Privacy Policy
Last updated: 30 May 2026
Sastemny is operated by Sastemny (“we”, “us”, “our”). For Egypt, we process personal data in connection with merchants who use our workspace software and related services. This Privacy Policy explains what personal data we collect, why we process it, who we share it with, how long we keep it, and the rights available to you under Egyptian law and applicable international standards. It is separate from our Terms of Service and is provided in plain language as required by the Executive Regulations to Law No. 151 of 2020.
This policy is provided for transparency. It does not constitute legal advice. Merchants using Sastemny remain responsible for privacy notices and consents they owe to their own customers.
1. Roles: controller and processor
For account, billing, security, and platform operation data, Sastemny acts as a data controller (or “data user” under Egyptian law) determining the purposes and means of processing.
For personal data your customers submit through connected channels (WhatsApp, Instagram, Facebook, storefront checkout), you—the merchant—are typically the controller. We process that data on your documented instructions to deliver inbox, orders, Kayan AI, wallet, and related features. Where Egyptian law requires a written processing agreement, our Terms of Service and data-processing terms incorporated therein describe those instructions.
2. Scope and Egyptian law
This policy applies to visitors of sastemny.app, eg.sastemny.app, support.sastemny.app, workspace users, waitlist sign-ups, and API integrators.
We align our practices with Egypt’s Personal Data Protection Law No. 151 of 2020 and its Executive Regulations (Ministerial Decree No. 816 of 2025), including transparency, purpose limitation, data minimisation, accuracy, security, and retention limits. Where you are located outside Egypt, additional laws may also apply; we honour valid data-subject requests to the extent required.
3. Categories of personal data we collect
Identity and contact: name, business name, work email, phone, country, role, and language preferences.
Account and authentication: credentials (stored hashed), session tokens, workspace identifiers, audit logs of sign-in events.
Business and commerce: catalog, orders, customers, conversations, payment references, wallet balances, shipping details, and integration settings you configure.
Technical: IP address, device/browser type, timestamps, error diagnostics, and security signals (fraud prevention, rate limiting).
Billing: subscription plan, invoices, payment method metadata from Paymob—we do not store full card numbers.
Communications: support tickets, emails, and feedback you send us.
AI (Kayan): prompts, generated replies, and action logs needed to operate copilot features you enable.
4. Purposes and lawful bases (PDPL Article 6)
We process personal data only for declared, lawful purposes, including: providing and securing the service; onboarding and account administration; processing subscriptions; enabling channel integrations; operating Kayan within your settings; customer support; product improvement and aggregated analytics; compliance with law; and defending legal claims.
Depending on the activity, our lawful bases include: performance of a contract with you; compliance with a legal obligation; your consent (where required, e.g. optional marketing or non-essential cookies); legitimate interests (e.g. fraud prevention, service reliability) balanced against your rights; or other bases permitted under Egyptian law.
Sensitive personal data (if ever processed) requires stricter safeguards and, where applicable, explicit written consent. We do not intentionally collect health, biometric, or children’s data except as you submit in ordinary commerce messages.
5. How we collect data
Directly from you when you register, configure integrations, upload catalog data, or contact support.
Automatically through cookies, logs, and APIs when you use the marketing site or workspace.
From third-party platforms you connect (e.g. Meta) subject to their permissions and webhooks.
From payment providers (Paymob) when you complete checkout or payouts.
7. Cross-border transfers
Your data may be processed in Egypt and in other countries where our infrastructure or subprocessors operate. When personal data is transferred outside Egypt, we implement safeguards required under the PDPL and Executive Regulations, which may include adequacy assessments, standard contractual clauses, explicit consent where mandated, or other approved mechanisms.
You may request information about transfer safeguards by contacting privacy@sastemny.app.
8. Retention
We retain personal data only as long as necessary for the purposes described, including: active account data for the life of your subscription plus a reasonable wind-down period; financial and tax records as required by applicable law (often up to five years in Egypt for accounting evidence); security logs for a limited period; and support correspondence for case resolution.
When you delete data in the workspace or close your account, we purge or anonymise within commercially reasonable timelines, subject to backups and legal holds.
9. Security measures
We apply encryption in transit (TLS), access controls, tenant isolation, logging, and vulnerability management. Details are summarised in our Security page. No method is 100% secure; you must protect your credentials and device access.
10. Your rights
Under Egyptian law and our global practices, you may have the right to: access your personal data; request correction of inaccurate data; request deletion where processing is no longer necessary or consent is withdrawn (subject to legal exceptions); object to or restrict certain processing; withdraw consent where processing is consent-based; and receive a copy of data you provided in a portable format where technically feasible.
To exercise rights, email privacy@sastemny.app from your registered work email. We may verify your identity. We respond within timelines required by applicable law (the PDPL and Regulations set expectations for timely handling).
Personal Data Protection Center (PDPC) — Egypt Ministry of Communications and Information Technology. You may lodge a complaint with the PDPC if you believe your rights under Law No. 151 of 2020 have been infringed.
11. Personal data breaches
If we become aware of a personal data breach likely to affect your rights, we will investigate, mitigate harm, and notify the PDPC within 72 hours where required, and notify affected merchants without undue delay when the breach is likely to result in risk to individuals.
12. Children
Sastemny is a business platform not directed at children under 18. Merchants must not use the service to knowingly collect children’s data without guardian consent as required by law. If you believe a child’s data was submitted improperly, contact privacy@sastemny.app.
13. Changes to this policy
We may update this policy to reflect legal, technical, or product changes. We will post the revised version with a new “Last updated” date. Material changes affecting existing customers will be communicated through the workspace or email where appropriate.
14. Contact
Data protection enquiries: privacy@sastemny.app
General legal: legal@sastemny.app
Security incidents: security@sastemny.app