Privacy Notice
Last updated: October 16, 2025
Jurisdictions covered: KSA (PDPL), EU/EEA (GDPR & ePrivacy), UK GDPR, California (CPRA)
1. Who we are
Altaius is a Saudi-based AI-powered Leadership Training Platform as a Service (LT‑PaaS). We provide immersive leadership simulations, an AI coaching assistant, and analytics for enterprise and public-sector clients across the GCC and internationally.
For the purposes of applicable data protection laws, Altaius acts as a 'Controller' where we determine the purposes and means of processing personal data for our websites, marketing, pre-contract engagement, and platform administration. For enterprise learning programs, we typically act as a 'Processor' on behalf of the client (your employer or training provider) and process personal data under their instructions. When we act as a Processor, please refer to your employer's privacy notice.
Legal entity & contact: Altaius Company, registered in Riyadh, Kingdom of Saudi Arabia.
Email: privacy@altaius.com
Registered address: 5176 Saud Ibn Abdulaziz Ibn Muhammad Branch, Al Nakheel District, Riyadh 12381, Secondary Number 6764, Kingdom of Saudi Arabia
2. Scope of this Notice
This Notice applies to the Altaius website, platform, mobile and web applications, communications, events, and support channels. It covers personal data processed about visitors, prospective customers, platform users (learners, admins, and content creators), partners, and suppliers.
3. What personal data we collect
We collect the following categories of personal data, depending on your interaction with Altaius:
- Account & Identity Data: name, business email, mobile number, job title, organization, language preferences, SSO identifiers (where enabled).
- Profile & Program Data: team/department, cohort membership, manager/sponsor, role seniority, learning goals provided by you or your employer.
- Simulation & Coaching Data: in‑scenario choices, free‑text inputs, messages with the AI coach, scenario outcomes, skills scores, time‑to‑decision, debrief notes, and feedback.
- Usage & Device Data: IP address, device/browser type, operating system, session identifiers, crash logs, and telemetry (collected via cookies or similar technologies).
- Communications Data: support tickets, emails, chat messages, call recordings (where permitted), survey responses, event registrations.
- Payment & Commercial Data: billing contact, invoicing details, purchase history (payment card data is handled by compliant payment processors).
- Third‑Party Source Data: limited data received from your employer/training provider (e.g., roster details), SSO/identity providers, channel partners, and public sources.
- Sensitive Personal Data: Altaius does not intentionally collect sensitive categories (e.g., health, biometric, genetic, credit, religious or political beliefs) via the platform. Learners should avoid entering such information in free‑text fields. Where sensitive data is ever necessary (e.g., accessibility needs), we will obtain explicit consent or rely on another permitted legal basis and apply heightened safeguards.
4. Why we use personal data (purposes and legal bases)
We process personal data for the purposes below. Our legal bases depend on your location and the activity. Under the KSA Personal Data Protection Law (PDPL), consent is the default legal basis unless an exemption applies (e.g., contract performance, legal obligation, vital interests, or legitimate interests where permitted and not overridden). Under the GDPR/UK GDPR, we rely on contract, legitimate interests, consent, legal obligation, or vital interests as appropriate.
| Purpose | Typical Data | Legal Basis (PDPL / GDPR) |
|---|---|---|
| Provide and administer the platform; create accounts; authenticate users; enable SSO; deliver simulations and AI coaching. | Account, Profile, Simulation & Coaching, Usage. | Contract performance; Legitimate interests in operating a secure service; Consent where required. |
| Personalized coaching, analytics dashboards, and program reporting to your employer/training provider. | Simulation & Coaching, Profile, Usage. | Processor activity under client instructions; Controller: Legitimate interests to improve learning outcomes; Consent where required. |
| Service improvement, safety, and quality (debugging, security monitoring, model evaluation, feature usage analytics). | Usage & Device, Simulation telemetry. | Legitimate interests in improving and securing services; Legal obligation for security; Consent for non‑essential cookies/analytics in the EEA/UK. |
| Customer support, incident response, and compliance (including breach handling). | Account, Communications, Usage. | Legitimate interests; Legal obligation; Vital interests (where needed). |
| Marketing communications, events and surveys (non‑B2B transactional). | Account, Communications. | Consent (EEA/UK); Legitimate interests where permitted for B2B; Opt‑out always available. |
| Payments, billing and vendor management. | Payment & Commercial, Account. | Contract performance; Legal obligation. |
5. AI, profiling and automated decision‑making
Altaius uses AI models to generate coaching prompts, score scenario performance, and recommend next‑best learning activities. These features constitute 'profiling' for training and feedback purposes.
We do not make solely automated decisions that produce legal or similarly significant effects about you. Human review and appeals are available for key outcomes (e.g., skills scoring) via your program admin or Altaius support. See our AI Transparency Policy for more details.
6. Cookies and similar technologies
We use strictly necessary cookies to operate the platform, as well as preference, analytics, and (where applicable) marketing cookies. In the EEA/UK, we seek prior consent for any non‑essential cookies. You can manage your preferences through our Cookie Banner and settings at any time.
For full details, please see our Cookie Policy.
7. How we share personal data
We share personal data with:
- (a) Your employer/training provider: program analytics and progress reports
- (b) Service providers: cloud hosting, security, analytics, and support vendors under contract
- (c) Payment processors: for billing and invoicing
- (d) Channel/content partners: engaged by your organization
- (e) Authorities: where required by law
We require recipients to implement appropriate confidentiality and security measures and not to use the data for their own purposes.
8. International transfers and data residency
Altaius offers Saudi/GCC data‑residency options for enterprise customers. Where personal data is transferred outside the Kingdom of Saudi Arabia, we comply with the PDPL and its Regulations (including the SDAIA Standard Contractual Clauses or Binding Common Rules, transfer risk assessments, and additional safeguards).
For EEA/UK transfers, we use EU SCCs and/or the UK IDTA/Addendum as applicable.
9. Retention
We retain personal data for as long as necessary for the purposes described above, including to comply with legal, accounting, or reporting requirements. Typical defaults: account data for the life of the account plus up to 2 years; simulation interaction logs for 24 months (then pseudonymized or aggregated); billing records for up to 10 years (or as required by law). Client‑specific retention settings are available under enterprise contracts.
10. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, audit logging, vulnerability management, and vendor due diligence. Our security practices align with PDPL, NCA ECC (Essential Cybersecurity Controls), and GDPR/UK GDPR requirements. Incident response and breach notification processes are in place to ensure compliance.
11. Your rights
Depending on your jurisdiction, you have rights to:
- Access: request a copy of your data
- Rectification: request correction/erasure
- Restriction: object to or restrict processing
- Withdraw consent: where processing is based on consent
- Portability: request portability (where applicable)
- Lodge a complaint: with the relevant supervisory authority (e.g., SDAIA in KSA, your local Data Protection Authority in the EEA/UK, or the CPPA/Attorney General in California)
Where we act as a Processor, please direct your request to your employer/training provider. To exercise your rights where we act as a Controller, contact: privacy@altaius.com
12. Children
Altaius is designed for professional learners and is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us and we will take appropriate steps.
13. How to contact us
For questions or concerns about this Privacy Notice or our data practices, contact:
Email: privacy@altaius.com
Registered address: Altaius Company, 5176 Saud Ibn Abdulaziz Ibn Muhammad Branch, Al Nakheel District, Riyadh 12381, Secondary Number 6764, Kingdom of Saudi Arabia
If you are not satisfied with our response, you have the right to lodge a complaint with the Saudi Data & AI Authority (SDAIA) or your local supervisory authority.
14. Changes to this Notice
We may update this Notice from time to time. Material changes will be communicated via the platform or email. The 'Last updated' date shows the effective date.