PDPL Notice
Our commitments under the Kingdom of Saudi Arabia's Personal Data Protection Law.
2026-Q2.previewEffective at current version·PrivacyTermsCookiesDisclosures
This Notice is a concise summary of how we align with PDPL. For the full legal text governing how we handle personal data, see the Privacy Policy.
1. Lawful bases
- Contract — providing the service you've signed up for
- Legal obligation — SDAIA register, ZATCA invoicing, audit retention
- Explicit consent — marketing, SMS, WhatsApp, optional analytics
2. Data subject rights
- Access (export)
- Rectification
- Erasure
- Portability
- Object / restrict processing
- Withdraw consent at any time
All rights are exercisable from Settings → Privacy inside the app, or by writing to our DPO contact below. Or use the public DSAR form at /legal/data-rights if you don't have an account.
3. Cross-border transfer posture
Primary data in AWS me-south-1 (Bahrain). Cross-border transfers to documented sub-processors only, under executed DPAs, and logged in our sub-processor register.
4. Breach notification
We notify SDAIA within 72 hours of confirming a reportable breach, and affected tenant admins within 4 hours for SEV-1 (see Security).
5. DPO
Contact our Data Protection Officer at dpo@aria.sa. In Client Demo, DPO functions run on a fractional engagement; from Pilot onwards a named DPO is contractually engaged through the DPO onboarding pack.