Pristine InfoSolutions LLC is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and safeguard information about you in accordance with Saudi Arabia's Personal Data Protection Law (PDPL), the EU General Data Protection Regulation (GDPR), and all applicable international data protection laws.
Pristine InfoSolutions LLC operates as a Data Controller for personal data collected through our website, services, and business operations. Where we process personal data on behalf of clients as part of service delivery, we act as a Data Processor and process such data strictly under the terms of written Data Processing Agreements.
This Privacy Policy has been drafted to comply with the following data protection laws and regulations, which may apply depending on your location and the nature of our relationship with you:
| Jurisdiction | Applicable Law | Supervisory Authority | Our Obligations |
|---|---|---|---|
| Saudi Arabia | Personal Data Protection Law (PDPL) — Royal Decree M/19 (2021), effective September 2023, and its Implementing Regulations | Saudi Data and Artificial Intelligence Authority (SDAIA) | Lawful basis for all processing; data subject rights; 72-hour breach notification; cross-border transfer controls; DPO designation |
| European Union / EEA | General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 | Relevant national Data Protection Authority (DPA) | All GDPR obligations apply to EU/EEA data subjects regardless of processing location |
| United Kingdom | UK GDPR and Data Protection Act 2018 | Information Commissioner's Office (ICO) | UK GDPR compliance for UK data subjects |
| United Arab Emirates | UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL-UAE) | UAE Data Office | Applicable to UAE-based data subjects and processing activities within the UAE |
| Bahrain | Personal Data Protection Law 2018 (PDPL-BH) | Personal Data Protection Authority (PDPA Bahrain) | Applicable to processing activities involving Bahraini data subjects |
| International (General) | ISO/IEC 27701:2025 Privacy Information Management System | Internal audit and certification body | Pristine maintains ISO 27701 certification as a Privacy Information Management System |

| Data Category | Specific Data Elements | Purpose | Legal Basis (PDPL/GDPR) |
|---|---|---|---|
| Identity Data | Full name, job title, professional designation, employee/consultant identification | Identify and communicate with you throughout the service relationship | Contract performance; Legitimate interests |
| Contact Data | Business email address, telephone number, organisation name, business address | Service delivery communications, enquiry responses, contract administration | Contract performance; Consent (marketing) |
| Financial Data | Invoice details, purchase order numbers, bank account details for payment processing | Billing, invoicing, and payment processing for services rendered | Contract performance; Legal obligation |
| Credentials | Username and password for Client Portal access | Secure access to Pristine client systems and delivery platforms | Contract performance; Legitimate interests |
| Professional Data | Job title, department, professional certifications, security clearance level | Service scoping, personnel deployment, NDA administration | Contract performance |
| Communication Data | Emails, meeting notes, call recordings (where consented), support tickets | Service delivery, issue resolution, and quality assurance | Consent; Legitimate interests |
| Training Data | Enrolment details, examination results, certification records, attendance records | Training programme delivery and certificate issuance | Contract performance; Legal obligation |
Under Saudi PDPL Article 5 and GDPR Article 6, we process personal data only where a lawful basis exists. The following table sets out our lawful bases for each category of processing activity:
| Processing Activity | PDPL Basis | GDPR Basis | Retention Period |
|---|---|---|---|
| Service delivery and contract administration | Contract performance | Art. 6(1)(b) — contract | Duration of contract + 7 years |
| Responding to enquiries and proposals | Legitimate interest; Consent | Art. 6(1)(f) legitimate interest; Art. 6(1)(a) consent | 2 years from last contact |
| Website analytics and performance monitoring | Legitimate interest | Art. 6(1)(f) legitimate interest | 13 months |
| Marketing communications (newsletter, events) | Explicit consent | Art. 6(1)(a) consent | Until consent withdrawn |
| Legal and regulatory compliance (NCA ECC, SAMA reporting) | Legal obligation | Art. 6(1)(c) legal obligation | As required by applicable law |
| Security monitoring and fraud prevention | Legitimate interest; Legal obligation | Art. 6(1)(f); Art. 6(1)(c) | 12 months |
| Dispute resolution and litigation | Legitimate interest; Legal obligation | Art. 6(1)(f); Art. 6(1)(c) | Duration of proceedings + 10 years |
| Training and certification records | Contract performance; Legal obligation | Art. 6(1)(b); Art. 6(1)(c) | 7 years after certification expiry |
Personal data is shared internally within Pristine InfoSolutions LLC on a strict need-to-know basis. Access is controlled through role-based access management aligned to NCA ECC and our ISO 27701 privacy controls.
We engage carefully selected third-party service providers who process personal data on our behalf under binding Data Processing Agreements (DPAs). All processors are required to implement appropriate technical and organisational security measures and may not use personal data for any purpose other than providing the contracted service.
| Processor Category | Purpose | Data Transferred | Location & Safeguards |
|---|---|---|---|
| Cloud Infrastructure Providers | Website hosting, data storage, email systems | Contact and operational data | KSA-region servers where available; Standard Contractual Clauses for cross-border |
| IT Security Platforms | SIEM, EDR, SOC tooling — service delivery | Security event data, log data | KSA-first; data residency agreements in place |
| CRM & Business Systems | Client relationship management, invoicing | Contact and financial data | KSA/GCC-based systems; DPAs in place |
| Analytics Providers | Website performance analytics | Anonymised usage data | Configured to anonymise IP addresses; no profiling |
| Training Platform Providers | Online training delivery | Enrolment and performance data | DPAs in place; no third-party marketing use |
| Legal & Professional Advisors | Legal representation, audit | Relevant data only | Subject to professional confidentiality obligations |
Pristine may disclose personal data without prior notice where required by applicable law, regulation, court order, or lawful governmental authority — including disclosures to the National Cybersecurity Authority (NCA), Saudi Data and Artificial Intelligence Authority (SDAIA), Saudi Central Bank (SAMA), law enforcement authorities, or other competent regulatory bodies. We will notify you of such disclosure requests where legally permitted to do so.
Pristine's primary data processing occurs within the Kingdom of Saudi Arabia. Where cross-border transfers are necessary — for example, when engaging international technology vendors or providing services to clients across the GCC — we implement the following safeguards in compliance with PDPL Article 17 and GDPR Chapter V:
Under Saudi PDPL Articles 4, 6, 7, and 8, and GDPR Articles 12–22, you have the following rights regarding your personal data. To exercise any of these rights, contact our DPO at dpo@pristinesaudi.com. We will respond within 30 days (Saudi PDPL) or one calendar month (GDPR).
| Right | Description | How to Exercise | Response Time |
|---|---|---|---|
| Right of Access | Obtain a copy of all personal data we hold about you, the purposes for which it is processed, and the recipients with whom it has been shared | Submit written request to dpo@pristinesaudi.com with proof of identity | Within 30 days (extendable by a further 30 days with notice) |
| Right of Correction | Request correction of inaccurate or incomplete personal data | Written request identifying the inaccuracy and the correct information | Within 30 days; corrections propagated to processors and recipients |
| Right of Deletion | Request erasure of your personal data where: processing was based on consent since withdrawn; data is no longer necessary for its original purpose; processing is unlawful | Written request to dpo@pristinesaudi.com — subject to legal retention obligations | Within 30 days; we confirm deletion or explain any legitimate grounds for retention |
| Right to Withdraw Consent | Where processing is based on consent, withdraw that consent at any time — this does not affect the lawfulness of prior processing | Click 'unsubscribe' in marketing emails; or written notice to privacy@pristinesaudi.com | Immediate effect for marketing; processing will cease within 5 business days |
| Right to Object (GDPR) | Object to processing based on legitimate interests or for direct marketing purposes | Written objection to dpo@pristinesaudi.com — we will cease unless we demonstrate compelling legitimate grounds | Immediate cessation of direct marketing; 30 days for legitimate interest objections |
| Right to Data Portability (GDPR) | Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller | Written request to dpo@pristinesaudi.com — applies to data processed by consent or contract | Within 30 days; provided in CSV or JSON format |
| Right to Complain | Lodge a complaint with the competent supervisory authority — SDAIA (Saudi Arabia) or your national DPA (EU/UK) | Saudi Arabia: complaints.sdaia.gov.sa; EU: your national DPA; UK: ico.org.uk | As per supervisory authority's own procedures |
As a cybersecurity firm, data security is central to our operations. We implement technical and organisational security measures commensurate with the sensitivity of the data processed and the risks involved, aligned to ISO/IEC 27001:2022, ISO 27701, and NCA ECC-2:2024 requirements.
We retain personal data for no longer than necessary for the purposes for which it was collected, subject to applicable legal retention requirements under Saudi law, including the Saudi Companies Law, Labour Law, Tax regulations, and sector-specific requirements from NCA and SAMA.
| Data Category | Standard Retention Period | Legal Basis for Extended Retention |
|---|---|---|
| Client contract data and correspondence | Duration of contract + 7 years | Saudi Companies Law; Commercial Courts Law; VAT regulations |
| Financial and billing records | 7 years from creation | Zakat, Tax and Customs Authority (ZATCA) requirements; VAT Law |
| Employment and HR records | Duration of employment + 10 years | Saudi Labour Law; Social Insurance Law |
| Incident response and forensic data | 3 years | NCA ECC evidence requirements; potential legal proceedings |
| Website analytics data | 13 months (rolling) | Cookie Policy and legitimate interest balancing |
| Marketing contact data | Until consent withdrawn + 1 year | PDPL consent requirements |
| Training and certification records | 7 years after certification expiry | Professional certification body requirements; client evidence needs |
| Audit logs and security event logs | 12 months online; 5 years archived | NCA ECC Domain 3; PCI DSS Requirement 10; SAMA Domain 3 |
Upon expiry of applicable retention periods, personal data is securely and permanently deleted or anonymised in accordance with our Data Retention and Disposal Policy, which is reviewed annually.
Pristine reserves the right to update this Privacy Policy at any time to reflect changes in our processing activities, applicable law, or regulatory guidance. When we make material changes, we will:
Your continued use of Pristine's website or services after the effective date of any updated Privacy Policy constitutes your acknowledgement of the updated terms. If you do not accept the changes, you should cease using our services and notify us to exercise your data subject rights.
This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) and its Implementing Regulations issued by SDAIA.
Any dispute, controversy, or claim arising from or in connection with this Privacy Policy, including its interpretation, validity, or any alleged violation thereof, shall be subject to the exclusive jurisdiction of the competent courts of the Kingdom of Saudi Arabia, sitting in Riyadh, unless an alternative dispute resolution mechanism is available under applicable law.
For data subjects in the European Union or United Kingdom, nothing in this clause prevents you from lodging a complaint with your local data protection supervisory authority or pursuing remedies available under the GDPR or UK GDPR.