Privacy Policy

Introduction

Information We Provide at Collection

In accordance with Article 13 of the PDPL, when we collect personal data directly from you we inform you of the following:

• The legal basis and purpose for the collection (see "Legal Basis for Processing" below).
• Which data fields are mandatory for account creation and which are optional.
• That your personal data will not be processed in a manner inconsistent with the stated purpose, except in the cases permitted by Article 10 of the PDPL.
• The identity of the data controller: Psychpedia Establishment (Commercial Registration Number: 7053485384), Kingdom of Saudi Arabia.
• That we may disclose data to service providers and transfer it outside the Kingdom as described in this policy (see "Data Sharing and Disclosure" and "International Data Transfers" below).
• The potential consequences of not providing mandatory data (for example, inability to create an account or access certain features of the Service).
• Your rights under Article 4 of the PDPL and how to exercise them (see "Your Rights" below).

Information We Collect

In accordance with Article 11 of the PDPL, we collect only the minimum amount of personal data necessary to achieve the purposes described in this policy. We collect personal data through two means: (1) directly from you (e.g., registration forms, profile settings, support messages) and (2) automatically through the Service (e.g., cookies, server logs, and device data).

User Account Data

When you register for an account, we collect personal information that you voluntarily provide:

• Name and email address
• Password (stored using secure hashing algorithms)
• Profile information (professional level, study goals, institution affiliation)
• Contact information when you reach out to our support team

Usage Analytics

We automatically collect certain information when you use our Service to understand how the platform is used and to improve your experience:

• Study session data (questions attempted, answers selected, time spent per question)
• Performance metrics (accuracy rates, progress over time, topic mastery)
• Device and browser information (browser type, operating system, device type, screen resolution)
• Log data (IP address, access times, pages viewed, features used)
• Navigation patterns and feature usage statistics

Payment Metadata

When you subscribe to a paid plan, we collect payment-related information:

• Subscription plan details and billing cycle
• Payment method type (credit card, debit card, etc.)
• Billing address and transaction history
• Subscription status and renewal dates

Important: We do not store your full credit card numbers or card security codes. All payment processing is handled securely by third-party payment processors (such as Stripe) in accordance with industry standards. We only receive payment metadata necessary for billing and subscription management.

What We Do NOT Collect

To be clear about what we do not collect:

• We do not collect patient data or clinical records
• We do not collect information about your patients or clinical practice
• We do not store full credit card numbers or card security codes
• We do not collect sensitive health information beyond what you voluntarily provide in your profile

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, maintain your session, and analyze platform usage. For detailed information about the cookies we use, please see our Cookie Policy.

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service
• Create and manage your account and authenticate your access
• Process payments and manage your subscription
• Track your learning progress and provide personalized study recommendations
• Send administrative communications (account updates, security alerts, subscription notices)
• Respond to your inquiries and provide customer support
• Analyze usage patterns to improve our content, features, and user experience
• Detect, prevent, and address technical issues, fraud, and unauthorized access
• Comply with legal obligations and enforce our Terms of Service

Legal Basis for Processing

Under the PDPL, we process your personal data only where we have a lawful basis to do so. The legal bases we rely on are:

• Consent: Where you have given clear, informed consent for us to process your personal data for a specific purpose, such as receiving marketing communications or enabling non-essential analytics cookies.
• Contractual Necessity: Where processing is necessary to perform our contract with you, including creating and managing your account, providing access to the Service, processing payments, and delivering the educational content you have subscribed to.
• Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject, such as retaining financial and tax records or responding to lawful requests from competent authorities.
• Legitimate Interest: Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights, including fraud prevention, security monitoring, and improving the Service.

In accordance with Article 7 of the PDPL, your consent for non-essential processing (such as marketing communications or non-essential analytics cookies) is not required to access or use the core Service. You may decline such consent and still use the platform.

Where we send marketing or promotional communications with your consent (Article 25 of the PDPL), we provide a clear and easy way to opt out at any time, including an unsubscribe link in every marketing email and preferences in your account settings.

Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: We share data with trusted third-party vendors who help us operate our Service, including payment processors (Stripe), hosting providers, analytics services, and customer support tools. These providers are contractually obligated to protect your information and use it only for the purposes we specify.
• Legal Requirements: We may disclose information if required by law, court order, government request, or to protect our rights, property, or safety, or that of our users or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
• With Your Consent: We may share information for other purposes with your explicit consent.

In accordance with Article 17 of the PDPL, when we correct, complete, or update your personal data at your request, we will notify or make the correction available to all entities to which such data has been transferred, where applicable.

Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure password hashing using industry-standard algorithms
• Regular security audits and vulnerability assessments
• Role-based access control (RBAC) limiting who can view your data based on job function and need
• Secure hosting infrastructure with leading cloud providers
• Regular backups and disaster recovery procedures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information using commercially reasonable means, we cannot guarantee absolute security.

Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will, in accordance with Article 20 of the PDPL:

• Notify the Competent Authority under the PDPL (currently the Saudi Data and Artificial Intelligence Authority (SDAIA)) without undue delay
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Provide details of the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach

Your Rights

Under the PDPL, you have the following rights regarding your personal data:

• Right to Be Informed (Article 4(1)): The right to be informed of the legal basis and purpose for the collection of your personal data.
• Right of Access (Article 4(2)): Request confirmation of whether we process your personal data and, if so, access that data.
• Right to Obtain Data (Article 4(3)): Request a copy of your personal data in a readable and clear format.
• Right to Correction (Article 4(4)): Request correction, completion, or updating of inaccurate, incomplete, or out-of-date personal data we hold about you.
• Right to Destruction (Article 4(5)): Request destruction (deletion) of your personal data where it is no longer necessary for the purpose for which it was collected, subject to any legal or contractual obligations requiring retention as permitted by Article 18 of the PDPL.
• Right to Object: Object to the processing of your personal data in certain circumstances, including processing based on legitimate interest.
• Right to Withdraw Consent (Article 5(2)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to Lodge a Complaint (Article 34): If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Competent Authority under the PDPL (currently the Saudi Data and Artificial Intelligence Authority (SDAIA)).

To exercise any of these rights, please contact us at support@psychpedia.com. In accordance with Article 21 of the PDPL and its implementing regulations, we will acknowledge your request within seven (7) days and provide a substantive response within thirty (30) days. If we require additional time, we will notify you of the extension (up to an additional 30 days) and the reasons for the delay.

Data Retention and Destruction

We retain your personal information for as long as necessary to provide our Service, fulfill the purposes outlined in this Privacy Policy, and comply with our legal obligations. In accordance with Articles 11 and 18 of the PDPL, when your personal data is no longer necessary for the purpose for which it was collected, we will destroy (delete) or anonymize it without undue delay. The retention period depends on the type of information and the purpose for which it was collected. For example:

• Account information is retained while your account is active and for a reasonable period after account closure to comply with legal obligations
• Usage analytics may be retained in anonymized or aggregated form (where the Data Subject cannot be identified) for platform improvement purposes
• Payment records are retained as required by financial regulations and tax laws

When you delete your account, we will destroy or anonymize your personal information without undue delay, except where retention is required by a legal obligation for a specific period (Article 18(2)(a) of the PDPL) or where the data is closely related to proceedings before a judicial authority (Article 18(2)(b) of the PDPL). Any data retained beyond the purpose of collection will not contain anything that may lead to specifically identifying you, in accordance with the PDPL.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including countries outside the Kingdom of Saudi Arabia. These countries may have different data protection laws. In accordance with Article 29 of the PDPL, we ensure the following before transferring your personal data outside the Kingdom:

• The transfer does not cause prejudice to national security or the vital interests of the Kingdom.
• An adequate level of protection is maintained for your personal data that is at least equivalent to the protection guaranteed by the PDPL, through contractual data protection clauses and appropriate technical safeguards with our service providers.
• The transfer is limited to the minimum amount of personal data necessary for the stated purposes.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain your session, enhance security, improve performance, and analyze platform usage. For detailed information about the types of cookies we use and how to manage them, please see our Cookie Policy.

Age Requirement

Our Service is intended for users who are at least eighteen (18) years of age. We do not knowingly collect personal data from anyone under 18. If you are under 18, you may not register for an account or use the Service. If we become aware that we have collected personal data from a person under 18, we will take prompt steps to delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@psychpedia.com.

Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the PDPL and its implementing regulations. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts in the Kingdom of Saudi Arabia.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We may also notify you via email or through the Service for significant changes. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: