Mohtawa Digital Agency (“we,” “us,” or “our”) operates under Saudi Arabia’s Personal Data Protection Law (PDPL) and is committed to safeguarding your privacy. This policy details how we collect, process, and protect your personal information when you use our website (https://www.mohtawa.sa) or our services. By accessing our platforms, you consent to the practices described herein, which comply with Saudi regulatory requirements, including the PDPL and CITC guidelines.
Personal Data:
- Contact Information: Full name, email address (including professional/work email), mobile/office phone numbers with country codes, and physical address (for service delivery or billing).
- Professional Details: Company name, job title, department, and business registration documents (when required for corporate contracts).
- Government Identifiers: National ID/Iqama numbers (only when Saudi regulations mandate KYC verification in financial transactions).
- Payment Data: The last four digits of the credit/debit card (processed via Saudi-certified payment gateways like SADAD), bank account details (for wire transfers), and invoice records.
Non-Personal Data:
- Technical Logs: Full IP address (anonymized after 30 days), browser version (including Chrome/Firefox/Safari specifics), operating system (Windows/macOS/iOS/Android), and device identifiers (IMEI for mobile traffic).
- Usage Analytics: Session duration, pages visited (with timestamps), click heatmaps via tools like Google Analytics (configured for Saudi IP filtering), and referral URLs.
- Cookies:
  - Essential: PHPSESSID for login continuity, cart retention for e-commerce.
  - Performance: _ga (Google Analytics) with 26-month Saudi data residency.
  - Marketing: Facebook Pixel (limited to aggregate targeting in GCC countries).
Third-Party Data:
- CRM integrations (e.g., Salesforce) capturing lead source details.
- Social media profiles (when users connect accounts for campaigns).
How We Use Your Information
Your data enables us to provide and enhance our digital marketing services while complying with Saudi legal obligations. We process information to create and manage client accounts, deliver contracted social media management and SEO services, and issue tax invoices compliant with ZATCA e-invoicing requirements.
Service Delivery:
- Account Management: Storing client profiles in our Saudi-hosted CRM (including service preferences and historical requests).
- Project Execution: Sharing contact details with subcontractors under NDAs (e.g., freelance designers for website projects).
- Payment Processing: Transaction records shared with Saudi Arabian Monetary Authority (SAMA)-licensed processors.
Communication:
- Operational: SMS/WhatsApp notifications for appointment reminders (via Saudi telecom providers like Saudi Telecom Company, Etihad Etisalat, Zain Saudi Arabia, etc.).
- Marketing: Newsletter campaigns (only after explicit opt-in) with unsubscribe links in Arabic/English.
Analytics & Improvement:
- A/B Testing: User behavior analysis to optimize website layouts for Saudi audiences.
- Fraud Prevention: Cross-checking IP locations with transaction details for anti-fraud measures.
Legal Compliance:
- Tax Reporting: Sharing invoice data with ZATCA (Saudi tax authority).
- Regulatory Requests: Responding to official inquiries from Saudi government entities.
Data Storage and Security
All personal data is stored on secure servers physically located within Saudi Arabia, utilizing STC Cloud or equivalent PDPL-compliant providers. We implement AES-256 encryption for stored data and TLS 1.3 protocols for information transmission, aligning with NCA Essential Cybersecurity Controls.
Infrastructure:
- Onshore Hosting: Primary servers are located in Riyadh (via Saudi cloud providers like Saudi Telecom Company).
- Encryption: AES-256 for databases, TLS 1.3 for all web traffic.
Access Controls:
- Role-Based Permissions: Marketing staff only see contact details; finance staff access payment records.
- Audit Logs: All data accesses are recorded with employee ID timestamps.
Breach Protocols:
- 72-Hour Notification: Mandatory reporting to the Saudi Data Protection Authority per PDPL Article 14.
- User Alerts: Direct SMS/email to affected Saudi residents.
Vendor Safeguards:
- DPAs Signed: With all third parties (e.g., Saudi Post for delivery).
- Annual Audits: SOC 2 reviews for cloud providers.
Your Rights Under Saudi PDPL
As a data subject, you may submit verified requests to access, correct, or delete your information through our Absher-authenticated portal. Deletion rights are subject to Saudi legal retention requirements.
Access Requests:
- Verification Process: Submitting a Saudi ID copy is required via the Absher-authenticated portal.
- Response Timeline: 30 calendar days (extendable under PDPL Article 5).
Deletion Scenarios:
- Withdrawal of Consent: For marketing data (processed within 14 business days).
- Legal Exceptions: Retention of financial records per Saudi Commercial Law.
Dispute Resolution:
- Complaint Submission: Through the unified Saudi government platform (My.gov.sa).
- Compensation Rights: As per PDPL Article 23 for proven damages.
Cookies and Tracking
We deploy a CITC-compliant consent banner that blocks all non-essential cookies until users explicitly select “Agree” or “Accept.” Third-party tools like Facebook Pixel are configured to limit data processing to GCC countries. Our Help Center provides detailed cookie management instructions for Saudi-popular browsers like Chrome on iOS and Samsung Internet.
Detailed Cookie Table:
Opt-Out Mechanisms:
- Browser Settings: Step-by-step guides for Safari (iOS) and Chrome (Android).
- Saudi-Specific Tools: NCA-approved cookie consent banners.
International Data Transfers
While we prioritize Saudi-based processing, any cross-border transfers (e.g., to UAE-based marketing tools) follow PDPL Article 29 requirements.
Approved Countries:
- GCC States: Bahrain, UAE (under PDPL Article 29 exceptions).
- Non-GCC Cases: SDAIA pre-approval is required for EU/US transfers.
Safeguard Examples:
- Model Clauses: Modified for Saudi contractual requirements.
- Onward Transfer Bans: Prohibiting subcontractor data reuse.
Data Sharing and Third Parties
Information is disclosed only to PDPL-compliant partners:
- Payment Processors: SADAD and other SAMA-approved gateways.
- Cloud Providers: STC Business Solutions for Saudi-hosted data storage.
- Government Entities: When legally required (e.g., tax audits by ZATCA).
All third-party contracts include PDPL Article 21 clauses mandating Saudi data residency and immediate deletion post-service. We conduct annual SOC 2 audits of vendors handling sensitive data.
Policy Updates
We review this policy annually or when Saudi regulations change. Material updates (e.g., new data processing purposes) will be announced via:
- Website banners for 30 days.
- Direct emails to active clients.
- Arabic/English SMS for critical changes.
Contact Us
For privacy inquiries or to exercise PDPL rights:
Data Protection Officer
Email: Info@mohtawa.sa
Phone: +966 59 442 0917
Address: Building No. 3827, Al Saif Al Amadi Street, Riyadh 12468, Kingdom of Saudi Arabia