Privacy Policy
This policy explains how Tawthiq collects, uses, stores, discloses, retains, and deletes personal data, and how data subjects may exercise their rights, in line with the Saudi Personal Data Protection Law and its Executive Regulations.
It applies to our website and related digital services available at https://Tawthiqs.app, together with any connected channels we use to deliver the service, support users, or communicate with them.
Tawthiq is a SaaS product for creating privacy policies, cookie policies, and terms of service aligned with the Saudi PDPL.
Controller identity and contact details
Tawthiq acts as the controller for the personal data covered by this policy where we determine the purposes and means of processing.
- Entity name: Tawthiq
- Privacy and rights contact: contact@tawthiqs.app
Personal data we may collect
We collect and process the personal data required to deliver the service, operate it, and comply with applicable legal requirements, limited to what is necessary for the relevant relationship and use case.
- Account and core identity data, such as names, account identifiers, and the data needed to create and manage an account.
- Contact data, such as email addresses.
- Billing, payment, and subscription data to the extent needed to manage financial consideration and related service obligations.
- Workspace, site, and document input data that you provide when configuring a site, answering questionnaires, generating documents, publishing public links, or requesting support.
- Technical and security data, such as log data, device or browser information, IP address, session data, and records needed to protect accounts and operate the service.
How we collect your personal data
1. Direct collection
- Directly from you when creating an account, completing forms, entering into a contract, making a payment, requesting support, or contacting us.
- From the user or account administrator when configuring accounts, permissions, or workspaces inside the service.
2. Indirect collection
- From account administrators or workspace members who add users, configure permissions, or enter business and site details into the service.
- From billing, payment, hosting, infrastructure, and security providers where that information is needed to operate the service, process subscriptions, prevent abuse, or maintain records.
Whether providing data is mandatory or optional
- Some data is mandatory so that we can create accounts, perform the contract, deliver the service, or comply with legal requirements. If it is not provided, all or part of the service may not be available.
Cookies and similar technologies
- We do not use cookies or similar technologies except to the limited technical extent needed to operate or stabilise the service where the actual operating setup requires that. If this changes materially, this policy will be updated.
Direct marketing and non-essential messages
- We do not use personal data for direct marketing unless that changes in the future. If it does, this policy will be updated and the relevant legal requirements will be met before that processing starts.
Processing activities and legal bases
Below we set out the main processing activities, linking each activity to its purpose, related data categories, and legal basis.
- Purpose: Creating accounts, delivering the core service, and managing the relationship with the user or customer.
  - Related data categories: account data, contact data, billing and subscription data.
  - Legal basis: Performance of an agreement to which the data subject is a party, or taking steps requested by the data subject before entering into that agreement.
  - Provision status: Providing this data is mandatory to the extent necessary for the stated purpose or the related legal requirement.
  - Potential disclosure or access recipients: Hosting and infrastructure providers; payment providers such as Paddle where relevant.
  - Retention rule: For the duration of the account, then 30 days after account closure, unless a longer period is required by law, dispute handling, backup limits, or security needs.
- Purpose: Handling subscriptions, billing, payments, and evidence of financial operations related to the service.
  - Related data categories: billing and subscription data.
  - Legal basis: Performance of an agreement to which the data subject is a party, or taking steps requested by the data subject before entering into that agreement.
  - Provision status: Providing this data is mandatory to the extent necessary for the stated purpose or the related legal requirement.
  - Potential disclosure or access recipients: Payment providers such as Paddle.
  - Retention rule: For the duration of the subscription, then for the applicable statutory accounting period.
- Purpose: Generating, reviewing, editing, publishing, hosting, or downloading privacy policies, cookie policies, and terms of service based on customer inputs.
  - Related data categories: workspace, site, document input, contact, account, and publication data.
  - Legal basis: Performance of an agreement to which the data subject is a party, or taking steps requested by the data subject before entering into that agreement.
  - Provision status: Providing this data is mandatory where it is needed to generate, host, publish, or support the requested document.
  - Potential disclosure or access recipients: Hosting, infrastructure, support, and document-processing providers acting on our behalf where needed to operate the service.
  - Retention rule: For the duration of the account or workspace, then according to the retention rules and deletion process stated below.
- Purpose: Securing the service, preventing abuse, maintaining logs, resolving incidents, and protecting accounts and systems.
  - Related data categories: technical, security, account, contact, and usage data.
  - Legal basis: Legitimate operational and security needs recognised by applicable law, compliance with legal obligations, and performance of the service agreement where relevant.
  - Provision status: Some technical and security data is necessary to use the service safely and reliably.
  - Potential disclosure or access recipients: Hosting, infrastructure, security, monitoring, and support providers.
  - Retention rule: Kept only for the period reasonably needed for security, troubleshooting, legal, or operational purposes, then deleted or anonymised where appropriate.
We do not later process personal data in a way that conflicts with the purpose for which it was collected unless a valid legal basis exists and the relevant legal requirements are met.
Disclosure of personal data
Access to personal data inside the organisation is limited to those who need it. We may disclose personal data, or permit access to it, only within the limits allowed by law, for the stated purpose, and on a minimum-necessary basis.
- Service providers or processors acting on our behalf for hosting, operations, support, payment, maintenance, or similar service-delivery needs, subject to the required contractual and legal controls.
- Payment and billing providers to the extent necessary to complete, verify, and process financial transactions.
- Payment providers that may be used under the current product setup, such as Paddle.
Controller and processor role allocation
Our role can vary depending on the dataset and the legal or contractual relationship that applies to it.
1. Situations where we act as controller
- We act as controller for the personal data that we collect directly to operate the site, application, accounts, billing, communications, support, security, or compliance.
2. Situations where we may act as processor
- Where a customer enters business information, site details, or document content relating to its own users, customers, or personnel, we may process that information on the customer’s behalf to provide the requested document-generation, hosting, publishing, or support functions.
- In those cases, the customer remains responsible for the accuracy of the inputs, the lawful basis for providing them to the service, and the published document or notice that results from them.
3. Routing of requests by role
- Rights requests or complaints relating to data that we control directly should be sent to us through the privacy or complaint channels stated in this policy.
- Requests relating to data controlled by one of our customers may need to be directed to that customer, and we may route or handle the request according to the applicable contract and legal role.
Storage, hosting, and transfers outside the Kingdom
Some processing, support, hosting, or enabling services may require personal data to be transferred outside the Kingdom of Saudi Arabia or disclosed to a party outside the Kingdom, but only where a valid legal basis, adequate safeguards, and a minimum-necessary scope are in place under the applicable legal requirements.
- Destination or region: European Union
  - Purpose of the transfer or external access: Hosting, infrastructure operations, servers, and backups.
  - Data categories affected: account data, contact data, billing and subscription data.
  - Recipient or access-party type: A service provider, infrastructure provider, or specialist support provider outside the Kingdom whose access is limited to what is necessary to operate the service.
  - Legal basis for transfer or disclosure: Where the transfer or external access is necessary to deliver the service, perform a contractual commitment, or operate essential supporting infrastructure, subject to the applicable PDPL transfer conditions and safeguards.
  - Applicable safeguards or controls: Applying adequate measures to preserve the confidentiality of personal data.
  - Frequency: Continuous as part of service operation.
  - Includes remote access from outside the Kingdom: Yes.
- Destination or region: European Union
  - Purpose of the transfer or external access: Processing payments, subscriptions, and billing related to the service.
  - Data categories affected: billing and subscription data, contact data, account data.
  - Recipient or access-party type: A service provider, infrastructure provider, or specialist support provider outside the Kingdom whose access is limited to what is necessary to operate the service.
  - Legal basis for transfer or disclosure: Where the transfer or external access is necessary to deliver the service, perform a contractual commitment, or operate essential supporting infrastructure, subject to the applicable PDPL transfer conditions and safeguards.
  - Applicable safeguards or controls: Applying adequate measures to preserve the confidentiality of personal data.
  - Frequency: Continuous as part of service operation.
  - Includes remote access from outside the Kingdom: Yes.
Retention and deletion of personal data
We retain personal data according to defined categories or scenarios, in a way that is proportionate to the purpose of collection and processing and to the legal, contractual, rights-related, or dispute-related obligations attached to it.
- Account, identity, and contact data: For the duration of the account, then 30 days after account closure, unless a longer period is required by law, dispute handling, backup limits, or security needs.
  - Reason for retention: Operating accounts, delivering the service, and managing related obligations.
- Billing, payment, and subscription data: For the duration of the subscription, then for the applicable statutory accounting period.
  - Reason for retention: Managing financial consideration and evidencing transactions and related financial or legal obligations.
- Workspace, site, and document input data: For the duration of the related account or workspace, then according to the account closure, deletion, backup, legal, and dispute limits that apply to the service.
  - Reason for retention: Generating, reviewing, publishing, hosting, supporting, and evidencing customer-requested documents.
- Technical, security, and log data: For the period reasonably needed for security, troubleshooting, legal, or operational purposes.
  - Reason for retention: Protecting accounts, investigating abuse or incidents, maintaining service reliability, and meeting legal or contractual obligations.
When the purpose ends or the relevant legal retention period expires, we apply appropriate deletion or anonymisation measures for each category, including what is required for backups within the applicable legal limits.
- Data is deleted from active systems once the applicable retention period or purpose ends, subject to backup, legal, security, and dispute-handling limits.
Protection of personal data
We apply appropriate organisational, administrative, and technical measures to protect personal data against loss, damage, unauthorised access, misuse, alteration, or unauthorised disclosure, in a manner proportionate to the nature of the data and the risks of processing.
- Encryption of data in transit and, where appropriate, within the relevant environments.
Notification of personal data breaches
- If a personal data breach occurs and there is a risk of harm to the data or the data subject, we notify the Saudi Data and AI Authority (SDAIA) within no more than 72 hours of becoming aware of the incident, and we complete any missing details as soon as reasonably possible where needed.
- If the incident could cause harm to the data subject or conflict with the data subject’s rights or interests, we notify the affected data subject without undue delay in clear language that explains the potential risks, the measures taken, and the relevant contact channel.
- The incident contact channel for Tawthiq is contact@tawthiqs.app.
Children’s data
- The service is not ordinarily directed at children, and we do not knowingly collect their personal data as part of normal use. If we learn that this happened unintentionally, we will take the appropriate action under the law and the circumstances.
Rights of the personal data subject
Under the Law and the Executive Regulations, the personal data subject may have the following rights, depending on the circumstances:
- The right to know how personal data is collected, the legal basis relied on, and the purposes of processing.
- The right to access the personal data we hold and review it.
- The right to request a clear and readable copy of personal data where technically feasible.
- The right to request correction, completion, or updating of personal data.
- The right to request deletion of personal data that is no longer needed, within the limits allowed by law.
- The right to withdraw consent where processing relies on consent, without affecting prior lawful processing or any other valid legal basis.
The exercise of these rights remains subject to the legal conditions, limitations, and exceptions that may apply, especially where third-party rights, legal obligations, judicial requirements, or security considerations are involved.
How to exercise your rights
Requests to exercise rights, or inquiries related to this policy or personal data processing, may be submitted through the following channels:
- Privacy requests email: contact@tawthiqs.app
We may request additional information or documents to verify identity, authority, or the scope of the request before acting on it, in order to protect personal data and prevent unauthorised disclosure.
Target period for complete rights requests: 30 days.
Complaints and objections
If you have a complaint or objection about how we handle personal data, you may first contact us through contact@tawthiqs.app, and we will review and handle the complaint under our internal procedures and the applicable legal requirements.
Target period for complete complaints: 30 days.
If you are not satisfied with the outcome, or if you have a legal right to escalate, you may submit a complaint to the Saudi Data and AI Authority (SDAIA). The current Saudi supervisory operating context also references the National Data Management Office (NDMO).
Legal references and official sources
- Saudi Personal Data Protection Law
- Executive Regulations of the Personal Data Protection Law
- Guide to Preparing and Developing a Privacy Policy
Updates to this policy
We may update this policy to reflect legal, operational, or technical changes.
Recorded update date: 22 April 2026