nehlum Legal Privacy Policy
LEGAL · DATA PROTECTION

Privacy Policy

How nehlum collects, uses, protects, and shares personal data — in compliance with the Saudi Personal Data Protection Law (PDPL) and applicable GCC data-protection regulations.

PDPL · Royal Decree M/19 Effective 1 June 2026 Version 1.0

Last updated: 1 June 2026  ·  This policy is governed by the laws of the Kingdom of Saudi Arabia.

nehlum Technologies ("nehlum", "we", "us", or "our") is committed to protecting the privacy and personal data of every individual who interacts with us. This Privacy Policy explains how we collect, use, disclose, store, and safeguard personal data, and the rights available to you as a data subject.

We process personal data in accordance with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia, issued under Royal Decree No. M/19 dated 9/2/1443H and its Implementing Regulations, as administered by the Saudi Data & Artificial Intelligence Authority (SDAIA). Where we process data relating to individuals in other GCC member states, we also observe the applicable national data-protection regulations of those jurisdictions.

1. Data controller

For the purposes of the PDPL, the data controller responsible for your personal data is:

  • nehlum Technologies
  • Dammam, Eastern Province, Kingdom of Saudi Arabia
  • Email: privacy@nehlum.sa
  • Phone: +966 55 453 5655

2. Scope of this policy

This policy applies to personal data we collect through our website, products and platforms, sales and support interactions, recruitment activities, and any other dealings with clients, partners, suppliers, applicants, and website visitors. It does not apply to third-party websites or services that may be linked from our properties; those are governed by their own privacy policies.

3. Personal data we collect

We collect personal data that you provide directly to us and data generated automatically when you use our services. Depending on your relationship with us, this may include:

Information you provide

  • Identity & contact data — name, job title, employer, email address, telephone number, and business address.
  • Enquiry & engagement data — the contents of forms, emails, support tickets, and project briefs you submit to us.
  • Recruitment data — CVs, qualifications, and employment history when you apply for a role.
  • Contractual data — billing details and information required to deliver services under an agreement.

Information collected automatically

  • Technical data — IP address, browser type, device identifiers, operating system, and language settings.
  • Usage data — pages viewed, time spent, referring URLs, and interactions with our website and platforms.
  • Cookie data — information stored through cookies and similar technologies (see Section 7).

We do not intentionally collect sensitive personal data (such as data revealing health, religious belief, or genetic or biometric data) through our website. Where processing of sensitive data is necessary for a specific service, we will obtain your explicit consent or rely on another lawful basis as permitted under the PDPL.

Under the PDPL, we process personal data only where a lawful basis applies. Depending on the context, we rely on one or more of the following:

  • Consent — where you have given clear, informed consent for a specific purpose (which you may withdraw at any time).
  • Performance of a contract — where processing is necessary to enter into or perform an agreement with you or your organisation.
  • Legitimate interests — where processing serves our legitimate business interests and does not override your rights and freedoms, as permitted by the PDPL.
  • Legal obligation — where processing is required to comply with a law, regulation, or order of a competent authority in the Kingdom.

5. How we use personal data

We use personal data for the following purposes:

  • To respond to enquiries and provide the information, products, or services you request.
  • To deliver, operate, maintain, and improve our platforms and engagements.
  • To manage contracts, billing, and our relationship with clients, partners, and suppliers.
  • To assess and process recruitment applications.
  • To send service communications and, with your consent, relevant updates about our offerings.
  • To secure our systems, prevent fraud, and ensure the integrity of our services.
  • To comply with legal, regulatory, and contractual obligations.

We do not use personal data for automated decision-making that produces legal or similarly significant effects without appropriate safeguards and, where required, your consent.

6. Cookies and similar technologies

Our website uses cookies and similar technologies to operate essential functions, remember your preferences, and understand how the site is used so we can improve it. Cookies fall into three broad categories:

  • Strictly necessary — required for the website to function and cannot be switched off.
  • Performance & analytics — help us measure and improve site performance; used only with your consent.
  • Preference — remember choices such as language to personalise your experience.

You can manage or disable cookies through your browser settings. Disabling certain cookies may affect the functionality of the website.

7. Disclosure and sharing of personal data

We do not sell personal data. We may share personal data with the following categories of recipients, subject to appropriate contractual and security safeguards:

  • Service providers — trusted processors who perform services on our behalf (such as hosting, infrastructure, analytics, and communications), under written agreements that restrict their use of the data.
  • Professional advisors — auditors, legal, and financial advisors where necessary.
  • Competent authorities — government, regulatory, or law-enforcement bodies where disclosure is required by the laws of the Kingdom.
  • Corporate transactions — in connection with a merger, acquisition, or restructuring, subject to the protections of this policy.

8. Cross-border transfers

Where we transfer personal data outside the Kingdom of Saudi Arabia, we do so only in accordance with the PDPL and its Implementing Regulations and any conditions set by SDAIA. Such transfers take place only where an adequate level of protection is ensured in the destination country, or where appropriate safeguards (such as binding contractual clauses) are in place, or where another lawful transfer condition under the PDPL applies. For data relating to individuals in other GCC states, we apply equivalent transfer protections required under the relevant national regulations.

9. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, regulatory, or reporting requirements. When personal data is no longer required, we securely delete or anonymise it. Retention periods vary by data category and the nature of our relationship with you.

10. Data security

We implement appropriate organisational, technical, and administrative measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These measures include access controls, encryption in transit and at rest where appropriate, network security, and ongoing monitoring aligned to recognised standards including ISO/IEC 27001. In the event of a personal-data breach that is likely to cause harm, we will notify the competent authority and affected data subjects in accordance with the timelines required by the PDPL.

11. Your rights as a data subject

Subject to the conditions and exceptions set out in the PDPL, you have the following rights in relation to your personal data:

  • Right to be informed — to know the legal basis and purpose for collecting your data.
  • Right of access — to obtain confirmation of, and access to, the personal data we hold about you.
  • Right to obtain a copy — to receive your personal data in a readable and clear format.
  • Right to rectification — to have inaccurate or incomplete data corrected or updated.
  • Right to erasure — to request deletion of your data where it is no longer needed or processing is unlawful.
  • Right to withdraw consent — to withdraw consent at any time, without affecting prior lawful processing.

To exercise any of these rights, contact us using the details in Section 13. We will respond within the period required by the PDPL. There is generally no charge, although we may apply a reasonable fee or decline manifestly unfounded or excessive requests as permitted by law. We may need to verify your identity before acting on a request.

12. Children's privacy

Our website and services are intended for businesses and individuals aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

13. Contact us and complaints

If you have questions about this policy, wish to exercise your rights, or want to make a complaint about how we handle personal data, please contact our privacy team:

  • Email: privacy@nehlum.sa
  • Phone: +966 55 453 5655
  • Address: Dammam, Eastern Province, Kingdom of Saudi Arabia

If you are not satisfied with our response, you have the right to lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA), the competent supervisory authority for personal data protection in the Kingdom.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates when it was last revised. Material changes will be communicated through our website. We encourage you to review this policy periodically.