Privacy Policy


Privacy Policy — Public Extended Version (PDPL-Compliant)

Entity: Tharwah Human Capital Company (“Tharwah”/“we”)
Effective Date: 21 September 2025
Last Updated: 21 September 2025

This is a publication-ready version — detailed and clear. We kept a friendly tone and plain explanations, while adding details needed by compliance and audit teams, in line with Saudi Arabia’s PDPL, its implementing regulations, and SDAIA guidance.

Introduction, Scope, and Our Commitment

We wrote this policy so you can simply understand what happens to your personal data when you deal with Tharwah—what we collect, why, how we protect it, and what rights you can exercise.

This policy applies to all our channels and services operated inside or outside the Kingdom of Saudi Arabia when we act as the controller. We are committed to PDPL principles: necessity and proportionality, transparency, accuracy, storage limitation, security, and accountability. This is how we work—from feature design, to choosing a provider, to onboarding a new employee. We review and improve our practices regularly and document them to demonstrate compliance.

What Data We Collect and Why (Purposes & Legal Bases)

When you contact us or use our services, we may need some of your information, but we always ask internally: do we really need it? If yes, we collect only the minimum necessary.

Typically: name and contact details (email and mobile), and address if needed; professional information (employer and job title) when you interact with us as a company or apply for a job; and, during service delivery, transaction records such as orders, contracts, invoicing, and payments—only what the process requires.

Technically, general usage data (IP address, device/browser type, session identifiers, cookies and similar technologies) may pass through our systems to keep the website running smoothly and improve performance without collecting unnecessary detail.

Sometimes more sensitive data (e.g., biometric/health data) may be involved. We only process it under strict controls with a clear legal basis, after risk assessment, with restricted access and additional measures such as encryption and rigorous oversight.

Sources are: you directly via forms/messages; your representative; licensed third parties providing necessary data (e.g., identity verification or payment processing); or publicly available sources within legal limits.

Why we process: to provide services and perform contracts; communicate about your requests and updates; comply with legal and supervisory obligations (accounting, taxes, anti-fraud); improve quality and user experience via general, non-intrusive analytics; and direct marketing with your consent with an easy opt-out.

Each purpose has a legal basis: explicit consent (withdrawable), performance of a contract you requested, legal obligation/public interest, legitimate interest (balanced against your rights), or reliance on publicly available data within its limits.

If a new purpose is incompatible with the original, we pause, inform you, and seek your consent when required—no exceptions.

How We Handle Your Data (Security, Cookies, Design, and Retention)

Protection by design: we ask what data is necessary, whether it can be tokenized or anonymized, and who really needs access. We implement least-privilege access controls, MFA at sensitive points, audit logs, encryption in transit (TLS) and at rest where needed, proactive monitoring and alerts, and regular security testing.

Cookies: used to operate the site (sign-in, session security), remember preferences (language, display), and for general performance measurement. Analytics are aggregated and non-intrusive. Marketing cookies run only with your consent and can be withdrawn with one click. Refusing non-essential cookies will not block access to core services.

Retention: we keep data for the shortest time necessary to achieve the purpose or meet legal/contractual obligations, then delete or de-identify it. Example guidance: support tickets up to 24 months; security logs up to 12 months; contracting/billing documents per applicable regulations. We may extend retention for disputes or legal obligations only as necessary and document decisions for periodic review.

Automated decisions: we do not allow algorithms to make decisions that materially affect you without human oversight. Where automated processing may have a significant impact, we provide human review, a right to object, and plain-language explanations of the general logic.

Children and those lacking capacity: we do not target them with our services. If we inadvertently receive a child’s data, we secure and delete it unless the law requires otherwise, applying special care when relying on a guardian’s consent.

Sharing with Others, International Transfers, and Service Providers

We do not sell your data. Delivering modern services involves specialized parties: cloud hosting, payment gateways, email/notification tools, and advanced support. Before engaging any party, we conduct compliance and security assessments and sign a Data Processing Agreement specifying purpose, data nature, processing/storage locations, sub-processors (if any), security instructions, audit rights, confidentiality, and return/destruction mechanisms. We review performance and compliance periodically and reserve the right to terminate on breach.

We may also share data with official/regulatory bodies when required by law, after verifying the legality and scope of the request. International transfers outside the Kingdom occur only when necessary and with appropriate safeguards: adequacy of the destination, approved safeguards (binding contractual clauses, binding corporate rules, trusted certifications), additional security (encryption and restricted access), and, for recurring/sensitive cases, a transfer risk assessment.

Your Rights and How to Exercise Them — Step by Step

Your basic rights: access to your data and a copy in a reasonable format; correction of errors or completion of missing data; destruction in the cases provided by law; withdrawal of consent where consent is the legal basis; objection to, or restriction of, certain processing where applicable; and submission of a complaint to the competent authority. We encourage you to start with us for faster resolution.

How to exercise: email privacy@tharwah.net and simply state what you need (e.g., “I want a copy of my account data,” “Please correct my phone number,” “Delete my records from Service X”). We will acknowledge receipt, provide a tracking number, and agree on a secure channel for any ID verification. We handle requests seriously and within reasonable timeframes; if complex or multiple requests arrive, we will let you know early if we need an extension and why. No need to use legal terms—describe your need in your own words and we will map it to the correct legal framework.

Marketing emails always include a working “unsubscribe” link, and you can email us to be removed from all lists. If you receive a message that looks like it comes from us but you are not sure it does, forward it to us for verification and guidance—security is a shared responsibility.

Retention Period

We retain data for the shortest period necessary to achieve the purposes or as required by law. When no longer needed, we delete or de-identify it irreversibly. We may retain for longer where there is a legal obligation or ongoing dispute, and securely destroy the data once the reason ends.

Your Rights under the PDPL

You have the following rights (with proper identity verification):

  • Access/obtain a copy of your data.

  • Rectify/update inaccurate or incomplete data.

  • Destroy/delete data in the cases provided by law.

  • Withdraw consent where consent is the legal basis.

  • Object to/restrict certain processing where applicable.

  • Complain to the competent authority—while we prefer you contact us first for a quick, amicable solution.

How to exercise your rights: email privacy@tharwah.net with your request. We aim to respond within 30 days (additional time may be needed, with notice, in complex cases or where multiple requests are received).

Security Incidents, Changes, and How to Contact Us

We prepare for the worst so it does not happen—and if it does, we minimize its impact. Our incident response plan covers rapid containment, root-cause analysis, mitigation (patching, key rotation, strengthening controls), and structured notification: notifying the competent authority where appropriate, and affected individuals without undue delay when their rights may be impacted—with clear guidance (e.g., change password or enable MFA). After each incident, we review, learn, and update our procedures to prevent recurrence.

This policy may change when laws or our ways of working change. We will update the “Last Updated” date above and highlight any material changes through appropriate channels before they take effect where required. If any sentence is unclear, or you want a print-ready copy or a different language, let us know.

Contact:
Data Protection Section — Tharwah
Email: privacy@tharwah.net
Address: Riyadh, Kingdom of Saudi Arabia (Attn: Data Protection Officer)

In closing: privacy is not just a document you sign, but an experience you live with us confidently. If you feel we can explain something more simply or protect something better, contact us—we are here for you.