Privacy Policy

Effective date: 1 January 2026
Last updated: 1 January 2026

Introduction

This Privacy Policy explains how KABi Technologies for Information Technology ("KABi", "we", "us", or "our") collects, uses, discloses, stores, and protects personal data when you use www.kabi.ai and related services (the "Services").

This Privacy Policy is designed to align with the laws and regulations of the Kingdom of Saudi Arabia ("KSA"), including the Personal Data Protection Law (PDPL), its implementing regulations, and applicable regulations on personal data transfer outside the Kingdom.

1. Who controls your personal data

Controller: KABi Technologies for Information Technology
Location: Kingdom of Saudi Arabia
Contact email: hello@kabi.ai

If a Data Protection Officer (DPO) is appointed for applicable processing activities, you may contact the DPO through hello@kabi.ai with the subject line "DPO Request".

2. Scope and relationship with Terms

This Privacy Policy applies to personal data processed through the Services and related communications.

Your use of the Services is also subject to our Terms and Conditions. If there is any conflict between this Privacy Policy and the Terms regarding personal data processing, this Privacy Policy prevails to that extent.

3. Roles and responsibility allocation

For most platform operations, KABi acts as a Controller.

When employers, recruiters, or other third parties receive candidate or user data through the Services for their own hiring, evaluation, or compliance purposes, they may act as independent controllers of that data. Their processing is governed by their own privacy notices and legal obligations.

KABi is not responsible for privacy practices of independent controllers beyond KABi's own legal obligations.

If you provide personal data about any third party (for example, references, colleagues, or contact persons), you represent that you are authorized to provide that data and have provided any required notices or obtained any required consents.

4. Categories of personal data we process

We may process the following categories of personal data, depending on how you use the Services:

  • Identity and account data
    Name, username, account credentials, profile photo, nationality, date of birth, and account identifiers.
  • Contact data
    Email address, phone number, national address and similar contact details.
  • Profile and professional data
    CV/resume, employment history, education, certifications, skills, salary expectations, career preferences, references, and related profile content.
  • Employer and business data
    Organization details, authorized user details, job posting content, hiring requirements, and communication records.
  • Application and interaction data
    Job applications, messages, interview scheduling details, assessment outcomes, customer support interactions, complaints, and feedback.
  • Transaction and billing data
    Subscription details, invoice and payment metadata, VAT/tax related information, and billing records. Payment card data is typically processed by payment service providers acting under their own regulatory obligations.
  • Technical and usage data
    IP address, log files, timestamps, browser type, device identifiers, operating system, referral URLs, cookies and similar tracking identifiers, and user activity events.
  • Compliance and risk data
    Security alerts, fraud indicators, abuse reports, and information required for legal claims or regulatory cooperation.
  • Sensitive data (where applicable)
    Sensitive data (as defined under PDPL) is processed only where legally permitted and with explicit consent where required, or under another lawful basis recognized by law.

5. Sources of personal data

We collect personal data from:

  • You directly
    When you register, complete a profile, post jobs, apply for positions, contact support, submit complaints, or otherwise interact with the Services.
  • Your organization
    If your employer or authorized organization creates or administers your account.
  • Other users and counterparties
    For example, recruiters, employers, or job seekers interacting with you through the Services.
  • Publicly available or licensed sources
    Where lawful and relevant to recruitment, fraud prevention, quality assurance, or compliance.
  • Service providers and integrations
    For identity verification, fraud prevention, analytics, communications, and payment operations.

Where we collect personal data from a source other than you, we provide required notice information without undue delay and within legally required periods (typically up to 30 days), unless a legal exception applies.

6. Purposes and legal bases of processing

We process personal data only for specified and lawful purposes, including the following:

  • Account creation, authentication, and platform operation
    Legal basis: performance of a contract; pre-contract steps; legitimate interest.
  • Matching, recruiting workflows, and service functionality
    Legal basis: performance of a contract; consent where required; legitimate interest.
  • Communication and support
    Legal basis: performance of a contract; legitimate interest; legal obligation where applicable.
  • Billing, payments, tax, and financial records
    Legal basis: performance of a contract; legal obligation.
  • Security, fraud prevention, abuse detection, and platform integrity
    Legal basis: legal obligation; legitimate interest.
  • Legal compliance, audits, incident response, and cooperation with competent authorities
    Legal basis: legal obligation; legitimate interest.
  • Service improvement, analytics, product quality, and troubleshooting
    Legal basis: legitimate interest; consent where required by applicable law for tracking technologies.
  • Direct marketing and promotional communications
    Legal basis: consent where required by law; legitimate interest where legally permitted.
  • Establishment, exercise, and defense of legal claims
    Legal basis: legitimate interest; legal obligation.

Where consent is the legal basis, you may withdraw consent at any time. Withdrawal does not affect processing already performed before withdrawal.

Where legitimate interest is the legal basis, we apply proportionality and balancing assessments and do not process Sensitive Data on this basis unless another lawful basis applies.

7. Mandatory and optional data

Some personal data is mandatory for account setup, security, legal compliance, and core service performance. Other data is optional.

If you do not provide mandatory personal data, we may be unable to provide all or part of the Services.

8. Automated processing and profiling

We may use automated tools for ranking, matching, recommendations, spam or fraud detection, and service optimization.

Where a decision with legal or similarly significant effects is made solely by automated processing, we will do so only where legally permitted and with required safeguards, including explicit consent where required and a mechanism to request human review where applicable.

9. Cookies and similar technologies

We use cookies and similar technologies for authentication, security, preferences, analytics, and service improvement.

Where required by law, we will request your consent before placing non-essential cookies or similar trackers, and we will provide controls to manage preferences.

You can also manage cookie settings through your browser or device controls, but disabling certain cookies may affect service functionality.

We may disclose personal data to:

  • Employers, recruiters, and other users
    As needed to provide recruiting and hiring workflows selected by you or enabled by your account settings.
  • Service providers and processors
    Hosting, cloud, analytics, communications, customer support, payment processing, security, and professional services providers under contractual confidentiality and data protection obligations.
  • Group entities, advisors, and auditors
    For governance, audit, compliance, and legal operations under strict access controls.
  • Competent authorities and law enforcement
    When required or permitted under applicable law, legal process, judicial order, or regulatory request.
  • Corporate transaction counterparties
    In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality and lawful transfer safeguards.

We do not sell personal data in violation of applicable law.

11. Cross-border transfers

Where personal data is transferred or disclosed outside KSA, we apply safeguards required by applicable law and transfer regulations, which may include:

  • transfer to jurisdictions assessed as providing adequate protection;
  • standard contractual clauses approved or recognized by the competent authority;
  • binding common rules or other approved safeguards;
  • risk assessments and additional protective measures where required.

Transfers are limited to the minimum personal data reasonably necessary for the relevant purpose.

12. Data retention and destruction

We retain personal data only for as long as needed for lawful and legitimate purposes, including service delivery, security, legal compliance, tax/accounting requirements, dispute management, and defense of legal claims.

Retention may vary by data type. Typical criteria include:

  • Account and profile data
    Retained while account is active and for a limited period after closure for legal, audit, fraud-prevention, and dispute purposes.
  • Application and communication records
    Retained as needed for recruiting workflows, service support, and legal compliance.
  • Billing and tax records
    Retained for periods required by tax, accounting, and financial regulations.
  • Security logs and investigation records
    Retained as needed to detect, investigate, and prevent incidents and unlawful conduct.
  • Consent and rights-request records
    Retained as needed to demonstrate compliance with legal obligations.
  • Processing activity records
    Maintained and retained in line with applicable legal requirements, including PDPL implementing regulation obligations.

Where data is no longer required and no legal basis for further retention applies, we delete or anonymize it in accordance with legal and technical requirements.

13. Information security

We implement appropriate organizational, administrative, physical, and technical safeguards to protect personal data against unauthorized access, alteration, disclosure, destruction, and other unlawful processing.

These safeguards include access controls, least-privilege measures, encryption where appropriate, logging and monitoring, incident response procedures, secure development controls, and vendor risk controls.

No system is completely risk-free. You are responsible for maintaining the confidentiality of your account credentials and notifying us immediately if you suspect account compromise.

14. Personal data breach handling

If a personal data breach occurs, we will assess impact and respond in accordance with applicable law.

Where legally required, we will notify the competent authority within applicable timelines (currently up to 72 hours in specified cases) and notify affected data subjects without undue delay where their rights or interests may be adversely affected.

15. Your rights under applicable law

Subject to applicable legal conditions and exceptions, you may have the right to:

  • Be informed about legal basis and purposes of processing.
  • Access personal data we hold about you.
  • Obtain a copy of your personal data in a readable format.
  • Request correction, completion, or update of personal data.
  • Request destruction of personal data where legal conditions are met.
  • Withdraw consent where processing is based on consent.
  • Submit complaints to KABi and, where applicable, to the competent authority.

To exercise your rights, contact hello@kabi.ai with sufficient information for identity verification and request handling.

We generally respond within 30 days. If legally permitted and necessary due to complexity or multiple requests, we may extend for an additional period allowed by law (typically up to 30 additional days) and notify you with reasons.

We may decline or limit requests where permitted by law, including to protect rights of others, legal privilege, trade secrets, ongoing investigations, or legal compliance duties.

16. Marketing preferences

Where required by law, we obtain consent before sending direct marketing communications.

All marketing communications include a clear mechanism to opt out. Opt-out requests are handled without undue delay and free of charge.

Even if you opt out of marketing, we may still send non-promotional service, transactional, or legal notices.

17. Children and legal capacity

The Services are intended for persons aged 18 and above.

If we become aware that personal data was provided by a person lacking legal capacity without valid legal basis, we may restrict processing and take appropriate corrective action, including deletion where required.

18. Complaints and escalation

If you have concerns about personal data processing, please contact us first at hello@kabi.ai so we can investigate and resolve the issue.

If you are not satisfied with our response, you may lodge a complaint with the competent authority in KSA in accordance with applicable law and procedures.

19. Updates to this Privacy Policy

We may update this Privacy Policy to reflect legal, regulatory, technical, or business changes.

If updates are material, we will provide reasonable notice through appropriate channels (for example, Website notice, email, or in-account notification) before the updated policy takes effect, unless immediate updates are required by law or security needs.

20. Language and interpretation

This Privacy Policy may be made available in more than one language. In case of conflict, the version required to prevail under applicable law will govern.

21. Contact

KABi Technologies for Information Technology
Email: hello@kabi.ai