Privacy Policy

Your privacy matters. This policy explains what data MICO360 collects, how we use it and the rights you have over it — governed by the laws of the Sultanate of Oman.

1. Overview

MICO360 ("we", "us", "our"), operated by Prolens Projects LLC, a company registered in the Sultanate of Oman, takes commercially reasonable steps to protect personal data we receive. This Privacy Policy explains what we collect, how we use it and what choices you have when using the MICO360 platform, websites, mobile applications and related services (collectively, the "Service").

In plain English: We collect only what we need to run the platform and we never sell your data. The Service is provided "as is" with no responsibility for any data accuracy, business decision or downstream use — please see our Terms & Conditions for the binding disclaimers, limitation of liability, governing law and indemnities. By using the Service, you accept the allocation of risk set out in those Terms and in this Policy.

This Policy is issued in the English language. In the event of any conflict between this Policy and any translation, the English version shall prevail to the maximum extent permitted by applicable law.

2. Scope, controllers & processors

This Policy applies to our websites (including mico360.com), mobile applications and all services we operate. We make the following clear allocation of roles, which the customer expressly accepts:

  • Customer-uploaded data (employee records, payroll, HR documents, etc.): MICO360 acts strictly as a data processor on behalf of the customer, who is and remains the data controller and is solely responsible for the lawful basis, accuracy, consent collection, employee notices and onward use of such data under the laws of its own jurisdiction.
  • Visitor, prospect and account-holder data: we act as the controller only to the extent strictly necessary to operate the website, deliver the Service and respond to enquiries.

Where MICO360 is a processor, the customer warrants that it has obtained all necessary consents, notices and lawful bases under Sultani Royal Decree No. 6/2022 (Oman Personal Data Protection Law) and any other applicable laws of its operating jurisdiction (including but not limited to UAE Federal Decree-Law No. 45/2021, KSA Personal Data Protection Law issued by Royal Decree M/19 of 2021, Bahrain Law No. 30/2018, Qatar Law No. 13/2016 and Kuwait Data Privacy Protection Regulation 2021) before submitting personal data to the Service.

3. Data we collect

3.1 Data you give us

  • Account data: name, email, phone, company, role, password (hashed and salted).
  • Billing data: billing address, VAT/tax registration number, payment method (processed by our payment provider — we do not store full card numbers).
  • Support data: messages, attachments and screenshots you send us.
  • Customer content: employee records, payroll data, documents, attendance logs, certificates, inspection records and other information uploaded by customers and their authorised users.

3.2 Data we collect automatically

  • Device & browser information, IP address, time zone, pages viewed, referring URL.
  • Log data, error traces, security events and product analytics events.
  • Cookies and similar technologies (see section 8).

3.3 Data from third parties

We may receive data from integration partners (e.g., banks, biometric devices, accounting tools, identity providers) when you choose to connect them. MICO360 has no responsibility for the accuracy, lawfulness or privacy practices of those third-party sources.

4. How we use your data

We use personal data to:

  • Provide, secure, maintain, improve and operate the Service.
  • Process transactions, issue invoices and handle taxes (including VAT under Royal Decree 121/2020).
  • Communicate product updates, security notices and support replies.
  • Send marketing emails (only with your consent — you can opt out any time).
  • Detect fraud, debug bugs, prevent abuse and improve product performance.
  • Comply with legal, tax, regulatory and law-enforcement obligations of the Sultanate of Oman and any other jurisdiction whose laws apply to our operations.

We process personal data on the following lawful bases recognised under Sultani Royal Decree No. 6/2022 (Oman Personal Data Protection Law) and equivalent GCC privacy laws:

  • Performance of contract — to provide the Service you have requested.
  • Legitimate interests — to operate, secure and improve the platform, prevent fraud and recover debts.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering, sanctions screening and other statutory duties under the laws of the Sultanate of Oman and other applicable jurisdictions.
  • Consent — for marketing communications and any optional features; you may withdraw consent at any time without affecting prior lawful processing.

The customer is solely responsible for identifying the correct lawful basis under its own jurisdiction's labour, payroll, social-insurance and data-protection laws (including, where applicable, Oman Labour Law issued by Royal Decree 53/2023) for any employee or third-party data it processes through the Service.

6. Customer responsibilities

The customer acknowledges and agrees that, as data controller for any personal data uploaded to the Service, it bears sole responsibility for:

  • Providing all required employee privacy notices and obtaining all consents required by Oman PDPL or any other applicable national law before uploading personal data.
  • The accuracy, completeness, legality and quality of all Customer Content.
  • Configuring the Service (including roles, permissions, retention and integrations) appropriately for its own compliance obligations.
  • Securing access credentials issued to its users; MICO360 bears no responsibility for misuse of credentials shared, lost or compromised by the customer or its users.
  • Honouring data-subject rights requests from its own employees, contractors or job applicants; MICO360 will assist as a processor on reasonable written request.
  • Reporting any personal-data breach it becomes aware of to MICO360 and to the competent regulator within the statutory timeline of its jurisdiction.

The customer indemnifies MICO360 against any claim arising out of its failure to discharge these responsibilities, as further set out in our Terms & Conditions.

7. Sharing & sub-processors

We do not sell personal data. We share it only with carefully vetted sub-processors that help us run the Service, including cloud hosting, email delivery, analytics and payment processing. A current list of sub-processors is available on request at info@mico360.com. By using the Service, the customer is deemed to have given general written authorisation to engage these sub-processors; MICO360 will give reasonable notice of material changes.

We may also disclose data:

  • When required by a court order, regulator or other lawful authority of the Sultanate of Oman or any other jurisdiction whose laws apply.
  • To comply with sanctions, anti-money-laundering, counter-terrorism financing or export-control requirements.
  • To protect the rights, property, safety or interests of MICO360, our users or the public.
  • In connection with a merger, acquisition, financing, reorganisation or sale of all or part of our business, subject to confidentiality protections.

8. Cookies & tracking

We use a small number of cookies and similar technologies to run the site and remember your preferences (e.g., theme, language). You can clear or block these at any time from your browser settings. Blocking essential cookies may impair certain features.

9. Data retention

We keep personal data only for as long as needed to deliver the Service and comply with legal obligations:

  • Active accounts: for the life of the subscription.
  • Customer content after cancellation: 90 days, then permanently deleted (unless longer retention is required by law, regulator order, or pending legal proceedings).
  • Billing records: up to 10 years for tax and commercial-records compliance under the laws of the Sultanate of Oman (including the Commercial Companies Law issued by Royal Decree 18/2019 and applicable tax regulations).
  • Security & audit logs: up to 24 months.
  • Marketing data: until you unsubscribe or 24 months of inactivity.

Where the customer instructs MICO360 to retain data longer or shorter than the above, the customer bears all risk and responsibility for that instruction.

10. International transfers

Customer data is primarily stored in ISO 27001 certified data centres located in the GCC region, with primary hosting in the Kingdom of Bahrain and/or the United Arab Emirates. Where we transfer data outside the GCC (e.g., to process analytics, technical support, or to a sub-processor located abroad), we do so under safeguards recognised under Royal Decree 6/2022 (Oman PDPL) and the customer's applicable national law, including:

  • Adequacy findings issued by the competent Omani authority, where available.
  • Approved standard contractual clauses (including, where applicable, the European Commission's Standard Contractual Clauses) and equivalent safeguards adopted by GCC regulators.
  • Explicit consent from the data subject where required.

By using the Service, the customer acknowledges and agrees to such transfers and undertakes to obtain any further consent required from its own employees and data subjects.

11. Security

Our operations are certified to ISO 9001 (Quality Management) and ISO/IEC 27001 (Information Security Management), with annual independent audits. Additional controls include:

  • TLS 1.3 encryption in transit, AES-256 at rest.
  • Role-based access control with just-in-time elevation.
  • Continuous vulnerability scanning and annual penetration testing.
  • Daily encrypted backups with 30-day point-in-time recovery.
  • Incident response with 72-hour breach notification to regulators where required by law.

No security measure is impenetrable. MICO360 does not warrant absolute security and accepts no responsibility for security breaches caused, contributed to or facilitated by the customer, its users, its devices, its networks or any third party. The customer is responsible for implementing appropriate device, network and endpoint security on its side.

12. Your rights

Subject to and to the extent granted by your jurisdiction's privacy law (including Oman PDPL, UAE PDPL, KSA PDPL and equivalents), you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion ("right to be forgotten"), subject to legal retention obligations.
  • Restrict or object to processing.
  • Data portability — receive a copy of your data in a structured format.
  • Withdraw consent at any time (without affecting prior lawful processing).
  • Lodge a complaint with your local supervisory authority — for Oman, the competent authority designated under Royal Decree 6/2022.

To exercise any of these rights, email info@mico360.com. We respond within 30 days, subject to identity verification and any extension permitted by applicable law. If you are an employee of a MICO360 customer, please address your request first to your employer (the data controller); we will assist as a processor on the controller's instruction.

13. Children's privacy

MICO360 is a business platform not directed to children under 18, and we do not knowingly collect personal data from them. If you believe a child has provided us with data, please contact us and we will delete it promptly.

14. Data Processing Addendum (DPA)

Enterprise customers may request a signed Data Processing Addendum on the standard MICO360 form. Email info@mico360.com. MICO360 reserves the right to refuse non-standard addenda or to charge a reasonable fee for negotiating bespoke privacy terms.

15. Limitation of responsibility

While we take commercially reasonable measures to safeguard personal data, to the maximum extent permitted by applicable law MICO360 accepts no responsibility for, and the customer expressly assumes the risk of:

  • the accuracy, completeness, legality or lawful basis of any personal data, payroll input, employee record, document or any other information submitted by the customer, its users or any third-party integration;
  • any business decision, payroll output, tax filing, regulatory return, calculation or report generated using the Service;
  • any unauthorised access resulting from credentials shared, lost, leaked or compromised by the customer or its users, or from the customer's own devices, networks, browsers or endpoints;
  • the actions, omissions, security practices, privacy policies or solvency of any third-party services that the customer chooses to integrate with the Service (banks, payment gateways, biometric devices, accounting tools, identity providers and the like);
  • any breach, leak, loss or unauthorised disclosure caused, contributed to or facilitated by the customer's failure to discharge its controller obligations under section 6 above;
  • any indirect, incidental, special, consequential, exemplary or punitive damages arising from your use of, inability to use, or reliance on, the Service or any data therein.

The customer's use of the Service is also governed by the binding limitation of liability in our Terms & Conditions, which caps MICO360's aggregate liability and which the customer expressly accepts as a reasonable allocation of risk reflected in the pricing.

16. Governing law & jurisdiction

This Privacy Policy and any non-contractual obligations arising from or connected with it are governed by, and shall be construed in accordance with, the laws of the Sultanate of Oman, including (without limitation) Royal Decree 6/2022 (Personal Data Protection Law), Royal Decree 69/2008 (Electronic Transactions Law), Royal Decree 12/2011 (Cybercrimes Law) and Royal Decree 18/2019 (Commercial Companies Law).

Any dispute, claim or controversy arising out of or relating to this Policy shall be submitted to the exclusive jurisdiction of the competent courts of Muscat, Sultanate of Oman, save that MICO360 reserves the right at its sole option to bring proceedings in any other competent jurisdiction where the customer is located, has assets, or has caused damage. The customer irrevocably waives any objection to the venue or convenience of Omani courts.

17. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date above tells you when. Material changes will be notified by email or in-product notice at least 14 days before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

18. Contact

For any privacy-related question, please contact:

MICO360 — operated by Prolens Projects LLC
Muscat, Sultanate of Oman
Email: info@mico360.com

Severability: if any provision of this Policy is held invalid or unenforceable by a competent court, that provision shall be limited to the minimum extent necessary and the remaining provisions shall remain in full force and effect.