Privacy Policy — PageSense

Who We Are

PageSense is an AI-powered enterprise document intelligence platform developed and operated by Empowering Energy (trading as ESAP AI) (CR No. [Insert CR Number]). We help organizations upload, extract, index, and query their enterprise documents with evidence-backed sources — bilingual Arabic and English, at scale.

Our Role: Data Processor

PageSense operates exclusively in a B2B enterprise context. Your organization is the Data Controller — you determine which documents are uploaded and who uses the platform. Empowering Energy (trading as ESAP AI) acts solely as a Data Processor, processing document data only on your organization's behalf and strictly under your documented instructions.

Data Sensitivity Notice

Unlike voice-processing platforms, PageSense does not inherently collect Sensitive Personal Data. However, the documents your organization uploads may contain personal or sensitive data — such as HR records, financial statements, contracts with personal details, medical documents, or government forms. The sensitivity classification depends entirely on the content your organization uploads.

Your organization, as Data Controller, is responsible for:

Classifying documents by sensitivity before upload (Public, Internal, Confidential, Restricted).
Ensuring all documents are lawfully held and authorized for AI processing.
Informing Data Subjects whose personal data appears in uploaded documents, where required by PDPL.

What Data We Process

Uploaded Document Content: PDF, JPG, and PNG files containing enterprise documents (contracts, policies, reports, records, forms).
OCR-Extracted Text: Text extracted from documents using AI-powered OCR engines (Classic PaddleOCR, Qwen VL 2B/9B, DeepSeek, Chandra).
Vector Embeddings: Numerical vector representations of document chunks generated using BGE-M3 models, stored in Qdrant and/or PGVector databases.
User Queries: Natural language questions submitted by authorized users about document content in Arabic and/or English.
AI-Generated Answers: LLM-generated responses with page-level citations and source references.
Document Metadata: File names, page counts, processing status, language, upload timestamps, chunk counts, OCR engine used.
User Account Data: Names, emails, job titles, company affiliation, access roles (Admin, Client Admin, Client Main).
Usage and Analytics Data: Login timestamps, queries submitted, documents accessed, session durations.

Why We Process Your Data

Purpose	Lawful Basis
Document ingestion, OCR extraction, and indexing	Performance of contract
AI-powered question-answering and retrieval	Performance of contract
User authentication and role-based access	Performance of contract
Platform security and unauthorized access prevention	Legitimate interest
Service quality improvement and analytics	Legitimate interest
Legal and regulatory compliance	Legal obligation

We never process data for advertising, profiling, or any purpose outside the contracted scope.

How We Use AI

PageSense uses AI for OCR text extraction, vector embedding generation, semantic retrieval, and grounded question-answering.
All AI-generated answers are assistance tools — not final records, legal interpretations, or binding conclusions.
Every AI output includes page-level citations so users can verify against original source documents.
AI answers should always be reviewed against the original document before use in formal decisions.
We do not use your organization's documents, extracted text, or queries to train AI models without explicit written consent.
We maintain full documentation of OCR engines, embedding models, retrieval algorithms, and LLM providers used.

Data Sharing and Sub-Processors

Provider	Purpose	Location
Cloud Hosting Provider	Infrastructure, storage, and compute	USA
LLM Provider (e.g., Google Gemini)	AI question-answering and response generation	USA
Vector Database Provider (e.g., Qdrant)	Vector storage and semantic retrieval	USA
Analytics Platform	Anonymous usage analytics	USA

30 days' advance notice for any sub-processor changes. Right to object included.

Cross-Border Data Transfers

SDAIA-approved Standard Contractual Clauses (SCCs).
Completed Transfer Risk Assessments filed with NDMO.
Encrypted transmission and storage at all international points.
Contractual prohibition on secondary use.

Your Organization's Rights Under PDPL

Access: Copy of all personal data held (documents, extracted text, queries, answers).
Correction: Fix inaccurate metadata or document information.
Deletion: Specific documents, all extracted text and associated embeddings, or all data.
Portability: JSON or PDF export.
Objection: Object to processing not in DPA.
Restriction: Restrict processing during dispute.
Audit: Evidence of PDPL compliance.

Contact: privacy@esap.ai — Response within 30 days.

Data Retention

Data Type	Retention Period
Uploaded documents (original files)	Duration of contract, then deleted on termination
OCR-extracted text	Contract duration + 6 months
Vector embeddings	Contract duration + 6 months
User query logs	12 months
AI-generated answers and citations	12 months
Document metadata	Contract duration + 1 year
User account data	Contract duration + 1 year
Security and access logs	6 months

30-day data export window on termination. Permanent deletion confirmed in writing.

Data Security

AES-256 encryption at rest for all documents, extracted text, and embeddings.
TLS 1.3 encryption in transit.
Multi-tenant data isolation — each Client's document collections and embeddings are fully separated.
Role-based access controls with three distinct levels (Admin, Client Admin, Client Main).
Vector database access is restricted to authorized application services only.
Regular security audits and vulnerability assessments.
72-hour SDAIA breach notification and immediate client notification.

Contact and Complaints

Empowering Energy — Data Privacy Team.

privacy@esap.ai · rag.esap.ai/privacy

Complaints may be directed to SDAIA at sdaia.gov.sa.