This notice explains what data we collect, why we collect it, how long we keep it, who we share it with, and the rights you hold under Saudi Arabia's Personal Data Protection Law (PDPL, Royal Decree M/149). Effective date: 2026-04-21.
We are the data controller for projexlabs.com. We collect only what we need to respond to an inquiry (name, email, the message you send) plus a single language-preference cookie. We don't sell data, we don't share with advertisers, we don't transfer Saudi personal data across borders without your consent. You can access, correct, or erase your data by emailing hi@projexlabs.com. If you think we've got something wrong, you can complain to the Saudi Data & AI Authority (SDAIA).
Projex Labs is the data controller for projexlabs.com and all personal data processed through this site. Contact: hi@projexlabs.com. Office: Riyadh, Saudi Arabia. If you need to reach the person responsible for data protection requests, email the address above with subject line "Privacy request" and we route it internally.
We collect two narrow categories. (a) Inquiry data: when you email us or click an email-me CTA, we receive your name (if provided), email address, and the contents of your message. (b) Technical data: a single language-preference cookie (pxl_lang) stored on your device to remember whether you prefer the English or Arabic edition; standard server request logs (IP address, user agent, requested URL, timestamp) generated by the hosting infrastructure and retained only for security and diagnostics. We do not use marketing cookies, advertising pixels, session replay, heatmaps, or third-party analytics.
Inquiry data is processed on the lawful basis of taking steps at your request before entering into a potential business relationship (PDPL Article 6) and, where applicable, your explicit consent (sending us an email is itself a signal of consent to reply). Technical data — the language-preference cookie and server logs — is processed on the lawful basis of our legitimate interest in operating a reliable, bilingual, secure website, weighed against your privacy interests.
Inquiry emails are retained for as long as the potential or active partnership conversation is live, plus up to 24 months after the last interaction to support follow-ups and legal record-keeping, after which they are deleted or anonymized. The pxl_lang cookie has a 180-day max-age on your device; you can clear it at any time from your browser settings. Server request logs are retained for up to 90 days for security purposes and then discarded or rotated out.
We do not sell personal data and we do not share it with advertisers. Your inquiry email passes through the following processors strictly to deliver the service you requested: (a) our email hosting provider, which handles inbound and outbound mail on our domain; (b) our Saudi-resident infrastructure hosting and CDN providers, which operate the website and edge caching. Each processor is bound to process your data only on our documented instructions and with confidentiality obligations.
Our production hosting and primary data residency is in Saudi Arabia. Certain operational systems (for example, the email delivery path) may involve transfer outside the Kingdom. Where any transfer of Saudi personal data outside Saudi Arabia occurs, we only do so (a) where the destination country is recognized as providing an adequate level of protection under PDPL, or (b) where appropriate contractual safeguards are in place, or (c) where you have given explicit consent. We never transfer personal data for advertising, profiling, or secondary purposes.
As a data subject under PDPL you have the right to: (a) be informed about how your data is processed — this notice; (b) access your data — request a copy; (c) rectify inaccurate data; (d) erase data where we no longer have a lawful basis to keep it; (e) restrict processing in specific cases; (f) object to processing based on legitimate interest; (g) withdraw consent where consent is the lawful basis; (h) not be subject to a decision based solely on automated processing that produces legal effects (we do not make such decisions on this site). To exercise any right, email hi@projexlabs.com. We respond within 30 calendar days.
If you believe we have violated your rights under PDPL, you can file a complaint with the Saudi Data & AI Authority (SDAIA) through sdaia.gov.sa or the National Data Management Office (NDMO). You retain all rights under Saudi law to seek judicial redress. We also welcome complaints directly at hi@projexlabs.com — we'd rather hear about it and fix it than have it go to the authority first.
We apply technical and organizational measures proportionate to the nature of the data we handle: TLS 1.3 for all traffic, least-privilege access controls for the inbound inquiry channel, encrypted storage at rest on managed infrastructure, routine patching, and internal review of any change that could affect personal-data handling. We align our broader security posture with the National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC) and Cloud Cybersecurity Controls (CCC) where applicable. No system is risk-free, but we take our obligation seriously.
This site is intended for partnership, research, and professional audiences. We do not knowingly collect personal data from children under 13. If you believe a child has provided data, contact hi@projexlabs.com and we will delete it.
We may update this notice to reflect changes to the law, our practices, or the site itself. The effective date at the top will change. Material changes (new data collection, new purposes, new recipients, new cross-border transfers) are called out explicitly when they happen.
Questions, requests, or complaints — email hi@projexlabs.com with subject "Privacy request" and your preferred language (EN/AR). We respond within 30 calendar days; routine requests within 48 hours.
PDPL Compliance Matrix
Each PDPL obligation mapped to the specific control or disclosure on this site. This is the same matrix we share with partners who ask for documented compliance.
| PDPL Obligation | How projexlabs.com complies | Reference |
|---|---|---|
| Privacy notice (Art. 4, 5) | This page — plain-English + formal sections 1–12 | §1–§12 above |
| Identity of data controller | Projex Labs, Riyadh, Saudi Arabia — hi@projexlabs.com | §1 |
| Lawful basis for processing | Pre-contractual steps at your request (Art. 6); legitimate interest for technical data | §3 |
| Purpose specification | Inquiry response + bilingual operation of the site — nothing else | §2, §3 |
| Data minimization | No forms, no fingerprinting, no third-party trackers; inquiry is name/email/message only | §2 |
| Consent management | Email-me-to-reply is the consent signal; pxl_lang cookie set only after language detection + user can clear | §3, §4 |
| Retention | Inquiries: duration of conversation + 24 months; cookie: 180 days; logs: 90 days | §4 |
| Recipients / processors | Email hosting + Saudi-resident infra; no advertisers, no data sale | §5 |
| Cross-border transfer rules | Primary residency in Saudi; any transfer only with adequacy/SCC/consent | §6 |
| Data subject rights (all eight) | Access, rectification, erasure, restriction, objection, portability, consent withdrawal, automated-decision opt-out | §7 |
| Right to complain to SDAIA | Disclosed with link pathway to sdaia.gov.sa and NDMO | §8 |
| Security measures | TLS 1.3, least-privilege access, encrypted at rest, NCA ECC/CCC alignment | §9 |
| Children's data | Not knowingly collected; deletion on notification | §10 |
| Breach notification readiness | Internal runbook aligned to the 72-hour window; contact route defined | Separate operational runbook, available to partners on request |
| Automated decision-making | None on this site. No profiling, no scoring, no algorithmic decisions affecting users | §7(h) |
References above point to numbered sections on this page. For the full operational runbook (breach handling, DPIA template, processor register, data residency map), partners can request it at hi@projexlabs.com.
All privacy-related requests — access, correction, deletion, withdrawal of consent, complaint — route through one address. Please include "Privacy request" in the subject line so we triage correctly.