Privacy Policy
Article 1: Introduction & Definitions
Taam Agency (referred to as "the Agency" or "we") is committed to protecting the privacy of its website users and clients in accordance with the Saudi Personal Data Protection Law (PDPL), issued by Royal Decree No. (M/19) dated 9/2/1443H, and its implementing regulations issued by the Saudi Data & AI Authority (SDAIA).
Article 2: Data We Collect
The Agency collects the following categories of personal data:
- Full name and contact information (email address, phone number, mailing address)
- Project, event, and service request details submitted via the website or official channels
- Website usage data, browsing behaviour, and cookie data
- Project photographs and documentation (with explicit client consent)
- Financial transaction data required to complete contracted services
Article 3: Purposes of Data Collection & Processing
Personal data is processed exclusively for the following purposes:
- Delivering contracted services and managing projects and events
- Communicating with clients regarding project progress and updates
- Issuing quotations, invoices, and completing financial and accounting procedures
- Complying with applicable legal and regulatory requirements in the Kingdom of Saudi Arabia
- Financial transaction data required to complete contracted services
- Sending marketing materials and promotional offers with prior explicit and withdrawable consent
- Improving service quality and enhancing the client experience
Article 4: Legal Basis for Processing
The Agency relies on the following legal bases for processing personal data under PDPL:
- Contract Performance: to deliver the services agreed with the client
- Legal Obligation: to comply with regulations and laws applicable in the Kingdom
- Explicit Consent: for marketing purposes and publication of project documentation
- Legitimate Interest: to improve services and develop business, provided it does not override data subjects' rights
Article 5: Sharing Data with Third Parties
The Agency does not sell, lease, or share personal data with any third party beyond strict operational necessity. Data is shared only in the following cases:
- Suppliers and subcontractors: solely for project execution, under strict confidentiality obligations
- Government and regulatory authorities: when required by law or a judicial order
- IT service providers: such as hosting and email platforms, subject to adequate security guarantees
Article 6: Rights of Data Subjects
Data subjects enjoy the following rights under PDPL and its implementing regulations:
- Access to and obtain a copy of personal data held about them
- Correction of inaccurate or misleading data
- Request for data destruction, subject to applicable legal conditions and exceptions
- Objection to or restriction of processing in cases stipulated by law
- Withdrawal of consent at any time without affecting the lawfulness of prior processing
- Lodge a complaint with SDAIA if a violation of PDPL provisions is suspected
Article 7: Data Security
The Agency implements the technical and organisational measures necessary to protect personal data against unauthorised access, disclosure, alteration, or destruction, in accordance with international standards and PDPL requirements. In the event of a security breach that poses a risk to data subjects' rights, the Agency will notify SDAIA and the affected data subjects in accordance with the prescribed procedures and timelines.
Article 8: Data Retention
Personal data is retained for the period necessary to fulfil the purposes for which it was collected, or as required by applicable legal and regulatory obligations:
- Active client data: five (5) years from completion of the last transaction
- Marketing and communication data: until consent is withdrawn or deletion is requested
- Accounting and financial data: in accordance with Zakat, Tax and Customs Authority requirements