Privacy Policy & Data Protection

Last Updated: July 2026 — Fully compliant with the Saudi Arabian Personal Data Protection Law (PDPL)

1. Introduction & Regulatory Commitment

Welcome to SkyLight Chat and its voice-calling companion platform 'Halla'. We are fully committed to protecting the privacy and personal data of our subscribed business entities (Controllers) and their end-users (Data Subjects). This policy is strictly designed and implemented in complete conformity with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia, issued under Royal Decree No. (M/147) and its amendments, and under the regulatory supervision of the Saudi Data and AI Authority (SDAIA) and the National Data Management Office (NDMO).

2. Legal Definitions

For the purposes of this Policy: 'Platform' refers to the SkyLight Chat dashboard, AI Studio, and the Halla smart-calling system. 'Personal Data' means any information that leads to the direct or indirect identification of a natural person, including name, national ID, phone number, voice prints, and geographical location. 'Sensitive Data' includes biological reference data such as biometric voice prints utilized for synthesis and voice classification within the Halla system. 'Processor' refers to SkyLight Chat, which processes data on behalf of our subscribed clients. 'Data Subject' refers to the natural end-user interacting with our clients' automated systems.

3. Local Data Residency in Saudi Arabia (Sovereignty Compliance)

In compliance with the national digital sovereignty guidelines and cybersecurity regulations of the Kingdom of Saudi Arabia, SkyLight Chat and Halla guarantee that all client databases, conversation logs, media files, voice recordings, knowledge bases, and metadata of subscribers and end-users are hosted and stored exclusively in secure local data centers physically located within the borders of the Kingdom of Saudi Arabia. Cross-border transfer, routing, or processing of personal data outside the Kingdom of Saudi Arabia is strictly prohibited unless explicitly approved in writing and executed in accordance with the regulatory exceptions defined by the Saudi Data and AI Authority (SDAIA).

4. Personal Data We Collect & Process

We collect and process only the necessary minimum data required to deliver high-quality automation services: A) Registration Data: Company name, authorized contact person, business email, phone numbers, headquarter address, and Commercial Registration (CR) number for legal validation. B) Chat and Communication Logs: Content of messages, photos, videos, and documents exchanged over official WhatsApp Business API, Instagram, Telegram, LinkedIn, and the Web Chat widget. C) Voice Data (Halla Platform): Voice recordings of inbound and outbound phone calls, transcripts generated by our automatic Speech-to-Text engine, and voice metadata required to render natural Saudi and regional Arabic dialects. D) Knowledge Base Assets: Uploaded corporate documents (PDF, DOCX, XLSX, URLs) uploaded to train the custom AI agents. E) Billing & Payments: Financial transactions are processed via secure Saudi and Gulf payment gateways complying with the Payment Card Industry Data Security Standard (PCI-DSS); our platform does not store sensitive credit card numbers.

5. Security Measures & Cybersecurity Alignment

We enforce state-of-the-art administrative, technical, and physical security measures that align with the National Cybersecurity Authority (NCA) guidelines: A) Data at Rest is fully encrypted using the industry-standard AES-256 encryption algorithm. B) Data in Transit is encrypted utilizing the highly secure TLS 1.3 protocol. C) Strict Multi-Tenant Database Isolation guarantees that each subscriber's environment, database, files, and knowledge base are completely separated at the architectural level to prevent any accidental leakage or cross-client data accessibility. D) Detailed Activity & Audit Logs record every sensitive administrative action, data modification, or user login to ensure robust accountability and role-based tracking.

6. Strict No Cross-Training Policy

SkyLight Chat enforces a strict and binding policy prohibiting the use of your conversation logs, proprietary knowledge bases, voice recordings, or customer data to train public or global AI models. Each client's AI model and custom knowledge parameters are trained and maintained in a completely isolated environment, ensuring your proprietary operational intelligence remains your exclusive intellectual property.

7. Legal Grounds for Data Processing

We process personal data based on solid legal grounds: A) Execution of the commercial contract with the subscribed organization to deliver communication and automation tools. B) Legitimate interest of the subscribed company to deliver superior customer support, automated bookings, and order tracking. C) Compliance with financial and tax regulations of the Zakat, Tax and Customs Authority (ZATCA) in Saudi Arabia for invoicing and transaction recording.

8. Voice Data and Call Recording Terms (Halla System)

The Halla calling platform records telephone interactions to execute booking flows, support ticket creation, and quality assurance. The subscribed organization (Controller) is legally obligated to explicitly inform their end-users that calls are recorded and processed via artificial intelligence. The subscribed organization bears full legal responsibility and liability for compliance with this notification requirement under Saudi law.

9. Data Disclosure & Government Requests

We never sell, lease, or trade personal data. Data is shared with approved, contracted third-party service providers (such as official Meta WhatsApp BSPs) strictly on a need-to-know basis and under strict confidentiality agreements. No data is disclosed to governmental, security, or judicial authorities unless we receive an official, legally binding request issued by a competent KSA authority in full accordance with the Saudi Personal Data Protection Law (PDPL).

10. Data Subject Rights under KSA PDPL

Data subjects are entitled to exercise their legal rights as guaranteed by the Saudi Arabian Personal Data Protection Law: A) Right to be Informed: The right to know the purpose and legal basis for collecting and processing their data. B) Right of Access: The right to request and obtain a clear copy of their stored personal data. C) Right to Rectification: The right to request correction or updating of any incomplete, inaccurate, or outdated data. D) Right to Erasure/Destruction: The right to request complete destruction of their personal data when it is no longer required for the purpose of collection, subject to financial or regulatory record-keeping laws (such as ZATCA regulations). E) Right to Withdraw Consent: The right to withdraw consent for data processing at any time.

11. Data Retention & Secure Destruction Policy

We retain personal data as long as the corporate subscription is active. Upon account termination, we commit to securely and permanently destroying all personal data, chat transcripts, voice recordings, and knowledge bases from both our active servers and backup systems within a period not exceeding thirty (30) business days, providing a formal certificate of secure destruction upon request.

12. Policy Modifications

This Privacy Policy is updated periodically to reflect technical enhancements and updates to the regulatory guidelines of SDAIA. Subscribed organizations will be officially notified of any material changes via registered email or a prominent notification within the system dashboard at least fifteen (15) days prior to the changes taking effect.

13. Contact Our Data Protection Officer (DPO)

If you have any questions regarding this policy or wish to exercise your legal rights under the Saudi Personal Data Protection Law (PDPL), please contact our Data Protection Officer at: Email: privacy@skylightchat.com or open an official support ticket inside your dashboard.

سياسة الخصوصية | سكاي لايت شات