Skip to content
PRIVACY POLICY

Privacy Policy

Last updated: 12 May 2026

This Privacy Policy explains how IDR Business Consultancy ("IDR", "we", "us") collects, uses, and protects personal data when you interact with idrbusinessconsultancy.com. We handle personal data in accordance with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL, in force since September 2024) and, where the visitor is in the European Economic Area, the EU General Data Protection Regulation (GDPR).

Working baseline

This is a v1 working baseline. Before relying on this document for legal defence please have it reviewed by qualified Saudi counsel and a GDPR-competent advisor.

1. Data controller

IDR Business Consultancy is the data controller for personal data submitted through this website. Riyadh office: Level 1, Office 1, 7698 Wadi Al Artawi, Al Olaya, Riyadh 12212, Saudi Arabia. Sydney office: Level 7, 91 Phillips Street, Parramatta NSW 2150, Australia.

2. What we collect

Contact form: your name, company, email address, phone number, the service interest you select, your message, the IP address and user agent of your browser at submit time, your selected language, and a record of your consent. Careers form: in addition to the above, your CV file, education, professional experience, nationality, date of birth, address, languages, references, and your motivation letter. Anonymous server logs may capture standard request metadata.

3. Why we process it

Contact form submissions are processed to respond to your enquiry, to follow up on commercial opportunities, and to maintain a business record of communications. Careers submissions are processed to evaluate your application, communicate next steps, and (if you are hired) onboard you. We do not use this data for behavioural advertising.

4. Legal basis

Saudi PDPL: your explicit, recorded consent at the moment of submission. GDPR (where applicable): consent (Article 6(1)(a)) for contact submissions; pre-contractual measures (Article 6(1)(b)) for careers applications; legitimate interests (Article 6(1)(f)) for fraud-prevention and security logs.

5. Retention

Contact submissions are retained for up to 24 months from the date of last interaction unless a commercial engagement begins, in which case the standard engagement-record retention applies. Careers submissions are retained for up to 24 months after the role is closed (or longer if you consent to be retained in our talent pool). Security logs are retained up to 12 months.

6. Recipients

Personal data is accessible only to authorised IDR personnel involved in responding to your enquiry or evaluating your application. We use third-party processors for email delivery (SMTP provider), database storage (Supabase), and (in the careers flow) file storage. We do not sell personal data.

7. International transfers

Data may be processed in regions where our service providers operate. Cross-border transfers from Saudi Arabia are conducted only where permitted under PDPL and subject to appropriate safeguards.

8. Your rights

Under Saudi PDPL you have the right to access, correct, delete, and object to the processing of your personal data, and the right to withdraw consent at any time. Under GDPR (where applicable) you additionally have the right to data portability and the right to lodge a complaint with a supervisory authority. To exercise any right write to privacy@idrbusinessconsultancy.com. We respond within 30 days.

9. Security

We protect data with TLS in transit, access controls on our database and storage, and least-privilege service-role keys for server-side operations only. No system is perfectly secure; if you believe your data has been compromised please email privacy@idrbusinessconsultancy.com immediately.

10. Changes

We may update this Policy from time to time. The "last updated" date at the top reflects the current version. Material changes will be highlighted.

11. Contact

Privacy enquiries: privacy@idrbusinessconsultancy.com. General enquiries: info@idrbusinessconsultancy.com.