PDPL Notice

The Saudi Personal Data Protection Law (PDPL) came into effect on September 14, 2023, with full enforcement beginning in September 2024. We have already taken concrete steps to ensure compliance with PDPL, including offering in-Kingdom data residency (GCP Dammam and on-premise hosting), maintaining SOC 2 certified security controls, and updating our policies and processes to align with PDPL requirements.

This Notice explains how Ideanote handles personal data under Saudi Arabia’s Personal Data Protection Law (PDPL) and its Implementing Regulations, including the Regulation on Personal Data Transfer outside the Kingdom (together, the “PDPL Framework”). Ideanote processes personal data as a processor on documented instructions from the customer (controller).

1. Legal Basis & Purposes of Processing

We process personal data only for specified, explicit, and legitimate purposes necessary to deliver the Ideanote service (e.g., idea capture, collaboration, innovation workflows, user management, support) and as instructed by the customer.

Legal bases may include consent, contract, and other lawful grounds permitted by PDPL. We practice data minimization and purpose limitation.

2. Data Residency & Hosting

Customers may host in Google Cloud Platform (GCP) KSA — Dammam region or choose on-premise deployment in KSA. Our KSA hosting option keeps customer personal data stored and processed inside the Kingdom.

3. Cross-Border Data Transfers

Where customers select KSA hosting (GCP Dammam) or on-premise, Ideanote will store and process customer personal data solely within KSA, and no customer personal data is transferred outside the Kingdom of Saudi Arabia.

This includes support operations designed to avoid remote access to customer personal data from outside KSA. This approach aligns with PDPL’s restrictions on cross-border transfers and obviates the need for transfer approvals and safeguards.

4. Data Subject Rights

We support customers in fulfilling data subject requests under PDPL, including access, correction, deletion, objection/restriction, and portability where applicable. Requests can be initiated through the customer’s admin or via our privacy contact below; Ideanote acts on controller instructions and within statutory timelines.

5. Security Safeguards

Ideanote maintains a robust security program, including SOC 2 controls, encryption in transit and at rest, access governance, logging, vulnerability management, and disaster recovery. Sub-processors (if any) supporting a KSA deployment are contractually bound to equivalent safeguards and are located in KSA when handling customer personal data.

6. Incident and Breach Notification

Ideanote will notify the customer without undue delay following a personal data breach and support any notifications required to SDAIA and affected individuals under PDPL (commonly within 72 hours, where applicable). Customers remain responsible for notifications in their controller role; Ideanote provides the necessary information and cooperation.

7. Data Retention and Deletion

We retain personal data only as long as necessary for the stated purposes or as required by law and by the customer’s configuration. Upon contract termination or at the customer’s written instruction, Ideanote will delete or return customer personal data from KSA environments, subject to lawful retention duties.

8. Accountability & Governance

We maintain records of processing, staff training, and internal audits aligned to the PDPL Framework and sectoral overlays where relevant (e.g., SAMA, NCA, CST for regulated industries). Documentation (e.g., DPA, security summaries) is available to enterprise customers.

9. Contact

Privacy & Compliance: privacy@ideanote.io, dpo@ideanote.io