Campaign Central

The problem

Balady Business merchants run promotional campaigns — offers, discounts, seasonal pushes. Without a central authority, each campaign goes through its own ad-hoc rollout, scoring, and audience targeting. AI-driven recommendations need access to merchant + customer data, but PDPL forbids most direct exposure of personally-identifying customer details to AI systems.

The architecture

A centralized campaign-management platform with:

• Per-domain databases — one private store per service domain (campaign, subscription, profile), plus a separately secured store for protected-class data. Each service owns and is the only writer to its store; cross-domain queries go through a read-side aggregation layer rather than reaching across stores.
• Per-workflow message queues that isolate event classes (campaign lifecycle, subscription, and profile/preference events) so back-pressure on one class doesn’t stall the others
• A Sanitisation Service mediating between customer-data sources and the AI recommender — it strips identifiers and redacts personal attributes on the way in to the AI tier, and validates AI responses on the way back out before any downstream service consumes them. The protected attributes it swaps in and out live in the separately secured store, so the AI-facing services never hold the raw data themselves.
• POI + GIS integration for location-aware audience targeting
• Notification Hub integration for campaign comms

A backend-for-frontend layer is the only API surface the UI talks to, so backend services can evolve independently while the BFF aggregates and shapes responses for web and mobile clients.

Pattern view — a sanitisation gate removes identifiers and checks consent before any record reaches the AI tier.

Outcome

Merchants get a single canonical surface for campaign management. The sanitisation boundary means AI recommendations are produced from de-identified, consent-checked data rather than raw citizen records — keeping the AI tier inside PDPL constraints by design.