Legal disclaimer: This is an English translation of our Arabic policy, intended for informational purposes only. In any conflict of interpretation, the Arabic version is the legally binding reference under the laws of the Kingdom of Saudi Arabia.
PDPL Compliant

Privacy Policy

How we collect your personal data, how we use it, and your rights to control it — written in plain language, not legalese.

Last updated: 1 Ramadan 1447 AH — 27 April 2026 Version: 1.0 Supervisory authority: Saudi Data & AI Authority (SDAIA)

1. Scope of this policy

This policy governs the processing of personal data of users of Mashro Alomr Platform (the "Platform") — whether learners, instructors, mentors, or visitors. It applies to the website, the apps, and all related services.

2. Data controller

Responsible entity: Mashro Alomr Platform — an educational entity preparing for licensing by the National e-Learning Center (NeLC).

3. Data we collect

A. Data you provide directly

  • Name, email, mobile number (at registration).
  • Date of birth, region, education level (optional, for recommendations).
  • Profile picture and CV (for instructors and mentors).
  • User-generated content (comments, assessment answers, support messages).

B. Data we collect automatically

  • IP address, browser and device type, operating system.
  • Login records and activity within the Platform (courses completed, watch duration, scores).
  • Cookies and similar technologies (details in section 11).

C. Data from third parties

  • When signing in via Google / Apple / Saudi National Single Sign-On (Nafath), we receive only the basic identifier and email.
  • Billing data from licensed payment gateways (mada, Apple Pay, bank transfer) — we do not store card numbers.

4. Processing purposes

We process your data only for the following purposes:

  1. Service delivery: account creation, course enrollment, certificate issuance.
  2. Experience improvement: recommending suitable tracks, reminders, learning analytics.
  3. Communications: course notifications, billing, support responses.
  4. Regulatory compliance: meeting our obligations to NeLC and other competent authorities.
  5. Marketing (only with your consent): new offers and courses. You may withdraw consent at any time.

We do not use your data to make automated decisions with legal effect on you without human review.

  • Performance of contract: delivering the educational services agreed upon.
  • Consent: for direct marketing and non-essential cookies.
  • Legitimate interest: Platform security and fraud prevention.
  • Legal obligation: billing and accounting retention under the laws of the Kingdom.

6. Data sharing

We do not sell your data. We share it only with:

  • Approved service providers (hosting, email, payment gateways) under strict Data Processing Agreements (DPAs).
  • Instructors and mentors with whom you interact directly (only your name and progress in the course).
  • Competent authorities upon explicit legal request, or to protect the rights of the Platform and its users.

7. Cross-border transfers

We prefer to store data inside the Kingdom. Where transfer outside the Kingdom is necessary (e.g., for certain cloud services), we comply with the following:

  • Applying safeguards equivalent to PDPL (encryption, standard transfer agreements).
  • Not transferring to jurisdictions that do not provide an adequate level of protection without your explicit consent.
  • Obtaining the approval of the Saudi Data & AI Authority (SDAIA) where required.

8. Retention periods

  • Active account data: for the duration of the subscription.
  • Closed account: 90 days, then full deletion (unless immediate deletion is requested).
  • Financial records: 10 years, in accordance with the accounting laws of the Kingdom.
  • Certificates and achievements: kept available for verification (with the option to hide them upon your request).
  • Security logs: 12 months maximum.

9. Your rights (under PDPL)

You have the following rights, exercisable via privacy@mashroalomr.com within 30 days:

  • Right to be informed: to know how we process your data.
  • Right of access: to request a copy of your data in a readable format.
  • Right to rectification: to correct any inaccurate data.
  • Right to erasure: to request deletion of your data (subject to legal obligations).
  • Right to restrict processing: to suspend specific processing without deletion.
  • Right to object: to refuse processing for direct-marketing purposes immediately.
  • Right to withdraw consent: at any time, without retroactive effect.
  • Right to lodge a complaint: with the Saudi Data & AI Authority (SDAIA).

10. Security measures

We apply technical and organizational controls including:

  • TLS 1.3 encryption for all communications.
  • Encryption of sensitive data in the database (AES-256).
  • Least-privilege access controls and audit logs.
  • Periodic penetration testing and independent security reviews.
  • Staff training on data protection in line with NeLC requirements.

11. Cookies and tracking

We use three categories of cookies:

  • Essential: required for Platform operation (sign-in, saved preferences). No consent required.
  • Analytics: for usage measurement and Platform improvement. Requires your consent.
  • Marketing: for content tailored to your interests. Requires your consent.

You can change your preferences at any time from Cookie settings.

12. Minors (under 18)

The Platform is intended for adults. For minors aged 13 to 18, the explicit consent of a parent or legal guardian is required prior to registration. We do not knowingly collect data from children under 13. If you become aware of such collection, please contact us immediately for deletion.

13. Data breaches

In the event of a breach that may affect your rights, we will:

  • Notify the Saudi Data & AI Authority within 72 hours.
  • Notify you directly if the impact is high.
  • Take immediate steps to contain the breach and prevent recurrence.

14. Policy updates

We may update this policy to keep pace with regulatory changes or service developments. Material changes will be communicated to you via email at least 30 days before they take effect. The last-update date is shown at the top of the page.

15. Contact and complaints