Privacy Policy


Current privacy policy for Data Sitr Est. and the DataSitr service, including processing roles, data categories, retention, rights, and complaints handling.

1. Entity name and activity

DataSitr operator operates DataSitr as a Saudi-hosted AI privacy gateway. The service is designed to detect personal data, tokenize or route it according to risk, and preserve machine-readable compliance records. It is a technical control layer, not by itself a regulator approval or legal opinion.

2. Contact information and update record

The privacy and compliance function is currently founder-led. The founder also serves as the registered DPO and AI agent. This policy is reviewed on at least an annual basis and after material changes.

Privacy questions and data-subject requests should be routed through your DataSitr operator or administrator. The founder is the registered DPO and AI agent for this deployment.

3. Categories of personal data

The service may process onboarding and account data, text submitted through the API or dashboard, detected identifiers such as names, Saudi IDs, phone numbers, IBAN, email addresses and addresses, plus higher-risk or sensitive signals when they appear in customer-submitted text. It also processes operational metadata, billing records, and compliance records.

4. Collection methods and purposes

Data is collected directly from customers during onboarding, key creation, dashboard use, and support interactions, and indirectly through text payloads submitted for AI processing. Purposes include PII detection, tokenization, privacy-lane routing, requested AI processing, compliance record keeping, billing, support, and incident response.

5. Processing mechanisms

Requests are classified into green, amber, red, or blocked outcomes. Green-lane traffic is tokenized before eligible external processing. Amber and red traffic are intended to remain on operator-configured in-Kingdom paths or be blocked when no safe path exists. Machine-readable processing, transfer, and audit records are written alongside this workflow.

6. Data sharing and disclosure

Detector-sanitized green-lane text may be routed to approved external AI providers when policy permits it. Amber and red handling relies on operator-configured local paths. DataSitr does not sell personal data and does not share it for unrelated marketing.

7. Storage, retention, destruction, and security

Detected identifiers are tokenized and stored in an encrypted vault. Operational and compliance records are retained to support billing, troubleshooting, auditability, and legal obligations. Current default retention expectations are:

Security measures include encryption, access control, audit logging, guarded deployment, and backup/restore procedures. The exact key-custody backend depends on the deployment configuration.

8. Data subject rights

DataSitr supports workflows for access, rectification, and erasure of subject-linked records, together with operator audit trails. The current operational target is to complete supported workflows within 30 calendar days unless law or contract requires a different timeframe.

9. Complaints and objections

Complaints and objections can be submitted through the published privacy contact route. Security disclosures should use the published security channel. The current internal target is to review complaints within 5 business days and issue a response or next-step notice within 30 calendar days, unless a stricter timeline applies.

10. Policy access and updates

This policy is published on the public site, through the dashboard legal footer, and in the documentation repository. This deployment is operated by DataSitr operator. Material changes should trigger an update to this page and related customer-facing documentation.