Privacy Policy
سياسة الخصوصية
Effective: March 2026 | Last Updated: March 2026
Compliant with the Saudi Personal Data Protection Law (PDPL) — Royal Decree M/19
1. What We Collect | ما نجمعه
Saddid collects the following data to deliver our services:
- Identity data: Name, email address, organization name, and professional role.
- Assessment data: Saddid Score assessment answers, dimension scores, and maturity results.
- Purchase data: Product purchase records processed through Stripe (we do not store card numbers).
- Communication data: Messages submitted via our contact form.
- Technical data: IP address, browser type, and device information (collected only with your consent).
2. Legal Basis for Processing | الأساس القانوني للمعالجة
Under the Saudi Personal Data Protection Law (PDPL), we process your data based on the following legal grounds:
- Consent (PDPL Article 6): Analytics cookies and marketing communications require your explicit consent, which you may withdraw at any time.
- Contract performance (PDPL Article 7): Identity, assessment, and purchase data are necessary to deliver the services you have requested.
- Legal obligation (PDPL Article 8): Certain financial records are retained as required by Saudi commercial law.
- Legitimate interest (PDPL Article 9): Service improvement and security monitoring, balanced against your privacy rights.
3. Why We Collect It | لماذا نجمعه
- Scoring: To calculate and deliver your Saddid Score and maturity assessment.
- Service delivery: To provide advisory, consulting, and digital transformation services.
- Communication: To respond to inquiries and share relevant updates with your consent.
- Product delivery: To fulfill digital product purchases and provide access to purchased materials.
4. How We Store Your Data | كيف نخزن بياناتك
- Application data is stored in Supabase with encryption at rest and in transit (AES-256, TLS 1.3). Data is hosted in a secure cloud region.
- Payment data is processed by Stripe, a PCI DSS Level 1 compliant payment processor. Saddid does not store credit card numbers.
- Assessment data is retained for up to 24 months from the date of submission.
- Purchase records are retained for 10 years in accordance with Saudi commercial law requirements.
- Consent records are retained for 7 years as audit evidence per PDPL compliance requirements.
5. Data Retention Schedule | جدول الاحتفاظ بالبيانات
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| User profiles | 2 years after account closure | Anonymization |
| Assessment data | 24 months from submission | Anonymization |
| Purchase records | 10 years (legal requirement) | Anonymized (PII removed) |
| Consent records | 7 years (audit trail) | IP anonymized |
| Communication data | 2 years | Hard delete |
6. Your Rights Under PDPL | حقوقك بموجب نظام حماية البيانات الشخصية
Under the Saudi Personal Data Protection Law (PDPL), you have the following rights:
- Right of Access (Article 14) — حق الوصول: Request a copy of all personal data we hold about you, including processing purposes and recipients.
- Right to Correction (Article 15) — حق التصحيح: Request correction of inaccurate or incomplete personal data.
- Right to Data Portability (Article 16) — حق نقل البيانات: Receive your personal data in a structured, machine-readable JSON format.
- Right to Erasure (Article 17) — حق الحذف: Request deletion of your personal data when the processing purpose has been fulfilled or consent has been withdrawn.
- Right to Object (Article 18) — حق الاعتراض: Object to processing of personal data for direct marketing or automated decision-making.
- Right to Restrict Processing (Article 19) — حق تقييد المعالجة: Request restriction of processing while accuracy or lawfulness is contested.
We will respond to all rights requests within 30 days.
7. Cross-Border Data Transfers | نقل البيانات عبر الحدود
Your data may be transferred outside the Kingdom of Saudi Arabia for the following purposes:
- Cloud hosting: Application data is stored on Supabase infrastructure. Supabase employs AES-256 encryption at rest and TLS 1.3 in transit.
- Payment processing: Stripe processes payment data under PCI DSS Level 1 compliance.
- Email delivery: Resend delivers transactional emails. No personal data beyond email addresses is shared.
All cross-border transfers comply with PDPL Article 29 requirements. We ensure adequate protection through contractual safeguards and data processing agreements with all third-party processors.
8. Cookie Policy | سياسة ملفات تعريف الارتباط
Saddid uses minimal cookies, and non-essential cookies only with your explicit consent:
- Analytics cookies: We use Plausible Analytics, a privacy-first analytics service that does not use cookies or collect personal data. Analytics tracking is enabled only if you accept analytics cookies via the consent banner.
- Essential cookies: Session cookies required for authentication and security (not tracked, no consent required).
- Consent cookie: A single cookie ("saddid-consent") records your consent preference.
You can update your cookie preferences at any time. Declining analytics cookies does not affect your ability to use Saddid.
9. Data Breach Notification | الإخطار بخرق البيانات
In the event of a personal data breach that poses a risk to your rights and freedoms, Saddid will notify the Saudi Data & Artificial Intelligence Authority (SDAIA) within 5 business days and affected individuals without undue delay, in accordance with PDPL requirements. Notifications will include the nature of the breach, categories of data affected, likely consequences, and remedial measures taken.
10. Exercise Your Rights | ممارسة حقوقك
You can exercise your data protection rights through the following channels:
- Automated: Use the Privacy API in your account settings to export your data (right of access) or request deletion (right to erasure).
- Email: Contact privacy@saddid.com for any rights request, complaint, or question.
- Regulator: You may lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) if you believe your data protection rights have been violated.
Response Timeline
We will acknowledge your request within 3 business days and provide a substantive response within 30 days. If additional time is required, we will inform you of the delay and reason.
11. Contact | تواصل معنا
We provide two separate channels for privacy and compliance inquiries. Use the address that matches your request:
- Individual data rights / privacy questions: For individual data subjects exercising PDPL rights (access, correction, erasure, portability) — email privacy@saddid.com.
- Regulatory compliance / audit inquiries: For organizations, auditors, and regulators requesting compliance attestations, audit documentation, or control evidence — email compliance@saddid.com.
General inquiries: hello@saddid.com
This policy is effective as of March 2026 and applies to all users of the Saddid platform. We may update this policy periodically and will notify registered users of material changes. This policy complies with the Saudi Personal Data Protection Law (PDPL), Royal Decree M/19, and its Implementing Regulations.