KINDI — A bureau for handling sensitive language.

In-Kingdom PII masking for frontier LLMs
Riyadh · Kingdom of Saudi Arabia
KINDI.me
30 May 2026 · 1447-12-13 H
PL. 22 · § 01
§ I.

Who we are · من نحن

This notice is issued by KINDI (provisional) (“KINDI”). For the personal data processed under this notice, KINDI is the Data Controller as that term is defined in the PDPL. Where you submit text that contains personal data to the KINDI masking API, you are the Controller and KINDI is the Processor; that relationship is governed by the separate Data Processing Addendum and is not the subject of this notice.

PL. 22 · § 02
§ II.

What personal data we process · البيانات التي نعالجها

KINDI processes the following categories of personal data about account holders and visitors. The list is exhaustive for the processing described in this notice.

  • Identity and account. Email address, chosen password (stored only as a salted hash), display name, and the unique identifier KINDI generates for your account.
  • Authentication. Browser session cookies, one-time tokens for password reset and email verification, and TOTP secrets where two-factor authentication is enabled.
  • Billing. Top-up amount, billing identity, optional VAT number, and a card token returned by the payment provider; KINDI does not see or store the card itself.
  • Usage metadata. Per-request timestamp, tokens billed, status code, the identifier of the API key used (never the secret), the originating account, and the IP address from which the request was made.
  • Correspondence. The body of any email you send to KINDI, and the messages exchanged through any support channel KINDI operates.

KINDI does not retain the body of a masking request, the body of a masking response, the placeholder-to-original mapping, or the encrypted envelope beyond the round-trip of a single call. These elements are not personal data of the account holder; their handling is described in the Data Processing Addendum.

PL. 22 · § 03
§ III.

Sensitive personal data · البيانات الحسّاسة

KINDI does not deliberately collect sensitive personal data about account holders, as that term is defined in the PDPL: data revealing racial or ethnic origin; religious, intellectual, or political belief; criminal convictions; biometric or genetic data for identification; health data; or data indicating that one or both of an individual’s parents are unknown.

KINDI’s masking service is, however, designed for inputs that may contain such data, including health data. That processing is performed on behalf of the Customer as Controller, under the Data Processing Addendum, with the additional safeguards expected under the PDPL Implementing Regulations.

PL. 22 · § 04
§ IV.

Legal basis for processing · الأساس القانوني

KINDI relies on one of the following lawful bases for each category of processing described in this notice, consistent with the PDPL and its implementing regulations.

  • Performance of the contract between KINDI and the Customer, for identity, account, authentication, and billing data.
  • Compliance with a legal obligation in the Kingdom of Saudi Arabia, including obligations under tax law administered by ZATCA for billing records, and any obligation to retain records that may be imposed by a court of competent jurisdiction.
  • Legitimate interest in operating, securing, and improving the service, for usage metadata and audit logging, balanced against the rights of the data subject and applied with the principle of data minimisation.

PL. 22 · § 05
§ V.

How we use personal data · الأغراض

KINDI uses the categories of personal data listed in § II for the following specific, clear, and explicit purposes, as required by Article 4 of the PDPL.

  • Operating the service: authenticating sign-in, issuing API keys, debiting balances, and rendering the dashboard.
  • Billing and tax: producing tax-compliant receipts and maintaining the ledger required by KSA tax law.
  • Service security: detecting abuse, enforcing rate limits, and investigating suspected breach of the Acceptable Use Policy.
  • Support: responding to your correspondence and resolving issues you raise.
  • Compliance: meeting legal, regulatory, and audit obligations placed on KINDI in the Kingdom of Saudi Arabia.

KINDI does not use personal data for advertising, for building behavioural profiles, or for sale to any third party.

PL. 22 · § 06
§ VI.

Retention · مدّة الاحتفاظ

KINDI retains personal data only for as long as needed for the purposes set out in § V and for the period required by applicable law.

  • Account and authentication data: for the life of the account, plus 90 days after closure.
  • Usage metadata: 18 months from the date of the request.
  • Audit logs: 24 months from generation.
  • Billing records and receipts: as required by KSA tax law (currently 6 years).
  • Correspondence: 24 months from the last message in the thread.

At the end of the applicable period, KINDI deletes or irreversibly anonymises the data. A copy of the deletion record is retained for audit purposes.

PL. 22 · § 07
§ VII.

Sharing and sub-processors · المشاركة والمعالجون من الباطن

KINDI shares personal data only with the sub-processors listed in the Subprocessor List and only for the purposes stated there. Each sub-processor is bound by a written agreement that imposes data-protection obligations consistent with this notice. KINDI does not sell personal data and does not share personal data with third parties for their own marketing purposes.

KINDI will disclose personal data to a public authority only on receipt of a binding legal order issued under the law of the Kingdom of Saudi Arabia, and only to the extent required by the order.

PL. 22 · § 08
§ VIII.

Cross-border transfers · النّقل عبر الحدود

KINDI’s compute, primary storage, backups, and operational logs are all hosted inside the Kingdom of Saudi Arabia. Where a sub-processor for transactional email or DNS receives personal data outside the Kingdom, KINDI applies the safeguards required by the Transfer Regulation, including, as appropriate, Saudi standard contractual clauses and a Transfer Risk Assessment under Article 7 of the same regulation. Until the SDAIA publishes its list of jurisdictions deemed to provide an adequate level of protection, KINDI treats every cross-border transfer as requiring an explicit safeguard.

PL. 22 · § 09
§ IX.

Your rights under the PDPL · حقوقكم بموجب النّظام

Article 4 of the PDPL affords every data subject in the Kingdom of Saudi Arabia the rights listed below. KINDI honours each of them in respect of the personal data covered by this notice.

  • Right to be informed of the legal basis and the specific, clear, and explicit purpose for which your personal data is processed. This notice itself discharges that obligation.
  • Right of access to the personal data KINDI holds about you.
  • Right to obtain a copy of your personal data in a readable and clear format.
  • Right to rectification of inaccurate, incomplete, or outdated personal data.
  • Right to erasure of personal data that is no longer needed for the purposes for which it was collected, subject to retention obligations under § VI.
  • Right to withdraw consent, where the processing relies on consent rather than on another lawful basis.
  • Right to lodge a complaint with the competent supervisory authority. See § XI.

PL. 22 · § 10
§ X.

Exercising your rights · كيفيّة ممارسة الحقوق

To exercise any of the rights set out in § IX, write to dpo@kindi.me stating which right you are exercising and providing enough information for KINDI to identify your account. KINDI will respond within thirty (30) days of receipt, as required by the PDPL Implementing Regulations. Where a request is complex or where KINDI has received multiple requests from the same data subject, the period may be extended by a further thirty (30) days; you will be informed of the extension within the original window.

KINDI does not charge a fee for the first response to a request, but reserves the right to charge a reasonable fee for repeated or manifestly excessive requests, as permitted by the PDPL Implementing Regulations.

PL. 22 · § 11
§ XI.

Complaints to SDAIA · الشّكاوى للهيئة

The supervisory authority for the PDPL in the Kingdom of Saudi Arabia is the SDAIA. If you believe KINDI’s processing of your personal data infringes the PDPL, you may lodge a complaint with SDAIA in addition to, or instead of, contacting KINDI’s DPO. SDAIA publishes guidance on its Laws and Regulations page and operates a dedicated breach-notification service for incidents.

PL. 22 · § 12
§ XII.

Security · الأمن

KINDI implements technical and organisational measures designed to align with the Essential Cybersecurity Controls and the Data Cybersecurity Controls issued by the National Cybersecurity Authority. A summary of those measures is published at kindi.me/security. Further detail and breach-handling commitments to Customers are stated in the Data Processing Addendum.

PL. 22 · § 13
§ XIII.

Children · الأطفال

The KINDI service is intended for business use and is not directed to children. KINDI does not knowingly create an account for an individual under the age of eighteen. If you believe an account has been created in breach of this policy, write to dpo@kindi.me and KINDI will close it.

PL. 22 · § 14
§ XIV.

Changes to this notice · التّعديلات

KINDI may update this notice from time to time. Material changes will be summarised in the version line at the head of the document and notified to the registered contact for each account at least thirty (30) days before they take effect.

PL. 22 · § 15
§ XV.

Contact · للتواصل

For any question about this notice or about KINDI’s handling of personal data, write to dpo@kindi.me. KINDI’s registered postal address will be added to this notice once commercial registration is complete; until then, the email address above is the canonical point of contact.