PRIVACY NOTICE 

Personal Data Protection Law (PDPL) — Kingdom of Saudi Arabia 

Legal Tracks  |  Version 1.0  |  25 February 2026 

 

About this Notice 

This Privacy Notice is issued by Legal Tracks in compliance with the Saudi Personal Data Protection Law (PDPL), Royal Decree No. M/19 dated 9/2/1443H, and its Implementing Regulations. It describes how we collect, use, store, and protect your personal data, and explains the rights available to you. 

 

1. Who We Are — Controller Identity 

For the purposes of the Saudi PDPL, the Data Controller responsible for your personal data is: 

 

Company Name 

Legal Tracks 

Registered Address 

IBDAA Tower, Seventh Floor, King Fahd Street, Riyadh City, Kingdom of Saudi Arabia 

Privacy Contact 

[email protected] 

Website 

www.legaltracks.sa 

 

Our role: We act as Data Controller when we determine the purposes and means of processing your personal data. Where we process data on behalf of a business client, we act as Data Processor under their documented instructions. 

 

2. Scope and Application 

This Notice applies to personal data collected and processed by Legal Tracks through: 

  • Our website at www.legaltracks.sa 

  • Direct interactions, enquiries, and communications 

  • Our legal and compliance services 

  • Recruitment and employment processes 

 

This Notice does not apply to third-party websites or services linked from our platforms. 

 

3. What Is Personal Data 

Personal Data means any data — regardless of its source or form — that leads to identifying a natural person, or makes it possible to identify them, directly or indirectly. This includes name, identification number, contact details, location data, online identifiers, and any characteristics specific to that person's physical, psychological, economic, cultural, or social identity (Saudi PDPL, Art. 1). 

Sensitive Personal Data includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. Such data is subject to stricter controls under the PDPL. 

 

4. Categories of Personal Data and Retention Criteria 

In accordance with PDPL Article 17, we retain Personal Data only for as long as necessary for the stated purposes, or as required by applicable Saudi law. The table below sets out the retention criteria for each data category: 

 

Data Category 

Examples 

Retention Criteria 

Contact and Identity Data 

Name, email, phone, organisation, job title 

Retained for the duration of the professional or contractual relationship and thereafter for the applicable statutory limitation period under Saudi law, or as required by regulatory obligations. 

Technical and Usage Data 

IP address, browser type, pages visited, timestamps 

Retained for a limited period necessary to ensure the security, integrity, and performance of our systems, unless required for investigation, regulatory compliance, or legal proceedings. Following that period, such data is securely deleted or anonymized. 

Communications Data 

Emails, messages, enquiries, support requests 

Retained for the duration necessary to respond to the relevant enquiry or manage the related engagement, and thereafter in accordance with applicable limitation periods and legal obligations. 

Contractual / Transaction Data 

Contract details, invoices, transaction records 

Retained for the duration of the contractual relationship and thereafter in accordance with applicable Saudi commercial and tax recordkeeping requirements, and as necessary to address potential legal or professional liability claims. 

 

Upon expiry of the applicable retention period determined in accordance with the criteria above and any applicable legal or regulatory requirement, Personal Data is securely deleted, destroyed, or irreversibly anonymized using appropriate technical and organizational measures. 

5. How and Why We Use Your Data — Purposes and Legal Bases 

We process Personal Data only where a lawful basis under the Saudi PDPL applies: 

 

Purpose 

Legal Basis (PDPL) 

Respond to enquiries and provide requested services 

Performance of a contract / steps taken at your request 

Operate and secure our website and systems 

Legitimate interest, provided that such interest does not prejudice the rights and interests of the Data Subject 

Comply with legal and regulatory obligations 

Legal obligation 

Send service-related communications 

Performance of contract / consent 

Marketing and promotional communications 

Consent (opt-in) — you may withdraw at any time 

Analytics and service improvement 

Legitimate interest 

Auditing, dispute resolution, and legal claims 

Legal obligation / legitimate interest 

 

Withdrawing consent: Where processing is based on consent, you may withdraw it at any time by contacting [email protected]. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. 

 

6. Your Rights as a Data Subject 

Under the Saudi PDPL and its Implementing Regulations, you have the following rights: 

 

Right to Access: Request confirmation of whether we process your personal data and obtain a copy of it. 

Right to Correction: Request correction of inaccurate or incomplete data we hold about you. 

Right to Deletion / Destruction: Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where the legal basis no longer applies, subject to applicable retention obligations. 

Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. 

Right to Object: Object to processing in cases permitted under the PDPL and its Implementing Regulations, including direct marketing 

Right to Data Portability: Request your data in a structured, commonly used format where technically feasible and applicable under PDPL. 

Right to Lodge a Complaint: Lodge a complaint with the Saudi Data and AI Authority (SDAIA) / National Data Management Office (NDMO) at sdaia.gov.sa if you believe your rights have been violated. 

 

How to Exercise Your Rights 

Submit your request in writing to: [email protected] 

We will respond within 30 days of receipt. We may require identity verification before processing your request. 

 

7. How We Protect Your Data — Security Measures 

We implement appropriate technical and organizational measures to protect Personal Data against unauthorised access, loss, misuse, alteration, or disclosure, in accordance with PDPL Article 19. 

 

Technical Controls: 

  • Encryption of personal data in transit (TLS/HTTPS) and at rest where applicable 

  • Role-based access controls and least-privilege permissions 

  • Security monitoring, logging, and audit trails 

  • Vulnerability assessments and penetration testing 

 

Organizational Controls: 

  • Internal data protection policies and procedures 

  • Staff training and awareness on data protection obligations 

  • Data Processing Agreements (DPAs) with all third-party processors 

  • Incident response and data breach notification procedures 

 

Data Breach Notification: “In the event of a personal data breach that may cause damage to Personal Data or to Data Subjects, we will notify the competent authority within the timeframe prescribed by the PDPL and its Implementing Regulations. Affected individuals will be notified where required by law. To report a suspected breach: [email protected]. 

 

8. Where We Store Your Data 

Personal Data is primarily stored and processed within the Kingdom of Saudi Arabia. Where limited cross-border processing or storage is required for technical, security, or service continuity purposes, such transfers are conducted in accordance with Article 29 of the PDPL and its Implementing Regulations, with appropriate safeguards applied. 

 

Location 

Purpose 

Status 

Kingdom of Saudi Arabia 

Primary hosting and all data processing 

Data remains within the Kingdom — no international transfer 

 

Should any future international transfer become necessary, it will be conducted strictly in accordance with PDPL Article 29 and the Implementing Regulations, with appropriate safeguards applied. 

 

9. Third Parties Who Process Your Data 

We may share Personal Data with trusted service providers supporting our operations (such as hosting, security, and analytics providers), professional advisers where necessary, or where required by applicable law. 

We require all external processors to operate under appropriate Data Processing Agreements and safeguards consistent with the requirements of the Saudi PDPL. 

We do not sell personal data to third parties. 

 

10. Cookies 

We may use cookies to operate the website, remember your preferences, and analyse usage. You can manage or delete cookies through your browser settings. 

Blocking certain cookies may affect website functionality. Third-party cookies are governed by the relevant third party's own privacy policy. 

For questions about our cookie practices, contact us at [email protected]. 

 

11. Children's Data 

Our services are directed at business users and are not intended for children. We do not knowingly collect Personal Data from individuals under 18 years of age. If you believe we have inadvertently collected data from a minor, please contact us at [email protected] and we will delete it promptly. 

 

12. Updates to This Notice 

We may update this Notice from time to time to reflect changes in our practices or applicable law. The current version is always available at www.legaltracks.sa/privacy. 

We will notify you of material changes by email or by posting a notice on our website. 

Version: 1.0  |  Last updated: 25 February 2026