Privacy Policy

Last Updated on Aug 3rd 2025

This Privacy Policy describes how supplAI collects, uses, discloses, and protects personal data when you access our website and services.

Scope & Applicability
  • GDPR applies if you're located in the European Economic Area.
  • Saudi PDPL applies if data is processed within Saudi Arabia or involves Saudi residents—regardless of where supplAI is based
Information We Collect
  • Account & Contact Data: Name, email, phone, company info.
  • Shipment & Logistics Data: Addresses, cargo details, tracking history.
  • Usage & Interaction Data: Feature usage, visited pages.
  • Device & Log Data: IP address, browser type, timestamps.
  • Marketing Preferences: Newsletter subscriptions, communication preferences.
Legal Bases for Processing
  • GDPR (EU Users)
    • Consent (e.g., marketing communications).
    • Legitimate interests (supply chain optimization), with assessments when used.
  • PDPL (Saudi Users)
    • Consent (explicit opt-in required)
    • Contractual or statutory necessity.
    • Legitimate interests recognized but limited for sensitive data
Use of Personal Data
  • Service Provision: To facilitate logistics operations, tracking, documentation, analytics dashboards.
  • Communication: Sending shipment updates and newsletters (with consent where required).
  • System Improvements: Analyze usage to optimize performance, security, and interface.
  • Legal Compliance & Security: Fraud prevention and system protection.
Data Subject Rights
  • GDPR Rights: Access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and withdrawal of consent.
  • PDPL Rights (Saudi Users):
    • Right to be informed, access, correct, delete, restrict processing, object or withdraw consent.
    • SupplAI supports exercise of these rights upon contact.
Cross-Border Data Transfers
  • GDPR: Transfers outside EEA require adequacy, standard contractual clauses, or equivalent safeguards.
  • PDPL:
    • Transfers outside Saudi Arabia are allowed under adequacy decisions, for international agreements, national interest, contract performance, or other cited purposes.
    • SupplAI ensures proper safeguards per the relevant jurisdiction.
Record Keeping & Oversight
  • Maintain Record of Processing Activities (ROPA) as required by GDPR and PDPL
  • Conduct Data Protection Impact Assessments (DPIAs) where high-risk processing occurs (e.g., tracking, sensitive cargo data)
  • Appoint a Data Protection Officer (DPO) if required by PDPL
Data Security & Breach Notification
  • Use security controls aligned with Saudi NCA standards or equivalent international best practices
  • GDPR Breach Notifications: Inform supervisory authority and affected individuals where required.
  • PDPL Breach Notifications: Notify SDAIA within 72 hours of breach detection; notify impacted individuals as appropriate
Retention & Deletion
  • Personal data retained only as necessary to fulfill operational, legal, or analytic purposes.
  • After these purposes are met, data is securely deleted or anonymized.
Enforcement & Penalties (PDPL)
Non-compliance with PDPL may result in severe penalties:
  • Up to SAR 3,000,000 (~€760,000) and/or 2 years' imprisonment for unlawful use of sensitive data
  • Up to SAR 5,000,000 for other violations; doubled for repeat offenses
Updates & Notification
  • We may update this policy to reflect regulatory changes (e.g., GDPR updates or PDPL amendments).
  • Significant changes will be published on our site and communicated as required.
Contact & Exercising Your Rights

To request access, corrections, or deletion of your personal data—or withdraw consent—contact us at [info@supplai.ai].
We will respond in accordance with GDPR (typically within 30 days) or PDPL timelines.