1. Introduction

At FLCO, we are committed to upholding the highest standards of data privacy and protection. This Privacy Policy outlines how we collect, use, protect, and disclose personal information obtained through our services, systems, and digital platforms. We comply with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia, and align with international privacy standards including ISO/IEC 27701 and GDPR-aligned principles where applicable.

2. Policy Scope

This policy applies to all personal data processed by FLCO in the context of:

• Client engagements and projects
• Online and offline communications
• Website and digital platform usage
• Employment and recruitment processes
• Supplier and third-party interactions

3. Types of Data We Collect

We may collect and process the following categories of personal data:

Category	Details
Identity Data	Full name, national ID, passport number, date of birth
Contact Information	Phone number, email address, business or residential address
Professional Data	Company affiliation, job title, commercial registration details
Financial Data	Bank account details, invoicing data, payment history
Technical Data	IP address, browser type, operating system, access logs
Communication Records	Emails, meeting notes, project-related messages
Recruitment Data	CVs, references, qualifications, work history

We do not collect sensitive data (e.g. health, biometric, or religious information) unless specifically required and lawfully justified.

4. Legal Basis for Processing

FLCO processes personal data under the following lawful bases:

• Contractual necessity – for fulfilling service agreements
• Legal obligation – to comply with tax, labor, and regulatory frameworks
• Legitimate interest – for business development, client management, and system security
• Consent – where required (e.g. marketing communications or newsletter subscriptions)

5. Purpose of Processing

We process personal data to:

• Deliver and manage consulting services effectively
• Respond to inquiries and client requests
• Process transactions and issue contracts or invoices
• Improve digital services and website functionality
• Meet legal, regulatory, or auditing requirements
• Administer recruitment and HR processes
• Conduct marketing, training, or events (with consent)

6. Data Retention and Disposal

Personal data is retained for only as long as necessary, based on:

Data Type	Retention Period
Client & Project Records	10 years post-project completion
Financial Records	10 years (per zakat and tax regulations)
Recruitment Data	2 years post-application or hiring decision
Website Logs	Up to 12 months

All records are securely destroyed after expiration, using shredding or data wiping techniques aligned with ISO/IEC 27001 Annex A.8.

7. Data Sharing and Third Parties

We may disclose personal data to:

• Authorized FLCO staff and consultants
• Government entities or regulators when legally required
• Professional service providers (e.g. legal, accounting, audit)
• Technology providers (e.g. cloud hosting, Odoo ERP, email services)

Third parties are contractually obligated to adhere to confidentiality, non-disclosure, and data protection standards.

FLCO does not sell, rent, or trade your personal data to any entity.

8. International Data Transfers

Some of our tools and infrastructure may involve secure data transfers outside Saudi Arabia (e.g. via Microsoft Azure or Odoo hosting). In such cases, we implement:

• Standard Contractual Clauses (SCCs)
• Data Processing Agreements (DPAs)
• Access restrictions and encryption

We ensure all transfers comply with PDPL, including SDAIA guidance and international adequacy standards.

9. Data Security Measures

FLCO employs robust administrative, technical, and physical security controls:

• Secure servers and firewalls
• Role-based access controls (RBAC)
• Two-factor authentication (2FA)
• End-to-end encryption for data at rest and in transit
• Regular risk assessments and audits
• Incident response plans and data breach notification protocols

We also train all employees on data privacy awareness and confidentiality obligations.

10. Your Rights 

You have the right to:

• Access your personal data and obtain a copy
• Correct or update inaccurate or outdated information
• Request deletion of your personal data (subject to legal retention)
• Object to data processing under certain conditions
• Withdraw consent for non-essential processing at any time 
  

To exercise these rights, please contact our Data Protection Officer (DPO) at:  info@flco.sa

11. Use of Cookies and Tracking Technologies

Our website uses cookies to:

• Enhance user experience
• Analyze traffic and improve performance
• Track conversions (e.g. ISO training interest)

12. Links to Third-Party Sites

Our platforms may contain links to third-party websites (e.g. ISO certifiers, training partners). We do not control and are not responsible for their privacy practices.

13. Policy Review and Updates

We may update this Privacy Policy to reflect changes in regulation, technology, or our services. Updated versions will be posted on our website with an updated “Effective Date”.

We encourage you to review this policy periodically.

14. Contact Us

For questions, concerns, or to exercise your data rights, contact:

First Leadership Company for Professional Consultations (FLCO)

Email: info@flco.sa

Location: Qatif, Eastern Province, Saudi Arabia

Website: www.flco.sa