PDPL Notice
Our commitments under the Kingdom of Saudi Arabia's Personal Data Protection Law.
v0.1-dummy·PrivacyTermsCookiesDisclosures
This Notice is a concise summary of how we align with PDPL. For the full legal text governing how we handle personal data, see the Privacy Policy.
1. Lawful bases
- Contract — providing the service you've signed up for
- Legal obligation — SDAIA register, ZATCA invoicing, audit retention
- Explicit consent — marketing, SMS, WhatsApp, optional analytics
2. Data subject rights
- Access (export)
- Rectification
- Erasure
- Portability
- Object / restrict processing
- Withdraw consent at any time
All rights are exercisable from Settings → Privacy inside the app, or by writing to our DPO contact in the footer.
3. Cross-border transfer posture
Primary data in AWS me-south-1 (Bahrain). Cross-border transfers to documented sub-processors only, under executed DPAs, and logged in our sub-processor register.
4. Breach notification
We notify SDAIA within 72 hours of confirming a reportable breach, and affected tenant admins within 4 hours for SEV-1 (see Security).
5. DPO
Our DPO (see footer) is the accountable contact for PDPL matters. In Preview, DPO functions run on a fractional engagement; from Beta onwards a named DPO is contractually engaged per BRP-03 / BRP-04.