Privacy Policy

Last updated: June 8, 2026

Tirdad ("Tirdad," "we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you access or use the Tirdad platform, website (tirdad.ai and related domains), APIs, and all related services (collectively, the "Services"). This Privacy Policy is prepared in accordance with the Saudi Arabia Personal Data Protection Law (PDPL) issued by Royal Decree M/19, and other applicable data protection laws. By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of the Services immediately.

1. Definitions

For the purposes of this Privacy Policy:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the Saudi Arabia Personal Data Protection Law (PDPL).
  • "Customer Data" means any data, content, or materials submitted by or on behalf of the Customer to the Services, including billing records, subscription configurations, and usage metrics.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, modification, retrieval, use, disclosure, or deletion.
  • "Data Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller.
  • "Sub-Processor" means any third party engaged by Tirdad to Process Personal Data on behalf of the Customer.
  • "Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or criminal records, as defined under the PDPL.

2. Scope and Relationship to Customer Agreements

This Privacy Policy does NOT govern Customer Data processed within the Tirdad product environment pursuant to a Master Services Agreement (MSA) or similar agreement.

Tirdad's Services are designed to operate without requiring customers to provide end-user personal data to us. However, customers may choose to submit personal data in event payloads or other free-form fields. In such cases, Tirdad processes that data solely as a processor on the customer's behalf, and customers remain responsible for ensuring that any data they submit complies with applicable data protection laws. Customer Data (including any personal data customers choose to input into the Services) is processed on behalf of the customer in accordance with the applicable MSA, not under this Privacy Policy.

Role of the Parties: When processing Customer Data on behalf of a customer within the Tirdad product environment, Tirdad acts as a Data Processor, and the customer acts as the Data Controller. Such processing is governed by the applicable Master Services Agreement and, where required by law, a separate Data Processing Addendum (DPA).

Sub-Processors: Tirdad may use third-party sub-processors (e.g., cloud hosting providers, analytics services, email delivery services, and optional integrations such as payment gateways or monitoring tools) to assist in providing the Services. A current list of sub-processors is available upon written request. Tirdad will not add or change sub-processors that have access to Customer Data without providing the Customer with at least thirty (30) days' prior written notice, except where required by law or in an emergency. The Customer may object to any new or changed sub-processor for reasonable data protection concerns, in which case the Parties will work in good faith to find a commercially reasonable alternative.

This Privacy Policy applies to: information we collect when you visit our website or interact with our marketing materials; business contact information of customer representatives, prospects, partners, and vendors; and support and account management communications.

3. Information We Collect

Information You Provide Directly

  • Account Information: Name, work email address, company name, job title, phone number, and billing address when you create an account, request a demo, or contact sales.
  • Contact and Communications: Information you provide when contacting support, requesting a demo, subscribing to newsletters, or participating in surveys, webinars, or events.
  • Payment Information: Payment card details, billing address, and transaction history. Payment credentials are processed and stored securely by our PCI-DSS compliant payment service providers and are never stored on our servers.
  • Account Credentials: Username and securely hashed passwords. We never store passwords in plaintext.

Information Collected Automatically

  • Usage Data: Pages visited, features used, API calls made, interaction patterns, session duration, click paths, referral source, and platform activity logs.
  • Device and Technical Information: Browser type and version, operating system, IP address, device identifiers, screen resolution, language preferences, and referring URLs.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activity. See Section 7 for details on our cookie practices.
  • Server Logs: Access logs, error logs, and security event logs generated during your use of the Services.

Information We Do NOT Collect

Tirdad does not intentionally collect: sensitive personal data such as health information, biometric data, or government-issued ID numbers; personal data of your end users or customers (unless you voluntarily input it as Customer Data under your MSA); or financial account details beyond what is necessary for billing. Do not submit sensitive personal information via our public website or support channels.

4. Legal Basis for Processing

We process your Personal Data based on the following legal grounds under the PDPL and applicable data protection laws:

  • Contract Performance: Processing necessary to perform our contractual obligations to you, including providing the Services, processing payments, and managing your account.
  • Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Services, preventing fraud, ensuring security, and conducting analytics — provided these interests do not override your fundamental rights.
  • Consent: Processing based on your freely given, specific, and informed consent, such as for marketing communications and non-essential cookies. You may withdraw consent at any time.
  • Legal Obligation: Processing necessary to comply with applicable laws, regulations, court orders, or governmental requests.

5. How We Use Your Information

  • To provide, operate, maintain, and improve the Services and their features.
  • To process transactions, send invoices, and manage billing and the subscription lifecycle.
  • To respond to your inquiries, support requests, and provide technical assistance.
  • To send administrative notifications, service updates, security alerts, and account-related communications.
  • To send marketing and promotional communications (with your consent, where required by law).
  • To detect, investigate, prevent, and address fraud, abuse, security incidents, and technical issues.
  • To conduct analytics, research, and product development to improve user experience.
  • To comply with legal obligations, enforce our Terms of Service, and protect our rights and property.
  • To create aggregated, anonymized, or de-identified data for analytics and benchmarking purposes.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your Personal Data. We may share your information in the following circumstances:

  • Service Providers: We engage third-party service providers (e.g., cloud hosting, email delivery, analytics, customer support tools) who process information on our behalf under strict confidentiality obligations and data processing agreements.
  • Business Partners: With your consent, we may share your information with partners for joint marketing or integration purposes.
  • Legal Requirements: We may disclose your information to comply with applicable laws, regulations, legal process, or enforceable governmental requests, or to protect our rights, property, or safety. We will notify you of such requests unless prohibited by law or court order.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your Personal Data becomes subject to a different privacy policy.
  • Aggregated Data: We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for industry analysis, benchmarking, and marketing purposes.

Customer Data Usage Restrictions: Tirdad does not use Customer Data processed within the Tirdad product environment for any purpose other than providing the Services to the applicable customer, as described in the Master Services Agreement. Specifically, Tirdad does not: use Customer Data to train machine learning or AI models; analyze Customer billing data beyond what is required for service delivery and invoicing; or resell Customer Data to third parties. Customer Data is processed solely on behalf of the customer as a Data Processor and is not used for Tirdad's own commercial purposes.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. The types of cookies we use include:

  • Essential Cookies: Required for the Services to function properly, including authentication, session management, and security. These cannot be disabled.
  • Analytics Cookies: Help us understand how you use the Services, which pages you visit, and how we can improve. We use privacy-respecting analytics tools.
  • Functional Cookies: Remember your preferences, language settings, and customization choices.
  • Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness. These are only set with your explicit consent.

You can manage cookie preferences through your browser settings or our cookie consent banner. Most browsers allow you to block or delete cookies. Blocking cookies may limit your ability to use certain features of the Services. We honor Do Not Track (DNT) signals.

8. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, including to satisfy legal, regulatory, accounting, or reporting requirements. Specifically: (a) Account data is retained for the duration of your active account and for thirty (30) days after account closure to enable data export; (b) Billing and transaction records are retained for seven (7) years as required by Saudi commercial and tax regulations (ZATCA); (c) Server logs and usage data are retained for twelve (12) months; (d) Marketing consent records are retained for the duration of the consent plus three (3) years. When no longer needed, we securely delete or anonymize your information using industry-standard methods.

9. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of data in transit (TLS 1.2+) and at rest (AES-256); access controls and role-based permissions; regular security assessments and vulnerability testing; employee security awareness training; incident response procedures and audit logging; and infrastructure monitored under industry-standard security practices. However, no system is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from events beyond our reasonable control. You are responsible for maintaining the confidentiality of your account credentials.

10. Data Localization and International Transfers

Your information is stored and processed primarily in the Kingdom of Saudi Arabia on cloud infrastructure located in the Riyadh region. When cross-border data transfers are necessary (for example, to sub-processors located outside the Kingdom for support services or infrastructure), we ensure appropriate safeguards are in place as required by PDPL Article 29, including: (a) adequacy decisions by the Saudi Data & Artificial Intelligence Authority (SDAIA); (b) standard contractual clauses; (c) binding corporate rules for intra-group transfers; or (d) your explicit consent after being informed of the potential risks. Customers may contact support to request specific regional preferences where technically feasible. A copy of our standard contractual clauses and list of transfer mechanisms is available upon written request.

11. Your Data Protection Rights

Under the Saudi Arabia Personal Data Protection Law (PDPL) and applicable international data protection laws, you have the following rights:

  • Right of Access: You may request access to your Personal Data and obtain a copy in a commonly used, machine-readable format.
  • Right to Rectification: You may request correction of inaccurate or incomplete Personal Data.
  • Right to Erasure: You may request deletion of your Personal Data when it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
  • Right to Data Portability: You may request transfer of your Personal Data to another service provider in a structured, machine-readable format.
  • Right to Withdraw Consent: You may withdraw your consent at any time for processing based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to Object: You may object to the processing of your Personal Data for direct marketing purposes.
  • Right to Restrict Processing: You may request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.
  • Right to be Informed: You have the right to be informed about the collection, purpose, and processing of your Personal Data before or at the time of collection.

To exercise any of these rights, submit a request to privacy@tirdad.ai.

We will respond to your request within thirty (30) days.

12. Children's Privacy

The Services are intended for business use and are not directed at individuals under the age of 18. We do not knowingly collect Personal Data from children under 18. If we become aware that we have collected Personal Data from a child under 18, we will take steps to delete such data promptly. If you believe a child has provided us with their Personal Data, please contact us immediately at privacy@tirdad.ai.

13. Third-Party Links and Services

The Services may contain links to third-party websites, services, or integrations that are not operated by Tirdad. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Services. This Privacy Policy applies solely to information collected through the Tirdad Services.

14. Data Breach Notification

In the event of a personal data breach that affects your Personal Data, Tirdad will: (a) notify the Saudi Data & Artificial Intelligence Authority (SDAIA) within seventy-two (72) hours of becoming aware of the breach, as required by the PDPL; (b) notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms; and (c) document the breach, its effects, and the remedial actions taken. Our incident response team maintains documented procedures for breach detection, assessment, and notification.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable laws. Material changes will be communicated by: (a) posting the updated Privacy Policy on our website with a revised "Last updated" date; and (b) sending an email notification to your registered email address at least thirty (30) days before the changes take effect. Your continued use of the Services after the effective date constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must discontinue use of the Services.

16. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia. Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts in Riyadh, Kingdom of Saudi Arabia.

17. Contact Us

If you have questions or concerns, or wish to exercise your rights under this Privacy Policy, please contact us:

Email: privacy@tirdad.ai

We will acknowledge your inquiry within twenty-four (24) hours and aim to resolve it within thirty (30) days.