Privacy & Personal Data Protection Policy
Diving Secrets Center — دايفينج سيكرتيس سنتر
Version 2.0 | February 2026 | Compliant with Saudi PDPL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Important Legal Notice:
This policy is prepared in accordance with the Saudi Personal Data Protection Law (PDPL). Using our website does not imply automatic consent to data collection — each purpose requires your explicit and separate consent.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Who We Are
We are Diving Secrets Center, the entity responsible for processing and protecting your personal data. You can reach us at:
- Address: Al-Mousa Center, Road 3 Tower, 3rd Floor, Al-Olaya, Riyadh 12221, Saudi Arabia
- Email: Info@divingsecrets.com.sa
- Data Protection Officer (DPO): privacy@divingsecrets.com.sa
- Phone: +966 920 035 162 (Saturday–Thursday, 10 AM – 6 PM)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. What Data Do We Collect and Why?
Data Minimisation Principle: We only collect what is strictly necessary to provide the requested service. Each data point has a defined purpose and a known retention period.
--- Registration & Account Data ---
Full Name
Purpose: Account creation and service personalisation
Retention Period: Account duration + 1 year
Email Address
Purpose: Login and communication
Retention Period: Account duration + 1 year
Mobile Number
Purpose: Verification and emergency contact
Retention Period: Account duration + 1 year
Date of Birth
Purpose: Eligibility verification (diving requirement)
Retention Period: Account duration + 5 years
--- National ID Data (Sensitive Data) ---
Notice: National ID and Iqama numbers are classified as sensitive data under PDPL. They are collected solely to verify trainee identity as required by Saudi diving regulations and PADI certifications. They are encrypted with AES-256 and never displayed in the user interface.
--- Biometric Data (Fingerprint) ---
Notice: Fingerprint data is collected only after we obtain your explicit, separate consent, before any processing takes place. It is converted into an encrypted digital template; the actual fingerprint image is never stored. It is deleted immediately upon your request or account closure.
--- Purchase & Transaction Data ---
We retain details of booked courses, trips, and purchase history for 7 years as required by tax regulations. Payment data is partially encrypted — we never store full card numbers.
--- Cookies ---
Essential Cookies: For session management and login — cannot be disabled as they are operationally required.
Analytical Cookies (Google Analytics): To improve user experience — can be rejected via cookie settings.
Marketing Cookies: For personalised advertisements — require your explicit consent before activation.
You can manage your cookie preferences at any time via the "Cookie Settings" button at the bottom of any page.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. Who Has Access to Your Data?
We do not sell or trade your personal data. Data is shared only in the following cases:
1. International PADI Certification Bodies: Name, ID, and course results — to issue certified diving qualifications.
2. Payment Gateway Provider (SAMA-licensed): Invoice details only, never the full card number.
3. Cloud Hosting Provider: Encrypted data only.
4. Competent Government Authorities: Only what the law requires, pursuant to judicial or regulatory orders.
Important Notice: We do not transfer your data outside Saudi Arabia except to PADI International for certification purposes, under binding Data Processing Agreements (DPA) ensuring a level of protection equivalent to the PDPL.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. Your Rights Over Your Data
The PDPL grants you established rights over your data. To exercise any of them, contact our DPO: privacy@divingsecrets.com.sa
1. Right of Access
Obtain a copy of the personal data we hold about you.
Response time: 10 business days
2. Right of Rectification
Correct any inaccurate or incomplete data.
Response time: 10 business days
3. Right of Erasure
Delete your data when the purpose lapses or consent is withdrawn (subject to legal obligations).
Response time: 15 business days
4. Right to Object
Object to the processing of your data for direct marketing.
Response time: 10 business days
5. Right to Restrict Processing
Request that processing be restricted during disputes or accuracy challenges.
Response time: 10 business days
6. Right to Data Portability
Receive your data in a structured, machine-readable format (JSON/CSV).
Response time: 20 business days
7. Right to Withdraw Consent
Withdraw your marketing or biometric consent at any time without retroactive effect.
Response time: Immediate
8. Right to Lodge a Complaint
File a complaint with the National Data Protection Authority if your concerns are not resolved.
Response time: Per Authority procedures
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. How Do We Protect Your Data?
We apply a comprehensive security framework aligned with ISO 27001, NIST, and the National Cybersecurity Authority's requirements, including:
- Sensitive data encrypted at rest with AES-256
- All communications encrypted with TLS 1.3 — HTTPS enforced
- Least-privilege access controls with periodic review
- Two-factor authentication (2FA) for all administrative accounts
- Daily encrypted backups with monthly restore testing
- Annual penetration testing by an accredited third party
- Quarterly mandatory security awareness training for all staff
In case of a breach: We notify the National Authority within 72 hours of discovery, and notify you personally within 5 business days if the breach poses a risk to your rights.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. Protection of Minors' Data
Individuals under 18 years of age may not register independently on the website.
- Registration of minors requires explicit written consent from a parent or guardian.
- Children's programmes are provided under the responsibility of the registered guardian.
- Minors' data is never used for any marketing purpose.
- Parents or guardians have the right to access and request deletion of a minor's data at any time.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. Updates to This Privacy Policy
We reserve the right to update this policy in line with legislative or technical developments. For any material change:
- You will be notified via your registered email at least 30 days before the change takes effect.
- You will be asked to explicitly approve material amendments.
- The date of the latest update will be published at the bottom of this page.
- You have the right to reject updates and request deletion of your data if you do not agree.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8. Contact Us or Lodge a Complaint
For privacy-related enquiries:
- Data Protection Officer: privacy@divingsecrets.com.sa — Reply within 10 business days
- General Email: Info@divingsecrets.com.sa — Reply within 3 business days
- Phone: +966 920 035 162
To file a complaint with the regulatory authority:
- National Personal Data Protection Authority: www.pdp.gov.sa
- Communications, Space & Technology Commission: www.cst.gov.sa
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Privacy Policy effective from February 2026 | Version 2.0