Last updated: June 2025
This notice supplements our Privacy Policy and explains how FORSA complies with the Saudi Personal Data Protection Law (PDPL) and implementing regulations issued by the Saudi Data & AI Authority (SDAIA).
Data controller
FORSA (operating the forsa.com.sa marketplace)
H52J+GJ6, Al Baladeah, Aziziyah, Riyadh, 12211, Saudi Arabia
Kingdom of Saudi Arabia
Email: [email protected] · Phone: +966 554663387
Categories of personal data we process
| Category | Examples | Retention (typical) |
|---|---|---|
| Identity & contact | Name, email, phone, national address | Account lifetime + legal minimum |
| Transaction | Orders, payments, invoices, refunds | Up to 10 years (tax/accounting) |
| Vendor KYC | CR number, VAT, bank details, ID copies | Relationship + regulatory period |
| Technical | IP, device ID, logs, cookies | Months to 2 years |
| Communications | Support tickets, chat, email | 3 years after resolution |
Lawful bases for processing
We process personal data on one or more of the following bases under the PDPL:
- Your consent (e.g. optional marketing, non-essential cookies).
- Performance of a contract (orders, accounts, vendor agreements).
- Legal obligation (tax, anti-fraud, regulatory reporting).
- Legitimate interests (security, analytics, service improvement) where not overridden by your rights.
- Vital interests or public interest where applicable and permitted by law.
Your rights under the PDPL
Subject to applicable exceptions, you have the right to:
- Be informed about how your data is collected and used (this notice and our Privacy Policy).
- Access your personal data held by FORSA.
- Request correction of inaccurate or incomplete data.
- Request destruction of personal data when no longer needed or when withdrawal of consent applies, unless retention is required by law.
- Withdraw consent for consent-based processing at any time.
- Object to certain processing where provided by law.
How to submit a PDPL request
Email [email protected] with subject “PDPL Data Subject Request” and include:
- Your full name and registered email or phone on your FORSA account;
- Description of your request (access, correction, deletion, etc.); and
- Proof of identity where necessary to protect your data from unauthorised disclosure.
We will acknowledge your request and respond within the period required by the PDPL and SDAIA guidance.
Data sharing and processors
We use trusted processors (hosting, payments, SMS, analytics) bound by data-processing agreements. Marketplace vendors receive order data as independent controllers or processors for fulfilment purposes. A list of main processor categories is available on request.
Cross-border transfers
Where data is transferred outside KSA, we implement safeguards required by the PDPL, including approved contractual clauses and transfer assessments.
Security and breach notification
We maintain technical and organisational measures appropriate to the risk. If a personal data breach poses a risk to your rights, we will notify SDAIA and affected individuals as required by law.
Complaints to SDAIA
If you believe we have not handled your personal data in accordance with the PDPL, you may contact us first. You also have the right to lodge a complaint with the Saudi Data & AI Authority (SDAIA).
Updates
This notice may be updated to reflect legal or operational changes. The “Last updated” date at the top indicates the current version.