1. About this Notice

This PDPL Compliance Notice supplements our Privacy Policy. Where this Notice and the Privacy Policy address the same topic, both apply; where they differ, this Notice prevails for purposes of PDPL compliance. The Notice applies to anyone whose personal data Juthoor processes in connection with the Juthoor genetic-testing platform, regardless of whether you have an account, are a customer, or have visited our website.

2. Data Controller

Juthoor — operating in the Kingdom of Saudi Arabia — is the Data Controller for personal data collected through the Juthoor application and website. As Data Controller, Juthoor determines the purposes and means of processing your personal data. Our data-protection contact is listed in section 9 below.

3. Categories of Personal Data We Process

Juthoor processes the following categories of personal data: identity data (name, national ID, date of birth); contact data (email, mobile, address); health-related data (symptoms, lifestyle, dietary preferences supplied via the questionnaire); genetic data (DNA sample analysis results); payment data (handled by our payment partners — Telr — and not stored on Juthoor servers); and usage data (how you interact with the application). Genetic and health-related data are treated as sensitive categories under the PDPL and are subject to enhanced safeguards.

4. Lawful Basis for Processing (PDPL Article 5)

Juthoor processes your personal data on one or more of the following lawful bases recognised under the PDPL: (a) your explicit consent, given at sign-up and re-confirmed for sensitive categories such as genetic data; (b) the performance of a contract you have entered into with Juthoor (your Order); (c) compliance with a legal obligation (for example, tax-records retention); or (d) the legitimate interests of Juthoor as Data Controller, where those interests are not overridden by your rights and freedoms.

5. Your Rights as a Data Subject (PDPL Article 4)

Under the Saudi PDPL, you have the following rights with respect to your personal data:

• Right to be informed of the legal and actual justification for collecting your personal data and the purposes for which it will be processed.
• Right of access — to obtain a copy of the personal data Juthoor holds about you.
• Right of rectification — to request correction of inaccurate or outdated data.
• Right of erasure — to request deletion of your personal data when it is no longer needed for the purposes for which it was collected.
• Right to withdraw consent — at any time, where processing is based on your consent. Withdrawal does not affect the lawfulness of processing performed before withdrawal, and may prevent us from continuing certain services.
• Right to object to specific kinds of processing in certain circumstances.
• Right to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) if you believe Juthoor has violated your rights.

6. How to Exercise Your Rights

To exercise any of the rights listed above, please contact our Data Protection contact (see section 9) using the following process:

• Send an email to privacy@juthoor.ai with a subject line indicating the right you wish to exercise (e.g. "Access Request", "Erasure Request", "Withdrawal of Consent").
• Include enough information for us to verify your identity — typically your registered email and a piece of corroborating information such as the order number on your most recent kit.
• We will acknowledge your request within seven (7) business days and respond substantively within thirty (30) days, in accordance with the PDPL.
• If we cannot fulfil your request — for example, when a legal obligation requires us to retain certain data — we will explain why in writing.

7. Data Retention (PDPL Article 18)

Juthoor retains your personal data only for as long as needed to fulfil the purpose for which it was collected, unless a longer period is required by law (e.g. tax records, anti-money-laundering obligations). Genetic data is retained for the duration of your active account plus a period of seven (7) years after account closure to support follow-up reports you may request. After this period, genetic data is permanently deleted or anonymised. You may request earlier deletion at any time using the process in section 6.

8. International Transfers (PDPL Article 29)

Personal data processed by Juthoor is stored on servers located within the Kingdom of Saudi Arabia. Where international transfers are necessary — for example, transferring DNA samples to an accredited laboratory outside the Kingdom — Juthoor enters into appropriate contractual safeguards and only transfers data with the regulatory approvals required by SDAIA. We will inform you in advance if your data needs to be transferred outside Saudi Arabia.

9. Data Protection Contact

For all PDPL-related requests, complaints, or questions, please contact our Data Protection contact at privacy@juthoor.ai. You may also lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) — the supervisory authority — at sdaia.gov.sa.