Privacy Policy
Learn how we collect, use, and protect your personal information.
*This Privacy Policy explains how IMPACTIVE Consulting collects, uses,
stores, shares, and protects personal data when you access our website
(impactiveconsulting.com.sa), use our services, or interact with our
AI-powered tools. We are committed to protecting your privacy in
compliance with the Saudi Personal Data Protection Law (PDPL) issued by
Royal Decree M/19 (2021), its Implementing Regulations, and all
applicable Saudi Arabian data protection legislation.*
1. Data Controller
Entity: IMPACTIVE Consulting
Commercial Registration: [CR Number]
Registered Address: Riyadh, Kingdom of Saudi Arabia
Email: privacy@impactiveconsulting.com.sa
Website: https://www.impactiveconsulting.com.sa
IMPACTIVE Consulting is the data controller responsible for your
personal data processed through our website, consulting services, and
AI-powered tools, as defined under the PDPL.
2. Definitions
For the purposes of this Privacy Policy:
- "Personal Data" means any data that identifies or can be used to
identify a natural person, directly or indirectly, as defined under
the PDPL.
- "Sensitive Data" means personal data revealing racial or ethnic
origin, religious or political beliefs, criminal records, biometric
or genetic data, health data, or data indicating that one of the
parents of the data subject is unknown.
- "Processing" means any operation performed on personal data,
including collection, recording, organization, storage, adaptation,
retrieval, use, disclosure, transmission, restriction, erasure, or
destruction.
- "Data Subject" means the natural person whose personal data is
being processed.
- "Nasih" means IMPACTIVE Consulting's AI-powered chatbot that
provides general educational financial and business guidance (not
regulated financial or investment advice).
- "Client Assistant" means the website live chat or contact
functionality enabling direct communication with IMPACTIVE
Consulting staff.
- "Agentic AI Processing" means automated processing where the AI
system may use tools, access external data sources, maintain
persistent memory across sessions, and execute multi-step reasoning
chains to fulfill user requests.
3. Scope of This Policy
This Privacy Policy applies to all personal data processed by IMPACTIVE
Consulting through:
- The website at impactiveconsulting.com.sa and all its subdomains
- Contact forms and inquiry submissions
- The Client Assistant (live chat) functionality
- The Nasih AI Chatbot
- Career and CV submission portals
- Consulting engagement onboarding and service delivery
- Email communications
- Cookies, analytics, and server logs
- Third-party integrations and embedded content
This policy does not apply to third-party websites linked from our site.
We encourage you to review the privacy policies of any third-party
services you access through our website.
4. Personal Data We Collect
4.1 Data You Provide Directly
Contact Forms and Inquiries
- Full name
- Email address
- Phone number (if provided)
- Company name and job title (if provided)
- Subject and message content of your inquiry
Client Assistant (Live Chat)
- Name or alias provided during chat
- Email address (if provided for follow-up)
- Chat transcripts and messages exchanged
Nasih AI Chatbot
- Queries and prompts submitted to Nasih
- Conversation history within a session
- Any personal data voluntarily included in your queries (note: you
should avoid sharing sensitive personal or financial data with
Nasih)
Career and CV Submissions
- Full name, contact details (email, phone)
- Curriculum vitae (CV) / resume content
- Educational qualifications and professional experience
- Cover letter or supplementary documents
- Professional certifications and references (if provided)
Consulting Engagement Data
- Client contact information and authorized representatives
- Business and financial data provided during engagements
- Project-related communications and documents
4.2 Data Collected Automatically
Server Logs and Technical Data
- IP address (anonymized where feasible)
- Browser type and version
- Operating system
- Referring URL and pages visited
- Date, time, and duration of visits
- Device type (desktop, mobile, tablet)
Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For
detailed information about the cookies we use, their purposes, and how
to manage them, please refer to our separate Cookie Policy.
4.3 Data from Third Parties
We may receive personal data from:
- Business referral partners who refer potential clients to us (with
consent)
- Publicly available sources such as commercial registries and
professional networking platforms
- Analytics providers (aggregated, non-identifying data)
5. Lawful Basis for Processing
Under the PDPL, we process your personal data based on one or more of
the following legal grounds:
- Consent (PDPL Art. 6): When you submit a contact form, use the
Client Assistant, interact with Nasih, or submit a CV/job
application.
- Performance of a Contract (PDPL Art. 6): When processing is
necessary to provide consulting services you have engaged us for.
- Legitimate Interest (PDPL Art. 6): Website security, fraud
prevention, service improvement, and analytics (where not overridden
by your rights).
- Legal Obligation (PDPL Art. 6): When we are required to retain or
disclose data under Saudi law, regulations, or court orders.
- Public Interest: Where processing is necessary for reasons of
substantial public interest under Saudi law.
6. How We Use Your Personal Data
We process personal data for the following purposes:
Service Delivery
- To respond to your inquiries and provide requested information
- To deliver consulting services under engagement agreements
- To communicate with you regarding projects, proposals, and
deliverables
Nasih AI Chatbot Operation
- To process your queries and generate educational financial and
business guidance
- To maintain session context for coherent conversation within a
single session
- To improve the quality, accuracy, and relevance of Nasih's
responses
Recruitment
- To evaluate CV/job applications and manage the recruitment process
- To contact applicants regarding their applications and potential
opportunities
- To maintain a talent pool for future positions (with your consent)
Website Operations and Security
- To operate, maintain, and improve our website functionality
- To detect, prevent, and address security threats, fraud, and
technical issues
- To analyze website usage patterns (aggregated and anonymized where
possible)
Legal and Regulatory Compliance
- To comply with applicable Saudi laws, regulations, and legal
processes
- To enforce our terms, policies, and legal agreements
- To protect the rights, property, and safety of IMPACTIVE Consulting,
our clients, and the public
7. Nasih AI Chatbot and Automated Processing
*This section provides specific transparency disclosures required under
PDPL Article 29 regarding automated processing and AI-powered
decision-making.*
7.1 Nature of Processing
Nasih is an AI-powered chatbot that uses large language models (LLMs) to
process your queries and generate responses. Nasih operates with the
following capabilities:
- Automated Response Generation: Nasih uses artificial intelligence to
generate responses to your queries without direct human intervention
during the conversation.
- Session Memory: Nasih may retain context within a conversation
session to provide coherent, contextual responses. Memory is subject
to the retention periods described in Section 9.
- Multi-Step Reasoning: Nasih may perform multi-step analytical
processes to formulate responses to complex queries.
7.2 Agentic AI Processing Disclosure
In accordance with PDPL Article 29, we disclose that Nasih may engage in
agentic AI processing, which means:
- Nasih may access reference tools, calculators, or external data
sources to enhance response quality.
- Nasih may maintain persistent memory across sessions to personalize
your experience (if enabled).
- Nasih executes multi-step reasoning chains to analyze queries and
formulate comprehensive responses.
- Nasih does not make legally binding decisions or provide regulated
financial, legal, or investment advice.
7.3 Third-Party AI Processor
Nasih's AI capabilities are powered by third-party AI infrastructure.
Your queries submitted to Nasih are transmitted to and processed by our
AI service provider (currently Anthropic, the developer of the Claude AI
model) under a Data Processing Agreement (DPA) that ensures:
- Processing is limited to the purposes of generating responses to
your queries.
- Technical and organizational security measures are maintained.
- Data is not used for training the AI model without separate consent.
- Data is processed in compliance with applicable data protection
requirements.
7.4 Your Rights Regarding Automated Processing
Under the PDPL, you have the right to:
- Be informed about the existence of automated processing (this notice
fulfills this obligation).
- Request human review of any significant decision made solely on the
basis of automated processing.
- Request access to, correction of, or deletion of data processed
through Nasih.
- Opt out of persistent memory features by contacting us at
privacy@impactiveconsulting.com.sa.
7.5 Important Limitations
Nasih provides general educational guidance only. Nasih does not provide
regulated financial advice, investment recommendations, legal opinions,
or any form of professional advice that requires licensing from the
Capital Market Authority (CMA), Saudi Central Bank (SAMA), or any other
Saudi regulatory authority. You should not rely on Nasih's outputs as a
substitute for professional advice from qualified, licensed
professionals.
8. Data Sharing and Disclosure
We do not sell your personal data. We may share your personal data with
the following categories of recipients:
Service Providers and Processors
- Cloud hosting and infrastructure providers
- AI service providers (for Nasih chatbot processing)
- Email and communication service providers
- Analytics providers (aggregated data only where possible)
- IT security and support services
Professional and Legal
- Professional advisors (legal, accounting, audit) under
confidentiality obligations
- Regulatory authorities and government agencies when required by
Saudi law
- Courts and judicial authorities in response to valid legal orders
Business Operations
- Authorized IMPACTIVE Consulting personnel who need access for
legitimate business purposes
All third-party processors are bound by contractual obligations to
process personal data only on our instructions and to maintain
appropriate security measures in accordance with the PDPL.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the
purposes for which it was collected, or as required by applicable law:
- Contact form submissions: 2 years from submission, unless a
consulting engagement begins
- Client Assistant chat transcripts: 1 year from the date of
conversation
- Nasih conversation data: 90 days from last interaction; auto-deleted
after 90 days of inactivity
- Nasih persistent memory (if enabled): 90 days; deletion on request
at any time
- CV / job applications: 1 year from submission (or until position is
filled, whichever is shorter), unless you consent to longer
retention for talent pool
- Consulting engagement records: 10 years from engagement completion
(as required by Saudi Companies Law and ZATCA regulations)
- Server logs and technical data: 12 months from collection
- Cookie data: As specified in our Cookie Policy
Upon expiry of the applicable retention period, personal data is
securely deleted or anonymized. Where anonymization is used, the data
can no longer be associated with you and may be retained for statistical
and analytical purposes.
10. Data Security
We implement appropriate technical and organizational measures to
protect your personal data against unauthorized access, alteration,
disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL protocols
- Encryption of data at rest for sensitive data stores
- Access controls and authentication mechanisms limiting data access
to authorized personnel
- Regular security assessments and vulnerability testing
- Employee training on data protection and security best practices
- Incident response procedures for data breach detection, containment,
and notification
- Secure disposal of data at the end of retention periods
While we implement robust security measures, no method of electronic
transmission or storage is 100% secure. We cannot guarantee absolute
security of your personal data but are committed to maintaining
best-practice security standards.
11. International Data Transfers
Your personal data is primarily stored and processed within the Kingdom
of Saudi Arabia. However, in certain circumstances, your data may be
transferred to, and processed in, countries outside Saudi Arabia:
- When using third-party AI processors (e.g., Anthropic) whose
infrastructure may be located outside Saudi Arabia.
- When using cloud hosting providers with data centers outside Saudi
Arabia.
Where international transfers occur, we ensure that:
- The receiving country provides an adequate level of data protection
as determined by the competent Saudi authority, or
- Appropriate safeguards are in place, including Standard Contractual
Clauses (SCCs), Data Processing Agreements (DPAs), and binding
corporate rules, or
- The transfer is necessary for the performance of a contract or falls
under another exception permitted by the PDPL.
You may request information about the specific safeguards applied to
international transfers of your data by contacting us at
privacy@impactiveconsulting.com.sa.
12. Your Rights Under the PDPL
As a data subject under the Saudi Personal Data Protection Law, you have
the following rights:
- Right of Access: You have the right to request access to your
personal data that we hold and obtain a copy of it.
- Right to Correction: You have the right to request correction of
inaccurate or incomplete personal data.
- Right to Deletion: You have the right to request deletion of your
personal data where it is no longer necessary for the purposes for
which it was collected, subject to legal retention obligations.
- Right to Restrict Processing: You have the right to request
restriction of processing in certain circumstances.
- Right to Data Portability: You have the right to receive your
personal data in a structured, commonly used, and machine-readable
format.
- Right to Object: You have the right to object to processing of your
personal data in certain circumstances, including processing for
direct marketing.
- Right to Withdraw Consent: Where processing is based on your
consent, you have the right to withdraw consent at any time without
affecting the lawfulness of processing prior to withdrawal.
- Right Regarding Automated Decisions: You have the right to not be
subject to decisions based solely on automated processing (including
AI) that produce legal effects or similarly significantly affect
you, and to request human review of such decisions.
12.1 How to Exercise Your Rights
To exercise any of the above rights, please contact us at:
- Email: privacy@impactiveconsulting.com.sa
- Subject line: "PDPL Data Subject Request - [Your Request Type]"
We will respond to your request within thirty (30) days of receipt. We
may request verification of your identity before processing your
request. If we are unable to fulfill your request, we will explain the
reasons and inform you of your right to file a complaint with the
competent authority.
12.2 Right to Complain
If you believe that your data protection rights have been violated, you
have the right to file a complaint with the Saudi Data and Artificial
Intelligence Authority (SDAIA) or the competent judicial authority.
13. Children's Privacy
Our website and services are not directed at individuals under the age
of eighteen (18). We do not knowingly collect personal data from
children. If you are a parent or guardian and believe that your child
has provided us with personal data, please contact us at
privacy@impactiveconsulting.com.sa, and we will take steps to delete
such data promptly.
14. Third-Party Links and Services
Our website may contain links to third-party websites, services, or
social media platforms. This Privacy Policy does not apply to those
third-party services. We are not responsible for the privacy practices
of any third party. We encourage you to review the privacy policies of
any third-party services before providing your personal data.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes
in our practices, technology, legal requirements, or other factors. When
we make material changes, we will:
- Update the "Effective Date" at the top of this policy.
- Post a notice on our website for a reasonable period.
- Where required by the PDPL, obtain your renewed consent for material
changes to the way we process your data.
We encourage you to review this Privacy Policy periodically. Your
continued use of our website and services after any changes constitutes
your acceptance of the updated policy.
16. Bilingual Content
This Privacy Policy will be made available in both English and Arabic.
In the event of any discrepancy or conflict between the English and
Arabic versions, the Arabic version shall prevail to the extent required
by Saudi law.
17. Governing Law
This Privacy Policy is governed by and construed in accordance with the
laws of the Kingdom of Saudi Arabia, including the Personal Data
Protection Law (PDPL), its Implementing Regulations, and all other
applicable Saudi legislation and regulations.
18. Contact Information
If you have any questions, concerns, or requests regarding this Privacy
Policy or the processing of your personal data, please contact us:
IMPACTIVE Consulting
Attention: Data Protection Officer / Privacy Team
Address: Riyadh, Kingdom of Saudi Arabia
Email: privacy@impactiveconsulting.com.sa
Website: https://www.impactiveconsulting.com.sa
We aim to respond to all inquiries within thirty (30) days.