Privacy Policy & Data Protection

Last Updated: July 2025 | Version 2.1

Designed to comply with: GDPR, ISO 27001, Saudi Data Protection Law, NCA Regulations

ISO 27001:2013 Information Security Management | GDPR Compliance Framework | Saudi Data Protection Law (PDPL) | NCA Cybersecurity Framework | SOC 2 Type II (planned)

Datalake ('we', 'our', 'us', or 'Datalake') is committed to protecting your privacy and ensuring the security of your personal data in accordance with international standards and Saudi Arabian regulations. This comprehensive Privacy Policy outlines our data protection practices, your rights, and our commitment to compliance with ISO 27001, GDPR, and the Saudi Data Protection Law.

1. Legal Framework & Compliance

We operate in compliance with: European General Data Protection Regulation (GDPR), Saudi Personal Data Protection Law (PDPL), ISO 27001 Information Security Management System, National Cybersecurity Authority (NCA) regulations, and other applicable data protection laws. Our data processing activities are conducted under legal bases including consent, contractual necessity, legal obligations, and legitimate interests.

2. Data Controller Information

Datalake is the data controller responsible for processing your personal data. Our registered address is in Saudi Arabia, and we maintain appropriate data protection officer (DPO) oversight. For data protection inquiries, contact our DPO at dpo@datalake.sa.

3. Categories of Personal Data We Process

We process: Identity data (name, ID numbers), Contact data (email, phone, address), Professional data (employment history, qualifications), Technical data (IP addresses, device information), Usage data (website interactions, preferences), and Special categories (where legally permitted and with explicit consent).

4. Legal Basis for Processing

We process personal data based on: Consent (freely given, specific, informed), Contract performance, Legal obligations, Legitimate interests (balanced against your rights), and Public interest (where applicable). We maintain records of processing activities as required by law.

5. Data Processing Purposes

We process data for: Service provision and delivery, Customer relationship management, Legal compliance and regulatory reporting, Security and fraud prevention, Business analytics and improvement, Marketing communications (with consent), and Employment processing.

6. Data Retention & Disposal

We retain personal data only for the period necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce agreements. Data is securely disposed of using certified deletion methods when no longer required.

7. Data Security Measures (ISO 27001)

We implement comprehensive security measures including: Encryption at rest and in transit, Access controls and authentication, Regular security assessments, Incident response procedures, Employee training, Physical security controls, and Continuous monitoring and logging.

8. International Data Transfers

When transferring data internationally, we ensure adequate protection through: Standard Contractual Clauses (SCCs), Adequacy decisions, Binding Corporate Rules (BCRs), and other approved transfer mechanisms. We maintain records of all international transfers.

9. Third-Party Processors

We engage third-party processors under strict data processing agreements that include: Security requirements, Confidentiality obligations, Sub-processor restrictions, Audit rights, and Breach notification procedures. All processors are vetted for compliance.

10. Your Data Protection Rights

You have the right to: Access your personal data, Rectify inaccurate data, Erase data (right to be forgotten), Restrict processing, Data portability, Object to processing, Withdraw consent, and Lodge complaints with supervisory authorities.

11. Automated Decision Making

Where we use automated decision-making or profiling, we provide: Meaningful information about the logic involved, Significance and envisaged consequences, and the right to request human intervention, express your point of view, and contest the decision.

12. Data Breach Procedures

In the event of a data breach, we follow strict procedures: Immediate assessment and containment, Notification to supervisory authorities within 72 hours, Communication to affected individuals where required, Documentation and investigation, and Remedial action implementation.

13. Children's Privacy

We do not knowingly collect personal data from children under 16 without parental consent. If we become aware of such collection, we will take immediate steps to delete the information and obtain proper consent.

14. Website Data Collection

Our website collects minimal technical data necessary for functionality: IP addresses for security and load balancing, session data for language preferences, and basic analytics for website performance. We do not use tracking cookies or third-party analytics without explicit consent.

15. Policy Updates & Notification

We may update this policy to reflect legal changes, operational requirements, or improved practices. Material changes will be communicated through: Website notifications, Email communications, and Updated effective dates. Continued use constitutes acceptance of changes.

16. Contact Information & Complaints

For privacy inquiries: Email: privacy@datalake.sa, DPO: dpo@datalake.sa, Legal: legal@datalake.sa. You may lodge complaints with: Saudi Data Protection Authority, European Data Protection Authorities (if applicable), or other relevant supervisory authorities.

Policy Document - Legal Review Required