Privacy Policy | Cedar Link SAL – XOM Smart Services
Legal Document

Privacy Policy

Effective: February 1, 2026 Last Updated: February 1, 2026 Version: 1.0

Cedar Link SAL (“Cedar Link,” “we,” “our,” or “us”), operating the XOM Smart Services platform, is committed to protecting your privacy. This Privacy Policy explains what personal information we collect, why we collect it, how it is used, and your rights as a data subject under Lebanese law and international data protection standards, including GDPR principles.

Article 01

Introduction

Cedar Link SAL is a digital operational infrastructure company registered in Lebanon, headquartered in Tripoli. We provide citizens, residents, and Lebanese expatriates worldwide with seamless access to official administrative services through our XOM Smart Services platform — including Mukhtar services, Civil Registry processing, Traffic Management coordination, and translation and legalization services.

This Privacy Policy applies to:

  • All users of the XOM mobile application (iOS and Android)
  • All visitors to our web portal and website (www.cedarlink.com)
  • Lebanese expatriates and diaspora members using remote services from abroad
  • Service providers using our institutional dashboard (Mukhtars, Civil Registry officers, Traffic Management personnel)
  • Any individual whose personal data we process in connection with our services

By using our platform, you agree to the collection and use of your information as described in this policy. If you do not agree, please discontinue use of our services.

Article 02

Information We Collect

2.1 Information You Provide Directly

  • Identity Information: Full legal name, date of birth, nationality, Lebanese ID number, passport number
  • Contact Information: Phone number, email address, residential address (Lebanon and/or abroad)
  • Civil Status Data: Marital status, family registry number, place of registration, family record details
  • Vehicle Information: Vehicle registration number, license plate, vehicle type (for traffic services)
  • Documents: Copies of identity documents, family records, or official documents you upload to complete a transaction
  • Payment Information: Transaction reference numbers processed through OMT, Wish Money, Visa, or Mastercard (we do not store full card details)
  • Account Credentials: Username and encrypted password for your XOM account

2.2 Information We Collect Automatically

  • Device identifiers (device type, operating system, app version)
  • IP address and approximate geographic location
  • Log data: pages visited, features used, session duration
  • Crash reports and performance diagnostics
  • Language preferences and accessibility settings

2.3 Information from Third Parties

  • Government institution confirmations (Mukhtars, Civil Registry, Traffic Management) to verify document authenticity
  • Payment processors confirming successful transactions
  • Translation and legalization service partners
Note on Sensitive Data: Some information we process — such as civil status, family records, and national ID numbers — is considered sensitive. We apply heightened protection standards to all such data and collect it only when strictly necessary to fulfil your requested service.
Article 03

How We Use Your Information

3.1 Service Delivery

  • Processing your official transaction requests (Mukhtar, Civil Registry, Traffic)
  • Routing requests to the correct authority and tracking their progress
  • Verifying identity and document authenticity with relevant institutions
  • Delivering completed documents digitally or coordinating physical delivery worldwide
  • Processing secure payments for services rendered

3.2 Communication

  • Sending real-time notifications on transaction status (SMS, email, push notifications)
  • Responding to your support requests and inquiries
  • Administrative communications about your account or services
  • Notifying you of changes to services, terms, or this privacy policy

3.3 Platform Improvement

  • Analysing platform usage to improve user experience
  • Debugging and fixing technical issues
  • Developing new features and service offerings

3.4 Legal Compliance

  • Maintaining complete audit trails of all transactions as required by Lebanese law
  • Responding to lawful requests from government authorities
  • Fraud prevention and security monitoring
  • Enforcing our Terms of Service

3.5 Analytics (Aggregated & Anonymised)

  • Generating anonymised statistics about service usage to improve operations
  • Providing aggregated insights to government partners for service improvement
Article 04

Data Sharing & Disclosure

We do not sell your personal data. We share your information only in the following circumstances:

4.1 Government & Institutional Partners

To complete your requested service, we share relevant information with the specific Lebanese institution handling your transaction — such as the relevant Mukhtar, Civil Registry department, or Traffic Management organization. This sharing is inherent to our service and forms the operational basis of your engagement with us.

4.2 Service Providers

  • Payment processors (OMT, Wish Money) — for transaction authorisation only
  • Cloud hosting providers (AWS/DigitalOcean) — operating under strict data processing agreements
  • SMS and email notification providers — for communication delivery only
  • Certified translation and legalization partners — when you request these services

All third-party processors are bound by contractual obligations to protect your data and process it solely for specified purposes.

4.3 Legal Requirements

We may disclose your information if required by applicable Lebanese law, court order, or lawful government request. Where legally permissible, we will notify you of such disclosure.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of Cedar Link SAL assets, your personal data may be transferred. We will provide advance notice and clarify your rights in that event.

We will never share your data with advertising networks, data brokers, or any party for commercial marketing purposes without your explicit consent.
Article 05

Data Security

We implement enterprise-grade security measures to protect your personal information:

  • Encryption: AES-256 encryption for stored data; TLS 1.3 for all data in transit
  • Payment Security: PCI-DSS compliant payment processing; raw card data is never stored on our servers
  • Access Controls: Multi-factor authentication; role-based access; least-privilege principles across all systems
  • Infrastructure: Enterprise firewall; automated threat detection; 24/7 system monitoring
  • Document Storage: Encrypted, access-controlled S3 storage with automated backups
  • Audit Logging: All data access events are logged and regularly reviewed

Despite our robust measures, no system is completely immune. In the event of a breach posing risk to your rights, we will notify affected users within 72 hours of becoming aware, in accordance with applicable law.

Article 06

Data Retention

We retain your personal data only as long as necessary:

  • Active Account Data: Retained for the duration of your account and 5 years thereafter
  • Transaction Records: Retained for 10 years to comply with Lebanese administrative and financial record-keeping requirements
  • Document Copies: Retained for 7 years post-transaction for audit and legal compliance
  • Communication Logs: Retained for 3 years
  • Payment Records: Retained for 7 years per financial regulations
  • Deleted Accounts: Personal identifiers anonymised within 90 days; transaction records may remain in anonymised form
Article 07

Your Privacy Rights

You have the following rights regarding your personal data. Contact us at privacy@cedarlink.com to exercise any right — we respond within 30 days.

👁️

Right to Access

Request a copy of all personal data we hold about you.

✏️

Right to Rectification

Request correction of inaccurate or incomplete personal data.

🗑️

Right to Erasure

Request deletion of your personal data, subject to legal retention obligations.

⏸️

Right to Restriction

Request that we limit how we process your data in certain circumstances.

📦

Right to Portability

Receive your data in a structured, machine-readable format.

🚫

Right to Object

Object to processing of your data for analytics or certain other purposes.

Some rights may be limited where processing is required by law or to complete a government-mandated transaction. We will always explain any limitation clearly.

Article 08

Cookies & Tracking Technologies

Our web portal uses cookies and similar technologies to ensure functionality and improve your experience.

Types of Cookies We Use

  • Strictly Necessary: Required for platform functionality (login sessions, security tokens). Cannot be disabled.
  • Functional: Remember language preferences, saved settings, and session state.
  • Analytics: Anonymised usage data to improve platform performance. You may opt out at any time.

We do not use advertising or behavioural tracking cookies for marketing purposes. Manage cookie preferences through your browser settings. Disabling non-essential cookies will not impact core service functionality.

Article 09

International Data Transfers

Cedar Link SAL serves Lebanese citizens and expatriates worldwide. Your data may be processed on servers located in the EEA or the United States through our cloud providers (AWS/DigitalOcean).

Where we transfer personal data internationally, we ensure appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by relevant authorities
  • Data processing agreements requiring equivalent protection standards
  • Technical and organisational security measures applied consistently across all regions

For expatriates using our services from abroad: your personal data is processed in Lebanon and on our secure international cloud infrastructure. No data is transferred to or stored in your country of residence without your explicit knowledge, and where required by local law, your consent.

Article 10

Children & Minors

Our platform is not directed at children under the age of 18. We do not knowingly collect personal information directly from minors. Parents or legal guardians may use our platform to process official documents on behalf of minors (e.g., birth certificates, family records). In such cases, the parent or guardian is the account holder and accepts responsibility for submitted data.

If you believe a child’s data has been submitted without parental authorisation, contact us immediately at privacy@cedarlink.com.

Article 11

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page
  • Notify registered users via email or in-app notification
  • Where required by law, seek your renewed consent

Your continued use of XOM Smart Services following notification of changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

Article 12

Contact & Data Protection

For all privacy-related inquiries, data subject requests, or concerns about how we handle your personal information, please contact:

  • Cedar Link SAL – Data Protection
  • Email: privacy@cedarlink.com
  • General Inquiries: info@cedarlink.com
  • Address: Cedar Link SAL, Tripoli, Lebanon
  • Response Time: We aim to respond to all privacy requests within 72 hours.

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country of residence.