Privacy Policy

Effective Date: April 6, 2026

Last Updated: April 6, 2026

Contact: privacy@mursalai.com

1. Introduction

Welcome to Mursalai. We are an AI-powered chatbot platform designed exclusively for medical clinics in the Gulf Cooperation Council (GCC) region. Our service automates patient communication through WhatsApp, including appointment booking, inquiries, and follow-up messages. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our services, including our WhatsApp Business chatbot integration powered by the Meta (WhatsApp Business API) platform. By using Mursalai, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our services.

2. Information We Collect

2.1 Information from Patients (End Users)

When patients interact with a clinic's Mursalai chatbot on WhatsApp, we may collect:

• WhatsApp phone number and display name
• Messages sent to the chatbot (text content, voice note transcriptions)
• Appointment requests, booking details, and scheduling preferences
• Health-related inquiries submitted voluntarily by the patient
• Conversation timestamps and message status (sent, delivered, read)
• Device and platform metadata provided by WhatsApp Business API

2.2 Information from Clinics (Business Customers)

When a clinic subscribes to Mursalai, we collect:

• Clinic name, address, and contact information
• WhatsApp Business Account (WABA) credentials and phone number
• Authorized representative name and email address
• Billing and payment information (processed securely via third-party providers)
• Clinic configuration data (working hours, services, FAQ content)
• Usage data and analytics related to chatbot performance

2.3 Automatically Collected Data

We automatically collect certain technical data including:

• IP addresses and access logs
• API request and response data
• Error logs and system performance data
• Webhook delivery confirmations from Meta/WhatsApp

3. How We Use Your Information

3.1 To Provide Our Service

• Process and respond to patient messages on behalf of the clinic
• Book, confirm, reschedule, or cancel appointments
• Send automated follow-up and reminder messages
• Route complex queries to clinic staff when needed

3.2 To Operate and Improve Mursalai

• Monitor system performance and uptime
• Detect and prevent technical errors or abuse
• Improve AI response accuracy and conversation quality
• Generate anonymized analytics for the clinic dashboard

3.3 For Communication

• Send service updates, maintenance notices, and billing information to clinics
• Respond to support requests from clinics or patients
• Comply with legal obligations or regulatory requirements

3.4 What We Do NOT Do

• We do NOT sell patient data to any third party
• We do NOT use patient conversations for advertising purposes
• We do NOT share identifiable patient data across different clinics
• We do NOT use patient health information to train public AI models

4. Meta (WhatsApp) Platform & Data

4.1 WhatsApp Business API

Mursalai operates through the Meta WhatsApp Business API. By using our service, you acknowledge that:

• Message data flows through Meta's infrastructure
• Meta's own Privacy Policy and Terms of Service apply to WhatsApp usage
• End-to-end encryption applies to messages between users and WhatsApp Business accounts
• Business-initiated messages are subject to WhatsApp Business Policy

4.2 Meta Platform Compliance

Mursalai is a registered WhatsApp Business Solution Provider. We comply with:

• Meta's Platform Terms and Developer Policies
• WhatsApp Business Policy
• Meta's guidelines for health and medical communications
• Restrictions on sending unsolicited promotional messages

4.3 Opt-In and Opt-Out

Patients can opt out of chatbot communications at any time by:

• Sending 'STOP' or 'إيقاف' to the clinic's WhatsApp number
• Contacting the clinic directly to request removal
• Blocking the clinic's WhatsApp number

Upon opt-out, we will cease sending messages within 24 hours and flag the number as opted-out in our system.

5. Data Storage & Security

5.1 Storage Location

Patient conversation data is stored on secure servers located in the GCC region or compliant cloud infrastructure (AWS / Google Cloud) with data residency options available for Saudi Arabia and UAE.

5.2 Retention Period

• Active conversation data: retained for 12 months from last interaction
• Appointment and booking records: retained for 3 years (medical record compliance)
• Anonymized analytics: retained indefinitely
• Billing records: retained for 7 years (tax compliance)

Data is securely deleted after the retention period expires.

5.3 Security Measures

We implement industry-standard security measures including:

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Role-based access control — only authorized personnel access patient data
• Regular security audits and penetration testing
• Incident response procedures with 72-hour breach notification

6. Data Sharing & Third Parties

6.1 We Share Data Only When Necessary

We may share information with:

• The clinic whose chatbot the patient is using (their own patient data)
• Meta/WhatsApp as required to deliver messages through their API
• Cloud infrastructure providers (AWS, Google Cloud) under data processing agreements
• Payment processors for billing (Stripe, HyperPay) — no patient data shared
• Legal authorities when required by applicable law

6.2 No Third-Party Advertising

We do not share any patient or clinic data with advertising networks, data brokers, or marketing platforms. This includes Meta's advertising systems — patient data from our chatbot is not used for ad targeting.

7. Rights of Data Subjects

7.1 Patient Rights

Patients have the right to:

• Request access to their personal data we hold
• Request correction of inaccurate data
• Request deletion of their data ('right to be forgotten')
• Request restriction of processing
• Withdraw consent at any time
• File a complaint with the relevant data protection authority

To exercise these rights, patients should contact the clinic directly, or email us at: privacy@mursalai.com

7.2 Clinic Rights

Clinics (as data controllers) may:

• Export all patient conversation data at any time via the dashboard
• Request full data deletion upon contract termination
• Configure data retention periods within allowed ranges
• Access audit logs of all data access events

8. Children's Privacy

Our service is designed for adult patients communicating with medical clinics. We do not knowingly collect personal data from children under the age of 13 (or 16 in applicable jurisdictions) without verified parental consent. Clinics serving pediatric patients are responsible for obtaining appropriate parental consent before using Mursalai for minor patient communication.

9. Special Category Data (Medical Information)

Patient messages may contain health-related information, which is classified as Special Category Data under applicable data protection laws (including Saudi Arabia's PDPL and UAE's PDPL). We treat all health-related information with the highest level of protection:

• Strict access controls — only clinic staff can view patient conversations
• No profiling or automated decisions based on health data
• No sharing with insurance companies, pharmaceutical companies, or other third parties
• Clinics are responsible as data controllers for obtaining patient consent

10. Compliance with GCC Regulations

• Saudi Arabia: Personal Data Protection Law (PDPL) — Royal Decree M/19
• UAE: Federal Decree-Law No. 45 of 2021 on Personal Data Protection
• Kuwait: Law No. 20 of 2014 on Electronic Commerce
• Bahrain: Personal Data Protection Law 2018
• Qatar: Law No. 13 of 2016 on Personal Data Protection

We comply with all applicable local data protection laws in the regions where we operate.

11. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

• Notify clinic administrators via email at least 30 days before changes take effect
• Post the updated policy on mursalai.com/privacy
• Update the 'Last Updated' date at the top of this document

Continued use of Mursalai after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, requests, or concerns:

• Email: privacy@mursalai.com
• Website: mursalai.com/privacy
• WhatsApp: Available via mursalai.com/contact
• Response: We respond to all privacy requests within 5 business days

© 2026 Mursalai · mursalai.com · AI Medical Chatbot for GCC Clinics