Sharing Reality
Sign in

Last updated: 8 May 2026

Privacy policy

This page explains how Sharing Reality (the studio) collects, uses, and protects personal data under the Saudi Personal Data Protection Law (PDPL, Royal Decree M/19). It is the baseline we operate by; if anything here conflicts with a written agreement we’ve signed with you, the agreement controls.

1. Who we are

Sharing Reality is an event and brand studio registered in Jeddah, Kingdom of Saudi Arabia. For the purposes of PDPL, we are the controller of personal data we collect through this site, our client portal, and the events we run on behalf of our agency clients.

2. What we collect

  • Contact form data — your name, work email, company, phone, and the brief you write us when you submit the contact form or the embedded brief widget.
  • Account data — for clients who accept a portal invite: full name, work email, the company you represent, and any voice intake or feedback you provide through the portal.
  • Operational data — events you sign off on, invoices we issue you, the proposal text the agency produces for you, your decisions on per-section approvals, and any uploaded assets (logos, brand guidelines, photographs).
  • Technical data — IP address and user- agent string captured in our audit log when you take a material action (sign-off, account creation, MFA login).
  • Cookies — see our cookie policy for details.

3. Why we process it

  • To respond to your enquiry and prepare a proposal for the event you described.
  • To run an event we have been engaged to deliver — vendor coordination, on-site execution, post-event reconciliation.
  • To bill, invoice, and collect payment for delivered work.
  • To improve our internal proposal and budget agents using anonymised aggregates of past events. Personal data is never fed back into the AI agents.
  • To meet legal and tax obligations under Saudi law.

4. Legal basis

Most processing is performed on the basis of contract (we cannot deliver an event without the data necessary to deliver it) or legitimate interest (for example, maintaining our audit log to defend the studio in a dispute). For marketing communications and the contact form, we rely on your consent, which you can withdraw at any time by contacting our DPO (see section 9).

5. Recipients and third parties

We share personal data only with:
  • Sub-processors we have written agreements with: Supabase (database), Railway (application hosting), Resend (transactional email), Anthropic and OpenAI (AI language models for proposal drafting), Google (Gemini for search grounding and voice transcription), Cloudflare (DDoS protection at the edge).
  • Vendors you engage with us — limited to the information they need to deliver their portion of your event (e.g. a venue gets the guest count, not the guest list).
  • Government authorities when legally required — GEA, SCEGA, Civil Defense, Amanah for permits; ZATCA for tax records.

6. Cross-border transfers

Some sub-processors operate infrastructure outside the Kingdom. Where transfers occur, we rely on the controller- to-processor mechanisms permitted under PDPL Article 29 and its implementing regulations. We do not transfer personal data to jurisdictions that have not been recognised as providing adequate protection without putting equivalent contractual safeguards in place.

7. Retention

  • Contact form submissions: 24 months from submission, or the duration of the resulting client relationship, whichever is longer.
  • Client portal accounts: for the duration of the engagement plus 5 years (Saudi commercial records retention rule).
  • Event records (proposals, invoices, signed deliverables): 10 years from event delivery (Saudi tax retention rule).
  • Audit log: 5 years from the event recorded.
  • Voice intake / feedback audio: never persisted. The audio you record in your browser is streamed straight to a transcription model and discarded as soon as the transcript is produced — only the resulting text is stored with the event record. We do not keep a copy of the audio file on disk or in a database.

8. Your rights

Under PDPL you have the right to:
  • Access the personal data we hold about you.
  • Correct any inaccurate data.
  • Delete your data, subject to our retention obligations.
  • Have your data transferred in a structured, machine-readable format.
  • Object to specific processing activities.
  • Withdraw consent where consent is the legal basis.

Submit a request via the form at /data-subject-request. We respond within 30 days, in line with PDPL Article 22.

9. Data Protection Officer

For privacy questions, complaints, or to exercise any of the rights above, contact our DPO:

privacy@sharing-reality.com

You also have the right to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) if you believe we have processed your data unlawfully.

10. Changes

We update this policy when our practices change. The “last updated” date at the top reflects the most recent revision. Material changes are notified to portal users by email at least 30 days before they take effect.

This policy is the studio’s baseline. Where it conflicts with a written agreement you have signed with us, the agreement controls. Drafted in line with PDPL but should be read alongside the implementing regulations published by the Saudi Data & AI Authority (SDAIA).

Privacy Policy — Sharing Reality