EFFIVITY SAUDI PDPL PRIVACY POLICY

Last revision: 27 March 2026

Controller: Effivity Technologies Pvt Ltd

Primary privacy contact: privacy@effivity.com

Website: www.effivity.com

Policy focus: Primary privacy notice drafted from a Saudi PDPL-first perspective for Saudi-facing operations and Saudi customers.

Supplementary laws: Where a specific processing activity is also subject to another mandatory privacy law, including the GDPR where legally triggered, Effivity will comply with that law to the extent applicable.

This Privacy Policy explains how Effivity collects, uses, stores, shares, transfers, and otherwise processes Personal Data in connection with its website, software platform, and related services. It is intended as Effivity's primary privacy policy for Saudi-facing operations and Saudi customer processing, while acknowledging that certain non-Saudi processing activities may also be subject to other mandatory data protection laws.

1. Scope of this Policy

Protecting your privacy is important to us. This Privacy Policy explains how Effivity Technologies Pvt Ltd ("Effivity", "we", "us", or "our") collects, uses, stores, discloses, transfers, and otherwise processes Personal Data through www.effivity.com (the "Website"), the Effivity software platform, related applications, implementation and support services, communications, and related business activities (collectively, the "Services").

This Policy is drafted primarily under the Saudi Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH, as amended by Royal Decree No. (M/148) dated 5/9/1444 AH, together with its Implementing Regulations and related regulatory instruments applicable in the Kingdom of Saudi Arabia (collectively, the "Saudi PDPL"). For Saudi-facing operations, Saudi data subjects, and Saudi customer processing, the Saudi PDPL is the primary governing data protection framework for this Policy.

Effivity also provides services outside the Kingdom of Saudi Arabia. Where a specific processing activity is separately subject to another mandatory privacy or data protection law, including the General Data Protection Regulation ("GDPR") where its territorial scope is triggered, Effivity will comply with that law to the extent applicable. In those cases, this Policy may be supplemented by a separate notice, contract, or data processing agreement addressing the relevant non-Saudi processing.

Nothing in this Policy is intended to reduce or limit any right or protection available to a data subject under another applicable law or international agreement that grants a higher level of protection.

This Policy does not apply to websites, platforms, or services owned and operated by third parties, even where they are linked from our Website or integrated with our Services. Those third parties operate under their own privacy notices and terms.

Personal Data means any data that may lead to identifying an individual directly or indirectly.

Sensitive Personal Data means any specially protected category of personal data under the Saudi PDPL.

Processing includes any operation carried out on Personal Data, including collection, recording, storage, use, disclosure, transfer, correction, restriction, deletion, destruction, and anonymization.

2. Controller Details and Privacy Contact

For the purposes of this Policy, the entity responsible for the processing described in this Policy is:

Entity: Effivity Technologies Pvt Ltd

Postal address: A-4, Narsinhdham Society, Near Mother School, Gotri Road, Vadodara, 390021, Gujarat, India

Privacy contact: privacy@effivity.com

You may use the above privacy contact to exercise rights, withdraw consent where applicable, ask questions about this Policy, or submit a privacy-related complaint or request.

3. Individuals Covered by this Policy

This Policy applies to Personal Data relating to the following categories of individuals, to the extent their Personal Data is processed in connection with the Services:

• Visitors to the Website.

• Prospective customers who request information, a demonstration, or a free trial.

• Subscribers or customer representatives who contract with us for the Services.

• Authorized users to whom our customers grant access to the Services.

• Individuals who contact us for support, implementation, billing, or other business communications.

• Individuals whose Personal Data our customers upload, store, or otherwise submit through the Services.

Our Services are not directed to persons under the age of 18. We do not knowingly collect Personal Data from children without an appropriate lawful basis and any required authorization. If we become aware that Personal Data has been collected from a child unlawfully, we will take appropriate steps to delete or otherwise handle that data in accordance with applicable law.

4. Our Role Under the Saudi PDPL

4.1 When Effivity acts as a Controller

We act as a controller when we collect Personal Data directly for our own purposes in connection with operating and administering the Services. Examples include Website browsing, free trial registration, account management, support communications, billing, security, analytics, and marketing communications where lawfully permitted.

4.2 When Effivity acts as a Processor

We act as a processor when our customers submit, upload, store, or otherwise make available Personal Data through the Services, including records, documents, files, workflows, and other content ("Client Records"). In those circumstances, the relevant customer usually acts as the controller and remains responsible for determining the lawful basis for processing, providing required notices, handling data subject rights, and ensuring that any processing of Sensitive Personal Data or cross-border transfer is lawful under the Saudi PDPL.

Where we act as processor, we process Client Records only on documented instructions, as necessary to provide and support the Services, to maintain security, or as otherwise required by applicable law or a binding request from a competent authority. Our processing on behalf of customers is governed by our contract and data processing agreement.

Where a particular processing activity is also subject to the GDPR or another applicable law outside the Kingdom, our role as controller or processor for that activity will also be assessed under that law. Any additional contractual, transfer, or transparency obligations for such processing may be addressed in supplemental notices, customer terms, or separate data processing agreements.

5. Legal Bases and Processing Principles

We seek to process Personal Data lawfully, fairly, transparently, for specific and legitimate purposes, and only to the minimum extent necessary. Depending on the context and our role, we may rely on one or more of the following legal bases under the Saudi PDPL:

• your consent;

• processing necessary to provide requested Services, to perform a contract with you, or to take steps related to a requested service or account;

• processing necessary to comply with legal or regulatory obligations;

• our legitimate interests, such as protecting the security of the Services, preventing misuse, improving the Services, or administering our business, provided that such interests do not override your rights and that Sensitive Personal Data is not processed on this basis; and

• actual or vital interests where permitted by law.

Where consent is requested, we seek to ensure that it is specific, informed, and can be withdrawn. We do not make consent to unrelated processing a condition of receiving a service, unless that processing is directly related to the requested service.

Where we act solely as processor for a customer, the relevant customer determines the applicable legal basis for the Personal Data contained in Client Records.

If a specific processing activity is also subject to the GDPR or another mandatory law, the corresponding lawful basis, transparency requirements, and controller or processor obligations under that law will also apply to that activity to the extent required.

6. Personal Data We Collect and How We Use It

6.1 Free trials, demos, and initial registration

Categories: first name, last name, business email address, country, company name, mobile phone number, IP address, company address, domain name, and any other information you choose to submit when requesting a demonstration, free trial, or account setup.

Purposes: to verify your request, create and maintain an account, provide a demonstration or free trial, communicate with you, maintain service security, prevent misuse, and improve our Services and related business operations.

Legal basis: your request for Services and related account setup, consent where required, and our legitimate interests in security, fraud prevention, and service improvement.

Retention: if you do not become a customer, sales and demo lead data is generally retained for up to two (2) months unless a longer period is necessary or permitted by law, or required for fraud prevention, dispute handling, or legal claims.

6.2 Website browsing, technical data, and cookies

Categories: IP address, device type, operating system, browser type, cookie identifiers, pages viewed, time logs, scroll depth, referring addresses, screen information, and similar online usage data.

Purposes: to operate the Website, remember preferences, troubleshoot issues, monitor performance, analyze Website usage, prevent abuse, and improve the Services.

Legal basis: our legitimate interests for essential Website operation, network and information security, and service improvement; and your consent where required for non-essential cookies, analytics, or similar tracking technologies.

Retention: technical logs and cookie-related data are retained only for the period necessary for functionality, security, analytics, or compliance with our cookie settings and internal retention schedule.

6.3 Account, organization profile, and service administration

Categories: addresses, business email addresses, logos, phone numbers, website URLs, company tax or VAT numbers, account settings, tenant metadata, and any supporting files that a customer uploads for account administration.

Purposes: to maintain and administer customer accounts, provide the requested Services, deliver service notices, support implementation and customer success, and manage billing and account records.

Legal basis: performance and administration of the customer relationship, compliance with legal obligations such as finance and tax record keeping, and our legitimate interests in administering the Services.

Retention: for the duration of the contractual relationship and thereafter for a reasonable period where needed for billing, audit, security, legal, dispute-management, or record-keeping purposes.

6.4 Client Records and workflow content processed on behalf of customers

Categories: depending on the customer’s use of the Services, Client Records may include names, addresses, email addresses, images, phone numbers, website URLs, identification numbers, professional titles and positions, payment information, dates of birth, audit documentation, credentials or access information included by the customer, Sensitive Personal Data including Biometric Data where permitted, and other information chosen by the customer.

Purposes: to host, store, organize, retrieve, process, secure, support, and otherwise provide the Services in accordance with the customer’s documented instructions.

Legal basis: where we act as processor, the relevant customer determines the lawful basis under the Saudi PDPL. We process Client Records only on documented instructions and under the applicable contract and data processing agreement.

Retention: until the customer deletes the data, instructs deletion, or the service relationship ends, subject to the contract, backup cycles, and any legal requirement that justifies limited continued retention.

6.5 Support requests, inquiries, and business communications

Categories: name, email address, phone number if provided, company information, message content, attachments, meeting notes, and support history.

Purposes: to respond to inquiries, provide support, troubleshoot issues, document service interactions, improve support quality, and administer our business relationship with you.

Legal basis: steps taken at your request, performance of a contract where applicable, and our legitimate interests in customer support, quality control, and business administration.

Retention: for as long as needed to manage the inquiry or support issue and thereafter for a limited period for service quality, audit, training, or dispute-resolution purposes.

6.6 Payments and billing

Categories: billing name, billing address, tax details, invoice information, subscription details, payment confirmation data, and limited payment metadata. Payment card or wallet details are processed by our third-party payment providers and are generally not stored by us except as needed for transaction confirmation or records.

Purposes: to process payments, manage subscriptions, issue invoices, maintain accounting and tax records, and protect against fraud or payment misuse.

Legal basis: performance of a contract, compliance with legal and financial reporting obligations, and our legitimate interests in revenue protection and business record keeping.

Retention: for the periods required under applicable accounting, tax, audit, and limitation laws, and longer where needed in connection with legal claims or dispute resolution.

6.7 Marketing communications and lead generation

Categories: name, email address, mobile number, company name, campaign source, communication preferences, and consent records, including lead information received from advertising platforms such as Google or Meta where applicable.

Purposes: to send newsletters, product updates, event invitations, or other promotional communications; to follow up on requests for demos or trials; and to measure the effectiveness of marketing campaigns.

Legal basis: your prior consent where required under the Saudi PDPL. Sensitive Personal Data is not used for direct marketing.

Retention: until you withdraw consent, opt out, or the relevant marketing purpose has ended. Lead data gathered for demo or free trial outreach is generally retained for up to two (2) months if no ongoing relationship is created.

Where marketing or outreach activities are directed at individuals outside the Kingdom and another mandatory law applies, including the GDPR where relevant, we will also comply with the consent, unsubscribe, and transparency requirements that apply to that activity.

6.8 Optional device-level biometric authentication

Categories: we do not collect, access, or store fingerprint, facial recognition, or similar biometric templates used by your device for authentication.

Purposes: certain mobile or device features may allow you to use device-level biometric authentication instead of a PIN for convenience. Such processing is carried out by your device provider and remains under your control on your device.

Legal basis: not processed by Effivity. Any such feature is optional and controlled by the user and the device operating system.

Retention: none by us.

6.9 Other information you voluntarily provide

Categories: any additional Personal Data you voluntarily submit through surveys, feedback forms, events, support requests, business communications, or similar interactions.

Purposes: to address the relevant request, provide the requested service or interaction, improve our business operations, or manage the particular engagement.

Legal basis: the context of your request, your consent where required, and our legitimate interests where permitted.

Retention: for the period necessary to address the relevant purpose and any associated record-keeping obligation.

6.10 Automated decision-making and profiling

Categories: not applicable to dedicated high-impact automated decision systems at present.

Purposes: we do not currently carry out solely automated decision-making that produces legal effects concerning you or similarly significantly affects you.

Legal basis: not applicable.

Retention: not applicable.

6.11 Aggregated and anonymized data

Categories: aggregated analytics, statistics, and data that has been anonymized so that it cannot be used to identify an individual.

Purposes: to analyze performance, improve the Services, support business planning, and produce internal or external statistics.

Legal basis: our legitimate interests in analytics and service improvement. Where data has been effectively anonymized so that re-identification is not possible, it is no longer treated as Personal Data.

Retention: for as long as reasonably necessary for the relevant analytical or business purpose.

7. Sources of Personal Data

We may obtain Personal Data from one or more of the following sources:

• directly from you when you use the Website, request a demo or trial, create an account, contact us, purchase Services, or otherwise communicate with us;

• automatically from your device or browser through cookies, logs, and similar technologies;

• from our customers when they grant you access to the Services or upload Client Records that contain your Personal Data;

• from advertising or referral platforms, analytics providers, publicly available sources, or other lawful third-party sources; and

• from payment service providers, authentication providers, communications tools, and other service providers that support the Services.

If we collect Personal Data from a source other than you directly, we will handle that collection in accordance with applicable law and, where required, provide the relevant information within the applicable time.

8. Whether Providing Personal Data Is Mandatory or Optional

Some Personal Data is mandatory because we need it to create accounts, authenticate users, provide requested Services, process payments, maintain security, or comply with legal obligations. Where practical, mandatory fields will be identified at the point of collection or will be obvious from the nature of the request. If you do not provide required Personal Data, we may be unable to provide the relevant feature, account, service, or response.

Other information is optional. Where you choose not to provide optional Personal Data, this will generally not affect the basic availability of the Services, although some features or personalization options may be limited.

9. Sensitive Personal Data

We do not intentionally collect Sensitive Personal Data directly from you unless such collection is necessary for a lawful, specific, and clearly identified purpose. Under the Saudi PDPL, Sensitive Personal Data may include specially protected categories such as health data, genetic data, biometric data used for identification, data revealing religious, intellectual or political beliefs, racial or ethnic origin, criminal data, and other categories protected by law.

If a customer uploads Sensitive Personal Data into Client Records, we process it only in our role as processor, on documented instructions, and subject to enhanced safeguards appropriate to the nature and risk of the data. The relevant customer remains responsible for ensuring that the collection, use, transfer, and other processing of such data is lawful, including obtaining any explicit consent, approval, authorization, or assessment required under applicable law.

We do not use Sensitive Personal Data for direct marketing.

10. Cookies and Similar Technologies

We use cookies and similar technologies on the Website to provide core functionality, maintain sessions, enhance security, measure performance, and, where permitted, understand how the Website is used.

Non-essential cookies, analytics tags, pixels, or similar technologies will be used only where permitted and, where required, on the basis of your prior consent. You may manage or withdraw your preferences through the cookie controls made available on the Website. Withdrawing consent will not affect processing carried out before withdrawal.

Where our online activities are directed to jurisdictions outside the Kingdom that impose additional cookie or electronic privacy requirements, including GDPR-related transparency obligations where relevant, we will implement those requirements to the extent applicable.

11. Sharing and Disclosure of Personal Data

We do not sell Personal Data. We may disclose Personal Data only where necessary and lawful, including the following circumstances:

• to our affiliates or related entities where necessary for operating the Services or administering the business relationship;

• to service providers and sub-processors that provide hosting, infrastructure, database management, payment processing, communications, analytics, email delivery, authentication and verification services, surveys, support, or similar operational services on our behalf;

• to contractors or consultants who support our operations and are subject to confidentiality and data protection obligations;

• to the relevant customer or authorized users within a customer organization, where the disclosure is part of providing the Services;

• to competent authorities, regulators, courts, or law enforcement where required or permitted by applicable law, or where necessary to protect rights, safety, public health, or security;

• in connection with a merger, acquisition, reorganization, financing, or sale of business or assets, subject to appropriate confidentiality and lawful handling requirements; and

• to other parties where you have directed us to do so or have provided consent where required.

Where we act as processor for Client Records, disclosures are limited to what is necessary to provide the Services, to engage approved sub-processors, to comply with documented instructions, or to satisfy a lawful requirement.

11.1 Illustrative list of current service providers

Provider: Oracle Cloud Infrastructure (OCI)
Role: Cloud hosting, data centre infrastructure, and data residency services for KSA-region processing
Indicative location: Kingdom of Saudi Arabia (Riyadh region). Oracle operates its own global cloud infrastructure independently of Effivity. Processing locations and data residency within Oracle's platform are subject to Oracle's standard cloud architecture, terms of service, and applicable law. Effivity does not control Oracle's internal infrastructure configurations.

Provider: Google Analytics
Role: Website analytics
Indicative location: United States / global infrastructure

Provider: PayPal
Role: Payment processing
Indicative location: United States / global infrastructure

Provider: Stripe
Role: Payment processing
Indicative location: United States / global infrastructure

Provider: SendGrid
Role: Email delivery services
Indicative location: United States

Provider: Twilio Authy
Role: Authentication services
Indicative location: United States

Provider: Microsoft Teams
Role: Video conferencing and support communications
Indicative location: Processing locations may include the United States

The above list is illustrative of the service providers described in this Policy and may be updated from time to time in line with our operations and applicable law.

11.2 Sub-processor Transparency and Changes

We may engage service providers and sub-processors to support the delivery, security, hosting, maintenance, and operation of the Services. We may maintain an up-to-date list of material sub-processors, including those identified in Section 11.1, with their name, general function, and location, and may make that information available through our Website, customer documentation, or upon request, as appropriate. We may update our sub-processors from time to time to reflect operational, security, legal, or business needs. Where required by applicable law or our contractual commitments, we will provide notice of material sub-processor changes in accordance with the relevant contract or notice mechanism.

11.3 KSA-Located Sub-Processors

Where Effivity engages a Sub-Processor that processes Personal Data within the Kingdom of Saudi Arabia, Effivity will include the identity, general function, and processing location of that Sub-Processor in its sub-processor documentation to the extent required by applicable law. Effivity's transparency obligations in relation to KSA-located Sub-Processors are limited to information that is reasonably available to Effivity and that Effivity is not restricted from disclosing by confidentiality obligations, legal requirements, or the Sub-Processor's own standard terms.

Effivity does not represent or warrant that the information provided regarding a KSA-located Sub-Processor's processing arrangements is complete, current at all times, or reflective of changes made by the Sub-Processor to its own infrastructure, architecture, or operations without notice to Effivity. Where Effivity becomes aware of a material change to a KSA-located Sub-Processor's processing arrangements that may affect this Policy, Effivity will update this Policy within a reasonable period.

12. International Transfers Outside the Kingdom

Because Effivity is an India-based company that uses international infrastructure and service providers, Personal Data may be stored in, processed in, or accessed from jurisdictions outside the Kingdom of Saudi Arabia. Depending on the Services used and the support required, this may include India, Ireland, Singapore, the United States, the Kingdom of Saudi Arabia, and other jurisdictions in which our service providers operate.

Where we act as controller, we will transfer or provide access to Personal Data outside the Kingdom only where permitted under the Saudi PDPL, for a lawful purpose, limited to the minimum amount of data necessary, and subject to any applicable safeguards or assessments. Depending on the circumstances, safeguards may include standard contractual clauses approved or recognized by the competent authority, binding common rules, accreditation or certification-based mechanisms, or other legally recognized transfer tools or safeguards recognized or permitted by the competent authority in the Kingdom of Saudi Arabia.

Where required under applicable law or regulations, we may conduct transfer risk assessments and implement supplementary technical, organizational, contractual, or other measures as necessary or appropriate to support the security, confidentiality, and lawful transfer of Personal Data. Effivity will also comply with any applicable requirements or conditions issued by the competent authority in the Kingdom of Saudi Arabia.

Where we act as processor in relation to Client Records, the relevant customer remains responsible for determining whether any cross-border transfer, remote access, or disclosure is lawful and permitted under the Saudi PDPL, including obtaining any required approvals, authorizations, or consents. In such cases, we will process Personal Data only on documented instructions and provide reasonable cooperation, subject to confidentiality, security, and legal restrictions.

Where a particular transfer is also subject to the GDPR or another applicable law, Effivity may additionally implement the relevant transfer mechanism required by that law. Any such supplementary mechanism is intended to operate in addition to, and not instead of, the requirements of the Saudi PDPL.

Effivity may update its cross-border transfer practices, safeguards, mechanisms, or related operational arrangements from time to time to reflect changes in applicable law, regulatory guidance, competent authority requirements, security considerations, or business operations. Where required by applicable law or contractual commitment, Effivity will provide notice of material changes through this Policy, the Services, Customer Communications, or other appropriate means.

13. Processing Within the Kingdom of Saudi Arabia

Where Effivity or an approved Sub-Processor processes Personal Data within the Kingdom of Saudi Arabia — including through approved KSA-located Sub-Processors identified in Effivity's current sub-processor list — that processing is subject to the Saudi PDPL and its Implementing Regulations, and no outbound cross-border transfer mechanism is required solely by reason of the processing occurring within the Kingdom. Effivity and any approved KSA-located Sub-Processor engaged by Effivity are each expected to meet their respective obligations under the Saudi PDPL applicable to their role in that processing, to the extent required by law.

Effivity's engagement of a KSA-located Sub-Processor for the purpose of hosting or processing Personal Data within the Kingdom does not constitute a data localization commitment by Effivity. Unless expressly agreed in writing, including by electronic agreement, order form, or addendum executed or accepted in accordance with the Agreement, Effivity does not guarantee that all Personal Data will be processed exclusively within the Kingdom at all times, including for purposes of support, backup, security operations, or service resilience, which may involve access from or processing in other jurisdictions.

Where a KSA-located Sub-Processor such as Oracle Cloud Infrastructure independently replicates, backs up, or provides remote access to data across multiple regions as part of its standard global cloud operations, such activity is governed by that Sub-Processor's own terms, architecture, and applicable legal obligations. Effivity does not control the internal data-residency configurations of third-party Sub-Processors, and Effivity's responsibility in relation to such independent infrastructure decisions is limited to its reasonable contractual efforts to require appropriate safeguards in its agreement with the relevant Sub-Processor.

Where Effivity acts as processor for Client Records hosted within the Kingdom, the relevant customer as Controller remains responsible for determining whether the processing arrangements satisfy their own regulatory, sector-specific, or contractual data residency requirements.

14. Retention, Destruction, and Anonymization

We retain Personal Data only for as long as necessary for the purposes described in this Policy, and thereafter only for as long as a lawful basis exists for continued retention.

• Free-trial and marketing lead data is generally retained for up to two (2) months if no ongoing customer relationship is created.

• Account and subscription data is retained for the duration of the relationship and for a reasonable period afterward for billing, audit, security, legal, and administrative purposes.

• Payment and finance records are retained for the periods required by applicable accounting, tax, and audit obligations.

• Support and communication records are retained for the period necessary to manage the issue and for limited follow-on business, service-quality, or dispute-resolution purposes.

• Client Records are retained until deletion by the customer, customer instruction, or termination of the service relationship, subject to contractual provisions, backup cycles, and applicable law.

• Technical logs are retained for a limited period necessary for security, troubleshooting, analytics, and performance management.

When Personal Data is no longer required, we will delete, destroy, anonymize, or de-identify it in a secure manner, unless retention is required or justified by law, a dispute, legal claim, audit requirement, or similar legitimate reason. Where data is retained in backup systems, it will remain protected and will be overwritten or deleted in accordance with our backup lifecycle.

15. Security and Personal Data Breaches

We implement appropriate organizational, administrative, and technical safeguards designed to protect Personal Data against unauthorized access, misuse, loss, alteration, destruction, or unlawful disclosure. These measures may include role-based access controls, staff confidentiality obligations, secure networks and databases, encryption in transit and other protections where appropriate, credential and password controls, logging and monitoring, backup and recovery procedures, and contractual controls with relevant service providers.

No system can be guaranteed to be completely secure. If we become aware of a Personal Data breach, damage, loss, or any unlawful or unauthorized access, disclosure, alteration, destruction, or other security incident affecting Personal Data, we will promptly assess, contain, investigate, and take appropriate remedial action. Where required under the Saudi PDPL and its Implementing Regulations, we will notify the competent authority within the required timeframe and notify affected data subjects where the incident is likely to cause harm, prejudice their rights, or affect their interests. We will also document the incident, take appropriate corrective measures to reduce the risk of recurrence, and take appropriate remedial action, subject to the limitations applicable to Sub-Processor incidents set out in Section 16 below.

16. Security Incidents Involving Sub-Processors

Where a Personal Data breach or security incident originates from or affects processing carried out by a Sub-Processor, including a KSA-located Sub-Processor such as Oracle Cloud Infrastructure, Effivity's response obligations are limited to the following: notifying affected customers upon becoming aware of a confirmed breach affecting their Personal Data, to the extent required by applicable law; providing such information as is reasonably available to Effivity regarding the nature and scope of the incident; and taking reasonable steps to cooperate with the customer's response.

Effivity's awareness of a Sub-Processor incident is dependent on the Sub-Processor's notification to Effivity. Effivity's response timeline runs from the point Effivity itself becomes aware of the confirmed incident, not from the point the incident occurred at the Sub-Processor level. Effivity does not assume responsibility for investigating, remediating, or reporting incidents that originate within a Sub-Processor's own infrastructure, systems, or operations. Any notification or cooperation provided by Effivity in connection with a Sub-Processor incident does not constitute an admission of fault, liability, or legal responsibility on Effivity's part.

Where applicable law places a direct notification obligation on the Controller rather than the Processor, the relevant customer remains responsible for notifying the competent authority, affected data subjects, or other required parties within applicable regulatory timeframes.

17. Your Rights Under the Saudi PDPL

Subject to applicable law and any lawful limitations or exemptions, you may have the following rights in relation to your Personal Data:

Right: What this means

• Right to be informed: to be informed about the legal basis and purpose of collecting and processing your Personal Data.

• Right of access: to access Personal Data held by us, subject to lawful limitations and the rights of others.

• Right to obtain a copy: to request your Personal Data in a readable and clear format.

• Right to correction: to request correction, completion, or updating of inaccurate, incomplete, or outdated Personal Data.

• Right to destruction: to request destruction of Personal Data where the legal conditions for destruction are met.

• Right to withdraw consent: to withdraw consent where consent is the legal basis for processing. Withdrawal does not affect prior lawful processing based on that consent.

To exercise your rights, please email privacy@effivity.com or use any privacy request mechanism that we make available through the Services. We may ask for information necessary to verify your identity before acting on a request.

We aim to act on rights requests without delay and, in general, within thirty (30) days. Where permitted by law, this period may be extended once by up to an additional thirty (30) days if the request requires extraordinary or disproportionate effort or if multiple requests have been received from the same data subject. If an extension applies, we will notify you in advance and explain the reason.

Some requests may be refused where permitted by law, including where a request is repetitive, manifestly unfounded, would require disproportionate effort, or would adversely affect the rights of others or protected interests.

Where Personal Data is contained in Client Records that we process on behalf of a customer, the relevant customer usually acts as controller. In those cases, you should direct your rights request to that customer first. If we receive such a request directly, we may refer it to the relevant customer unless applicable law requires otherwise.

If you believe your Personal Data has been handled in breach of applicable law, you may also submit a complaint to the competent authority in the Kingdom of Saudi Arabia.

If another mandatory law, including the GDPR where legally triggered, gives you additional rights or a higher level of protection in relation to a particular processing activity, we will address the request in accordance with that law to the extent required. Where we process Client Records solely on behalf of a customer, the relevant customer remains the primary point of contact for rights requests concerning that data unless law requires otherwise.

18. Third-Party Links and Services

The Website and the Services may contain links to or integrations with third-party websites, services, or tools. We are not responsible for the privacy practices, content, security, or policies of third parties that operate independently of us. You should review the privacy notice of each third-party service before sharing Personal Data with it.

19. Changes to this Policy

We may update this Policy from time to time to reflect changes in our Services, business practices, technology, legal requirements, or regulatory guidance. When we make material changes, we will update the "Last revision" date and, where appropriate or required by law, provide additional notice before the changes take effect. Where appropriate, we may maintain a revision history or version record of material changes to this Policy in support of our accountability and transparency obligations.

Where a material change to this Policy arises from a change made by a third-party Sub-Processor — including a KSA-located Sub-Processor such as Oracle Cloud Infrastructure — to its own infrastructure, architecture, certifications, or processing arrangements without prior notice to Effivity, Effivity will update this Policy within a reasonable period of becoming aware of the change. Effivity is not responsible for the timing or adequacy of notice where such changes are made unilaterally by a Sub-Processor outside Effivity's control.

20. Questions and Contact Information

If you have questions, concerns, or requests about this Policy or our handling of Personal Data, please contact us at privacy@effivity.com.

Postal correspondence may be sent to: Effivity Technologies Pvt Ltd, A-4, Narsinhdham Society, Near Mother School, Gotri Road, Vadodara, 390021, Gujarat, India.