cannot be used to identify any individual user
We explicitly do NOT share your data in these ways:
- Personal data with advertising or marketing companies for their use
- Customer data with competitors or industry third parties
- Any data with third parties for their own marketing or commercial purposes
4.2 Service Providers We Work With
We work with a limited number of carefully vetted service providers. Each provider is bound by a data processing agreement and is permitted to use your data only as necessary to perform their contracted services:
| Service Provider | Purpose | Data Shared | Privacy Standard |
|---|---|---|---|
| Google Cloud | Server hosting & infrastructure | Account data, platform data | SOC 2 Type II certified |
| Google Analytics | Usage analytics | Anonymized page views | GDPR-compliant |
| Zoho Flow | Integration middleware | Only authorized data | Your authorization controls |
| WhatsApp Business | Customer messaging | Messages only | WhatsApp's privacy policy |
| SendGrid | Transactional email delivery | Email address, message content | GDPR compliant |
4.3 International Data Transfers
Your data may be processed in multiple countries, including the UAE, United States, and countries within the European Union, depending on the service providers and infrastructure we use. When data is transferred internationally, we ensure the following safeguards are in place:
- Standard Contractual Clauses (SCCs) for EU-compliant data transfers
- Equivalent privacy protections applicable across all regions where data is processed
- Your explicit consent to international transfers as documented in this Privacy Policy
- Compliance with applicable local data residency laws and regulations
If you are located in the European Union or European Economic Area, we have Standard Contractual Clauses (SCCs) in place with all service providers involved in US-based processing to ensure your data is protected to EU standards.
5. Data Retention
5.1 While Your Account Is Active
For as long as you maintain an active subscription with SAFO, we retain the following categories of data:
- Account data — Retained for the full duration of your customer relationship with us
- Service data — Job cards, invoices, customer records, and other platform content retained for the full duration of your subscription
- Support communications — Retained for 2 years after your last support interaction to enable continuity of service
- Analytics data — Aggregated and anonymized after 24 months; individual-level data is not retained beyond this period
5.2 After Your Account Is Closed or Deleted
Following account closure or a deletion request, we apply the following retention schedule:
- Personal data — Deleted within 30 days of a valid deletion request, subject to legal obligations
- Backups — Backup copies retained for up to 90 days for emergency disaster recovery purposes only, then securely destroyed
- Aggregated or anonymized data — May be retained indefinitely as it cannot be used to identify you
- Legal holds — If data is subject to an active legal obligation or pending litigation hold, it will be retained until the obligation is resolved
5.3 Special Cases & Legal Requirements
Certain categories of data must be retained for longer periods to comply with UAE and international legal and regulatory requirements:
| Data Category | Retention Period | Reason |
|---|---|---|
| Financial records | 7 years | UAE legal compliance requirement |
| Tax records | 7 years | UAE Federal Tax Authority requirement |
| Audit logs | 7 years | Security and compliance |
| Invoice data | 7 years | Accounting and regulatory requirement |
5.4 Your Right to Deletion & Data Export
You have the right to request deletion of your personal data at any time. Upon receiving a valid deletion request, we will delete your data within 30 days, unless one or more of the following exceptions applies:
- Legal obligations require us to retain the data for a specified period
- You hold an active, paid subscription that has not yet been cancelled
- Retention is necessary for the prevention or investigation of fraud or security incidents
- The data is required for the resolution of a pending dispute or legal claim
To request data deletion, please email privacy@safo.ae from your registered account email address with the subject line "Data Deletion Request". Your data export window is 30 days from the date of your cancellation notice — we encourage you to export your data before submitting a deletion request.
6. Your Rights
Depending on your location, you have specific legal rights regarding your personal data. We are committed to honoring these rights in full and without undue delay.
6.1 GDPR Rights (If You Are in the EU)
If you are located in the European Union or European Economic Area, the General Data Protection Regulation grants you the following rights:
- Right to access — Request a copy of all personal data we hold about you
- Right to correction — Request that we fix any inaccurate or incomplete personal data
- Right to deletion — Exercise your 'right to be forgotten' and request erasure of your personal data
- Right to restrict processing — Request that we limit how we use your data under specific circumstances
- Right to data portability — Receive your personal data in a structured, machine-readable format (e.g., JSON or CSV)
- Right to object — Object to the processing of your data for direct marketing, profiling, or legitimate interest purposes
- Right to withdraw consent — Cancel your email marketing subscription or any consent-based processing at any time
- Right to lodge a complaint — Contact your national data protection supervisory authority if you believe your rights have been violated
6.2 CCPA Rights (If You Are in California)
If you are a California resident, the California Consumer Privacy Act grants you the following rights:
- Right to know — Know what categories and specific pieces of personal information we collect about you
- Right to delete — Request deletion of your personal information, subject to certain exceptions
- Right to opt-out — Opt out of the sale of personal information (note: SAFO does not sell personal data)
- Right to non-discrimination — Not be penalized or receive inferior service for exercising your CCPA rights
- Right to correct — Request correction of inaccurate personal information we hold about you
6.3 UAE Rights (If You Are in the UAE)
If you are located in the United Arab Emirates, the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection grants you the following rights:
- Right to access — Request access to your personal data that we hold
- Right to rectification — Request correction of inaccurate or outdated personal data
- Right to erasure — Request deletion of your personal data under appropriate circumstances
- Right to restrict processing — Request that we limit processing of your personal data in certain situations
- Right to lodge a complaint — File a complaint with the UAE Data Protection Bureau if you believe your rights have been violated
6.4 How to Exercise Your Rights
To exercise any of the rights described above, please email privacy@safo.ae with the following information:
- Your full legal name
- Your registered account email address
- Which specific right you are exercising
- A clear description of your request
We will acknowledge your request promptly and respond within 30 days. There are no fees for exercising your rights. We may request identity verification to protect your data from unauthorized access requests.
Example Requests
- "I want to export all my data" → We will compile and send a ZIP archive containing all data we hold about you in standard formats
- "Delete my account and all associated data" → We will initiate deletion after the 30-day data export window to give you time to retrieve your records
- "What data do you have about me?" → We will send a complete data inventory listing all categories and specific pieces of personal information we hold
7. Security & Encryption
We take the security of your data seriously. SAFO implements comprehensive technical, organizational, and administrative measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
7.1 Technical Security Measures
The following security controls are implemented across the AutoSuite platform and infrastructure:
- AES-256 encryption — All data at rest is encrypted using industry-standard AES-256 encryption
- TLS 1.3 encryption — All data in transit is protected using Transport Layer Security (TLS) 1.3
- Role-based access control (RBAC) — Internal access to customer data is strictly limited by role and business need
- Two-factor authentication (2FA) — Available for all user accounts; mandatory for administrator-level accounts
- Audit logging — All significant system actions and data access events are logged and retained for security review
- Regular security audits — External, independent third-party security audits conducted on a scheduled basis
- Penetration testing — Regular penetration tests performed by qualified security professionals
- 24/7 infrastructure monitoring — Continuous automated monitoring of all systems for anomalous activity
- Incident response procedures — Documented and tested incident response plan for timely breach notification and remediation
- Data backups — Daily encrypted backups with a 90-day retention window for disaster recovery
7.2 Industry Certifications & Compliance
SAFO maintains the following industry certifications and compliance standards to validate the effectiveness of our security program:
- SOC 2 Type II — Independently audited report verifying our security, availability, and confidentiality controls
- ISO 27001 — International standard for information security management systems
- GDPR compliant — Full compliance with EU General Data Protection Regulation
- CCPA compliant — Full compliance with California Consumer Privacy Act
7.3 Security Vulnerability Reporting
If you discover a potential security vulnerability in AutoSuite or our website, we encourage responsible disclosure. Please report all security concerns to security@safo.ae. Upon receiving your report, we will:
- Acknowledge receipt of your report within 24 hours
- Investigate and work on remediation as a priority
- Credit you publicly (with your consent) for responsible disclosure
- Request that you do not publicly disclose the vulnerability until we have issued a fix
We are grateful to security researchers who help us keep AutoSuite safe for all users.
8. Cookies & Tracking
8.1 What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, or mobile) by websites you visit. They are widely used to make websites function properly, work more efficiently, and provide reporting information to website owners. Cookies help us remember your login session, your preferences, and how you interact with our services, so we can provide you with a personalized and seamless experience.
8.2 Cookies We Use
The following table lists the specific cookies used by SAFO and the AutoSuite platform:
| Cookie Name | Purpose | Type | Duration |
|---|---|---|---|
| session_id | Keep you logged in during your session | Essential | Until you log out |
| user_preferences | Remember your account settings and UI preferences | Functional | 1 year |
| ga4_* | Google Analytics 4 usage tracking | Analytics | 2 years |
| marketing_campaign | Track which marketing channel or ad brought you to the site | Marketing | 30 days |
| theme_preference | Remember your dark/light mode display choice | Functional | 1 year |
| language_setting | Remember your preferred language selection | Functional | 1 year |
8.3 Types of Cookies
We use four categories of cookies on our website and platform:
- Essential cookies — Required for the basic operation of the website and platform. These include session management, security tokens (CSRF protection), and authentication. Without these, AutoSuite cannot function correctly.
- Functional cookies — Enable enhanced functionality and personalization such as your language preference, theme selection (dark/light mode), UI layout choices, and timezone settings. Disabling these may reduce your experience quality.
- Analytics cookies — Used to understand how visitors interact with our website and platform. Provided by Google Analytics 4, these collect aggregated and anonymous data including page views, session duration, and navigation paths. No personal data is shared with analytics providers.
- Marketing cookies — Used for retargeting and remarketing through platforms such as Google Ads and Facebook Ads. These help us show relevant SAFO advertisements to people who have previously visited our website. You can opt out of these at any time.
8.4 Your Cookie Choices
Browser Settings: You can control and manage cookies through your browser settings. Most browsers allow you to refuse all cookies, accept only certain types, or delete cookies after each session. Please note that blocking essential cookies may limit or prevent access to core AutoSuite functionality.
Opt-Out Tools: You can opt out of Google Analytics tracking using the official Google Analytics Opt-Out Browser Add-on at tools.google.com/dlpage/gaoptout. For Facebook Ads, you can manage your ad preferences through your Facebook account settings.
SAFO honors the Do Not Track (DNT) browser signal. When we detect a DNT signal, we disable non-essential analytics and marketing tracking automatically.
9. International Data Transfers
As a cloud-based platform serving customers globally, your data may be transferred to and processed in countries other than your country of residence, including the United Arab Emirates, the United States, and countries within the European Union. We recognize that different countries have different privacy laws, and we take your privacy protection seriously regardless of where data is processed.
When we transfer data internationally, we ensure the following safeguards are always in place:
- GDPR adequacy decisions — We transfer data to countries recognized by the European Commission as providing adequate protection where applicable
- Standard Contractual Clauses (SCCs) — For transfers not covered by adequacy decisions, we use EU-approved Standard Contractual Clauses with all receiving parties
- Binding corporate rules — Internal policies that ensure consistent data protection standards across all entities and jurisdictions
- Your consent — By accepting this Privacy Policy and using AutoSuite, you explicitly consent to the international transfer of your data as described herein
Your Consent
By using AutoSuite and accepting this Privacy Policy, you acknowledge and consent to the transfer of your information to the UAE, US, EU, and any other countries where our service providers operate. We ensure your data receives equivalent protection in all jurisdictions.
10. Children's Privacy
AutoSuite is a professional business-to-business (B2B) SaaS platform intended solely for use by adults operating or working in automotive repair and garage management businesses. Our services are not directed at, designed for, or intended for use by children.
Under 13: We do not knowingly collect, solicit, or process personal information from children under the age of 13. If we discover that we have inadvertently collected personal information from a child under 13, we will delete that information from our systems immediately and without delay. If you believe we may have collected information from a child under 13, please contact us immediately at privacy@safo.ae so we can investigate and take appropriate action.
Ages 13–18: Individuals between the ages of 13 and 18 may use AutoSuite only with the documented consent and active supervision of a parent or legal guardian. By allowing a minor to use our services, the parent or guardian accepts responsibility for the minor's compliance with this Privacy Policy and all applicable terms of service.
If you are a parent or guardian and believe your child has registered an account or provided us with personal information without your consent, please contact us at privacy@safo.ae. We will promptly investigate and, where appropriate, delete the information and close the account.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will notify you through the following channels:
- Email notification — We will send an email to your registered account email address describing the key changes
- Website banner — A prominent notice will be displayed on our website (safo.ae) for at least 30 days after the change takes effect
- In-app notification — A notification will be displayed within the AutoSuite platform when you next log in
Your continued use of AutoSuite after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with the updated policy, you may close your account and request deletion of your data before the effective date.
We recommend reviewing this policy periodically to stay informed about how we protect your information. The date at the top of this page indicates when it was last updated.
11.1 Update History
| Date | Version | Summary of Changes |
|---|---|---|
| April 18, 2026 | 1.0 | Initial publication of SAFO AutoSuite Privacy Policy |
12. Contact Us
We are committed to addressing your privacy concerns promptly and transparently. Please use the appropriate contact channel below based on the nature of your inquiry.
12.1 Privacy Questions
For general questions about this Privacy Policy, how we handle your data, or any privacy-related concerns, please contact our Privacy team:
- Email: privacy@safo.ae
- Response time: Within 30 days of receiving your inquiry
- Subject line: Include "Privacy Question" in your subject line to ensure faster routing
12.2 Data Subject Requests
To exercise any of your data rights (access, correction, deletion, portability, objection), please submit a formal Data Subject Request:
- Email: privacy@safo.ae
- Subject line: "Data Subject Request — [Your Right]" (e.g., "Data Subject Request — Deletion")
- Response time: Within 30 days; we may ask for identity verification to protect your data
12.3 Security Issues
To report a potential security vulnerability, data breach, or any security-related concern:
- Email: security@safo.ae
- Response time: Within 24 hours for all security reports
- Please include: A detailed description of the vulnerability, steps to reproduce, and any supporting evidence (screenshots, logs)
12.4 General Support
For non-privacy-related product support, billing questions, or general inquiries:
- Support email: support@safo.ae
- Help Center: safo.ae/help
- Contact form: safo.ae/contact
- FAQs: safo.ae/faqs
12.5 Where We Operate
SAFO AutoSuite is operated by:
- Legal entity: SAFO FZE
- Jurisdiction: United Arab Emirates
- Official correspondence: legal@safo.ae (for formal legal inquiries and official mail address requests)
Official Mail Address
We do not publish our physical office address on this website. To obtain our official registered address for legal or formal correspondence purposes, please email legal@safo.ae.