1. Introduction
Be Smart Global, LLC ("DocReport KSA", "we", "our", or "us") operates the DocReport KSA platform. This Privacy Policy is specifically tailored to clinical practices operating in the Kingdom of Saudi Arabia (KSA) and details our strict compliance with the Saudi **Personal Data Protection Law (PDPL)**, executive regulations, Ministry of Health (MOH) guidelines, and Council of Cooperative Health Insurance (CHI) directives.
2. Be Smart Global, LLC & Corporate Structure
DocReport KSA is operated by Be Smart Global, LLC, a Delaware Limited Liability Company (Delaware File No. 10620833). Our registered agent is Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA.
For any legal or compliance inquiries regarding data protection in the GCC, please contact us at: info@be-smart-business.de
3. KSA PDPL Geographic Data Sovereignty Shield
To strictly satisfy Saudi Arabian geographic data sovereignty laws (which require patient health and medical information to remain inside KSA borders), DocReport KSA operates a **Zero-Trust, Zero-Knowledge client-side compliance suite**:
- Local Browser Redaction: All Protected Health Information (PHI) and patient-identifiable details (such as names, national IDs/Iqamas, phone numbers, and dates of birth) are automatically redacted in the doctor's local web browser *before* any text leaves the device. Placeholders (e.g. `[KSA_PATIENT_NAME_1]`) are sent to remote processing systems.
- Local Re-identification: Anonymized tokens are re-identified into readable clinical summaries strictly within the doctor's local browser memory. The raw cleartext is never sent to or stored in remote cloud servers.
- Zero-Knowledge Client-Side Encryption: Stored clinical data is encrypted in the browser using an AES-GCM practice cryptokey stored only on the clinic's local device. Our cloud database only sees indecipherable ciphertext blobs (`KSA_SECURE_CIPHER:...`), ensuring no legible health records exit KSA.
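The redaction and re-identification round trip described above can be sketched as follows. This is an added illustration, not DocReport KSA's code: only the `KSA_PATIENT_NAME` label appears in this policy, while the other labels, the detection patterns, and the sample dictation are assumptions constructed for the example.

```javascript
// Added illustration, not DocReport KSA code. Only the KSA_PATIENT_NAME label
// comes from the policy; other labels and all patterns are simplified assumptions.
const PATTERNS = [
  ["KSA_PHONE", /(?<!\d)(?:\+9665|05)\d{8}\b/g], // assumed mobile number shape
  ["KSA_NATIONAL_ID", /\b[12]\d{9}\b/g],         // assumed: 10 digits, leading 1 or 2
  ["KSA_DOB", /\b\d{4}-\d{2}-\d{2}\b/g],         // ISO dates only
];
const PLACEHOLDER = /\[KSA_[A-Z_]+_\d+\]/g;

// Constructed sample dictation (no real patient data).
const SAMPLE = "Patient Ahmed Al-Harbi, ID 1023456789, born 1984-03-12, " +
  "mobile +966512345678. Ahmed Al-Harbi reports chest pain.";

function redact(text, patientNames = []) {
  // Refuse input that already contains placeholder-shaped text; otherwise
  // re-identification could later splice a real value into it.
  if (text.search(PLACEHOLDER) !== -1) {
    throw new Error("input already contains placeholder-shaped text");
  }
  const tokenToValue = new Map(); // stays in local memory, never transmitted
  const valueToToken = new Map();
  const counters = {};
  const swap = (label) => (match) => {
    const key = `${label}|${match.toLowerCase()}`;
    if (!valueToToken.has(key)) {
      counters[label] = (counters[label] || 0) + 1;
      const token = `[${label}_${counters[label]}]`;
      valueToToken.set(key, token);
      tokenToValue.set(token, match);
    }
    return valueToToken.get(key); // same value always maps to the same token
  };
  let out = text;
  for (const name of patientNames) { // names come from the local chart (assumption)
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    out = out.replace(new RegExp(escaped, "gi"), swap("KSA_PATIENT_NAME"));
  }
  for (const [label, re] of PATTERNS) out = out.replace(re, swap(label));
  return { redacted: out, tokenToValue };
}

function reidentify(text, tokenToValue) {
  // Tokens the local map never issued are left untouched rather than guessed.
  return text.replace(PLACEHOLDER, (tok) => tokenToValue.get(tok) ?? tok);
}
```

Only the `redacted` string would be sent for remote processing; the `tokenToValue` map is the piece that must never leave the device.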
4. Information We Collect
We process two categories of information:
- Account & Billing Info: Doctor's name, professional credentials, clinic details, and payment data (processed securely via Stripe).
- Anonymized Clinical Logs: Anonymized procedural CPT codes, SBS numbers, and redacted clinic dictations to compile structured summaries and Nafis HL7/FHIR claims payloads.
5. Data Retention & Erasure
All local encryption credentials and re-identification tokens remain strictly on your physical machine. Accounts can be terminated at any time by emailing us. Stored encrypted records will be deleted from our database within 30 days of verification.
© 2026 Be Smart Global, LLC. All rights reserved.