Saudi PDPL Compliance

Last updated: 31 May 2026

Orchra is building its security and privacy program to support Saudi enterprise and public-sector procurement requirements, including PDPL, NCA ECC, and NCA CCC control mapping. This page summarizes how we handle personal data under the PDPL; the full Privacy Policy governs in the event of any conflict.

This page explains how Orchra aligns with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) and its Implementing Regulations for personal data collected through our marketing site and early-access program. The controller of your personal data is Orchra Technology (CR 012349504), Riyadh 13214, Kingdom of Saudi Arabia. Privacy contact: privacy@orchra.io.

What personal data we collect

Today, the only data we collect directly is through the early-access waitlist form:

Email address (required)
Company name, role/job title, team size (optional)
Phone number and country code (optional)

We also process server and CDN logs (including IP address) for security and reliability, and aggregate, cookieless analytics that do not identify you.

Why we collect it and the legal basis

We use this data to contact you about Orchra early access, to protect the site against spam and abuse, and to keep the site secure. Under the PDPL we rely on your consent (given when you submit the form), our legitimate interest in responding to a business enquiry you initiated and securing our site, and legal obligation where applicable. We do not sell personal data or use it for cross-context behavioural advertising.

Your data-subject rights and how to exercise them

Subject to applicable law, you have the right to be informed, to access and obtain a copy of your data, to have it corrected, to request deletion, and to withdraw consent at any time. To exercise any right, email privacy@orchra.io. We may verify your identity and will respond within 30 days. You may also complain to the Saudi Data and Artificial Intelligence Authority (SDAIA).

Retention, deletion and withdrawal

We keep waitlist data until the early-access program ends, then for a further 24 months for follow-up, after which it is deleted or anonymized. Technical logs are kept for 90 days. If you withdraw consent or request deletion earlier, we will act on that request.

Saudi data residency and cross-border transfers

Your waitlist data is stored on our application backend located in the Kingdom of Saudi Arabia, and we aim to keep it within the Kingdom. The marketing site is served via Cloudflare's global CDN, so request metadata such as your IP address may be processed outside the Kingdom for delivery and security. Where this is a cross-border transfer under the PDPL, we rely on the mechanisms permitted under the PDPL Transfer Regulations (and, for EU/UK individuals, an appropriate GDPR safeguard such as the Standard Contractual Clauses).

Sub-processors and updates

We use a small number of processors acting on our instructions: Cloudflare (delivery, hosting, security), application backend hosting in the Kingdom of Saudi Arabia (stores waitlist data), and Plausible Analytics (aggregate, cookieless analytics). The current list is maintained in our Trust Center.

Breach notification and incident handling

In the event of a personal data breach, we will notify SDAIA within the timeframe required under the PDPL (within 72 hours) and notify affected individuals where required. Our incident process covers detection, containment, assessment, notification and remediation.

Contact

Questions about PDPL or your personal data: privacy@orchra.io · Orchra Technology, Riyadh 13214, Kingdom of Saudi Arabia.