Skip to content
ARSign In

Governance Center

Privacy Policy

This policy explains how Cup Code collects, uses, protects, retains, and lawfully processes personal data, and how data subjects exercise their rights under the Saudi Personal Data Protection Law and its Regulations.

Version 1.1 Last updated 2026-07-11 Published and active

Policy brief

Scope, date, and public status.

StatusPublished and active Version1.1 Last updated2026-07-11 Applies toApplies to site visitors, account holders, applicants, Majlis participants, support, report, and verification request owners, and users of Cup Code digital services.
View changelog No PDF file is published for this policy.

This public policy states the operating practice. It is not a government certification or a substitute for binding law, a regulator decision, or a specific contract.

01

Controller and contact

Cup Code operates the service and determines the processing purposes described here. Operations are based in المدينة المنورة, المملكة العربية السعودية. Contact the privacy team at privacy@cupcodestudio.com and the data protection officer, when appointed or designated, at privacy@cupcodestudio.com. The entity’s statutory details appear in any specific commercial offer or contract before contracting.

02

Data categories and sources

Data provided directly includes identity, contact, account, public profile, submissions, requests, recruitment details, and uploaded documents. Systems automatically receive IP address, session, device and browser identifiers, sign-in and security logs, and preferences. Data from a sign-in provider or verification party is received only after notice and source recording. The current public site does not collect full payment-card data.

03

Purposes and lawful grounds

Only the minimum data needed is processed to create and protect accounts, perform a user request or agreement, manage submissions and competitions, answer support and reports, verify records, recruit, prevent fraud, meet legal duties, and protect rights. The lawful ground depends on the activity and may include consent, performance of an agreement, the data subject’s interest, a legal requirement, or a documented legitimate-interest balance that excludes sensitive data.

04

Required fields, choices, and consent

Each form identifies fields required to deliver the service and optional fields. Public-profile, marketing, and AI-use consent is separated from essential operation. Consent may be withdrawn through account controls or a privacy request unless another lawful ground requires continued processing.

05

Use and disclosure

Access is limited by role and operational need. Approved hosting, email, support, or security processors receive only required data under suitable contracts and safeguards. Disclosure to a competent authority occurs only when legally required. Personal data is not sold. The relevant activity notice identifies the processor, role, purpose, and processing country before nonessential processing is enabled.

06

Location and transfers outside Saudi Arabia

Each service notice identifies storage and processing locations after the production environment is approved. Data is transferred outside Saudi Arabia only for a lawful purpose, using the minimum data, after assessing necessity and risk, and applying the protection level and safeguards required by the PDPL and the Regulation on Personal Data Transfer outside the Kingdom.

07

Retention and destruction

Data is kept only for the purpose, agreement, or legal duty, then securely destroyed or anonymized so it cannot be restored. Defaults include 365 days for recruitment applications, one year for the language preference, 180 days for the Cody visitor token when enabled, and 20 minutes for a waiting-room token. Accounts, reports, and security records follow approved schedules, with deletion paused for a legal hold or dispute.

08

Security and breaches

Controls include role-based access, session protection, suitable encryption or pseudonymization, audit logs, backups, and supplier and vulnerability review. A breach affecting rights or interests is documented, the data subject is notified without undue delay, and the competent authority is notified within the statutory period when the notification conditions apply.

09

Data-subject rights and response time

You have rights to information, access, a readable copy, correction, completion or update, destruction when no longer needed, and withdrawal of consent. Identity is verified and a request is answered within 30 days. A further 30-day extension is used only for unexpected effort or multiple requests, with advance notice and reasons.

10

Objections and complaints

Start from your account privacy request, the support center, or privacy@cupcodestudio.com. The request and outcome are recorded. If the response is unsatisfactory or a right is not enabled, you may complain to the competent authority through the complaints service on SDAIA’s National Data Governance Platform.