Personal Data Protection Law (PDPL) for the Kingdom of Saudi Arabia
miMove PA Limited — KSA Data Residency & PDPL Compliance Statement
Effective date: November 2025
Entity: miMove PA Limited
1. Introduction & Purpose
miMove PA Limited (“miMove”, “we”, “our”) is committed to the responsible, transparent, and ethical use of data to help every young person develop a positive relationship with enrichment activities — including sport, reading, performing arts, and other pursuits that contribute to personal development.
This statement outlines how miMove ensures full compliance with the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) and international data standards. It also explains our commitment to data residency in KSA and how we work with schools, education ministries, and trusted partners to safeguard all users’ information.
2. Our Data Hosting Commitment
All Saudi Arabian user data collected through miMove will be stored and processed within the Kingdom of Saudi Arabia.
- Data will be hosted on Amazon Web Services (AWS) KSA, a secure, ISO 27001–certified environment.
- All personal data — including student, teacher, and school account information — will remain within KSA data centres.
- Backup, disaster recovery, and system monitoring will also occur within KSA jurisdiction.
This approach ensures compliance with the data residency requirements of the PDPL and provides assurance to schools and authorities that no data is transferred or accessed outside KSA without explicit approval.
3. Compliance with the Saudi Personal Data Protection Law (PDPL)
miMove’s practices align fully with the key principles of the PDPL, including:
- Lawful and Transparent Processing: Data is collected only with clear purpose and consent, communicated through our privacy notices for schools, students, and parents.
- Data Minimisation: We collect only the information necessary to deliver the miMove service and support meaningful insight into participation and enrichment.
- Accuracy and Integrity: We maintain accurate data through structured validation and allow schools to correct or update records.
- Retention and Deletion: Data is retained only for the period agreed with each school or educational authority and deleted securely when no longer required.
- Data Subject Rights: Students, parents, and teachers can request access, correction, or deletion of their data through their school or directly via our Data Protection Officer.
- Security and Confidentiality: Encryption, access controls, and audit logging protect all data at rest and in transit.
miMove is committed to continuous review and improvement of our processes to remain compliant with all updates issued by the Saudi Data & Artificial Intelligence Authority (SDAIA) and the National Data Management Office (NDMO).
4. Our Responsibilities & School Responsibilities
miMove PA Limited (Data Processor)
- Operates the miMove platform on behalf of participating schools and education authorities.
- Implements robust technical and organisational measures to ensure the security and lawful processing of all personal data.
- Processes data only according to written instructions from the school or education authority (the Data Controller).
- Notifies controllers promptly of any data incidents or breaches.
Schools / Education Authorities (Data Controllers)
- Determine the lawful basis for collecting student data.
- Obtain appropriate consent where required.
- Manage user access and verify data accuracy.
- Ensure all users understand how and why their data is being used through their own local privacy communications.
5. Safeguarding, Security & Ethical Data Use
miMove’s founding principle is that data should always serve the wellbeing and development of young people.
We do not use student data for marketing, profiling, or commercial resale. All data collected through miMove exists to:
- Support young people’s reflection on their enrichment activities.
- Help schools understand engagement, inclusion, and wellbeing.
- Enable evidence-based decision making at school, local, and national levels.
Security measures include:
- End-to-end encryption (AES-256 for data at rest, TLS 1.2+ for data in transit)
- Role-based access controls and authentication
- Regular security audits and vulnerability testing
- Staff training in data ethics and privacy principles
6. Hosting Architecture Summary
- Primary Hosting: AWS Middle East (Riyadh Region) – ISO 27001, SOC 2, and CSA STAR certified.
- Backup and Disaster Recovery: Secondary KSA data centre under the same compliance framework.
- Encryption: Data encrypted in transit and at rest using industry-standard methods.
- Data Residency: No personal or activity data leaves KSA without prior written authorisation from the Data Controller and in full accordance with PDPL provisions.
7. Contact & Oversight
For all data protection enquiries, please contact:
Marcella Griso, Data Protection Officer (DPO)
miMove PA Limited
Email: marcella@mimoveapp.com
Website: www.mimoveapp.com
Final Note
miMove’s mission is to make every young person’s enrichment journey visible and valued. Our data protection and residency commitments ensure that schools, families, and ministries can trust that information is handled safely, locally, and for the right reasons — to support young people’s growth.
