PRIVACY POLICY
Last Updated: Jan 2026
Effective Date: Mar 2026
We are committed to protecting the privacy and security of personal data in strict compliance with the Saudi Arabian Personal Data Protection Law (PDPL) and the regulations issued by the Saudi Data & Artificial Intelligence Authority (SDAIA).
This Privacy Policy explains how we collect, use, and protect information when you visit our website, register for an account, or utilize our omnichannel customer communication platform.
Our Role in Data Processing
- As a Data Controller: Experia is the Controller for the account configuration data, billing details, and analytics of our direct corporate clients.
- As a Data Processor: For all conversational text, chat transcripts, voice recordings, video streams, emails, and form inputs sent to our clients by their end-users through integrated channels (including WhatsApp, Facebook, Instagram, SMS, and Live Chat), Experia acts strictly as a Data Processor. Our clients are the Controllers of that end-user data.
Information We Collect
We collect the minimum amount of data required to deliver our communication management services:
- Account and Registration Data: Full name, corporate email address, Saudi national ID or commercial registration (CR) number, phone number, and account passwords.
- Payment & Billing Information: Billing address and payment card or corporate bank transfer metadata.
- Integration Credentials: API keys, access tokens, and account identifiers provided by you to link third-party communication networks (e.g., Meta APIs for WhatsApp/Instagram, local telecom SMS channels).
- Usage Metadata: IP addresses, browser variants, application event logs, and connection timestamps recorded for system security and optimization.
Purpose and Legal Basis for Processing
We process data within Saudi Arabia based on the following legal foundations under the PDPL:
- Performance of a Contract: Processing is necessary to initialize, execute, and support your Experia subscription agreement.
- Legal Obligations: Compliance with regulatory reporting, local telecommunication guidelines, and national cybersecurity standards.
- Legitimate Interests: Troubleshooting platform performance, preventing operational fraud, and preserving infrastructure stability.
Local Infrastructure Sovereignty & Storage
- In-Kingdom Hosting: In alignment with national data localization objectives, all platform data, communication transcripts, survey profiles, voice recording files, and metadata are hosted on secure enterprise infrastructure physically located within the Kingdom of Saudi Arabia.
- No Unauthorized Cross-Border Transfers: Experia does not transmit, store, or route personal data outside the geographic boundaries of Saudi Arabia unless explicitly authorized by the Data Controller and processed under a transfer framework explicitly approved by SDAIA.
Third-Party Subprocessors
To deliver continuous omnichannel routing, Experia coordinates with select third-party service providers who operate as subprocessors:
- Communication Network APIs: Meta Platforms Inc. (for native WhatsApp, Facebook, and Instagram message syncing).
- Local Infrastructure Gates: Certified Saudi Arabian telecommunications operators (for SMS marketing transmission and direct voice call routing).
All subprocessors are bound by written agreements ensuring they maintain data security baselines identical to or exceeding those defined by Experia under the PDPL.
Technical Security Measures
Experia implements administrative, organizational, and technological controls mapped to National Cybersecurity Authority (NCA) standards, including:
- Full AES-256 encryption for data at rest across all databases and file stores.
- TLS 1.3 transport layer encryption for data moving across live communication streams.
- Enforced multi-factor authentication (MFA) and granular Role-Based Access Controls (RBAC) for all system administration teams.
Data Retention and Destruction
- We retain personal account information only for the duration of your active platform subscription.
- Upon termination of services or an explicit administrative purge command, Experia will irreversibly destroy or anonymize all communication files, chat histories, and database rows within 30 business days, excluding records mandated for retention by applicable Saudi laws.
Data Subject Rights under the PDPL
Under Saudi privacy rules, individuals possess explicit rights regarding their personal information:
- Right to Know/Access: Request confirmation of processing and a copy of held personal files.
- Right to Correct: Request immediate correction of outdated or inaccurate records.
- Right to Destroy: Request erasure of data when its primary collection purpose is fulfilled.
Note: If you are an end-user communicating with a business that uses Experia, please send your rights requests directly to that business, as it controls your data.
Contact and Regulatory Support
For questions regarding this policy, to exercise your statutory privacy rights, or to reach our Data Protection Officer, contact us at:
- Email: privacy@experiaapp.com
- Corporate Address: Riyadh, Kingdom of Saudi Arabia