Legal
Privacy Notice
Last updated: 18 May 2026
Who We Are
Profectus (profectus.sa) is a KSA AI governance advisory operating under Saudi law. We provide structured AI governance engagements to Saudi private sector organisations.
What We Collect
Contact name, company name, role, email address, and questionnaire responses submitted via the scorecard or contact form. We do not collect any other personal data.
How We Use It
To respond to enquiries, generate your scorecard report, and — only with your explicit consent — to contact you about our services. We do not sell, licence, or share personal data with third parties for their own purposes.
Legal Basis
Processing is based on Article 6(4) of the Executive Regulations of the Personal Data Protection Law (PDPL): data collected directly from the individual for a purpose they have initiated. Marketing communications require explicit consent, which you may withdraw at any time by emailing privacy@profectus.sa.
Sub-Processors
We use the following third-party processors. All personal data transferred outside Saudi Arabia is governed by Standard Contractual Clauses in the form approved by SDAIA.
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting & serverless compute | USA |
| Make.com (Celonis SE) | Workflow automation & notifications | Czech Republic |
| HubSpot Inc. | CRM & contact management | USA |
| Cloudflare Inc. | CDN, DNS, bot protection, CAPTCHA | USA |
Where AI-assisted portal features are active, additional processors apply:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic PBC | AI model inference | USA |
| Supabase Inc. | Database & authentication | USA |
| Clerk Inc. | User identity management | USA |
Retention
| Data Category | Period | Basis |
|---|---|---|
| Contact enquiries | 12 months | Legitimate interest |
| Scorecard responses | 30 days | Purpose fulfilment |
| Engagement records | 5 years | ZATCA — statutory minimum |
| Invoice data | 5 years | ZATCA Article 66 |
| Security logs | 30 days | Operational necessity |
| Marketing consent records | 3 years or until withdrawn | PDPL consent accountability |
Your Rights
Under PDPL Articles 4–8 and the Executive Regulations, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion
- Object to processing
- Data portability — receive your data in a machine-readable format
We will respond within 30 days. To exercise any right, contact privacy@profectus.sa. If you are dissatisfied with our response, you may lodge a complaint with SDAIA via the National Data Governance Platform at ndgp.sdaia.gov.sa.
No Cookies
This website does not use cookies or tracking scripts of any kind. No analytics platform is installed. No consent banner is required.
Changes to This Notice
We may update this notice periodically. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated by email where we hold your address.
Privacy Contact
For any privacy-related request, enquiry, or complaint, please contact: privacy@profectus.sa