1. Purpose of this Policy

This Privacy Policy explains how Hasanah Specialized Laboratories Company collects, uses, stores, shares, protects, and otherwise processes personal data through its website and related digital channels. It also explains the rights of personal data subjects and the general process for exercising those rights. This Policy forms part of the Company's internal governance framework and is intended to support compliance with the applicable laws and regulations of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL), its Implementing Regulations, and any applicable instructions, guidance, or controls issued by the competent authority.


2. Scope

This Policy applies to website visitors, users of online forms, current and prospective clients, representatives of suppliers and partners, and any person who submits personal data through the website or through linked digital channels. It also applies to personal data collected when requesting laboratory services, submitting inquiries, requesting quotations, contacting the Company, applying for employment, or submitting complaints or feedback through the website.


3. Personal Data We May Collect

Depending on the nature of the interaction or service, we may collect identification and contact data such as name, mobile number, email address, company name, job title, city, and correspondence details. We may also collect technical and usage data such as IP address, browser type, preferred language, visited pages, visit time, cookies, and server log information required to operate, secure, and improve the website. Where the website allows uploads or attachments, we may collect the contents of documents and any personal data contained therein to the extent necessary to process the relevant request.


4. Sources of Personal Data

We collect personal data directly from the data subject when forms are completed, messages are sent, quotations or services are requested, newsletters are subscribed to, CVs are submitted, or supporting documents are uploaded. Certain data may also be collected automatically through cookies, analytics technologies, and server log files. In some cases, we may receive personal data from an employer, an authorized representative, or a regulatory or contractual counterparty connected to the requested service.


5. Purposes of Processing

We process personal data for legitimate purposes connected with the Company's business activities, including receiving and responding to inquiries and requests; evaluating service requests and quotations; creating customer records where needed; verifying identity, authority, or authorization; administering contracts and transactions; issuing quotations, invoices, notices, and service-related communications; improving service quality and website performance; following up on complaints and feedback; protecting the website and systems from unlawful or fraudulent use; complying with legal and regulatory obligations; and generating internal statistics or operational indicators after reducing personal identifiers where possible.


6. Legal Basis for Processing

The Company processes personal data on legally recognized grounds, including the data subject's consent where consent is required, where processing is necessary to perform a contract or provide a requested service, where processing is necessary to achieve a legitimate interest that does not prejudice the rights of the data subject, where processing is necessary to comply with a legal or regulatory obligation, or in any other case permitted by applicable laws and regulations in the Kingdom of Saudi Arabia.


7. Cookies and Similar Technologies

The website may use cookies and similar technologies to enhance the user experience, enable core website functions, measure performance, understand how the website is used, and strengthen security. Users may adjust browser settings to reject or delete certain cookies; however, doing so may affect certain website functions or performance. Where a cookie notice or banner is activated, continued use of the website may be treated as acknowledgment of the use of cookies in accordance with this Policy.


8. Sharing and Disclosure of Personal Data

The Company does not sell personal data or trade in it. However, personal data may be disclosed or shared, on a need-to-know basis, with technical, IT, hosting, advisory, or other service providers, and with regulatory, judicial, security, or other competent authorities, where there is a lawful, contractual, or legitimate operational basis for doing so. Personal data may also be shared within the Company, with its affiliates, or with contracting counterparties where required to deliver services, administer the website, or comply with legal obligations, provided that appropriate safeguards are applied to protect confidentiality and security.


9. International Transfers

Personal data will not be transferred outside the Kingdom of Saudi Arabia except in cases permitted under the applicable laws and regulations, and subject to the implementation of appropriate legal, contractual, organizational, and technical safeguards to the extent required for the legitimate purpose of the transfer or processing.


10. Data Retention and Destruction

The Company retains personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, or to satisfy legal, contractual, regulatory, operational, evidentiary, or rights-protection requirements. Once the relevant purpose expires or the retention period ends, the data will be securely destroyed, anonymized, archived, or otherwise handled in accordance with the Company's approved controls and any applicable legal requirements.


11. Information Security

The Company implements reasonable and appropriate administrative, organizational, and technical measures to protect personal data against unauthorized access, use, disclosure, alteration, loss, or destruction. Such measures may include access controls, restricted permissions, system and network protections, recordkeeping, staff awareness, and periodic review of relevant procedures. However, no method of transmission or electronic storage can be guaranteed to be completely secure, and use of the website is subject to this inherent limitation.


12. Rights of Data Subjects

Subject to the applicable laws and regulations, data subjects may have rights that include the right to be informed, the right to access personal data, the right to request correction, update, or completion of personal data, the right to request destruction of personal data where there is no continuing lawful, contractual, or legitimate basis for retention, and the right to withdraw consent in cases where processing is based on consent, all in accordance with the applicable legal controls and procedures.


13. How to Submit Privacy Requests

A data subject may submit a privacy-related request or exercise any applicable right through the official communication channels published on the website. The Company may request proof of identity, authority, or authorization before fulfilling a request. The Company may also decline, restrict, or extend the handling of a request to the extent permitted by law, including where the request affects the rights of others or conflicts with an ongoing legal, contractual, or regulatory obligation.


14. Children's Privacy

The website is not intended for children unless expressly stated otherwise. The Company does not knowingly collect personal data from children except where permitted by applicable laws and controls and, where required, through appropriate lawful means.


15. External Links

The website may contain links to external websites, platforms, or services that are not controlled by the Company. The Company is not responsible for the privacy practices, content, or security arrangements of such external parties. Users should review the privacy notices of those third parties before providing any personal data to them.


16. Changes to this Policy

The Company reserves the right to update or amend this Policy at any time. The version published on the website shall be the effective version from the date of publication, and users are encouraged to review it periodically for any updates.


17. Contact

For privacy-related inquiries or requests, users should contact the Company through the official communication channels published on the website. 


18. User Acknowledgment

By using the website or submitting personal data through it, the user acknowledges that they have read and understood this Policy and that certain processing activities may be necessary to operate the website, respond to requests, deliver services, and comply with legal and regulatory requirements.