Privacy Policy
Last updated: March 2026
1. Data Controller
GateKeeper ("we", "us", or "our") is the data controller for personal data collected through our CAPTCHA services. We are committed to protecting your privacy in accordance with the Saudi Arabian Personal Data Protection Law (PDPL).
Contact Information:
Data Protection Officer: privacy@gatekeeper.sa
Location: Riyadh, Saudi Arabia
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Hashed password (we never store plaintext passwords)
- Account creation date
2.2 Site Configuration
For sites you register with our service:
- Site name and allowed domains
- CAPTCHA configuration settings
- API keys (secret keys are hashed)
2.3 Verification Data
When end-users complete CAPTCHA challenges on your sites, we collect pseudonymized behavioral signals under legitimate interest (PDPL Article 6(1)) to distinguish humans from automated bots. These signals fall into six categories:
- Verification timestamp
- Risk score (0.0 to 1.0)
- Challenge result (passed, blocked, or escalated to visual challenge)
- Pseudonymized behavioral signal scores (not linked to user identity)
What We Do NOT Collect
- End-user personal information (names, emails, phone numbers)
- Behavioral signals are collected but pseudonymized and used exclusively for bot detection under legitimate interest. Raw signals are discarded after scoring; only aggregate risk scores are retained.
- IP addresses are pseudonymized at collection using HMAC-SHA256 hashing
- No cross-site tracking cookies or browsing history
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Provide CAPTCHA verification services | Contract performance |
| Bot detection and fraud prevention | Legitimate interest |
| Display usage analytics in dashboard | Contract performance |
| Send account-related emails | Contract performance |
| Improve our services | Legitimate interest |
4. Data Location
All data is processed and stored exclusively in Saudi Arabia.
Our infrastructure is hosted in Riyadh. Your data never leaves Saudi Arabia.
We do not transfer personal data outside of Saudi Arabia. This ensures full compliance with PDPL data localization requirements.
5. Data Retention
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data | Until account deletion | Service provision |
| CAPTCHA challenge data | 72 hours | Security verification |
| IP addresses | Pseudonymized at collection (HMAC-SHA256) | Threat analysis (no plaintext storage) |
| Verification logs | 90 days | Security analytics |
| Behavioral signals | 90 days (scores only; raw signals discarded after scoring) | Bot detection verification |
| Audit logs | 365 days | ECC compliance requirement |
After the retention period, data is automatically and permanently deleted by an automated retention cleanup process. These retention periods comply with NCA Essential Cybersecurity Controls (ECC 2-12-3-5) requirements.
6. Your Rights Under PDPL
Under the Saudi Arabian Personal Data Protection Law (Article 14), you have the following rights:
Right to Access
View all data we hold about you in your dashboard
Right to Rectification
Update your account information at any time
Right to Erasure
Delete your account and all associated data
Right to Data Portability
Export your data in machine-readable JSON format
To exercise these rights, go to Account Settings > Data Rights in your dashboard, or contact us at privacy@gatekeeper.sa.
7. Third Parties
We work with the following service providers:
| Provider | Purpose | Data Location |
|---|---|---|
| Cloud Infrastructure Provider | Cloud hosting | Riyadh, Saudi Arabia |
We do not sell, rent, or share your personal data with third parties for marketing purposes.
8. Security
We implement industry-standard security measures:
- Industry-standard encryption at rest
- Encryption in transit (TLS 1.3)
- Secure password hashing
- Regular security audits
- Role-based access control
For more details, see our Security Whitepaper.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice in our dashboard. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
10. Right to Complain
If you believe your data protection rights have been violated, you have the right to file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA).
SDAIA Contact Information
Website: https://sdaia.gov.sa/ndmo
You may file complaints regarding:
- Unauthorized processing of your personal data
- Failure to respond to data subject requests within 30 days
- Inadequate security measures
- Cross-border transfer violations
Before filing a complaint, we encourage you to contact us at privacy@gatekeeper.sa so we can address your concerns directly.
11. Contact Us
For privacy-related inquiries:
Email: privacy@gatekeeper.sa
Response time: Within 30 days as required by PDPL
Extensions: If your request is complex, we may extend the response period by an additional 30 days. We will notify you of any extension within the initial 30-day period.