Legal

Privacy Policy

HAKTIV AI - Privacy Policy

Effective 6 July 2026Last updated 6 July 2026

1.Introduction

HAKTIV AI respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal data when you visit our website at haktiv.ai (the "Website"), communicate with us, or interact with our marketing.

This Policy is designed to support compliance with the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL), issued by Royal Decree No. (M/19) dated 09/02/1443H, as amended, and its Implementing Regulations, together with guidance issued by the Saudi Data & Artificial Intelligence Authority (SDAIA).

2.Who Is Responsible for Your Data (Data Controller)

For personal data collected through the Website and our marketing and sales activities, the data controller is:

  • Al Deraa Al Ruqmi for Cybersecurity (الدرع الرقمي للأمن السيبراني) (operating as HAKTIV AI)
  • Commercial Registration No.: 1010978332
  • VAT Registration No.: 312038816800003
  • Address: RDAA8806, 8806 King Khalid Br Rd, Al Khalidiyah, 5261, Diriyah 13714, Kingdom of Saudi Arabia
  • Privacy contact: privacy@haktiv.ai

An important distinction. Organizations that subscribe to the HAKTIV platform (our customers) may process the personal data of their own employees and users within the platform. For that data, the customer is the data controller and HAKTIV acts as a data processor, processing personal data only on the customer's documented instructions under the applicable customer agreement and data processing terms. If you are an employee or user of a HAKTIV customer and have questions about how your data is handled in the platform, please contact your organization first. This Policy covers the Website and our own activities as a controller.

3.Scope of This Policy

This Policy applies to personal data we process as a controller in connection with the Website, demo and contact requests, events, marketing communications, and business relationships with prospective and existing customers and partners. It does not replace the privacy notices of our customers or of third-party websites linked from the Website.

4.What Personal Data We Collect

Depending on how you interact with us, we may collect:

  • Contact and professional data: name, job title, organization name, business email address, business phone number.
  • Enquiry data: the content of messages you send us, demo requests, and meeting notes.
  • Contract and billing data (customers and partners): names and contact details of signatories and billing contacts, and related records.
  • Technical data: IP address, device and browser type, operating system, pages visited, and interaction data, collected through cookies and similar technologies (see our Cookies Policy).
  • Communication preferences: your marketing opt-in and opt-out choices.

We apply the principle of data minimization: we collect only the personal data that is necessary for the purposes described in this Policy.

5.Sensitive Personal Data

We do not seek to collect sensitive personal data (such as health data, biometric or genetic data, credit data, or data revealing religious or political views) through the Website, and we ask that you do not submit it to us. If we ever need to process sensitive data, we will do so only in accordance with the PDPL, including obtaining explicit consent where required. We do not use sensitive personal data for marketing purposes.

6.How We Collect Personal Data

  • Directly from you: when you fill in a form, request a demo, contact us, attend an event, or enter into an agreement with us.
  • Automatically: through cookies and similar technologies when you browse the Website (see our Cookies Policy).
  • From third parties: we may receive business contact details (such as name, job title, and business contact information) from business-data providers, event organizers, or partners, and we handle such data in accordance with the PDPL.

7.Purposes and Legal Bases of Processing

We process personal data only for specified, explicit, and lawful purposes (purpose limitation) and on a legal basis recognized by the PDPL:

Data categoryPurposeLegal basis under PDPLRetentionShared with
Contact and professional dataResponding to enquiries and demo requests; managing sales conversationsLegitimate interest of the controller (non-sensitive data, without prejudice to your rights); or steps at your request prior to a contractAs long as necessary for the stated purpose and applicable legal requirementsCRM provider (HubSpot); authorized staff
Contract and billing dataConcluding and performing agreements; invoicing; recordsPerformance of a contract; compliance with legal obligations (e.g. tax and commercial record-keeping)Statutory retention periods under Saudi lawProfessional advisers; authorities where required
Marketing preferences and business contact dataSending marketing and event communicationsConsent (opt-in), withdrawable at any timeUntil consent is withdrawn or the data is no longer neededCRM and email tools (HubSpot, Microsoft 365)
Technical dataWebsite operation and securityLegitimate interest (Website security and operation)See the cookie durations in our Cookies PolicyHosting provider (Google Cloud, Kingdom of Saudi Arabia region)
Support and incident dataInvestigating issues, fraud prevention, securityLegitimate interest; compliance with legal obligationsAs long as necessary for the stated purpose and applicable legal requirementsHosting and security providers

8.Consent and Withdrawal of Consent

Where our processing is based on your consent - including direct marketing - you may withdraw that consent at any time, free of charge, by contacting privacy@haktiv.ai or using the unsubscribe link in any marketing message. Withdrawal does not affect processing that occurred before withdrawal, and we will not make access to the Website conditional on consent to processing that is not necessary to provide it.

9.Marketing Communications

We send marketing emails or messages only where you have opted in, or otherwise as permitted by applicable Saudi regulations. Every marketing communication we send includes a clear and free means to opt out. If you opt out, we will stop sending you marketing communications, though we may still contact you about your existing enquiries or agreements.

10.Cookies and Tracking Technologies

The Website uses only essential cookies necessary for its operation, such as remembering your language choice. We do not currently use analytics, advertising, or other non-essential cookies. If we introduce any in the future, we will update our Cookies Policy and request your consent before they are set.

11.Automated Decision-Making and Profiling

We do not use personal data collected through the Website to make automated decisions that produce legal effects or significantly affect individuals. The AI features of the HAKTIV platform operate on customer data under the customer's control and the applicable customer agreement.

12.How We Share Personal Data

We do not sell personal data. We share personal data only:

  • With service providers (processors) who help us run the Website and our business - such as cloud hosting, CRM, email, and analytics providers - under contracts that require them to protect the data and process it only on our instructions. Our key providers currently include Google Cloud (hosting, Kingdom of Saudi Arabia region), HubSpot (CRM), and Microsoft 365 (email and productivity).
  • With professional advisers (legal, accounting, audit) where necessary and subject to confidentiality.
  • With competent authorities where disclosure is required by the laws of the Kingdom of Saudi Arabia or by a binding order.
  • In corporate transactions (such as an investment, merger, or acquisition), subject to appropriate safeguards.

13.Cross-Border Data Transfers

Our platform and core systems are hosted in a cloud region located within the Kingdom of Saudi Arabia, and customer data processed on the platform remains in the Kingdom.

Some of the business tools we use to manage enquiries, sales, and communications - currently our CRM (HubSpot) and our email and productivity suite (Microsoft 365) - may store or process business contact data on infrastructure located outside the Kingdom. Where this occurs, we transfer only the minimum personal data necessary and apply the PDPL and the Regulation on Personal Data Transfer Outside the Kingdom, including appropriate contractual safeguards and any required risk assessment.

14.Data Retention

We keep personal data only for as long as necessary to fulfil the purposes described in this Policy or to comply with legal, regulatory, or contractual obligations under Saudi law. When personal data is no longer needed, we securely delete, destroy, or anonymize it.

15.Data Security

We apply administrative, technical, and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. These include access controls, encryption in transit, logging, tenant isolation, and staff confidentiality obligations. In the event of a personal data breach that is subject to notification requirements, we will notify the competent authority and affected individuals in accordance with the PDPL and its Implementing Regulations.

16.Your Rights Under the PDPL

Subject to the conditions and exceptions in the PDPL, you have the right to:

  • Be informed - know how and why we process your personal data, and the legal basis for it.
  • Access - request access to the personal data we hold about you and obtain a copy of it in a readable format.
  • Correction - request that inaccurate, incomplete, or outdated data be corrected or updated.
  • Destruction - request the deletion or destruction of your personal data where it is no longer needed or where processing is unlawful, subject to legal retention requirements.
  • Withdraw consent - at any time, where processing is based on consent.

We do not charge a fee for exercising these rights, and we will respond within the timeframes set by the PDPL and its Implementing Regulations. We may need to verify your identity before acting on a request.

17.How to Submit a Privacy Request

Send your request to privacy@haktiv.ai with the subject line "Personal Data Request", describing the right you wish to exercise. You may also write to us at RDAA8806, 8806 King Khalid Br Rd, Al Khalidiyah, 5261, Diriyah 13714, Saudi Arabia. If we cannot fulfil your request in whole or in part, we will explain why, subject to applicable law.

18.Complaints

If you believe your personal data has been processed in violation of the PDPL, please contact us first so we can try to resolve your concern. You also have the right to lodge a complaint with the competent authority in the Kingdom of Saudi Arabia (currently the Saudi Data & Artificial Intelligence Authority - SDAIA) in accordance with its applicable procedures.

19.Children's Privacy

The Website is intended for business users aged 18 or over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@haktiv.ai and we will delete it.

20.Data Protection Officer / Privacy Contact

We have designated a privacy point of contact for all personal-data matters. For all privacy matters: privacy@haktiv.ai.

21.Updates to This Policy

We may update this Policy from time to time to reflect changes in our practices or in applicable law. The "Last updated" date shows the latest revision. Material changes will be announced on the Website, and where required by the PDPL we will seek renewed consent.

22.Contact Us

  • Privacy requests: privacy@haktiv.ai
  • General enquiries: hello@haktiv.ai
  • Address: RDAA8806, 8806 King Khalid Br Rd, Al Khalidiyah, 5261, Diriyah 13714, Kingdom of Saudi Arabia