PDPL Compliance Statement
Last updated: March 2026
Full PDPL Compliance
GateKeeper is designed from the ground up to comply with the Saudi Arabian Personal Data Protection Law (PDPL). All data processing occurs exclusively within Saudi Arabia, and we implement all required data subject rights.
About PDPL
The Personal Data Protection Law (PDPL), issued by Royal Decree M/19 dated 9/2/1443H (September 2021), is Saudi Arabia's comprehensive data protection regulation. It establishes rules for the collection, processing, and protection of personal data.
As a Saudi-focused CAPTCHA service, GateKeeper takes PDPL compliance seriously and has implemented technical and organizational measures to ensure full compliance.
Compliance Overview
| PDPL Requirement | GateKeeper Implementation | Status |
|---|---|---|
| Data Minimization | All 133 behavioral signals documented with specific security purposes (Signal Purpose Matrix). No unnecessary data collected. | Compliant |
| Purpose Limitation | Data used exclusively for bot detection and fraud prevention under documented Legitimate Interest Assessment (PDPL Article 6(1)) | Compliant |
| Storage Limitation | 90-day default retention with automatic deletion | Compliant |
| Data Localization | All data stored in Riyadh, Saudi Arabia | Compliant |
| Right to Access | Dashboard displays all user data; audit log available | Compliant |
| Right to Erasure | One-click account deletion with cascading data removal | Compliant |
| Right to Portability | JSON export of all personal data on request | Compliant |
| Security Measures | Industry-standard encryption at rest and in transit, secure password hashing | Compliant |
Data Localization
Your Data Never Leaves Saudi Arabia
Unlike international CAPTCHA providers, GateKeeper processes and stores all data exclusively within Saudi Arabia. This ensures compliance with PDPL data localization requirements and eliminates cross-border data transfer risks.
- Infrastructure: Hosted in Riyadh, Saudi Arabia
- Database: Encrypted database, hosted in Riyadh, Saudi Arabia
- Cache Layer: Secure cache layer, deployed in Saudi Arabia
- Backups: Encrypted backups stored within Saudi Arabia
Data Subject Rights (Article 14)
PDPL Article 14 grants data subjects specific rights over their personal data. Here is how GateKeeper implements each right:
1. Right to Be Informed
You have the right to know what data we collect and why.
Implementation: Our Privacy Policy clearly documents all data collected, purposes, and legal basis. This information is available before account creation.
2. Right to Access
You have the right to access all personal data we hold about you.
Implementation: Your dashboard shows all account data, site configurations, and verification statistics. An audit log shows all actions taken on your account.
3. Right to Rectification
You have the right to correct inaccurate personal data.
Implementation: Account settings allow you to update your email address and other profile information at any time.
4. Right to Erasure (Right to be Forgotten)
You have the right to request deletion of your personal data.
Implementation: Account Settings > Data Rights > Delete Account permanently removes all your data, including account information, sites, API keys, and verification logs.
5. Right to Data Portability
You have the right to receive your data in a machine-readable format.
Implementation: Account Settings > Data Rights > Export Data generates a JSON file containing all your personal data, downloadable within 24 hours.
6. Right to Restrict Processing
You have the right to limit how we process your data.
Implementation: Account Settings > Data Rights > Restrict Processing allows you to pause data processing (full, marketing, or analytics) while keeping your account active.
7. Right to Object
You have the right to object to processing based on legitimate interests.
Implementation: Contact privacy@gatekeeper.sa to object to any processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
8. Right to Withdraw Consent
You have the right to withdraw consent at any time for consent-based processing.
Implementation: For any processing based on consent, you can withdraw via Account Settings > Privacy Preferences. Withdrawal does not affect the lawfulness of processing before withdrawal.
9. Right to Not Be Subject to Automated Decisions
You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.
Implementation: Our bot detection scoring is used to assist human decision-making, not replace it. Site owners can configure manual review workflows for borderline cases. You can request human review of any automated decision.
10. Right to Lodge a Complaint
You have the right to file a complaint with SDAIA if you believe your rights have been violated.
Implementation: Complaints can be filed at https://sdaia.gov.sa/ndmo. We encourage you to contact privacy@gatekeeper.sa first so we can address your concerns directly.
Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected. Our retention periods are:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Until account deletion | Service provision |
| CAPTCHA challenge data | 72 hours | Security verification |
| IP addresses | Pseudonymized at collection (HMAC-SHA256) | Threat analysis (no plaintext storage) |
| Verification logs | 90 days | Security analytics |
| Behavioral signals | 90 days (scores only; raw signals discarded after scoring) | Bot detection verification |
| Audit logs | 365 days | ECC compliance requirement |
After the retention period, data is automatically and permanently deleted by an automated retention cleanup process. You can request earlier deletion at any time.
Security Measures (Article 19)
PDPL Article 19 requires appropriate technical and organizational measures to protect personal data. We implement:
- Encryption at Rest: Industry-standard encryption for all stored data
- Encryption in Transit: TLS 1.3 for all network communications
- Password Protection: Secure password hashing with strong parameters
- Access Control: Role-based access with audit logging
- Network Security: Private networks, no public database access
- Monitoring: 24/7 security monitoring and alerting
Cross-Border Data Transfer (Article 29)
No Cross-Border Transfers
GateKeeper does not transfer personal data outside of Saudi Arabia. All data processing, storage, and backup operations occur within the Kingdom, ensuring full compliance with PDPL Article 29.
Exercising Your Rights
To exercise any of your PDPL rights:
- Self-Service: Most rights can be exercised directly through your dashboard under Account Settings > Data Rights
- Email Request: Contact privacy@gatekeeper.sa with your request
- Response Time: We respond to all requests within 30 days as required by PDPL
- Extension: For complex requests, we may extend the response period by an additional 30 days (60 days total). We will notify you of any extension within the initial 30-day period, explaining the reasons for the delay.
Request Tracking
All data rights requests are logged in our system. You will receive a confirmation email with a reference number when you submit a request. You can track the status of your request in Account Settings > Data Rights > Request History.
Right to Compensation (Article 40)
Liability Acknowledgment
Under PDPL Article 40, data subjects who suffer material or moral damage as a result of violations of the Personal Data Protection Law may seek compensation through the competent courts in Saudi Arabia.
Your Rights Include:
- Compensation for material damage (financial losses, costs incurred)
- Compensation for moral damage (distress, reputational harm)
- Right to legal action in Saudi Arabian courts
- Right to join class actions if applicable
We take our data protection obligations seriously. If you believe you have suffered damage due to our data processing activities, please contact privacy@gatekeeper.sa before pursuing legal action so we can attempt to resolve the matter directly.
Contact Information
For PDPL-related inquiries:
Data Protection Officer
Email: privacy@gatekeeper.sa
Location: Riyadh, Saudi Arabia
Response time: Within 30 days as required by PDPL
SDAIA Registration
GateKeeper is registered with the Saudi Data and Artificial Intelligence Authority (SDAIA) as a data controller. Our registration details are available upon request.