Who we are
This Privacy Policy explains how Setrick (“Setrick”, “we”, “us”, or “our”) collects, uses, and protects personal data when you visit https://setrick.com (the “Site”) or otherwise engage with us in the course of our business activities.
Setrick is established at 14315 As Samh Ibn Malik Rd, Al Iskan, Riyadh, Kingdom of Saudi Arabia. For any question about this policy or your personal data, contact our privacy team at privacy@setrick.com.
Data we collect
We collect personal data only to the extent necessary to provide the Site, communicate with prospective clients, and operate our business. Depending on your interaction with us, we may collect the following categories:
- Identifiers: name, business email address, phone number, company name, job title.
- Project information: budget range, timelines, project scope, and other details you choose to submit through our contact form.
- Technical data: IP address, device type, browser, operating system, approximate location derived from IP, and referrer URL.
- Usage data: pages visited, actions taken, time spent, and interactions with Site features, collected via cookies and similar technologies.
- Communications: correspondence you send us (email, chat, calls) and any records of those communications.
We do not intentionally collect any special-category or sensitive personal data through the Site.
Sources of data
We obtain personal data from the following sources:
- Directly from you, when you submit a form, email us, or otherwise contact us.
- Automatically, through cookies and similar technologies, when you visit the Site.
- From third parties such as analytics providers, business-enrichment tools, publicly available professional sources, and referrals from existing clients or partners.
Purposes and legal bases
We process personal data for specific, legitimate purposes, each supported by an appropriate legal basis under applicable law (including the KSA Personal Data Protection Law (“PDPL”) and the EU and UK General Data Protection Regulation (“GDPR”)).
| Purpose | Data used | Legal basis (GDPR) | Legal basis (PDPL) |
|---|---|---|---|
| Respond to enquiries submitted via the contact form | Identifiers, project information, communications | Pre-contractual steps at your request (Art. 6(1)(b)) | Necessary to implement a contract to which you are a party or to take steps at your request |
| Operate, secure, and improve the Site | Technical data, usage data | Legitimate interests (Art. 6(1)(f)) | Legitimate interests of the controller |
| Analytics (when you consent) | Usage data, technical data | Consent (Art. 6(1)(a)) | Consent |
| Marketing communications (where lawful) | Identifiers, communications preferences | Consent or legitimate interests, as applicable | Consent |
| Comply with legal obligations and defend legal claims | Any of the above as required | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) | Compliance with a legal obligation; protection of vital interests |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, you have the right to object (see Section 9).
International transfers
Because we operate from the Kingdom of Saudi Arabia and use service providers in multiple jurisdictions, personal data may be transferred to and processed in countries other than your own, including the EEA, the United Kingdom, and the United States.
Where required by the GDPR or UK GDPR, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or adequacy decisions. For transfers subject to the PDPL, we rely on the lawful mechanisms set out in Article 29 of the PDPL and its implementing regulations, including the regulator’s adequacy frameworks and approved contractual safeguards.
Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, to comply with legal, accounting, or reporting requirements, and to defend legal claims. Typical retention periods are:
| Category | Retention period |
|---|---|
| Contact form enquiries (no engagement follows) | Up to 24 months from last contact |
| Records relating to signed engagements | Duration of engagement plus up to 7 years |
| Marketing contacts | Until you withdraw consent or after 36 months of inactivity |
| Website technical logs | Up to 12 months |
| Cookie consent records | 12 months (then re-prompted) |
At the end of the applicable period, we delete or securely anonymise the data.
Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS), access controls based on the principle of least privilege, vendor due diligence, logging, and staff training. No method of transmission over the internet or electronic storage is fully secure, so we cannot guarantee absolute security, but we work to protect your data and will notify you and regulators of material breaches as required by law.
Your rights
Depending on where you reside, you may have the following rights in respect of your personal data. We honour these rights regardless of jurisdiction wherever operationally feasible:
- Access a copy of the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of your data, subject to legal exceptions.
- Restrict or object to processing in certain circumstances.
- Request portability of data you provided to us.
- Withdraw consent at any time where processing relies on consent.
- Lodge a complaint with a data protection authority.
To exercise any of these rights, email privacy@setrick.com. We will respond within the timeframes required by applicable law (typically within 30 days, extendable where permitted). We may ask you to verify your identity before acting on a request.
Saudi Arabia (PDPL) rights
If you are in the Kingdom of Saudi Arabia, the PDPL grants you rights including the right to be informed, to access, to request correction or destruction, and to transfer your personal data. You may also lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA).
EEA and UK (GDPR) rights
If you are in the EEA or the United Kingdom, the GDPR and UK GDPR grant you the rights described in Section 9, plus the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or the place of the alleged infringement. EEA and UK residents may lodge a complaint with their national supervisory authority. A list is available via the European Data Protection Board at edpb.europa.eu.
California (CCPA/CPRA) rights
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), gives you additional rights regarding personal information:
Right to know
You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes for collection, and the categories of third parties with whom we share it. In the preceding 12 months we have collected the categories described in Section 2.
Right to delete and correct
You may request deletion of personal information we have collected from you, or correction of inaccurate personal information, subject to the exceptions provided by the CCPA/CPRA.
Right to opt out of sale or sharing
We do not sell personal information and do not share personal information for cross-context behavioural advertising. If this ever changes, we will update this policy and provide a clear “Your California Privacy Choices” mechanism. We honour Global Privacy Control (GPC) signals as a request to opt out where applicable.
Right of non-discrimination and authorised agents
We will not discriminate against you for exercising any CCPA/CPRA right. You may designate an authorised agent to submit requests on your behalf; we may require written verification of the agent’s authority and your identity.
To exercise any California right, email privacy@setrick.com with the subject “California Privacy Request”.
Children
The Site is directed to businesses and professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it.
Automated decision-making
We do not use your personal data for solely automated decision-making that produces legal or similarly significant effects on you. If this changes, we will update this policy and, where required, seek your consent or provide the safeguards required by law.
Changes to this policy
We may update this policy from time to time to reflect changes to our practices, technology, or legal requirements. The “Last updated” date at the top indicates when it was last revised. Material changes will be highlighted on the Site and, where required, we will seek renewed consent.
Contact us
Questions, requests, or complaints should be directed to our privacy team:
- Email: privacy@setrick.com
- Post: Setrick, 14315 As Samh Ibn Malik Rd, Al Iskan, Riyadh, Kingdom of Saudi Arabia