1. Overview & Regulatory Scope
Be Smart Global, LLC ("DocReport KSA", "we", "our", or "us") operates the DocReport KSA platform. This Regulatory Privacy Policy is a legally binding B2B agreement specifically tailored for licensed healthcare providers, clinics, and medical centers in the Kingdom of Saudi Arabia (KSA).
This policy outlines our strict compliance with the Saudi **Personal Data Protection Law (PDPL)** enacted via **Royal Decree No. M/197** dated 25/2/1443H, its Executive Regulations, and specific electronic medical records regulations mandated by the **Saudi Ministry of Health (MOH)** and the **Council of Cooperative Health Insurance (CHI)**.
2. Operating Entity Details
DocReport KSA is operated by Be Smart Global, LLC, a Delaware Limited Liability Company (Delaware File No. 10620833). Our registered office is located at:
c/o Legalinc Corporate Services Inc.
131 Continental Dr, Suite 305
Newark, DE 19713, USA
For all regulatory, legal, or Data Protection Officer (DPO) inquiries, please reach out to our global compliance team at info@be-smart-business.de.
3. KSA Health Data Sovereignty & Zero-Trust Architecture
To strictly satisfy Saudi Arabian geographical data residency laws (which strictly prohibit patient health and medical information from being transferred outside the borders of the Kingdom of Saudi Arabia in cleartext form), DocReport KSA does not operate a standard cloud database system. Instead, we utilize a **Zero-Trust, Zero-Knowledge client-side compliance suite**:
- Local Browser-Side Redaction: Before clinical dictation text or audio is sent to our secure, sandboxed AI engines, our local scripts automatically strip all Protected Health Information (PHI) and patient-identifiable elements (such as names, national Iqama IDs, phone numbers, and dates of birth). The browser replaces this data with secure, localized tokens (e.g., `[KSA_PATIENT_NAME_1]`).
- Local Re-identification: The raw patient identities are never dispatched across our network. They are preserved strictly in the local memory of the physician's browser. The completed clinical summary is re-identified back into readable form only when returned to the local browser window.
- Zero-Knowledge Client-Side Encryption: Any clinical reports stored in the database are encrypted in your local browser using an AES-256-GCM practice-level cryptokey. This key is generated and stored strictly on your local device. Our servers only receive and store unreadable, high-entropy ciphertext. We do not have the technical ability to decrypt or read your patients' medical documentation.
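
The redaction and re-identification round trip described in the first two items can be sketched as follows. This is an added example, not DocReport KSA's code: only the `[KSA_PATIENT_NAME_n]` token format comes from this policy, while the other token names, the identifier patterns, the `knownNames` parameter and the sample note are assumptions made for illustration.

```javascript
// Added illustration, not DocReport KSA's code. Only the [KSA_PATIENT_NAME_n]
// token format is from the policy; other token names and patterns are assumed.
const PATTERNS = [
  ["KSA_PHONE", /(?:\+9665|\b05)\d{8}\b/g], // assumed: Saudi mobile formats
  ["KSA_ID", /\b[12]\d{9}\b/g],             // assumed: 10-digit national ID / Iqama
  ["KSA_DOB", /\b\d{2}\/\d{2}\/\d{4}\b/g],  // assumed: DD/MM/YYYY
];
// Constructed sample note; every identifier in it is made up.
const SAMPLE_NOTE = "Patient Ahmed Al-Harbi, Iqama 2123456789, DOB 04/11/1985, " +
  "mobile +966512345678. Ahmed Al-Harbi reports chest pain.";

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Returns the text that may leave the browser plus the token vault that must not.
function redact(text, knownNames = []) {
  const vault = new Map();  // token -> original value, kept in local memory only
  const seen = new Map();   // "KIND:value" -> token, so a repeated value reuses its token
  const counters = {};
  const tokenFor = (kind, value) => {
    const key = `${kind}:${value}`;
    if (!seen.has(key)) {
      counters[kind] = (counters[kind] || 0) + 1;
      const token = `[${kind}_${counters[kind]}]`;
      seen.set(key, token);
      vault.set(token, value);
    }
    return seen.get(key);
  };
  let out = text;
  // Names come from the locally open patient record (assumption); longest first
  // so a full name is replaced before any shorter name contained in it.
  for (const name of [...knownNames].sort((a, b) => b.length - a.length)) {
    out = out.replace(new RegExp(escapeRe(name), "gi"), () => tokenFor("KSA_PATIENT_NAME", name));
  }
  for (const [kind, re] of PATTERNS) out = out.replace(re, (m) => tokenFor(kind, m));
  return { redacted: out, vault };
}

// Restores identities in the returned summary; unknown tokens are left untouched.
function reidentify(text, vault) {
  return text.replace(/\[KSA_[A-Z_]+_\d+\]/g, (t) => (vault.has(t) ? vault.get(t) : t));
}
```

Pattern-based redaction only catches identifiers it has a pattern or a name entry for, so the outbound text should be checked for residual digits and names before it is sent.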
4. Categories of Data We Process
We process data under two distinct categories:
- Practitioner Administrative Data (Account Info): We collect the clinician's full name, professional email, billing credentials, medical license number, and clinic/hospital metadata. This is processed securely via Stripe.
- Anonymized Medical Metadata: We process anonymized clinical procedural lists, suggested CPT codes, billing values, and redacted clinical descriptions to assist in generating Nafis HL7/FHIR payloads and insurance appeals.
5. Clinical Data Retention, Erasure & MOH Overrides
Under the Saudi PDPL, data subjects typically maintain the right to request the destruction or erasure of their personal data. However, **licensed medical practices in KSA are subject to strict Ministry of Health (MOH) and Health Informatics regulations which mandate that clinical records, patient files, and SOAP notes must be preserved for a minimum of 10 to 15 years.**
Accordingly, clinical record retention mandates under MOH guidelines **supersede** standard data subject deletion requests. Subscribers are fully responsible for managing and maintaining these compliance periods within their local EHR systems. When a practitioner terminates their DocReport KSA account, all stored encrypted ciphertext blobs will be purged from our cloud servers within 30 days of subscription termination, and the practice's local cryptographic key remains solely on the practice's physical machines.
6. Rights of Data Subjects under Saudi PDPL
Licensed practitioners using the DocReport KSA platform on behalf of their practices have the following rights regarding their administrative profiles:
- Right to Know: The right to be informed about the legal basis and purposes of data processing.
- Right of Access: The right to request a copy of their account administrative records.
- Right to Rectification: The right to update or correct inaccurate administrative details.
- Right to Withdraw Consent: The right to withdraw consent for marketing or auxiliary data processing.
© 2026 Be Smart Global, LLC. All rights reserved.