Privacy Policy

Syasa (“Syasa”, “we”, “our”, or “us”) is a policy management platform built for Saudi organisations. We are committed to protecting your personal data in accordance with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia (Royal Decree No. M/19, as amended) and its implementing regulations.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights as a data subject. By accessing or using Syasa, you acknowledge that you have read and understood this Policy.

The data controller responsible for your personal data is:

We collect the following categories of personal data:

• Identity & contact data: first name, last name, email address, phone number, and country code — collected when you register or submit a request.
• Professional data: job title, company name, company industry, and company size — collected to tailor the platform to your organisation's compliance needs.
• Account & usage data: login credentials, session tokens, feature usage, policy drafts created, approval actions, and audit log entries generated within the platform.
• Communications data: messages you send us via email, WhatsApp, or our contact forms, including support requests and newsletter sign-ups.
• Technical data: IP address, browser type, operating system, device identifiers, and access timestamps — collected automatically via logs and cookies.
• Consent records: a timestamped record of your acceptance of this Policy and our Terms of Service.

We do not intentionally collect sensitive personal data (as defined under the PDPL) unless required by law or with your explicit consent.

We process your personal data for the following purposes and on the following legal bases:

We do not sell your personal data. We share it only in the following circumstances:

• Service providers: trusted third-party vendors (cloud hosting, AI model providers, email delivery, analytics) who process data on our behalf under binding data processing agreements.
• Your organisation: account administrators within your organisation can access data related to your account and policies created within your workspace.
• Legal authorities: when required by a valid court order, regulatory directive, or obligation under Saudi law.
• Business transfers: in connection with a merger, acquisition, or asset sale, subject to the same privacy protections.

Any international transfer of personal data outside the Kingdom of Saudi Arabia is conducted only where adequate protections are in place as required by the PDPL and its regulations.

We retain your personal data only for as long as necessary for the purposes set out in this Policy, or as required by applicable law:

• Active accounts: retained for the duration of your subscription plus a 90-day grace period after termination.
• Audit logs and policy records: retained for a minimum of five (5) years to meet regulatory and governance requirements.
• Marketing data: retained until you withdraw consent or unsubscribe.
• Support communications: retained for two (2) years from the date of the interaction.

After the applicable retention period, we securely delete or anonymise your data.

Under the PDPL and its implementing regulations, you have the following rights with respect to your personal data:

• Right of access: request a copy of the personal data we hold about you.
• Right of correction: request that inaccurate or incomplete data be corrected.
• Right of erasure: request deletion of your data where there is no lawful basis for continued processing.
• Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right to object: object to processing based on legitimate interests where your fundamental rights override those interests.
• Right to data portability: receive your data in a structured, commonly used format where technically feasible.

To exercise any of these rights, contact us at privacy@syasa.sa. You also have the right to lodge a complaint with the Saudi Data and AI Authority (SDAIA).

We use essential cookies required for the platform to function (authentication tokens, session management, language preference). We use analytics cookies to understand how users interact with our platform and improve the experience.

You can control non-essential cookies through your browser settings. Disabling essential cookies will affect platform functionality.

We implement technical and organisational measures including encryption in transit (TLS) and at rest, role-based access controls, audit logging, and regular security assessments aligned with the NCA Essential Cybersecurity Controls (ECC). If you believe your account has been compromised, contact us immediately at privacy@syasa.sa.

Syasa is a business-to-business platform. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.

We may update this Policy from time to time. We will notify you of material changes by email or prominent notice on the platform at least 30 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated Policy.