1. About PDPL
KSA's Personal Data Protection Law was issued by Royal Decree M/19 (1444H) and is supervised by the Saudi Data and AI Authority (SDAIA). It applies to anyone processing personal data of individuals residing in the Kingdom.
2. Controller & representative
Data Controller: CD4CD · Dal Holding, Al Olaya District, Riyadh, Saudi Arabia.
Data Protection Officer: [email protected].
3. Lawful basis for processing
- Contract performance: deliver the service you signed up for.
- Legitimate interest: platform safety, fraud prevention, aggregated product improvement.
- Consent: marketing emails, analytics cookies (when accepted).
- Legal obligation: invoice retention (ZATCA — 10 years).
4. Data residency
In-Kingdom residency Primary database and hot-path event processing run on servers inside Riyadh. Backups are kept in Frankfurt under approved contractual safeguards — they can be disabled on formal request.
5. Data subject rights
Per PDPL Article (4), you have the right to:
- Access your personal data.
- Receive a machine-readable copy.
- Rectify or delete it.
- Withdraw consent.
- File a complaint with SDAIA.
All available via /dashboard/settings or [email protected]. Max response time: 30 days.
6. Breach notification
In case of any breach affecting your personal data we commit to:
- Notify SDAIA within 72 hours of discovery.
- Notify you directly by email if your data is affected.
- Publish an incident report on /status within 7 days.
7. Contact SDAIA
If you are not satisfied with our response you may contact the Saudi Data and AI Authority:
- Website: sdaia.gov.sa
- Hotline: 1933