Last updated: June 2, 2026
SuitsIndex ("we," "us," or "our") is committed to protecting the privacy of our users and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) where it applies. This Privacy Policy explains what personal data we collect, why we collect it, our legal bases for processing, how long we keep data, which third parties process data on our behalf, and your rights.
1. Data Controller and Data Protection Contact
For the purposes of GDPR and other applicable privacy laws, the data controller is:
SuitsIndex (operated by Zarafah Technologies)
Zahran Street, Amman, 11183, Jordan
Data Protection contact — for all privacy enquiries, data subject rights requests, and GDPR-related matters, contact:
Email: info@suitsindex.com (subject line: "Data Protection")
Phone: +962 79 690 690 1
Postal address: Zahran Street, Amman, 11183, Jordan
We will respond to data subject requests within one (1) month, as required by GDPR, unless an extension is permitted by law.
2. Roles: Controller and Processor
When we act as data controller: We determine how and why we process personal data relating to account holders, website visitors, billing contacts, and individuals who contact us directly.
When we act as data processor: When you use SuitsIndex to store client, case, court, or matter information, your law firm or organization is the data controller for that information, and we process it on your behalf under our Data Processing Agreement (DPA). You must have a valid lawful basis before storing any personal data in the application.
3. What We Collect and Why
The table below lists the personal data we collect, why we collect it, and whether it is required.
| Data category | Examples | Why we collect it |
|---|---|---|
| Account and identity data | Name, email, phone number, organization name, job title, login credentials | To create and manage your account, authenticate you, and provide the SuitsIndex service |
| Billing and payment data | Billing address, subscription plan, transaction records | To process subscriptions, invoices, and payment for paid plans |
| Client and case data (uploaded by you) | Client names, contact information, case details, court records, documents, correspondence | To enable law firm case management, document storage, billing, and reporting features you use |
| WhatsApp messaging data (when feature enabled) | Client phone numbers, message content about case progress | To send WhatsApp notifications to your clients about their case status, as configured by your firm |
| Communications data | Name, email, subject, and message from our contact form or support requests | To respond to your enquiries and provide customer support |
| Service and usage data | IP address, browser type, device information, log files, pages visited, feature usage | To operate, secure, and improve the platform; detect fraud and troubleshoot issues |
| Cookies and similar technologies | Session identifiers, preference settings, analytics data (where enabled) | To keep you logged in, remember settings, and understand site usage (see Section 10) |
We do not sell personal data. We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
4. Legal Basis for Processing (GDPR)
Under GDPR, we may only process personal data when a valid legal reason exists. The table below maps each data category to our lawful basis when we act as data controller.
| Data category | Legal basis (GDPR Art. 6) | Explanation |
|---|---|---|
| Account and identity data | Performance of a contract (Art. 6(1)(b)) | Necessary to provide the service you signed up for |
| Billing and payment data | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) | Necessary to process payments and meet tax/accounting obligations |
| Client and case data (uploaded by you) | Determined by your organization as Controller | We process on your instructions only; you must have your own lawful basis (contract, legal obligation, legitimate interests, or consent) |
| WhatsApp messaging data | Performance of a contract (Art. 6(1)(b)) on our part; your organization must have a lawful basis as Controller | Necessary to deliver the WhatsApp notification feature you enable for your clients |
| Communications data | Legitimate interests (Art. 6(1)(f)) or performance of a contract (Art. 6(1)(b)) | To respond to your enquiries and support requests |
| Service and usage data | Legitimate interests (Art. 6(1)(f)) | Platform security, fraud prevention, and service improvement |
| Marketing communications | Consent (Art. 6(1)(a)) | Only where you have opted in; you may withdraw consent at any time |
| Non-essential cookies | Consent (Art. 6(1)(a)) | Where required by law before placing non-essential cookies |
If you are a law firm using SuitsIndex, you must not store client names, contact details, or case information unless your organization has documented a valid lawful basis. When that legal reason no longer applies, you must delete or anonymize the data.
5. Third-Party Processors
We use trusted third-party service providers ("processors" or "sub-processors") to help operate SuitsIndex. They may only process personal data on our instructions and must protect it under contractual obligations consistent with GDPR.
Microsoft Corporation (Microsoft Azure)
What they process: All data stored in and transmitted through the SuitsIndex application, including account data, client/case data, documents, and logs
Why: Cloud hosting, storage, backups, and infrastructure for the application
Location: Data may be processed in Azure regions configured for our deployment
Privacy information: Microsoft Privacy Statement
Meta Platforms / WhatsApp (WhatsApp Business Platform)
What they process: Client phone numbers and message content when your firm uses the WhatsApp case-update feature
Why: To deliver WhatsApp notifications to your clients about case progress
Location: Data may be processed in countries where Meta/WhatsApp operates
Privacy information: WhatsApp Privacy Policy | Meta Privacy Policy
We may also use processors for payment processing and email delivery. A full list of sub-processors relevant to client/case data is maintained in our Data Processing Agreement. We will update this policy if we add or change material processors.
6. How We Share Information
Beyond the processors listed above, we may share personal data with professional advisers (lawyers, auditors), authorities when required by law, or successors in a merger or acquisition. We do not sell personal data.
7. Data Retention Periods
Under GDPR Article 5(1)(e) (storage limitation), we keep personal data only for as long as necessary for the purposes described in this policy and while a valid lawful basis still exists. The periods below are maximum retention periods for active systems unless a longer period is required by law, for the establishment, exercise, or defence of legal claims, or for unresolved disputes.
When retention ends, we delete or anonymize personal data. Erasure requests may be refused only where GDPR Article 17(3) permits continued retention (for example, compliance with a legal obligation or legal claims).
| Data category | Retention period | Lawful basis for retention |
|---|---|---|
| Account and identity data | For the duration of your active account, plus up to 30 days after account closure on active systems | Contract (Art. 6(1)(b)); legitimate interests for brief post-closure wind-down (Art. 6(1)(f)) |
| Billing and payment records | For the period required by applicable tax, accounting, and commercial law (typically at least 2 years and up to 7 years depending on jurisdiction), and no longer than necessary | Legal obligation (Art. 6(1)(c)); contract (Art. 6(1)(b)) |
| Client and case data (uploaded by you) | For the duration of your subscription while you retain it; deleted from active systems within 90 days of a verified deletion request or account termination, unless you export it sooner | Processed on your instructions as Controller; we retain only as long as needed to provide the service |
| WhatsApp messaging data | On our systems: only for the time needed to send the message and maintain delivery records (up to 30 days). Once sent, message data is processed by Meta/WhatsApp under their own retention policies | Contract (Art. 6(1)(b)); your organization must have a separate lawful basis as Controller |
| Contact form and support communications | Up to 2 years from the date of the enquiry, unless an open support case, dispute, or legal claim requires longer retention | Legitimate interests (Art. 6(1)(f)); contract (Art. 6(1)(b)) |
| Service logs and usage data | Up to 12 months, unless a security investigation, incident, or legal compliance requires longer retention | Legitimate interests (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)) |
| Backup copies | Up to 90 days after deletion from active systems, after which backups are overwritten in the normal course. Account or other data may therefore persist in backups for up to 90 days after active-system deletion | Legitimate interests for disaster recovery and security (Art. 6(1)(f)) |
Important: We delete data when it is no longer needed for its original purpose unless another lawful basis requires continued retention. Billing records in particular may be kept longer than other categories because tax and accounting laws often require extended retention. As data controller for client and case data, your law firm is responsible for defining when that data must be deleted based on your own lawful basis and professional obligations.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data, including hosting on Microsoft Azure, access controls, authentication, encryption in transit (TLS/SSL), backups, and monitoring. No method of transmission or storage over the internet is completely secure.
9. International Data Transfers
Personal data may be processed in Jordan and in other countries where our processors operate, including outside the EEA and UK. Where GDPR requires safeguards, we rely on Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms. Contact our Data Protection contact for more information.
10. Cookies and Similar Technologies
We use strictly necessary cookies for login and security, functional cookies for preferences, and analytics cookies where enabled and permitted by law. You can manage cookies through your browser settings. Non-essential cookies require consent where required by law.
11. Your Rights
If you are in the EEA, UK, or a jurisdiction with similar rights, you have the following rights regarding personal data we control:
Right of access — request a copy of the personal data we hold about you and information about how we process it.
Right to erasure — request deletion of your personal data where there is no compelling reason for us to continue processing it. We may refuse erasure where GDPR Article 17(3) applies, including where retention is necessary for compliance with a legal obligation (such as tax records), the establishment, exercise, or defence of legal claims, or other permitted exceptions.
Right to data portability — receive personal data you provided to us in a structured, commonly used, machine-readable format, and request transfer to another controller where processing is based on consent or contract and carried out by automated means.
You also have the right to rectification (correct inaccurate data), restriction of processing, objection to processing based on legitimate interests or for direct marketing, and withdrawal of consent where processing is based on consent.
How to exercise your rights: Email info@suitsindex.com with the subject line "Data Subject Request" and describe your request. We may ask you to verify your identity. We respond within one (1) month.
If you are a client of a law firm using SuitsIndex: Your law firm is likely the data controller for your client/case data. Contact them first to exercise your rights. We will assist them as processor where required under our DPA.
Right to complain: You may lodge a complaint with a supervisory authority in your country of residence, place of work, or place of alleged infringement.
12. California Privacy Rights (CCPA)
California residents may have rights to know, delete, and opt out of the sale of personal information. We do not sell personal information. Contact our Data Protection contact to exercise CCPA rights.
13. Children's Privacy
Our services are for professional users and are not directed at children under 16. We do not knowingly collect personal data from children. Contact us if you believe a child has provided data and we will delete it.
14. Third-Party Links
Our website may link to third-party sites. We are not responsible for their privacy practices.
15. Do Not Track Signals
We do not currently respond to "Do Not Track" browser signals.
16. Changes to This Privacy Policy
We may update this policy from time to time. Material changes will be posted here with an updated date. Where required by law, we will provide additional notice.
17. Contact Us
For privacy questions or to exercise your rights, contact our Data Protection contact:
Email: info@suitsindex.com
Address: Zahran Street, Amman, 11183, Jordan
Phone: +962 79 690 690 1
Related documents: Terms of Service | Data Processing Agreement