Privacy Policy
This Privacy Notice explains how SAHM Information Technology ("SAHM", "we") collects, processes, and protects personal data in line with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) and its Implementing Regulations, as well as obligations under the Digital Government Authority (DGA) and the National Data Management Office (NDMO) within Vision 2030.
1. Data Controller
The data controller is SAHM Information Technology, Riyadh, Kingdom of Saudi Arabia.
Privacy contact: info@sahm.sa
Phone: +966 53 113 0434
2. Categories of Personal Data Processed
- Full name, job title, and organization.
- Contact details (email address and mobile number).
- Content of inquiries and form submissions.
- IP address, browser type, operating system, and analytics usage data.
- Cookies and session identifiers (see our Cookie Policy).
3. Lawful Basis for Processing
We rely on one of the following lawful bases under Article 5 of the PDPL:
- Explicit consent — for marketing communications and newsletters.
- Contractual necessity — to deliver consulting services we have agreed to.
- Legitimate interest — to operate, secure, and improve the website.
- Legal obligation — to comply with KSA regulatory requirements.
4. Purposes of Processing
- Responding to inquiries and providing proposals or consultations.
- Delivering contracted projects to government and private-sector clients.
- Improving user experience and measuring site performance.
- Sending marketing content where consent is given.
- Meeting legal obligations and maintaining records.
5. Retention Periods
- Inquiry and form submissions: retained for two (2) years from last contact.
- Marketing list data: retained until consent is withdrawn.
- Contractual and accounting records: retained for the periods required by law.
- Analytics logs: retained for no longer than thirteen (13) months.
6. Your Rights as a Data Subject
Under PDPL Articles 8 to 11, you have the right to:
- Be informed about the lawful basis and purposes of processing.
- Access a copy of your personal data.
- Rectify inaccurate or incomplete data.
- Erase data when no longer necessary.
- Portability — receive your data in a machine-readable format.
- Object to processing based on legitimate interest or for marketing.
- Withdraw consent at any time, without retroactive effect.
To exercise these rights, contact info@sahm.sa. We will respond within thirty (30) days of receiving your request. You also have the right to file a complaint with the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa.
7. Cross-Border Transfers
We host operational data within the Kingdom of Saudi Arabia or within the European Union, using providers that meet protection levels equivalent to those required by KSA law. Where transfer outside the Kingdom is necessary, we comply with Article 29 of the PDPL and rely on appropriate contractual safeguards.
8. Sharing With Third Parties
We do not sell personal data. We may share limited data with: cloud infrastructure providers, analytics tools (e.g. Google Analytics), government bodies upon lawful request, and accredited advisors bound by equivalent confidentiality.
9. Information Security
We apply technical and organizational controls aligned with the National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC), including encryption in transit, access management, backups, and incident monitoring.
10. Breach Notification
In the event of a breach affecting your personal data, we will notify the competent authority and affected data subjects within the legally mandated timeframes. To report a security incident, contact security@sahm.sa.
11. Updates to This Policy
We review this notice periodically and when applicable laws change. Updates take effect from the date of publication on this page; for material changes we will notify you through an appropriate channel.
12. Contact
For privacy inquiries: info@sahm.sa | Riyadh, Kingdom of Saudi Arabia.