Last updated: March 2026

An Arabic version of this policy is available at privacy-ar.html.

1. Who We Are — Data Controller

Skori is a mobile application operated by Skori, a company based in the Kingdom of Saudi Arabia. As the operator of this app, Skori acts as the data controller responsible for processing your personal data in accordance with the Saudi Personal Data Protection Law (PDPL), issued by Royal Decree No. M/19. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under applicable Saudi law.

Data Protection Contact:
• Privacy inquiries: privacy@skoriapp.com
• General support: support@skoriapp.com

2. What We Do NOT Collect

We believe in full transparency. We explicitly do NOT:
• Collect your location or GPS data
• Collect health or biometric data
• Collect your contacts or phone data
• Engage in cross-app tracking
• Use your data for advertising purposes
• Sell your personal data to any third party
• Process sensitive personal data as defined by PDPL (racial or ethnic origin, religious beliefs, health data, biometric data, genetic data, or criminal records)

3. Personal Data We Collect and Why

When You Create an Account

Data collected: email address (if signing up with email), display name (optional), Google profile information (name, email) if signing in with Google, or Apple ID name and email if signing in with Apple.
Legal basis: Performance of our user agreement (Art. 6(2) PDPL).

When You Scan a Product

Data collected: barcode and timestamp of each scan. Up to 1,000 recent scans stored in the cloud; up to 100 cached locally.
Legal basis: Performance of our user agreement (Art. 6(2) PDPL).

When You Save a Product

Data collected: a list of barcodes corresponding to your saved/favorite products (up to 500 items).
Legal basis: Performance of our user agreement (Art. 6(2) PDPL).

When You Use the AI Chat Assistant

Data collected: your chat messages are sent to OpenAI's servers to generate a response. Chat messages and conversation history are stored persistently in your account on Skori's servers (Firebase). You can view, rename, and delete your conversations at any time.
Data usage: anonymized and de-identified chat data may be used to train and improve AI models used by Skori. All personally identifiable information is removed before any training use.
Legal basis: Consent (Art. 5(1) PDPL). The AI chat is optional. If you do not consent to data storage and training use, do not use the AI chat feature.

When You Use Product Image Analysis

Data collected: images of nutrition labels and ingredient lists from your product submissions. Sent to Anthropic's Claude Vision API for extraction; not stored by Skori beyond the processing pipeline.
Legal basis: Consent (Art. 5(1) PDPL). Image analysis only occurs when you submit a product.

When You Submit a Product

Data collected: product name, brand, nutrition information, and photos. This data becomes part of Skori's product database. Personal attribution is deleted upon account deletion; the product data itself is retained as a public resource.
Legal basis: Legitimate interest (Art. 6(4) PDPL).

When You Submit a Bug Report

Data collected: description of the issue, optional photo, device information (platform, app version, build number).
Legal basis: Legitimate interest (Art. 6(4) PDPL).

App Analytics and Crash Reporting

Data collected: anonymous usage analytics via Firebase Analytics (session counts, feature usage, screen views), and crash reports via Firebase Crashlytics (crash reports, device diagnostics). Analytics data is aggregated and not tied to personally identifiable information.
Legal basis: Legitimate interest (Art. 6(4) PDPL).

4. Local Storage on Your Device

Skori stores certain preferences locally on your device using SharedPreferences (Android) and UserDefaults (iOS). Data stored locally includes:
• Language preference
• Theme settings
• Local scan cache (up to 100 recent scans)

This data never leaves your device unless you explicitly sync it to the cloud.

5. Third-Party Services and International Data Transfers

To provide our services, Skori uses third-party providers that may process your personal data outside the Kingdom of Saudi Arabia. These transfers are limited to the minimum data necessary and are conducted with appropriate safeguards in compliance with the PDPL and the Regulations on Personal Data Transfers Outside the Kingdom.

| Service | Data Shared | Purpose | Country |
|---|---|---|---|
| Firebase Authentication (Google) | Account credentials | Sign-in & account management | United States |
| Firebase Firestore (Google) | Scan history, favorites, user profile | Database storage | United States |
| Firebase Storage (Google) | Product photos from user submissions | File storage | United States |
| Firebase Analytics (Google) | Anonymous usage data | App analytics | United States |
| Firebase Crashlytics (Google) | Crash reports, device diagnostics | Stability monitoring | United States |
| Anthropic (Claude Vision API) | Product label images | AI nutrition extraction | United States |
| OpenAI | AI chat messages, conversation history | AI chat assistant | United States |

By using Skori, you acknowledge that your personal data may be transferred to and processed in countries outside Saudi Arabia.

6. AI Features Disclosure

Skori uses AI-powered features that involve sending data to servers outside Saudi Arabia.

AI Chat Assistant

Powered by OpenAI. When you send a message in the chat, it is transmitted to OpenAI's servers to generate a response. Chat messages and conversation history are stored persistently in your account on Skori's servers (Firebase). Anonymized and de-identified chat data may be used to train and improve AI models used by Skori. See OpenAI's privacy policy.

Product Image Analysis

Powered by Anthropic's Claude Vision API. When you submit a product with photos, those images are sent to Anthropic's servers to extract nutrition facts and ingredient information. Images are used solely for data extraction and are not retained by Skori beyond the processing pipeline.

The AI chat feature is entirely optional. You may use Skori fully without using the AI chat. If you do not consent to data storage and AI training use, do not use the AI chat feature. The data shared with AI providers is limited to what is strictly necessary for the feature to function.

7. Consent Mechanisms

We obtain your consent as follows:
• Account creation: By creating an account, you consent to the data processing described in this policy.
• Device permissions: For features requiring camera access (barcode scanning, product photo submission), your device's native permission system will request access before the feature can be used. You may revoke these permissions at any time via your device settings.
• AI features: Using the AI chat or submitting product images constitutes consent to processing by the respective AI providers.
• Withdrawal of consent: You may withdraw consent at any time by deleting your account (Settings → Delete Account) or contacting privacy@skoriapp.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

8. Data Retention

We retain your personal data only for as long as necessary:
• Account data: Retained while active; deleted within 30 days of account deletion request.
• Scan history: Up to 1,000 cloud entries / 100 locally; deleted upon account deletion.
• Saved/favorite products: Up to 500 items; deleted upon account deletion.
• AI chat messages: Stored persistently in your account while active. Deleted upon conversation deletion or account deletion. Anonymized data previously incorporated into training datasets cannot be individually retrieved or deleted.
• Product submissions: Product data retained permanently (public resource). Personal attribution deleted upon account deletion.
• Bug reports: Retained for up to 12 months after resolution, then deleted.
• Analytics data: Aggregated and anonymized; retained for up to 24 months.
• Inactive accounts: Accounts inactive for more than 3 years may be deleted with prior notification to your registered email.

9. Data Security

We implement industry-standard security measures:
• Encryption in transit (TLS/HTTPS) for all data transmitted between your device and our servers
• Encryption at rest for stored data via Firebase's security infrastructure
• Access controls limiting who within Skori can access personal data
• Regular review of our data practices and third-party integrations

No method of transmission over the internet is 100% secure and we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that may cause harm to your data or rights:
• We will notify the competent authority (SDAIA) within 72 hours of becoming aware of the breach, in accordance with PDPL requirements.
• We will notify affected individuals without undue delay if the breach is likely to result in significant harm to them.

11. Your Rights Under the PDPL

As a data subject under Saudi Arabia's Personal Data Protection Law, you have the following rights:
• Right to be informed — You have the right to know what personal data we collect, why, and how it is used. This Privacy Policy fulfills that right.
• Right of access — Request a copy of the personal data we hold about you. How to exercise: Contact privacy@skoriapp.com.
• Right to correction — Request correction of inaccurate or incomplete personal data. How to exercise: Settings → Edit Profile, or contact privacy@skoriapp.com.
• Right to deletion — Request deletion of your personal data. How to exercise: Settings → Delete Account, or contact privacy@skoriapp.com.
• Right to data portability — Request your personal data in a clear, readable format. How to exercise: Contact privacy@skoriapp.com.
• Right to object — Object to processing of your personal data in certain circumstances. How to exercise: Contact privacy@skoriapp.com.
• Right to withdraw consent — Withdraw consent for optional features (AI chat, image analysis) at any time by discontinuing use or deleting your account.
• Right to restrict processing — Request restriction of processing in certain circumstances. How to exercise: Contact privacy@skoriapp.com.
• Right to lodge a complaint — If you believe your rights have been violated, you may lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.

We will respond to all data subject requests within 30 days of receipt.

12. Children and Minors

Skori is not intended for unsupervised use by individuals under 18 years of age. If you are under 18, your parent or legal guardian must review and agree to this Privacy Policy on your behalf before you use our services.

We do not knowingly collect personal data from individuals under 18 without valid parental or guardian consent. If we become aware that we have collected personal data from an individual under 18 without appropriate consent, we will take steps to delete such data promptly.

Note: Skori's content is rated suitable for all ages on app stores (3+). The age restriction in this section relates specifically to data processing consent as required under Saudi law.

If you are a parent or guardian and believe your child's data has been collected without consent, contact privacy@skoriapp.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, app features, or legal requirements. When we make changes:
• We will update the "Last updated" date at the top of this policy.
• We will notify users through the app for any material changes.

Your continued use of Skori after changes constitutes acceptance of the updated policy.

14. Governing Law

This Privacy Policy is governed by the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) issued by Royal Decree No. M/19 and its Implementing Regulations, as overseen by the Saudi Data & Artificial Intelligence Authority (SDAIA).

15. Contact Us

For privacy-related inquiries, data subject requests, or complaints:
• Data protection inquiries: privacy@skoriapp.com
• General support: support@skoriapp.com
• Data deletion: Settings → Delete Account, or email privacy@skoriapp.com
• Regulatory authority: Saudi Data & Artificial Intelligence Authority (SDAIA) https://sdaia.gov.sa