PDPL Statement

PDPL Compliance Statement

Nuhaa AI is committed to upholding the privacy rights of individuals in accordance with the Saudi Personal Data Protection Law (PDPL), Royal Decree M/19 of 1443H, and its Implementing Regulations, as issued by the Saudi Data and AI Authority (SDAIA). This statement outlines our practices concerning the collection, processing, and protection of personal data.

Our Commitment to PDPL

As a sovereign AI advisory firm operating in the Kingdom of Saudi Arabia, Nuhaa AI recognizes the imperative of robust data protection. Our services, delivered to Saudi government bodies, regulators, and large regulated enterprises, necessitate the highest standards of data governance. We adhere strictly to the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, and confidentiality as enshrined in PDPL. Our operations are designed to ensure the secure and compliant processing of personal data, particularly that of Saudi residents, which is processed exclusively within the Kingdom in alignment with PDPL requirements.

Controller Identity and Contact

Nuhaa AI (نُهى) acts as the data controller for personal data collected through its operations, including website interactions.

• Company Name: Nuhaa AI
• Headquarters: Riyadh, Kingdom of Saudi Arabia
• Website: https://nuhaa.sa
• Contact Email: hello@nuhaa.sa

Lawful Basis for Processing

Nuhaa AI processes personal data primarily based on the explicit consent of the data subject. This consent is obtained when individuals submit briefing request forms via our website. The data collected (full name, role, organization, country, prompt/notes, optional preferred briefing format) is strictly necessary for the purpose of responding to briefing requests and initiating advisory engagements.

Data Subject Rights under PDPL

Under PDPL, individuals possess specific rights regarding their personal data. Nuhaa AI acknowledges and facilitates the exercise of these rights:

• Right to be informed: Individuals have the right to know the details of personal data processing, including its purpose and the entities involved in its processing.
• Right of access: Individuals may request access to their personal data held by Nuhaa AI.
• Right to correction: Individuals can request the correction of inaccurate or incomplete personal data.
• Right to destruction: Individuals have the right to request the destruction of their personal data if it is no longer necessary for the purpose for which it was collected, or if consent is withdrawn and no other lawful basis exists for its retention.
• Right to withdraw consent: Where processing is based on consent, individuals have the right to withdraw their consent at any time. This withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights

To exercise any of your rights under PDPL, please submit an email request to hello@nuhaa.sa. We will respond to your request in accordance with PDPL timelines and requirements. We may require verification of your identity to process your request securely.

Cross-Border Data Transfers

Nuhaa AI does not engage in the cross-border transfer of personal data collected through its website. All personal data collected from Saudi residents is processed and stored within the Kingdom of Saudi Arabia, in strict compliance with PDPL. Should future operational necessities ever require cross-border data transfers, such transfers would be conducted only in strict adherence to PDPL Article 29, which mandates specific safeguards such as adequacy decisions, binding corporate rules, or standard contractual clauses, to ensure an equivalent level of protection to that afforded by PDPL.

Data Security and Breach Notification

Nuhaa AI implements robust technical and administrative security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. These measures include data encryption, access controls, and regular security audits. In the event of a personal data breach, Nuhaa AI is committed to notifying SDAIA and the affected data subjects without undue delay, as required by PDPL.

Records of Processing Activities

Nuhaa AI maintains comprehensive records of its processing activities as mandated by PDPL. These records document the purposes of processing, categories of personal data, recipients, retention periods, and security measures in place. These records are crucial for demonstrating accountability and compliance with PDPL.

Data Protection by Design and by Default

Nuhaa AI integrates data protection principles into its operational design and default settings for all data processing activities. This "Privacy by Design" approach ensures that personal data protection is considered at every stage of development and implementation, from initial concept to deployment. Our systems are configured to process the minimum necessary personal data and to ensure the highest level of privacy by default.

Working with Processors and Sub-Processors

Where Nuhaa AI engages third-party processors or sub-processors for the handling of personal data, it ensures that these entities provide sufficient guarantees to implement appropriate technical and administrative measures to meet PDPL requirements. Contractual agreements with such parties will include specific data protection clauses aligning with PDPL obligations, ensuring data subjects' rights are protected.

Right to Lodge a Complaint with SDAIA

Data subjects have the right to lodge a complaint with the Saudi Data and AI Authority (SDAIA) if they believe their rights under PDPL have been infringed upon.

Effective Date

This PDPL Compliance Statement is effective as of 22 April 2026.