Policy for the Digital Investor Relations Solution

Privacy Policy for the Digital Investor Relations Solution

Privacy Policy for the Digital Investor Relations Solution

1. Introduction

This Privacy Policy explains how [Service Provider Legal Name], a company incorporated in the Kingdom of Saudi Arabia, with its registered office at [registered address], collects, uses, discloses, stores, protects, and otherwise processes personal data in connection with the Digital Investor Relations Solution. In this Policy, “we,” “us,” “our,” and “Service Provider” refer to [Service Provider Legal Name]. “User,” “you,” and “your” refer to investors, shareholders, analysts, media representatives, issuer personnel, website visitors, subscribers, and other persons who access or use the Digital IR Solution.

The Digital IR Solution provides digital investor-relations services for Saudi listed-company clients, including IR landing pages, share information, financial dashboards, reports and presentations, analyst coverage, IR events, mailing lists, investor notifications, dividend tools, shareholder-structure visualizations, and related communication features. For market-data feeds, the only source of feed data is Saudi Exchange / Tadawul, unless we expressly state otherwise in writing. Saudi Exchange publishes market information and issuer-announcement pages for Saudi listed companies.

Saudi Arabia’s Personal Data Protection Law framework is intended to protect individuals’ personal data, guarantee their rights, and define the obligations of controllers that process personal data. This Policy is designed to reflect those principles in a Digital IR context.

2. Scope of this Policy

This Privacy Policy applies to personal data processed through the Digital IR Solution, including platform websites, client-branded IR webpages, embedded widgets, subscription forms, email alerts, event-registration features, investor-contact forms, analytics tools, administration interfaces, and related support channels.

This Policy does not apply to third-party websites or services that are linked from the Digital IR Solution but not operated by us. It also does not replace the privacy notices of our listed-company clients. Where a Saudi listed-company client independently determines the purposes and means of processing personal data, that client’s privacy notice may also apply.

3. Our Role as Controller or Processor

Our role depends on the relevant service and contractual arrangement. We may act as a data controller when we determine why and how personal data is processed, such as when we manage our own website analytics, business communications, client relationship management, security logs, and service improvement. We may act as a data processor when we process personal data on behalf of a Saudi listed-company client and according to that client’s documented instructions, such as when we operate mailing lists, alerts, event notifications, or investor-contact workflows for that client.

Where we act as processor, the listed-company client remains responsible for its own privacy notice, lawful basis, investor communications, disclosure practices, and instructions to us. Where we act as controller, we are responsible for providing transparency and responding to applicable data-subject rights requests.

4. Personal Data We May Collect

We design the Digital IR Solution to minimize personal data and collect only what is necessary for the relevant service purpose. The Saudi data protection framework recognizes data minimization, purpose limitation, retention limitation, transparency, and personal-data protection as core statutory bases for processing.

When you visit the Digital IR Solution, your browser or device may automatically transmit technical data. This may include IP address, date and time of access, browser type and version, operating system, device type, language settings, referring URL, page viewed, session identifiers, security logs, and event logs. This information is used to operate the service, maintain security, diagnose issues, measure performance, and detect misuse.

When you subscribe to investor alerts, mailing lists, dividend notifications, financial-calendar reminders, results alerts, share-price alerts, or similar investor communications, we may collect name, email address, phone number, company or institution, professional title, investor category, country, preferred language, subscription choices, alert thresholds, selected issuer, selected securities, and consent or preference records.

When you use forms, request information, register for IR events, submit investor enquiries, or communicate with us or a listed-company client through the Digital IR Solution, we may collect the information you provide in the form or message, including contact details, organization, topic, message content, attachments, event preferences, and related correspondence records.

5. Market Data, Issuer Data, and Personal Data

The Digital IR Solution displays market-feed data sourced from Saudi Exchange / Tadawul, such as share prices, trading volumes, market capitalization, indices, latest trades, corporate actions, dividend announcements, and issuer disclosures where available through Saudi Exchange / Tadawul feeds or pages. Market-feed data is generally not personal data when it relates to listed securities, market prices, or issuer disclosures rather than an identifiable living individual.

However, some investor-relations features may involve personal data. For example, a mailing-list subscription identifies an individual subscriber, an event-registration form identifies a participant, an investor enquiry may contain personal details, and a dividend enquiry tool may involve shareholder identifiers if enabled by the issuer. Such features should be configured to collect only the minimum information needed, to display clear notices, and to apply appropriate access controls.

6. Purposes of Processing

We process personal data to provide, operate, secure, personalize, and improve the Digital IR Solution. This includes enabling Users to view IR content, receive issuer alerts, subscribe to mailing lists, manage preferences, submit enquiries, register for events, download materials, access charts, use dashboard features, and receive support.

We may also process personal data to comply with legal and regulatory obligations, manage client contracts, protect our rights and systems, prevent fraud or misuse, investigate security incidents, maintain audit logs, and produce aggregated analytics for listed-company clients. Where engagement analytics are provided to clients, they should be presented in aggregated or non-identifying form unless a clear lawful basis, contractual basis, and appropriate notice support identifiable reporting.

7. Legal Bases and Lawful Grounds

We process personal data only where a lawful basis or legal justification applies. Depending on the context, this may include consent, performance of a contract, compliance with legal obligations, legitimate interests or recognized lawful interests where permitted, protection of rights and security, or processing requested by a listed-company client under a service agreement.

Consent may be used for optional mailing lists, investor alerts, preference-based notifications, certain analytics cookies, and optional communications. Where processing is based on consent, you may withdraw consent at any time, although withdrawal does not affect processing that occurred before withdrawal or processing that remains permitted under another lawful basis.

Where we process personal data for security, service operation, troubleshooting, fraud prevention, or system integrity, we may rely on lawful interests or obligations, as applicable. Where we act as processor, the listed-company client is responsible for identifying and documenting the lawful basis for its own processing activities.

8. Cookies, Local Storage, and Similar Technologies

We use cookies, local storage, session technologies, and similar technologies as described in our Cookies Policy. These technologies may support session management, preference storage, efficient retrieval of share-data views, form functionality, security controls, analytics, and platform performance.

Some cookies may be strictly necessary for the Digital IR Solution to operate. Others, such as performance or analytics cookies, may be optional depending on the final configuration and applicable consent requirements. Users can control cookies through browser settings and, where provided, cookie-consent tools.

9. Sharing and Disclosure of Personal Data

We may share personal data with Saudi listed-company clients where necessary to operate client-branded IR services, deliver investor alerts, route enquiries, manage event registrations, and provide aggregated investor-engagement reporting. We may also share data with service providers that support hosting, cloud infrastructure, cybersecurity, email delivery, analytics, customer support, database operations, document hosting, and platform maintenance.

We require service providers to process personal data only for authorized purposes and to apply appropriate confidentiality and security measures. We may disclose personal data where required by law, regulation, court order, competent authority, or to protect rights, safety, systems, investors, clients, or the integrity of the Digital IR Solution.

10. International Transfers

Personal data may be stored or processed in the Kingdom of Saudi Arabia or in other jurisdictions depending on hosting, cloud, email, analytics, support, and client requirements. Where personal data is transferred, disclosed, or processed outside the Kingdom, we will apply transfer controls required by applicable Saudi data protection rules and contractual safeguards appropriate to the transfer.

Saudi data-protection transparency principles include informing data subjects whether personal data will be transferred, disclosed, or processed outside the Kingdom and the potential risks and consequences where relevant. The final published version of this section should identify the actual hosting regions and cross-border transfer mechanisms used by the platform.

11. Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal and contractual obligations, resolve disputes, maintain security, support auditability, and enforce agreements. When personal data is no longer needed, it should be deleted, anonymized, aggregated, or securely archived in accordance with documented retention schedules.

The Saudi data-protection framework identifies retention limitation and destruction of personal data after the purpose of collection has been fulfilled as a key principle. The retention periods below are therefore suggested starting points and should be validated against the final legal and operational requirements.

12. Security Measures

We apply reasonable organizational, administrative, and technical measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction. These measures may include access controls, encryption in transit, secure hosting, logging, monitoring, vulnerability management, backup controls, staff confidentiality obligations, supplier due diligence, and incident-response procedures.

No digital service can guarantee absolute security. Users should use secure devices, updated browsers, trusted networks, and caution when opening links or attachments. If you suspect unauthorized access, misuse of your subscription, or a security incident involving the Digital IR Solution, please contact us promptly at [security/privacy email].

13. Data Subject Rights

Subject to applicable law and verification of identity, you may have rights to be informed, access your personal data, request correction, request completion or updating, request destruction of personal data that is no longer needed, and withdraw consent where processing is based on consent. Saudi Arabia’s data-protection framework identifies these rights, including the right to be informed, access personal data, request correction, request destruction, and withdraw consent.

You may exercise your rights by contacting [privacy email]. We may need to verify your identity and may ask for information necessary to process your request. If we process your personal data on behalf of a listed-company client, we may refer to your request to that client or coordinate with the client in accordance with our contract and applicable law.

14. Managing Preferences and Unsubscribing

If you subscribe to investor alerts or mailing lists, you may manage preferences or unsubscribe using links included in the communications where available. You may also contact [privacy email] or the relevant listed-company IR contact to update your preferences.

Unsubscribing from one category of alert may not automatically unsubscribe you from all communications if you subscribed to multiple issuers, categories, or services. We may retain limited suppression records to ensure that unsubscribe requests are respected.

15. Children’s Privacy

The Digital IR Solution is designed for investors, shareholders, analysts, issuer personnel, professional advisers, and capital-market stakeholders. It is not directed to children. We do not knowingly seek to collect personal data from children. If you believe a child has provided personal data through the Digital IR Solution, please contact us so that we can assess and, where appropriate, delete the relevant information.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, platform features, laws, regulations, client requirements, data-source arrangements, technology providers, or data-protection practices. We will post the updated version with a revised “last updated” date. Where required by applicable law or where changes are material, we may provide additional notice or seek consent.