Privacy Policy
Learn how we collect, use, and protect your personal information.
Effective Date: 1 March 2026 | Version 1.0
1. Data Controller
Commercial Registration: 1010897398
Registered Address: Riyadh, Kingdom of Saudi Arabia
Email: privacy@impactiveconsulting.com.sa
Website: https://www.impactiveconsulting.com.sa
IMPACTIVE Consulting is the data controller responsible for your personal data processed through our website, consulting services, and AI-powered tools, as defined under the PDPL.
2. Definitions
For the purposes of this Privacy Policy:
- "Personal Data" means any data that identifies or can be used to identify a natural person, directly or indirectly, as defined under the PDPL.
- "Sensitive Data" means personal data revealing racial or ethnic origin, religious or political beliefs, criminal records, biometric or genetic data, health data, or data indicating that one of the parents of the data subject is unknown.
- "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.
- "Data Subject" means the natural person whose personal data is being processed.
- "Nasih" means IMPACTIVE Consulting's AI-powered chatbot that provides general educational financial and business guidance (not regulated financial or investment advice).
- "Client Assistant" means the website live chat or contact functionality enabling direct communication with IMPACTIVE Consulting staff.
- "Agentic AI Processing" means automated processing where the AI system may use tools, access external data sources, maintain persistent memory across sessions, and execute multi-step reasoning chains to fulfill user requests.
3. Scope of This Policy
This Privacy Policy applies to all personal data processed by IMPACTIVE Consulting through:
- The website at impactiveconsulting.com.sa and all its subdomains
- Contact forms and inquiry submissions
- The Client Assistant (live chat) functionality
- The Nasih AI Chatbot
- Career and CV submission portals
- Consulting engagement onboarding and service delivery
- Email communications
- Cookies, analytics, and server logs
- Third-party integrations and embedded content
This policy does not apply to third-party websites linked from our site. We encourage you to review the privacy policies of any third-party services you access through our website.
4. Personal Data We Collect
4.1 Data You Provide Directly
Contact Forms and Inquiries
- Full name
- Email address
- Phone number (if provided)
- Company name and job title (if provided)
- Subject and message content of your inquiry
Client Assistant (Live Chat)
- Name or alias provided during chat
- Email address (if provided for follow-up)
- Chat transcripts and messages exchanged
Nasih AI Chatbot
- Queries and prompts submitted to Nasih
- Conversation history within a session
- Any personal data voluntarily included in your queries (note: you should avoid sharing sensitive personal or financial data with Nasih)
Career and CV Submissions
- Full name, contact details (email, phone)
- Curriculum vitae (CV) / resume content
- Educational qualifications and professional experience
- Cover letter or supplementary documents
- Professional certifications and references (if provided)
Consulting Engagement Data
- Client contact information and authorized representatives
- Business and financial data provided during engagements
- Project-related communications and documents
4.2 Data Collected Automatically
Server Logs and Technical Data
- IP address (anonymized where feasible)
- Browser type and version
- Operating system
- Referring URL and pages visited
- Date, time, and duration of visits
- Device type (desktop, mobile, tablet)
Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For detailed information about the cookies we use, their purposes, and how to manage them, please refer to our separate Cookie Policy.
4.3 Data from Third Parties
We may receive personal data from:
- Business referral partners who refer potential clients to us (with consent)
- Publicly available sources such as commercial registries and professional networking platforms
- Analytics providers (aggregated, non-identifying data)
5. Lawful Basis for Processing
Under the PDPL, we process your personal data based on one or more of the following legal grounds:
6. How We Use Your Personal Data
We process personal data for the following purposes:
Service Delivery
- To respond to your inquiries and provide requested information
- To deliver consulting services under engagement agreements
- To communicate with you regarding projects, proposals, and deliverables
Nasih AI Chatbot Operation
- To process your queries and generate educational financial and business guidance
- To maintain session context for coherent conversation within a single session
- To improve the quality, accuracy, and relevance of Nasih's responses
Recruitment
- To evaluate CV/job applications and manage the recruitment process
- To contact applicants regarding their applications and potential opportunities
- To maintain a talent pool for future positions (with your consent)
Website Operations and Security
- To operate, maintain, and improve our website functionality
- To detect, prevent, and address security threats, fraud, and technical issues
- To analyze website usage patterns (aggregated and anonymized where possible)
Legal and Regulatory Compliance
- To comply with applicable Saudi laws, regulations, and legal processes
- To enforce our terms, policies, and legal agreements
- To protect the rights, property, and safety of IMPACTIVE Consulting, our clients, and the public
7. Nasih AI Chatbot and Automated Processing
7.1 Nature of Processing
Nasih is an AI-powered chatbot that uses large language models (LLMs) to process your queries and generate responses. Nasih operates with the following capabilities:
- Automated Response Generation: Nasih uses artificial intelligence to generate responses to your queries without direct human intervention during the conversation.
- Session Memory: Nasih may retain context within a conversation session to provide coherent, contextual responses. Memory is subject to the retention periods described in Section 9.
- Multi-Step Reasoning: Nasih may perform multi-step analytical processes to formulate responses to complex queries.
7.2 Agentic AI Processing Disclosure
In accordance with PDPL Article 29, we disclose that Nasih may engage in agentic AI processing, which means:
- Nasih may access reference tools, calculators, or external data sources to enhance response quality.
- Nasih may maintain persistent memory across sessions to personalize your experience (if enabled).
- Nasih executes multi-step reasoning chains to analyze queries and formulate comprehensive responses.
- Nasih does not make legally binding decisions or provide regulated financial, legal, or investment advice.
7.3 Third-Party AI Processor
Nasih's AI capabilities are powered by third-party AI infrastructure. Your queries submitted to Nasih are transmitted to and processed by our AI service provider (currently Anthropic, the developer of the Claude AI model) under a Data Processing Agreement (DPA) that ensures:
- Processing is limited to the purposes of generating responses to your queries.
- Technical and organizational security measures are maintained.
- Data is not used for training the AI model without separate consent.
- Data is processed in compliance with applicable data protection requirements.
7.4 Your Rights Regarding Automated Processing
Under the PDPL, you have the right to:
- Be informed about the existence of automated processing (this notice fulfills this obligation).
- Request human review of any significant decision made solely on the basis of automated processing.
- Request access to, correction of, or deletion of data processed through Nasih.
- Opt out of persistent memory features by contacting us at privacy@impactiveconsulting.com.sa.
7.5 Important Limitations
Nasih provides general educational guidance only. Nasih does not provide regulated financial advice, investment recommendations, legal opinions, or any form of professional advice that requires licensing from the Capital Market Authority (CMA), Saudi Central Bank (SAMA), or any other Saudi regulatory authority. You should not rely on Nasih's outputs as a substitute for professional advice from qualified, licensed professionals.
8. Data Sharing and Disclosure
We do not sell your personal data. We may share your personal data with the following categories of recipients:
Service Providers and Processors
- Cloud hosting and infrastructure providers
- AI service providers (for Nasih chatbot processing)
- Email and communication service providers
- Analytics providers (aggregated data only where possible)
- IT security and support services
Professional and Legal
- Professional advisors (legal, accounting, audit) under confidentiality obligations
- Regulatory authorities and government agencies when required by Saudi law
- Courts and judicial authorities in response to valid legal orders
Business Operations
- Authorized IMPACTIVE Consulting personnel who need access for legitimate business purposes
All third-party processors are bound by contractual obligations to process personal data only on our instructions and to maintain appropriate security measures in accordance with the PDPL.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:
Upon expiry of the applicable retention period, personal data is securely deleted or anonymized. Where anonymization is used, the data can no longer be associated with you and may be retained for statistical and analytical purposes.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL protocols
- Encryption of data at rest for sensitive data stores
- Access controls and authentication mechanisms limiting data access to authorized personnel
- Regular security assessments and vulnerability testing
- Employee training on data protection and security best practices
- Incident response procedures for data breach detection, containment, and notification
- Secure disposal of data at the end of retention periods
While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your personal data but are committed to maintaining best-practice security standards.
11. International Data Transfers
Your personal data is primarily stored and processed within the Kingdom of Saudi Arabia. However, in certain circumstances, your data may be transferred to, and processed in, countries outside Saudi Arabia:
- When using third-party AI processors (e.g., Anthropic) whose infrastructure may be located outside Saudi Arabia.
- When using cloud hosting providers with data centers outside Saudi Arabia.
Where international transfers occur, we ensure that:
- The receiving country provides an adequate level of data protection as determined by the competent Saudi authority, or
- Appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs), and binding corporate rules, or
- The transfer is necessary for the performance of a contract or falls under another exception permitted by the PDPL.
You may request information about the specific safeguards applied to international transfers of your data by contacting us at privacy@impactiveconsulting.com.sa.
12. Your Rights Under the PDPL
As a data subject under the Saudi Personal Data Protection Law, you have the following rights:
- Right of Access: You have the right to request access to your personal data that we hold and obtain a copy of it.
- Right to Correction: You have the right to request correction of inaccurate or incomplete personal data.
- Right to Deletion: You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to legal retention obligations.
- Right to Restrict Processing: You have the right to request restriction of processing in certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Object: You have the right to object to processing of your personal data in certain circumstances, including processing for direct marketing.
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right Regarding Automated Decisions: You have the right to not be subject to decisions based solely on automated processing (including AI) that produce legal effects or similarly significantly affect you, and to request human review of such decisions.
12.1 How to Exercise Your Rights
To exercise any of the above rights, please contact us at:
- Email: privacy@impactiveconsulting.com.sa
- Subject line: "PDPL Data Subject Request — [Your Request Type]"
We will respond to your request within thirty (30) days of receipt. We may request verification of your identity before processing your request. If we are unable to fulfill your request, we will explain the reasons and inform you of your right to file a complaint with the competent authority.
12.2 Right to Complain
If you believe that your data protection rights have been violated, you have the right to file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) or the competent judicial authority.
13. Children's Privacy
Our website and services are not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@impactiveconsulting.com.sa, and we will take steps to delete such data promptly.
14. Third-Party Links and Services
Our website may contain links to third-party websites, services, or social media platforms. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services before providing your personal data.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective Date" at the top of this policy.
- Post a notice on our website for a reasonable period.
- Where required by the PDPL, obtain your renewed consent for material changes to the way we process your data.
We encourage you to review this Privacy Policy periodically. Your continued use of our website and services after any changes constitutes your acceptance of the updated policy.
16. Bilingual Content
This Privacy Policy will be made available in both English and Arabic. In the event of any discrepancy or conflict between the English and Arabic versions, the Arabic version shall prevail to the extent required by Saudi law.
17. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL), its Implementing Regulations, and all other applicable Saudi legislation and regulations.
18. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
We aim to respond to all inquiries within thirty (30) days.
— End of Privacy Policy —
This Privacy Policy explains how IMPACTIVE Consulting collects, uses, stores, shares, and protects personal data when you access our website (impactiveconsulting.com.sa), use our services, or interact with our AI-powered tools. We are committed to protecting your privacy in compliance with the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree M/19 (2021), its Implementing Regulations, and all applicable Saudi Arabian data protection legislation.

| Lawful Basis | When We Rely On It |
|---|---|
| Consent (PDPL Art. 6) | When you submit a contact form, use the Client Assistant, interact with Nasih, or submit a CV/job application. |
| Performance of a Contract (PDPL Art. 6) | When processing is necessary to provide consulting services you have engaged us for. |
| Legitimate Interest (PDPL Art. 6) | Website security, fraud prevention, service improvement, and analytics (where not overridden by your rights). |
| Legal Obligation (PDPL Art. 6) | When we are required to retain or disclose data under Saudi law, regulations, or court orders. |
| Public Interest | Where processing is necessary for reasons of substantial public interest under Saudi law. |

This section provides specific transparency disclosures required under PDPL Article 29 regarding automated processing and AI-powered decision-making.

| Data Category | Retention Period |
|---|---|
| Contact form submissions | 2 years from submission, unless a consulting engagement begins |
| Client Assistant chat transcripts | 1 year from the date of conversation |
| Nasih conversation data | 90 days from last interaction; auto-deleted after 90 days of inactivity |
| Nasih persistent memory (if enabled) | 90 days; deletion on request at any time |
| CV / job applications | 1 year from submission (or until position is filled, whichever is shorter), unless you consent to longer retention for talent pool |
| Consulting engagement records | 10 years from engagement completion (as required by Saudi Companies Law and ZATCA regulations) |
| Server logs and technical data | 12 months from collection |
| Cookie data | As specified in our Cookie Policy |

IMPACTIVE Consulting
Attention: Data Protection Officer / Privacy Team
Address: Riyadh, Kingdom of Saudi Arabia
Email: privacy@impactiveconsulting.com.sa
Website: https://www.impactiveconsulting.com.sa