OPERATIONAL · RIYADH · SA R&D · DEFENSE · UNMANNED SYSTEMS
LAT 24.7136 · LON 46.6753
Legal · Privacy Version 1.0 · Effective 18 April 2026

Privacy Policy.

DarkCov LLC processes personal data with restraint. Most of what we do does not involve personal data at all. Where we do process personal data, we do so under the Personal Data Protection Law of the Kingdom of Saudi Arabia and under the standards issued by the Saudi Data and Artificial Intelligence Authority. This policy explains what we collect, why, and the rights you hold over it.

§ 01

Who we are

DarkCov LLC is the Controller of personal data described in this policy. We are a research and development firm established in Riyadh, Kingdom of Saudi Arabia. For the purposes of the Personal Data Protection Law of the Kingdom (the PDPL), DarkCov LLC determines the purposes and means of processing personal data in its operations.

Personal Data Protection Law, Royal Decree No. M/19 dated 9/2/1443H, amended by Royal Decree No. M/148 dated 5/9/1444H. Supervisory authority: Saudi Data and Artificial Intelligence Authority (SDAIA).
§ 02

Scope of this policy

This policy applies to personal data we collect through darkcov.com, through our business correspondence, and through our commercial relationships.

It does not cover personal data handled inside classified engagements. Such engagements are governed by their own controls, agreed between the parties under program specific clearance and, where applicable, under the controls mandated by the competent authorities of the Kingdom.

§ 03

Personal data we process

We collect the minimum personal data necessary to operate the business. In practice, this means:

  • contact details provided through our website or business correspondence, such as name, organisation, email address, and message content;
  • commercial contract information, such as the names and positions of signatories, billing details, and correspondence related to an engagement;
  • personnel information required to administer our employment and contractor relationships;
  • technical data necessary to secure our systems and premises, such as access logs, authentication records, and telemetry.

We do not purchase personal data from data brokers. We do not profile individuals for advertising. We do not intentionally collect personal data of children under eighteen through this website.

§ 04

Legal bases for processing

We process personal data on one or more of the legal bases recognised under the PDPL and its Implementing Regulations:

  • the consent of the data subject;
  • performance of a contract with the data subject, or steps taken at the request of the data subject before entering such a contract;
  • compliance with a legal obligation of the Kingdom to which we are subject;
  • the pursuit of our legitimate interests, where those interests are not overridden by the fundamental rights of the data subject;
  • the protection of the vital interests of the data subject or of another natural person.

The relevant basis for a given processing activity is determined before the activity begins and is documented in our records of processing.

§ 05

Sensitive personal data

Sensitive personal data as defined by the PDPL, including data that reveals ethnic or racial origin, religious beliefs, health information, biometric data, genetic data, criminal data, and certain financial data, will only be processed where a specific legal basis applies, where a specific safeguard is in place, and only to the minimum extent required for the stated purpose.

§ 06

Transfers outside the Kingdom

Our default is to keep personal data inside the Kingdom of Saudi Arabia. Where a transfer outside the Kingdom is necessary, we carry it out in accordance with the Regulation on Personal Data Transfer outside the Kingdom, as updated by SDAIA.

A transfer will rely on one of the following mechanisms:

  • the destination jurisdiction is listed by SDAIA as providing an adequate level of protection;
  • Standard Contractual Clauses approved by SDAIA;
  • Binding Common Rules for intra group transfers;
  • a certification approved by SDAIA;
  • another lawful mechanism recognised by the regulator at the time of transfer.

A transfer risk assessment is completed before any transfer that involves sensitive personal data or that takes place on a continuous or large scale basis.

§ 07

Retention

Personal data is retained only for as long as necessary for the purposes for which it was collected, or for any longer period imposed by Saudi law, including tax, commercial, and sector specific record keeping obligations. At the end of the retention period, personal data is securely destroyed or anonymised, in line with the PDPL's principle of storage limitation.

§ 08

Your rights

Under the PDPL, data subjects have the following rights in respect of their personal data:

  • the right to be informed about how their personal data is processed;
  • the right of access to their personal data;
  • the right to request correction of inaccurate personal data;
  • the right to request destruction of personal data when no longer needed for the purpose for which it was collected;
  • the right to withdraw consent, where consent is the basis of processing, without prejudice to the lawfulness of processing carried out before the withdrawal.

Requests are answered within the timeframes required by the Implementing Regulations. We may take reasonable steps to verify identity before responding.

§ 09

Security

We maintain technical and organisational measures designed to protect personal data against loss, unauthorised access, disclosure, alteration, and destruction. Our information security program references the Essential Cybersecurity Controls published by the National Cybersecurity Authority (NCA ECC 2:2024), the National Cryptographic Standards (NCS 1:2020), and additional controls imposed by the specific engagements we undertake.

§ 10

Breach notification

If we become aware of a personal data breach that is likely to pose a risk to the rights and interests of data subjects, we will notify SDAIA without delay and in any event within seventy two hours of becoming aware of the breach, in accordance with Article 24 of the PDPL Implementing Regulations.

Affected data subjects will be informed without undue delay in the cases required by the PDPL.

§ 11

Third party processors

We use a limited number of third party processors to operate our infrastructure and business functions. Each processor is engaged under a written agreement that binds them to the confidentiality, security, and lawful processing requirements of the PDPL and of the relevant engagement.

We do not share personal data with any third party for marketing purposes. We do not sell personal data.

§ 12

Data Protection Officer

DarkCov has appointed a Data Protection Officer with oversight of our compliance with the PDPL. The Data Protection Officer can be contacted at dpo@darkcov.com.

§ 13

Complaints

Data subjects may file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) through the National Data Governance Platform. We ask that you contact our Data Protection Officer first so that we have the opportunity to address the matter directly.

§ 14

Changes to this policy

We may update this policy from time to time. The version in force is the version published on this page. Where a change is material, we will provide notice as required by the PDPL.

§ 15

Language

This policy is published in English for convenience. In the event of any conflict between this English version and any Arabic version we file with a competent authority, the version filed with the competent authority in the Kingdom of Saudi Arabia shall prevail.

Questions about this policy
Contact our Data Protection Officer.
dpo@darkcov.com
Terms of Service Trust Center Back to darkcov.com