Privacy Policy
How ARIA collects, uses, stores, and protects personal data under KSA's Personal Data Protection Law (PDPL).
2026-Q2.preview · Effective at current version
This Policy explains how ARIA ("we") handles personal data when you use our consumer advisory, institutional terminal, or admin surfaces. It is governed by KSA PDPL and applicable sub-processor DPAs. For the authoritative Arabic version, see the Arabic language toggle — the Arabic text governs in case of conflict per KSA regulatory expectation.
1. Data we collect
- Identity — name, email, phone, Nafath-verified ID for Pilot and Production accounts
- Household — income, expenses, debt, savings for consumer advisory (consent-gated)
- Activity — sign-in times, surfaces visited (truncated IP per PDPL proportionality)
- Institutional — project inputs, memos, committee votes (tenant-isolated)
- Consent — every grant and withdrawal in an append-only ledger
2. How we use it
- To deliver the services you request (contractual basis)
- To fulfill legal obligations (e.g., SDAIA register, ZATCA invoicing in production)
- With explicit consent — marketing, SMS, WhatsApp, data-sharing with partners
3. Data residency
Primary storage in AWS me-south-1 (Bahrain). Backups in-region. Cross-border transfers only to documented sub-processors with executed DPAs; current list available under "Sub-processors" in the consent footer of every page.
4. Retention
- Active account data — for the life of the account plus 12 months
- Audit trail — 7 years (ZATCA / regulatory compatible)
- Marketing consent withdrawals — indefinitely, append-only
- Truncated access logs — 12 months
5. Your PDPL rights
- Access — export everything we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion (subject to legal retention)
- Portability — structured machine-readable export
- Withdrawal — revoke any consent purpose with one click from Settings → Privacy
- Or use the public DSAR form at /legal/data-rights if you don't have an account
6. DPO contact
Contact our Data Protection Officer at dpo@aria.sa. In production we publish a named DPO; during client review workspaces, the DPO is a fractional engagement through the onboarding pack.
7. Automated decisions + AI
ARIA uses Claude (Anthropic) for rationale generation and scoring explanations under a prompt-hash cache. You can request human review of any Safety Score or Confidence Score. We never make binding financial commitments on your behalf without explicit confirmation.
8. Changes to this Policy
Material changes trigger a version bump and a re-consent modal for authenticated users. Superseded versions remain linked for historical reference.