How we handle your information.

Etqan Books collects information you give us directly: business details, financial documents (receipts, invoices, bank statements), email, phone number, and anything else you send through the portal or via WhatsApp.

We use this information solely to deliver bookkeeping services for you. We do not sell your data, share it with advertisers, or use it to train AI models.

Documents are stored on Google Firebase. Sensitive financial data is encrypted in transit (HTTPS) and at rest by the cloud provider.

You can request a full export or permanent deletion of your data at any time by emailing your account manager. We retain records for 7 years to comply with Saudi tax-record retention norms unless you specifically request earlier deletion.

We comply with Saudi Arabia's Personal Data Protection Law (PDPL). If you believe your data has been mishandled, contact us first; you may also file a complaint with the Saudi Data & AI Authority (SDAIA).

By using Etqan Books, you agree we'll perform bookkeeping work on your behalf based on the documents and information you provide. The accuracy of your books depends on the completeness of what you send — we'll flag missing items but can't fabricate transactions.

Fees, scope, and turnaround are set in your service agreement. Either party can end the engagement with 30 days' notice. We hand over a clean export of your books on departure regardless of who initiated.

We're a bookkeeping firm, not licensed tax advisers, lawyers, or auditors. Any tax filing or legal positioning is the client's own decision. We are not currently licensed for ZATCA Phase 2 e-invoicing on your behalf.

We're liable for our own errors up to the fees you've paid us in the prior 12 months. We're not liable for losses caused by your delays in providing information, third-party software outages, or events outside our reasonable control.

Authentication: every account uses email + password with rate limiting and password-reset flows. Sessions expire after 7 days of inactivity.

Access control: role-based custom claims (admin / company) and per-document Firestore security rules ensure a client only ever sees their own data.

Audit trail: every meaningful action (document verified, report delivered, invoice issued) is logged with the actor's identity and timestamp; exports available on request.

Backups: Firestore data is backed up by Google's infrastructure with weekly snapshots exported to separate cold storage.

Reporting a vulnerability: email the team and we'll respond within 2 business days.