Privacy Policy

Maximus Gulf Skills Training Privacy Notice

Maximus Gulf Co. Ltd. including our subsidiaries (i.e. Maximus Academy Training Company) (together, “Maximus”, “we”, “us”, or “our”) is the Controller of personal data processed via this portal. We respect your privacy and issue this Privacy Notice to explain how we collect, use, disclose, transfer, store, and destroy personal data in accordance with the Kingdom of Saudi Arabia Personal Data Protection Law (PDPL), its Implementing Regulations, and SDAIA guidance.

Controller Identity & Contact: Maximus Gulf Co. Ltd. (CR: 1010374556) and Maximus Academy Training Company (CR: 1009039487), registered address: 2783 King Abdulaziz Road, Riyadh, 6257, Saudi Arabia.

Data Protection Officer (DPO): privacy@maximusgulf.com

This Online Skills Training portal is designed for Learners.  It provides Learners with the ability to select and pay for a training course, process a refund or cancellation, or obtain a tax invoice. This privacy notice describes how Maximus (“we,” “our,” or “us”) collects, uses, and discloses (“Process”) your personal data when you use our website, services, or interact with us (“Services”).

Means of Collection: We collect personal data (i) directly from you via forms and the portal; (ii) automatically via cookies/SDKs and server logs; and (iii) from service providers acting on our instructions (e.g., payment, hosting, analytics – see ‘How do we disclose your Personal Data’ section).

We are committed to protecting your privacy and complying with the applicable data protection law, including the PDPL, its Implementing Regulations, and SDAIA guidance. We collect, use, and are responsible for personal data about you in line with your rights under PDPL.

You can contact us via various available channels, using the below contact details.

Who to Contact: You can raise a request by navigating to the “Contact us” page.

Please select “General Query” from the “Request type” field and add all other data to the form and click “Submit”.

You may also contact us by email at privacy@maximusgulf.com or by post at the address stated above. For privacy rights requests, see ‘How to Exercise Your Rights’.

Date of Last Update

This privacy notice was last updated on 22/10/2025. We may change this privacy notice from time to time. When we do, we change the “Date of Last Update.” Check the site for our latest privacy notice. When you use the site after we change the “Date of Last Update” date, it means you accept the changes. You may contact us at the contact information below for a review of previous privacy notices.

Information Collected Automatically when you Visit this Website

Our web server automatically collects and stores the following information about your visit:

• The Internet Protocol Address and domain name used, but not the e-mail address. The Internet Protocol Address is a numerical identifier assigned either to your Internet service provider or directly to your computer.
• The type of browser and operating system you used.
• The date and time you visited this Site.
• The web pages or services you access at this Site.
• The website you visited prior to coming to this website.
• The website you visit as you leave this website.

The information that is collected automatically is used to improve this website’s content and to help us understand how users are interacting with the website. This information is collected for statistical analysis, to determine what information is of most and least interest to our users, and to improve the utility of the material available on the website.

The information is not collected for commercial marketing purposes. We do not sell or otherwise disclose the information collected from the website for commercial marketing purposes. We collect the information above from your visit to the website only for these purposes and for purposes related to skills training.

Note on sensitivity: Location data derived from IP address is treated as sensitive personal data under PDPL and is handled with heightened safeguards (see ‘Sensitive Data’ and ‘Tracking technologies and your choices’).

What Personal Data is Collected?
We collect and process the following Personal Data:

Categories of Personal Data	Specific Data Collected
Personal Data	Salutation, First Name, Last Name, Full Name Arabic, Full Name English, Gender, Address, City, Street, Neighborhood, Region, Country, Postal Code, National ID Number (for eligibility verification/e-invoicing compliance), Mobile Number, Email Address, Nationality
Employment and Education Data	Job Title, Education Degree, Employment Status, Years of Experience
Payment Data	Card Number, Expiry Date (Month and Year), Security Code (CVV) (captured by payment gateway only; we do not store CVV), Full Name, Address, Email, Phone Number
Online Identifiers	Internet Protocol address
Location Data	Internet Protocol address

Official Identifiers & Payments: National ID is collected to verify eligibility and issue tax invoices as required by law. Card payments are processed by a certified payment provider; we retain only minimal payment identifiers/tokens necessary for refunds and chargebacks and do not store CVV.

Sensitive Data

We process limited sensitive personal data in the form of location data (derived from IP address) for security, fraud prevention, and service analytics. We apply enhanced safeguards and do not use sensitive data for marketing.
How do we collect your Personal Data?

Some of the personal data that we process is obtained directly from you when you use this portal to pay for a training course, to process a refund or cancellation, or to obtain a tax invoice

We also collect data automatically via cookies and similar technologies (see ‘Tracking Technologies and your Choices’ section).

How do we use your Personal Data?

We use your personal data only for legitimate business purposes and in accordance with the laws of the Kingdom of Saudi Arabia. This includes:

• Providing and managing our services– to register your account, process course enrollments, and deliver training programs (legal bases: contractual necessity; legal obligation for invoicing).
• Communicating with you– to send confirmations, updates, and relevant information about your courses or account (contractual necessity/legitimate interests; you may opt out of non-essential communications).
• Improving our services– to analyze usage trends, enhance user experience, and develop new offerings (legitimate interests; analytics only with consent where cookies are non-essential).
• Processing payments and issuing invoices– in compliance with financial and tax regulations (contractual necessity; legal obligation).
• Maintaining security– to prevent fraud, unauthorized access, and protect our systems and users (legitimate interests and, where applicable, vital interests).
• Meeting legal obligations– as required by Saudi authorities or applicable laws (legal obligation).

How do we Disclose your Personal Data?

We may disclose personal data to our agents, affiliates, and subcontractors to allow them to perform certain functions relating to the skills training program. We disclose personal data as described here and only as permitted by PDPL. Processors act under our written instructions and must implement appropriate security. Typical recipients include:

• Payment processors and banks (fees, refunds, chargebacks).
• Hosting, IT, cybersecurity and support providers (portal operation, security).
• Analytics providers (only if you opt in to analytics cookies).
• Professional advisers (legal, compliance, audit).
• Government authorities/regulators (where required by law).

We may collect or disclose personal data without your agreement if it is:

• necessary to fulfill or meet the reason for which the personal data is collected.
• necessary to perform our statutory duties as authorized by law or authorized by regulation.
• to comply with valid legal process.
• necessary or appropriate to protect the rights, property or safety of us, our clients or others or
• necessary in connection with a corporate transaction (such as a merger, acquisition, reorganization, or sale of assets), limited to the minimum data needed, shared under confidentiality undertakings with professional advisers and counterparties, and subject – if data leaves KSA – to PDPL transfer conditions.

We do not disclose your Personal Data to any third party for direct marketing purposes. We do not share your personal data with unaffiliated third parties. Where we engage unaffiliated processors, we do so under contract and with safeguards.

Legal Basis for Collecting and Processing Your Personal Data

We rely on one or more of the following legal bases, as applicable to each purpose described above:

• Consent (e.g., non-essential analytics cookies; you may withdraw at any time without affecting prior lawful processing).
• Contractual necessity (e.g., enrolment, account management, payments, refunds, support).
• Legal obligation (e.g., tax/e-invoicing, accounting, recordkeeping, responding to lawful requests).
• Legitimate interests (e.g., service improvement, fraud prevention, security), balanced against your rights and never for sensitive personal data.
• Vital interests (in emergencies to protect you or others).

How do we Store your Personal Data?

We store personal data securely at data centers located in the Kingdom of Saudi Arabia and implement technical and organizational measures consistent with PDPL and the National Cybersecurity Authority (NCA) frameworks (access controls, encryption in transit and at rest, logging, and regular testing).

Retention

Transactional records (including e-invoices) are retained for at least six (6) years to meet ZATCA requirements. Other data is retained only as long as necessary for the purposes stated above (or as required by law) and then securely destroyed or irreversibly anonymized.

Destruction

We use approved destruction methods (e.g., cryptographic erasure for databases, certified media wiping) to prevent access or reconstruction.

International Transfers

Where it is necessary to transfer personal data outside the Kingdom (for example, to our analytics provider in the United States if you opt in to analytics), we do so only under PDPL transfer conditions and appropriate safeguards (e.g., SDAIA Standard Contractual Clauses or other approved instruments), with data minimization and a transfer risk assessment.

Tracking Technologies and your Choices

Below is further information on our use of certain Tracking Technologies and how to exercise choice with respect to them.

Cookies and Similar Technologies

We use only necessary cookies by default. We set analytics or advertising cookies only if you opt in via our cookie banner, where you can granularly enable/disable categories and withdraw consent at any time via “Cookie Settings.” Some analytics may involve international transfers (see ‘International transfers’).

A cookie is a small amount of data that is transferred to your browser by a web server and can only be read by the server that gave it to you. It functions as your identification card and enables us to record your activities and preferences. It cannot be executed as code or deliver viruses. A web beacon is a small transparent gif image that is embedded in an HTML page or e-mail used to track when the page or e-mail has been viewed. We use cookies and similar devices to track your use of the site, types of products and services viewed, information downloaded, and to count visitors we receive daily. Our web servers automatically log the IP/Internet address of your computer.

Our website uses Google Analytics, which we load only if you consent to analytics cookies. Where enabled, we configure it to limit personal data (including use of IP controls) and prohibit combining with other Google data. You can also use Google’s opt-out tools in addition to our cookie settings. You may view the Google Analytics Privacy Statement at: https://policies.google.com/technologies/partner-sites

If you do not want your browser to accept cookies, you can modify the cookie option in your browser’s settings. However, some Site features or services may not function properly or be accessible without cookies. For additional information on Opting-Out of Google Analytics tracking cookies, please see Google Analytics Opt-Out at: https://tools.google.com/dlpage/gaoptout?hl=en.

Browser Settings

You can exercise control over browser-based cookies by adjusting the settings on your browser, and mobile devices may offer ad and data limitation choices. Use the help function on your browser or click on the applicable links below to learn more:

• Google Chrome:
  • https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en
• Firefox:
  • https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop?redirectslug=enable-and-disable-cookies-website-preferences&redirectlocale=en-US
• Edge:
  • https://support.microsoft.com/en-us/windows/manage-cookies-in-microsoft-edge-view-allow-block-delete-and-use-168dab11-0753-043d-7c16-ede5947fc64d
• Safari:
  • https://support.apple.com/en-gb/105082

Please note, clearing cookies or changing settings may affect your choices and you must opt-out separately via each browser and other device you use. Cookie-enabled opt-out signals may no longer be effective if you delete, block or clear cookies. We are not responsible for the completeness, accuracy or effectiveness of any third-party notices, tools, or choices.

Your Rights Regarding Processing of Your Personal Data

Under the Personal Data Protection Law, you have the following rights:

Right of Access to Your Personal Data / Right to Request Access to Your Personal Data	You have the right to ask us for copies of your personal data.  See “How to Exercise Your Rights” below. We will respond to your request within 30 days of receipt. Where requests are complex or numerous, we may extend once by up to an additional 30 days and will notify you.
Right to Request Correction of Your Personal Data	You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete or outdated. See “How to Exercise Your Rights” below. We will respond to your request within 30 days of receipt. We may request information to verify your identity and the accuracy of the data to be corrected.
Right to Request Destruction of Your Personal Data	You have the right to request destruction of your personal data unless there are legal or contractual bases that do not allow us to destroy the data. See “How to Exercise Your Rights” below. We will respond to your request within 30 days of receipt.
Right to Withdraw Your Consent for Processing Your Personal Data	You have the right to withdraw consent for processing your personal data unless there are legal bases that require otherwise. See “How to Exercise Your Rights” below. We will respond to your request within 30 days of receipt.

For further information on each of those rights, including the circumstances in which they apply, see guidance from the Kingdom of Saudi Arabia Privacy Regulator: Saudi Data & AI Authority (SDAIA) on individual rights under the Personal Data Protection Law.

How to Exercise Your Rights

If you would like to exercise any of your rights as described in this privacy notice, please contact us at: privacy@maximusgulf.com

If you choose to contact us, you will need to provide us with enough information to identify you, such as:

• Full name
• Email address
• Mailing address
• Reason you provided the information to Maximus
• Proof of your identity and address
• A description of what right you want to exercise and the information to which your request relates.

We may contact you for additional information if needed to verify your identity. Requests are generally free of charge unless manifestly unfounded or excessive.

Personal Data Protection Officer

Please contact our Data Protection Officer by email if you have any questions about this privacy notice or the personal data, we hold about you.

Email: Privacy@maximusgulf.com

Complaint or Objection Filing Method

If you have a complaint about how we have processed your personal data, please contact us (see Personal Data Protection Officer) in the first instance so we can provide you with a response.

If you remain dissatisfied with our response, you can contact the Kingdom of Saudi Arabia Privacy Regulator.

The KSA Regulator is the Saudi Data & AI Authority (SDAIA). They may be contacted at:

The Unified Call Centre: 8001221111

Email:  Suggestions@sdaia.gov.sa

Website: www.sdaia.gov.sa

National Data Governance Platform “DGP”: www.dgp.sdaia.gov.sa

Security and Personal Data Breaches

We implement technical and organizational measures appropriate to the risks of our processing (including access controls, encryption in transit and at rest, logging, monitoring, and regular testing). If a personal data breach occurs, we will assess impact promptly and, where required, notify SDAIA within 72 hours and affected individuals without undue delay.

Children and Individuals Lacking Legal Capacity

Our Services are designed for adults. Where a learner is a minor or lacks legal capacity, we obtain and verify guardian consent, and guardians may exercise PDPL rights on their behalf.

This Privacy Notice was published on 10 November 2025.