Privacy Policy — 01010 Digital
GDPR Compliant
PDPL Compliant
ISO 27001 Aligned

Privacy and Data Protection Policy

We adhere to the highest standards of personal data protection. This policy transparently explains how we collect your data, why we use it, and when we delete it — without complex legal jargon.

Last Updated: July 2025
Effective in the Arab Region
Arabic version is the reference
Core Commitments
4 Unbreakable Principles
  • We will never sell your data
  • Used only for what you agreed to
  • Full encryption in transit and storage
  • Your right to deletion is guaranteed
Policy is Effective — July 2025
Version 3.0
Effective from: July 2025
13 Sections · Comprehensive Privacy Document
GDPR + PDPL Compliant
Our Core Commitment — Not Just Words
Your data is not a product to be sold, nor a tool for advertising. We collect it only to provide you with our services in the best way possible, and we delete it when it is no longer needed. This policy translates this commitment into binding legal procedures.
No Data Selling Ever
No Targeted Ads
GDPR Compliant
Saudi PDPL Compliant
Section 01
Introduction

Core Commitment to Your Privacy

This policy is a legally binding document that defines how 01010 Digital collects, processes, stores, shares, protects, and deletes personal data in the context of operating its website and providing its specialized services in financial digital transformation.

We are fully committed to the provisions of the General Data Protection Regulation (GDPR) and the Saudi Personal Data Protection Law (PDPL), and all relevant laws and legislation applicable in our clients’ countries.

Our Firm Principle
You are not the product. Your data is not a commodity. Every decision we make regarding processing your data begins with one question: Is this in your best interest?
Section 02
Identity

Who We Are — Data Controller

The entity responsible for processing your personal data (“Data Controller” under GDPR and PDPL) is:

Trade Name: 01010 Digital
Founder & Manager: Abdalla Ghallab — Finance Transformation Manager
Country of Registration: Kingdom of Saudi Arabia
Email: info@internalauditsheets.com
Service Scope: Arab Region — Remote and On-site service
Section 03
Data Collection

Data We Collect and Sources

We collect data from three main sources, and we do not collect any data outside the scope of the purposes specified below:

Data You Provide Directly
  • Full name and contact details
  • Job title and company name
  • Content of your messages and requests
  • Appointment booking data
  • Newsletter subscription info
Data Collected Automatically
  • IP address and browser type
  • Operating system and device type
  • Pages visited and duration
  • Referrer source
  • Cookies and session data
Service-Context Data
  • Financial operation details for the project
  • Systems targeted for transformation
  • Client team info for training
  • Project execution correspondence
  • Meeting minutes and documents
Data from External Sources
  • Public LinkedIn data
  • Referrals from existing clients
  • Google Analytics data
  • Booking form data (Amelia)
Data We Never Collect
We do not collect under any circumstances: biometric data, health information, political or religious affiliations, bank card numbers (payments are processed via secure independent gateways), or data of children under 16.
Section 04
Purposes of Use

Why We Use Your Data

We use your data exclusively for the following purposes — we do not process data for any unlisted purpose without notifying you and obtaining your consent:

  • Providing Contractual Services: Managing your requests, bookings, and executing agreed digital transformation projects.
  • Operational Communication: Responding to your inquiries, sending appointment confirmations, reminders, and project-related updates.
  • Analysis and Service Improvement: Understanding how our site is used to improve your experience — using anonymized data.
  • Direct Marketing (With Consent): Sending newsletters and specialized content — you can unsubscribe at any time.
  • Security and Fraud Prevention: Detecting suspicious activities and protecting the integrity of our systems and platforms.
  • Legal Compliance: Fulfilling accounting, tax, and regulatory obligations imposed on us by law.
Section 05
Legal Basis

Legal Basis for Processing Data

Under GDPR and local regulations, personal data may not be processed without a clear legal basis. We rely on the following bases depending on the nature of the processing:

Purpose | Legal Basis | Revocability?
Executing contractual services | Contract Execution | No — Essential for service
Responding to pre-contract inquiries | Contract Execution | No
Sending newsletters and marketing | Explicit Consent | Yes — Unsubscribe anytime
Site performance analysis & improvement | Legitimate Interest | Yes — Via Right to Object
Tax and accounting compliance | Legal Obligation | No — Mandated by law
Security and fraud prevention | Legitimate Interest | No — Core security
Section 06
Data Sharing

With Whom Do We Share Your Data?

We Do Not Sell Your Data — No Exceptions
We do not sell your personal data to any third party. We do not rent it. We do not trade it. This principle is non-negotiable under any circumstances.

We may share limited and conditional data only with the following parties:

  • Amelia Booking: Booking and appointment management (Signed DPA)
  • Google Analytics: Site performance analysis, anonymized (No PII)
  • Email Provider: Sending communications & confirmations (Signed DPA)
  • Hosting Provider: Site & database storage (ISO Secured Servers)
  • Legal / Regulatory Authorities: Only upon binding court order (Legal Necessity)
  • Legal Advisors: Only in dispute cases (Professional Secrecy)
Guarantees with Third Parties
We require all service providers to sign Data Processing Agreements (DPA) according to GDPR requirements, committing to a level of protection not less than our own.
Section 07
Retention & Deletion

How Long We Keep Your Data

We retain data for the minimum necessary period to fulfill its purpose. After this period, everything that can be deleted is deleted, and we only keep what the law requires us to retain:

  • Contracted Client Data: During contract + tax/accounting requirements (5 Years)
  • Inquiries & Communications: From last contact or project end (3 Years)
  • Appointments & Bookings: From session date or cancellation (1 Year)
  • Site Analytics & Cookies: Anonymized data for site improvement (13 Months)
  • Newsletter Subscribers: Until unsubscription — deleted within 30 days (Until Unsub.)
Deletion Procedure
When the retention period ends, we apply a secure deletion process including: removing data from primary databases, deleting it from backups during the next cycle (not exceeding 90 days), and sending written confirmation to the client upon request.
Section 08
Security

How We Technically Protect Your Data

We apply a multi-layered approach to data security (“Defense in Depth”) including technical and organizational controls:

Technical Controls
  • Encryption in Transit: TLS 1.3 protocol for all data transmitted via the site and APIs.
  • Encryption at Rest: AES-256 for all personal data stored in databases.
  • Multi-Factor Authentication: MFA is mandatory on all internal access accounts.
  • Access Control: “Principle of Least Privilege” — no employee accesses more data than needed.
  • Backups: Encrypted daily backups with regular restoration testing.
Organizational Controls
  • Strict internal data protection policies reviewed annually.
  • Regular training for all team members on data protection.
  • Semi-annual Penetration Testing.
  • Security audits for all external service providers prior to contracting.
Security Breach Protocol
If a security breach affecting your data is discovered, we commit to notifying the competent regulatory authorities within 72 hours of discovery, and notifying you personally as soon as the impact on your data is verified — with incident details and corrective actions taken.
Section 09
Cookies

Cookies and Tracking Technologies

Our website uses cookies and similar technologies. You can control your preferences from your browser settings or our Cookie Preferences panel:

Full Control Over Preferences
You can reject or disable all optional cookies via your browser settings or by clicking “Manage Cookies” in the site footer. Disabling optional cookies does not affect your core experience on the site.
Section 10
Your Rights

Your Full Legal Rights

Under GDPR and the Saudi PDPL, you have the following rights regarding your personal data. You can exercise any of them by contacting us at: info@internalauditsheets.com

  • Right to Access: Request a complete copy of your personal data we hold in a clear, readable format.
  • Right to Rectification: Immediately correct any inaccurate, incomplete, or outdated data in our records.
  • Right to Deletion (Right to be Forgotten): Request data deletion when its purpose ends or consent is withdrawn — subject to legal obligations.
  • Right to Object: Object to data processing for marketing or legitimate interests at any time.
  • Right to Restrict: Request restriction of data processing in specific cases — like during data accuracy reviews.
  • Right to Portability: Receive your data in a machine-readable digital format (JSON/CSV) to transfer to another provider.
Responding to Your Requests
We respond to all rights requests within 30 days of receipt. In complex cases, this may be extended by an additional 60 days with prior notification. Exercising your rights is completely free of charge.
Section 11
International Transfer

Data Transfer Outside the Region

Some of your data may be processed outside your country or the Arab region due to the use of international cloud services (e.g., Google Analytics, hosting servers). In these cases we ensure:

  • Data is transferred only to countries or services with an adequate level of protection under GDPR.
  • Standard Contractual Clauses (SCCs) are implemented with all service providers outside the EEA.
  • Transfer Impact Assessments (TIA) are conducted for every international transfer.
  • You are immediately notified of any change in the geographic locations of your data processing.
Preference for Local Storage
We prioritize service providers who offer servers in the Arab region or the Middle East whenever possible, to limit international data transfers.
Section 12
Policy Updates

Updates to This Policy

We review this policy periodically to ensure compliance with legislative and technical changes, and our business practices. When any material change is made:

  • We send an email notice to all current clients and newsletter subscribers 30 days before the change takes effect.
  • We display a prominent notice on the homepage for at least 14 days.
  • We maintain a publicly accessible archive of all previous versions of the policy.
  • We update the “Last Updated” date displayed at the top of the page.
Version History
Current Version: 3.0 — July 2025. Previous Version: 2.1 — January 2025. To view the archive of previous versions, please contact us via email.
Section 13
Contact

How to Contact Us About Your Privacy

For any inquiry or request related to this policy or your personal data, you can contact our Data Protection Officer via:

DPO Email: info@internalauditsheets.com
Subject line: “Privacy Request — [Request Type]”
Response Time: Within a maximum of 30 days from request receipt
Appealing Our Decision: You have the right to lodge a complaint with your local data protection supervisory authority
Identity Verification: We may request proof of identity to protect your data from unauthorized access
Your privacy is not just a legal obligation — it’s a value
If you have any questions about how we handle your data, or want to exercise any of your rights, contact us directly — we answer clearly and on time.