Website Privacy Policy

Scope of this policy

VASTSOFT Establishment is a software company registered in the Kingdom of Saudi Arabia (Commercial Registration No. 1010838619; Unified National Number 7031622371). The Website is an informational showcase for our company, services, and products. This policy describes the personal data we process about visitors to the Website, where we act as the data controller.

VASTSOFT is registered in the National Register for Personal Data Protection, maintained by the Saudi Data and AI Authority (SDAIA) on the National Data Governance Platform, under Registration No. 3260006717 (issued 5 June 2026; status: active). The official contact registered for data protection is [email protected], +966 55 502 8400.

This policy does not cover the products we offer. When you sign up for or use a product such as VOrder or VMail, the personal data processed inside that product is governed by that product’s own privacy policy and, where the product is operated on behalf of a business customer, by the agreement between us and that customer. Please read the relevant product policy separately.

You can reach us about the Website and your personal data at [email protected].

Data we collect on the Website

When you visit or interact with the Website, we may collect:

• Contact and enquiry data: the name, email address, phone number, and the message or query you submit through our "Contact us" form. We collect this so our sales team can respond to you.
• Technical and device data: IP address, browser type and version, operating system, language, referring pages, and similar diagnostic information generated automatically when you visit.
• Analytics and usage data: pages viewed and aggregate interaction with the Website, collected through cookies and similar technologies only after you consent.

We do not record your browsing sessions, capture screenshots, or log the full content of your HTTP traffic. We do not knowingly collect sensitive personal data through the Website, and if such data is submitted to us inadvertently, we delete it.

How we use data

We use the personal data collected on the Website to respond to your enquiries and contact you about your request for sales purposes, to operate, secure, and maintain the Website, to detect and prevent fraud, abuse, and security incidents, to understand and improve how visitors use the Website (using analytics, where you have consented), and to comply with our legal obligations.

We do not sell your personal data, and we do not use your data to build advertising profiles about you.

Legal basis

Under the PDPL we process personal data on one or more of the following bases: your consent; your request and our legitimate interest in responding to and following up on your enquiry; our legitimate interest in operating and securing the Website, provided this does not override your rights; and compliance with legal obligations.

Non-essential cookies and analytics are carried out only on the basis of your consent, which you give through our consent banner before that tracking begins. You may withdraw your consent at any time, as easily as you gave it, and we will stop the relevant processing without undue delay.

Cookies, analytics, and consent

When you first visit the Website, we ask for your consent through a consent banner before placing non-essential cookies or running analytics. Strictly necessary cookies — for example, those that remember your language or keep you signed in — may operate without consent because the Website cannot work properly without them.

Only after you opt in do we run our analytics cookies, which measure aggregate traffic and how visitors use the Website. You can change or withdraw your choices at any time through the consent controls on the Website. Withdrawing consent does not affect processing carried out before the withdrawal.

Sharing and disclosure

We share personal data only as needed to run the Website:

• Service providers and processors (such as hosting, analytics, and email-delivery providers) who process data on our instructions under confidentiality and data protection terms.
• Authorities or third parties where required by the laws of the Kingdom of Saudi Arabia, a court order, or to establish, exercise, or defend legal rights, or to protect our users or the public.
• A successor entity in connection with a merger, acquisition, or sale of assets, subject to this policy.

Data location and cross-border transfers

We host and process personal data both inside the Kingdom of Saudi Arabia and outside it, including through service providers located abroad. Any transfer of personal data outside the Kingdom is carried out in line with the PDPL and the Regulations on Personal Data Transfer outside the Kingdom.

Where the destination country is not covered by an adequacy decision published by SDAIA, we rely on appropriate safeguards — such as SDAIA’s Standard Contractual Clauses — and we carry out a transfer risk assessment, limiting the data transferred to the minimum necessary and applying additional protections where needed.

Data retention

We keep contact and enquiry data submitted through the "Contact us" form only for as long as needed to respond to you, and in any case we delete it within 30 days of your enquiry, unless a longer period is required to comply with a legal obligation or to establish or defend a legal claim. Analytics and technical data are kept for a limited period appropriate to security and analytics, after which they are deleted or anonymized.

Security

We apply organizational, administrative, and technical measures — including encryption in transit and at rest, access controls, and regular review — to protect personal data against loss, unauthorized access, alteration, or disclosure. No system is perfectly secure, but if a personal data breach occurs we will notify SDAIA within 72 hours of becoming aware of it, and we will notify affected individuals without undue delay where the breach may cause damage to their data or conflict with their rights and interests, as required by the PDPL.

Your rights

Subject to the PDPL, you have the right to:

• Be informed about how your personal data is processed.
• Access the personal data we hold about you and obtain a copy of it in a readable, commonly used format.
• Request correction of inaccurate, incomplete, or outdated data.
• Request destruction of your data where there is no lawful reason to keep it.
• Request that we restrict processing in defined circumstances.
• Withdraw your consent at any time where processing is based on consent.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days, extendable in the cases allowed by the PDPL. You also have the right to lodge a complaint with SDAIA, the competent authority in the Kingdom, within 90 days.

Children

The Website is intended for businesses and adults. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here and change the "last updated" date. We will communicate significant changes through the Website or by email where appropriate.

Contact us

For any question about this policy or your personal data on the Website, contact us at [email protected] or through our contact page.