Mithaq GRCBack to home

Privacy Policy

Last updated: 2026-05-25

This Privacy Policy explains how Mithaq GRC ("Mithaq", "we", "us") collects, uses, stores, and protects information when you use our governance, risk, and compliance platform. We comply with the Saudi Personal Data Protection Law (PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Who we are

Mithaq GRC is operated by Mithaq Compliance, a company registered in Riyadh, Kingdom of Saudi Arabia (Commercial Registration No. 7054299107). In this policy, "we", "us", and "our" refer to Mithaq Compliance.

2. Information we collect

We collect: (a) account information you provide when invited (name, work email, organization, role); (b) content you upload to the platform (risks, controls, frameworks, documents, approvals, attachments, audit notes); (c) usage data (pages viewed, actions taken, timestamps); and (d) technical data (IP address, browser type, device identifiers) collected by our authentication provider and hosting provider.

3. How we use information

We use the information to: provide and operate the platform; authenticate users and prevent unauthorized access; generate the audit trails your organization requires; respond to support requests; improve product features; and comply with legal obligations under Saudi law and other applicable regulations.

4. Legal basis

Under the Saudi PDPL, we process personal data based on (a) the necessity of performing our contract with your organization, (b) compliance with legal obligations, and (c) your consent where required. Where the GDPR applies, we rely on the equivalent legal bases (Article 6(1)(b), (c), and (a)).

5. Sharing and disclosure

We do not sell personal data. We share information only with: (a) sub-processors required to deliver the service (authentication, database, storage, and hosting providers); (b) parties you direct us to share with (e.g. approval routing within your organization); and (c) competent authorities when required by law. A current list of sub-processors is available on request.

6. Where data is stored

Your data is hosted on cloud infrastructure with database servers located in the European Union. By using Mithaq GRC, you acknowledge that your data may be processed and stored outside the Kingdom of Saudi Arabia.

7. Data retention

When you close your account, we retain your data for a grace period of 30 days, during which it can be restored or exported on request. After 30 days, your data is permanently deleted from our systems.

8. Security

We protect customer data with: row-level security on every database table, server-enforced audit trails, immutable evidence storage for approvals, encryption in transit and at rest, role-based access control, and regular security reviews. We follow industry-standard secure development practices. No system is perfectly secure; we will notify your organization without undue delay if a personal-data breach occurs, as required by PDPL.

9. Your rights

Subject to applicable law (PDPL and, where relevant, GDPR), you have the right to: access your personal data, request correction or deletion, restrict or object to certain processing, withdraw consent, and lodge a complaint with the Saudi Data & AI Authority (SDAIA) or your local supervisory authority. To exercise these rights, contact us at the address in section 11.

10. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. Continued use of Mithaq GRC after changes take effect constitutes acceptance of the revised policy.

11. Contact us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at contact@mithaqgrc.com.sa.