Privacy Policy

Effective date: 23 April 2026

Version: 1.0

Data controller: OnePrefix for Integrated Solutions ("OnePrefix", "we", "our", "us"), an Egyptian company, operating the ERPGear platform at erpgear.com.

Contact: info@erpgear.com


1. Introduction

This Privacy Policy explains how OnePrefix collects, uses, shares, and protects personal data when you use ERPGear (the "Service"), including our web platform, mobile application, APIs, and related services.

We are committed to protecting personal data in accordance with:

  • Egypt: Law No. 151 of 2020 (Personal Data Protection Law, "Egyptian PDPL")
  • Saudi Arabia: Personal Data Protection Law ("KSA PDPL")
  • UAE: Federal Decree-Law No. 45 of 2021 on Personal Data Protection
  • Other GCC countries: respective national data protection laws
  • EU/EEA: General Data Protection Regulation (GDPR), where applicable

2. Scope of this Policy

This Policy applies to:

  • Tenants: businesses subscribing to ERPGear
  • Authorized users: employees and agents of tenants who access the Service
  • Mobile application users: individuals using the ERPGear mobile app (including field sales reps, drivers, warehouse staff)
  • Website visitors: people who visit erpgear.com or oneprefix.com
  • Data subjects within tenant data: individuals whose personal data tenants process through the Service (employees, customers, suppliers, contacts)

3. Our role under data protection law

3.1 When we are a data controller

We act as a data controller for:

  • Personal data of tenants, authorized users, and mobile app users (account information, billing information, support communications, mobile app identifiers)
  • Personal data of website visitors (cookies, analytics)
  • Personal data of prospects and job applicants

For this data, we decide how and why it is processed, and we are directly responsible to data subjects.

3.2 When we are a data processor

We act as a data processor for:

  • Personal data of employees, customers, suppliers, and contacts that tenants upload, create, or generate through the Service (HR records, customer profiles, supplier data, invoices, etc.)
  • Financial data, tax records, and transactional data of a tenant's business

For this data, the tenant is the data controller. We process it only on the tenant's instructions, in accordance with our Terms of Service and any Data Processing Addendum (DPA) in place.

If you are an individual whose data has been processed by a tenant (e.g., an employee of a business using ERPGear, or a customer whose invoice was generated through ERPGear), and you have questions or requests about your data, please contact that tenant directly. We can forward requests on your behalf if direct contact is not possible.

4. What personal data we collect

4.1 Data you provide directly (as tenant/user)

  • Account data: name, email, phone number, company name, commercial registration, tax/VAT registration number, job title, password (hashed)
  • Billing data: billing address, tax ID, payment card metadata (last 4 digits and expiry — full card details are handled by our payment processors)
  • Communication data: messages sent to our support team, support tickets, survey responses
  • Profile data: profile picture, language, timezone, preferences
  • Verification documents: where required for compliance, we may receive copies of identification documents, commercial registration certificates, or tax certificates

4.2 Data collected automatically (web and mobile)

  • Usage data: features used, timestamps, session duration, query parameters
  • Device data: IP address, browser type and version, operating system, device model, device identifiers
  • Location data (GPS): when mobile app location permission is granted, for van-sales routing, field check-in/check-out, and delivery tracking
  • Camera/photos: for barcode scanning, delivery proof capture, document upload (images are uploaded to the Service)
  • Bluetooth device identifiers: for pairing with thermal printers (Sunmi devices etc.)
  • Push notification tokens: to deliver notifications about orders, approvals, and alerts
  • App version and diagnostics: to provide support and improve the app
  • Cookies and similar technologies: see Section 11

4.3 Data from third parties

  • Payment processors: transaction status and limited billing information
  • Authentication providers: if you sign in via Google, Microsoft, or another provider, we receive basic profile info
  • Tax authorities (ZATCA, ETA, etc.): transmission status of invoices, acceptance codes, rejection reasons, and related regulatory responses

4.4 Customer Data (tenant-controlled)

The Service processes personal data that tenants upload, create, or generate. This may include, depending on the tenant's use:

  • Employee records: names, national ID numbers, contact details, salary, bank account, leave balances, performance data
  • Customer data: names, addresses, contact details, purchase history, outstanding balances, tax IDs
  • Supplier data: names, addresses, contact details, tax IDs, payment terms
  • Financial and transactional data: invoices, purchase orders, payments, journal entries, tax calculations
  • Inventory data: stock levels, movements, serial numbers
  • Documents and files: contracts, PDFs, images, reports

We process Customer Data as a data processor on the tenant's instructions. We do not control the categories of personal data tenants choose to collect.

5. How we use personal data

5.1 For tenants and users (as controller)

We process your personal data to:

  • Provide, operate, and maintain the Service
  • Authenticate you and secure your account
  • Process payments and send invoices
  • Communicate about service updates, security notices, and product changes
  • Provide customer support and training
  • Improve the Service through analytics and user research
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Comply with legal obligations, including tax, accounting, regulatory, and anti-money-laundering requirements
  • Send marketing communications (where you have consented or where permitted by law), with an option to opt out at any time

5.2 For mobile app users

In addition to the above, for mobile app users we process data to:

  • Enable offline data entry and sync when connectivity is restored
  • Provide GPS tracking and check-in features (only where enabled by the tenant and with device permission)
  • Send push notifications about orders, approvals, and alerts
  • Connect to thermal printers via Bluetooth
  • Diagnose app crashes and performance issues

5.3 For Customer Data (as processor)

We process Customer Data solely:

  • To provide the Service to the tenant
  • As directed by the tenant through the Service's features
  • To transmit invoice data to ZATCA, Egyptian Tax Authority, or equivalent regulators at tenant direction
  • For security monitoring, backup, and abuse prevention
  • To comply with legal obligations

We do not use Customer Data for our own commercial purposes, for advertising, or to train AI models. We do not access Customer Data except as necessary to operate the Service or upon tenant request for support.

6. Legal basis for processing

Where applicable data protection law requires us to identify a legal basis, we rely on:

  • Contract: to provide the Service you requested
  • Legitimate interest: to improve our Service, prevent fraud, ensure security, send service-related communications, and defend legal claims
  • Consent: for marketing communications, non-essential cookies, mobile app permissions (camera, location, etc.), and other processing where consent is the required basis
  • Legal obligation: to comply with tax, anti-money-laundering, regulatory, and law enforcement requirements
  • Vital interests (rare): to protect the life or physical safety of a person

You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. How we share personal data

We share personal data only with the following categories of recipients:

7.1 Service providers (sub-processors)

We use trusted third-party providers to help us operate. These include:

  • Cloud hosting and infrastructure: providing server, database, storage, and network services
  • Payment processing: payment gateway providers
  • Email delivery: transactional email providers
  • Push notification delivery: for mobile app notifications
  • Analytics and crash reporting: to understand usage and diagnose issues
  • Customer support tooling: help desk and support platforms
  • Map and location services: for location-based features in the mobile app
  • Regulatory integrations: ZATCA, Egyptian Tax Authority, and equivalent platforms (for invoice transmission as directed by tenants)

A current list of sub-processors is available upon request at info@erpgear.com.

7.2 Tenants (where relevant)

If you are an individual whose data has been uploaded to the Service by a tenant (e.g., as an employee or customer), the tenant has access to your data as part of their use of the Service.

7.3 Tax authorities and regulators

Where the Service is used for e-invoicing or regulatory reporting, invoice data and related records are transmitted to the relevant tax authority (e.g., ZATCA Fatoora in Saudi Arabia) at the direction of the tenant.

7.4 Legal and regulatory recipients

We may disclose personal data when required by law, court order, or government request, or to protect the rights, property, or safety of OnePrefix, our tenants, their users, or the public.

7.5 Business transfers

If OnePrefix undergoes a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will provide notice if material changes to the Privacy Policy result.

7.6 We do not sell personal data

We do not sell personal data to third parties.

8. International data transfers

OnePrefix is based in Egypt, with services primarily delivered through data centers in the Middle East / North Africa (MENA) region, including Egypt and the GCC. Through our sub-processors, some processing may occur in countries outside your jurisdiction, including the United States, Ireland, India, and elsewhere.

Where required by law:

  • For transfers outside Egypt, we apply safeguards consistent with Egyptian PDPL (Law No. 151 of 2020) and implementing regulations
  • For transfers outside Saudi Arabia involving KSA tenants, we apply safeguards consistent with KSA PDPL requirements for cross-border transfers
  • For transfers outside the EU/EEA of data subject to GDPR, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission

Tenants with specific data residency requirements may contact info@erpgear.com to discuss enterprise data residency options.

9. Data retention

We retain personal data only as long as necessary for the purposes described in this Policy, or for longer periods where required by law:

  • Account data: for the duration of your subscription + a reasonable period after termination (typically 12 months) for legal and operational reasons
  • Billing and tax records: for the period required by Egyptian tax law (generally 5 years) and applicable local tax laws
  • Customer Data (tenant-controlled): according to tenant instructions; upon account termination, Customer Data is deleted within 60 days from the date of termination request unless the tenant requests earlier deletion or legal retention applies
  • Invoices and financial records (where we act as processor): retained for statutory periods under tax law even after tenant termination (typically 5-10 years depending on jurisdiction)
  • Support and communication logs: 2 years
  • Mobile app diagnostic data: 90 days rolling window
  • GPS location data: retained as long as necessary for the specific feature (typically the active period plus 12 months for audit trail, unless tenant configures otherwise)
  • Marketing data: until consent is withdrawn or you unsubscribe
  • Cookies: per the retention period set in our cookie banner and your browser settings

After retention periods end, data is deleted or anonymized.

10. Your rights

Depending on your location, you may have the following rights:

  • Right to access: request a copy of the personal data we hold about you
  • Right to rectification: ask us to correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"): ask us to delete your personal data, subject to legal retention obligations (note: tax and financial records are subject to statutory retention)
  • Right to restrict processing: ask us to limit how we use your data in certain circumstances
  • Right to data portability: receive your data in a structured, commonly used format (you can also export most of your data directly through the Service's export features)
  • Right to object: object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time
  • Right to lodge a complaint: with your local data protection authority (see Section 16)

To exercise any right, contact us at info@erpgear.com. We will respond within 30 days (extendable under law for complex requests).

If you are an individual whose data is processed by a tenant (e.g., employee, customer, supplier), exercise your rights by contacting the tenant directly. If that is not possible, contact us and we will forward your request.

11. Cookies, trackers, and mobile app identifiers

11.1 Cookies (web)

We use cookies and similar technologies to:

  • Keep you signed in
  • Remember preferences and language
  • Secure the Service (e.g., CSRF protection)
  • Analyze usage and performance
  • Deliver relevant marketing (where you have consented)

Types of cookies we use: Strictly necessary (required for the Service to function), Functional (remember your settings), Analytics (help us understand how the Service is used), Marketing (only with your consent).

11.2 Mobile app identifiers

The mobile application may use:

  • Device identifiers (e.g., advertising ID, install ID): for crash reporting, analytics, and license verification
  • Push notification tokens: for delivering notifications
  • App performance SDKs: for diagnostics

You can control these through your device settings (e.g., "Reset advertising ID", "Limit ad tracking").

11.3 Your choices

You can control cookies through our cookie banner (where shown) or your browser settings. You can control mobile app permissions through device settings. Disabling strictly necessary items may affect Service functionality.

12. Security

We implement technical and organizational measures to protect personal data, including:

  • Encryption in transit (HTTPS/TLS) and at rest for sensitive data
  • Role-based access controls following the principle of least privilege
  • Regular security audits, penetration tests, and vulnerability assessments
  • Incident detection, response, and notification procedures
  • Vendor due diligence for sub-processors
  • Employee training on data protection and confidentiality
  • Secure development practices and code review
  • Backup and disaster recovery processes

No system is completely secure. If we experience a data breach that is likely to result in a risk to affected individuals, we will notify affected parties and the relevant authorities as required by law.

13. Children's privacy

The Service is intended for business use and is not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact info@erpgear.com and we will delete it.

14. Automated decision-making

We do not make decisions with significant legal or similar effects on you based solely on automated processing, including profiling.

Individual tenants may configure the Service to perform automated approvals, credit checks, or other decisions within their own business processes. Where a tenant configures automated decision-making, the tenant (as data controller) is responsible for complying with applicable data protection law, including providing notice and enabling human review where required.

15. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices, the Service, or the law. We will notify tenants of material changes by email or in-product notice at least 30 days before they take effect. Where changes affect end-user rights, a notification will be given through the Service.

Continued use of the Service after changes take effect constitutes acceptance.

16. Complaints

If you have concerns about how we handle your personal data, please first contact us at info@erpgear.com so we can try to resolve your concerns directly.

You also have the right to lodge a complaint with:

  • Egypt: the Egyptian Personal Data Protection Center (PDPC), once fully operational under Law No. 151 of 2020
  • Saudi Arabia: the Saudi Data and Artificial Intelligence Authority (SDAIA) — the regulator under KSA PDPL
  • United Arab Emirates: the UAE Data Office
  • Other GCC countries: the respective national data protection authority
  • European Economic Area: your national data protection authority
  • Other jurisdictions: the relevant data protection authority where you reside

17. Contact

For privacy-related questions, requests, or data subject rights:

وان بريفكس للبرمجيات وللحلول التكنولوجية

OnePrefix for Integrated Solutions

Egypt

info@erpgear.com

info@oneprefix.com

For data processing inquiries from enterprise tenants (including requests for a Data Processing Addendum), please specify this in your email.


Last updated: 23 April 2026