Table of Contents

  1. Data Controller Identity
  2. Supervisory Authority
  3. Scope of This Policy
  4. Legal Basis for Processing
  5. Data We Collect
  6. Purposes of Processing
  7. Consent
  8. Data Subject Rights
  9. Data Retention
  10. Data Security
  11. Data Breach Notification
  12. Data Sharing
  13. Cross-Border Data Transfers
  14. Cookies & Tracking
  15. Children's Data
  16. Data Protection Officer
  17. Policy Changes
  18. Complaints

1. Data Controller Identity

XiKey ("we", "us", "the Company") is the data controller responsible for processing your personal data in accordance with the Personal Data Protection Law (PDPL) issued by Royal Decree No. M/19, dated 9/2/1443H, and its Implementing Regulations.

Controller: XiKey

Address: King Road Tower, Jeddah, Kingdom of Saudi Arabia

Email: [email protected]

Commercial Registration: Jeddah, Kingdom of Saudi Arabia

2. Supervisory Authority

The competent authority supervising the enforcement of the Personal Data Protection Law is the Saudi Data & Artificial Intelligence Authority (SDAIA), pursuant to Council of Ministers Resolution No. 292.

Supervisory Authority: Saudi Data & Artificial Intelligence Authority (SDAIA)

Website: sdaia.gov.sa

National Platform: dgp.sdaia.gov.sa

3. Scope of This Policy

This policy applies to all personal data processed through:

  • The XiKey website (xikey.com)
  • XiKey Point of Sale (POS) system
  • Inventory Management system
  • Accounting and Financial Reporting system
  • Branch Manager system
  • Licensing and technical support services
  • ZATCA/Fatoorah integration services

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 5 of the PDPL:

  • Consent: When you voluntarily provide your information via contact forms or free trial requests
  • Contractual Necessity: To provide licensing, technical support, and update services
  • Legal Obligation: Compliance with ZATCA e-invoicing requirements and tax obligations
  • Legitimate Interest: Improving our services and ensuring system security (does not apply to sensitive data)

5. Personal Data We Collect

We collect only the data necessary to achieve specified processing purposes (data minimization principle):

a) Website Data

  • Contact information: Name, email, phone number, company name
  • Language and browsing preferences
  • Cookie data (with your consent)

b) XiKey System Data (Stored Locally)

  • Employee data: Name, ID number, employment information
  • Customer data: Name, contact information, purchase history
  • Transaction data: Invoices, payments, returns
  • Financial data: Journal entries, financial reports

Important Note: XiKey operates on-premise. Your business data is stored exclusively on your own servers within the Kingdom of Saudi Arabia. We do not transfer or store transaction, customer, or employee data on our servers.

c) Licensing Data

  • Activation keys and licensed device information
  • License verification logs

6. Purposes of Processing

We process your personal data for the following purposes only:

  • Providing and operating XiKey system services
  • Managing software licenses and activation
  • Providing technical support and troubleshooting
  • Sending product updates and security notifications
  • Compliance with ZATCA e-invoicing requirements
  • Compliance with legal and regulatory requirements in the Kingdom
  • Improving our services and products (aggregated data only)

7. Consent

In accordance with Article 6 of the PDPL, we obtain your explicit consent before:

  • Collecting your personal data via website forms
  • Sending marketing or promotional messages
  • Using non-essential cookies

You have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, contact us at [email protected].

8. Data Subject Rights

Under Articles 4 and 14-19 of the PDPL, you have the right to:

Right to Be Informed

To be informed of our identity, processing purposes, legal basis, retention period, and your rights before data collection

Right of Access

To request a copy of your personal data in a readable format

Right to Rectification

To request correction or updating of inaccurate or incomplete data

Right to Deletion

To request deletion of your data when no longer necessary or upon consent withdrawal

Right to Restriction

To request restriction of processing during dispute resolution

Right to Withdraw Consent

To withdraw your consent at any time through available channels

Right to Refuse Marketing

To refuse receiving direct marketing materials

Right to Complain

To file a complaint with SDAIA within 90 days of discovering a violation

Right to Compensation

To claim compensation for damages resulting from PDPL violations before competent courts

To exercise any of your rights, please contact our Data Protection Officer at: [email protected]. We will respond to your request within 30 days.

9. Data Retention

We retain your personal data only for the period necessary to achieve processing purposes or as required by law:

Data Type          | Retention Period          | Basis
Contact form data  | 12 months                 | Business purpose
License data       | License duration + 1 year | Contract performance
E-Invoices (ZATCA) | 6 years                   | Legal obligation (ZATCA regulations)
Support records    | 3 years                   | Legitimate interest
Financial records  | 7 years                   | Legal obligation (Tax regulations)

10. Data Security

We implement the necessary organizational, administrative, and technical measures to protect your personal data, in accordance with the National Cybersecurity Authority (NCA) controls:

  • SSL/TLS encryption for all communications
  • Data encryption at rest and in transit
  • Multi-level Role-Based Access Control (RBAC)
  • Complete audit trail for all operations
  • Automatic encrypted backups
  • Protection against unauthorized access
  • Regular security review of systems

11. Data Breach Notification

In the event of a personal data breach posing a risk to your rights and freedoms, we commit to the following under Article 20 of the PDPL:

  • Notify SDAIA: Within 72 hours of discovering the breach
  • Notify Affected Individuals: Within 72 hours in clear, simple language including breach description, risks, and protection measures
  • Documentation: Document breach reports, corrective actions, and supporting evidence

12. Data Sharing with Third Parties

We do not sell your personal data. We share data only in the following cases, ensuring third parties maintain equivalent protection levels:

  • ZATCA/Fatoorah platform: Submitting e-invoice data as required by regulations
  • Authorized support partners: With your prior consent and a written contract binding them to data protection
  • Government authorities: When there is a legal obligation or court order

13. Cross-Border Data Transfers

In accordance with Article 29 of the PDPL and the Regulation on Personal Data Transfer Outside the Kingdom:

  • XiKey operates on-premise and does not transfer business data outside the Kingdom
  • If any cross-border transfer is needed, we ensure adequate protection as assessed by SDAIA
  • We commit to using SDAIA-approved standard contractual clauses when necessary

14. Cookies & Tracking Technologies

Our website uses the following types of cookies:

  • Essential: Language preferences and browsing session (no consent required)
  • Functional: Display mode (dark/light) and interface preferences

We do not use marketing or third-party tracking cookies. We do not use Google Analytics or any external tracking tools.

15. Children's Data

XiKey is a business system designed for companies and institutions. We do not knowingly collect personal data from individuals under 18 years of age. If we discover that data of a child has been collected without parental consent, we will delete it immediately.

16. Data Protection Officer (DPO)

XiKey has appointed a Data Protection Officer in accordance with PDPL requirements. You can contact the DPO regarding any inquiries or requests related to your personal data:

Data Protection Officer

Email: [email protected]

Address: King Road Tower, Jeddah, Kingdom of Saudi Arabia

17. Policy Changes

We may update this policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes via email or a prominent notice on our website. The date of the last update is stated at the top of this page.

18. Complaints

If you are not satisfied with how we handle your personal data, you can:

  1. Contact our DPO at [email protected]
  2. File a complaint with SDAIA within 90 days of discovering a violation via the National Data Governance Platform: dgp.sdaia.gov.sa
  3. File a compensation claim before the competent courts in Jeddah

Regulatory References

  • Personal Data Protection Law - Royal Decree No. M/19, dated 9/2/1443H
  • Implementing Regulations of the PDPL
  • Regulation on Personal Data Transfer Outside the Kingdom (2025)
  • AI Ethics Principles - SDAIA (2023)
  • AI Adoption Framework - SDAIA (2025)