Privacy Policy

Last updated: 5 July 2026

This is a starting template aligned to UAE Federal Decree-Law No. 45 of 2021 (PDPL). Please have it reviewed by a qualified lawyer before relying on it.

This Privacy Policy explains how Sash ("we", "us") handles personal data in connection with the Sash HRMS platform, websites and mobile apps (the "Service").

Our two roles

As a controller for our own business contacts — e.g. sign-up leads, account admins, and website visitors. As a processor for the employee HR data that our customers put into the Service; that data is controlled by the customer (the employer), and we process it on their instructions.

Data we handle

How we use it

To provide, secure and improve the Service; to create and manage accounts; to send transactional emails (verification, password resets, notifications); to provide support; to bill for the Service; and to comply with legal obligations.

Sharing & sub-processors

We do not sell personal data. We use trusted providers to run the Service, including: Hetzner (cloud hosting), Cloudflare (DNS/security/email routing) and Resend (transactional email). These providers process data only to provide their service to us.

Retention

We keep Customer Data for as long as the account is active. After a trial or subscription ends, data is retained during a grace/read-only period and then, for accounts that remain unpaid, permanently deleted after approximately 120 days (with prior warning emails). Customers can request export or deletion at any time.

Security

We use encryption in transit (HTTPS), access controls, per-tenant data isolation, hashed passwords, and an immutable audit log. No system is perfectly secure, but we take reasonable measures to protect data.

Your rights

Subject to applicable law (including the UAE PDPL), you may request access to, correction of, or deletion of your personal data, and may object to or restrict certain processing. For employee HR data, please contact your employer (the controller); we will support them in responding. For our own controller data, contact us below.

International transfers

Our servers may be located outside the UAE (currently in the EU). Where data is transferred across borders, we take steps to ensure an appropriate level of protection. Customers who require in-country hosting can request an on-premise or UAE-region deployment.

Cookies

The app uses only essential browser storage needed to keep you signed in and remember preferences. The marketing site uses minimal, essential cookies.

Changes & contact

We may update this policy and will notify material changes. Questions or requests: info@sasherp.com.

← Back to homeTerms of Serviceinfo@sasherp.com