How we handle your data

Who we are

Veltrixair is a Riyadh-headquartered tri-vertical GCC enterprise. This notice covers the Industries Business Unit— the operational vertical responsible for crane installation, dismantling, modernization, parts, inspections and 24/7 emergency response across the Kingdom of Saudi Arabia. Where the IT Products & Services or Data Privacy Advisory verticals process your data, separate notices apply.

For the purposes of the Saudi Personal Data Protection Law, the Data Controllerfor the Industries BU is Veltrixair, headquartered in Riyadh, KSA. The Data Controller is responsible for determining the purposes and means of processing personal data described in this notice. Internal accountability for privacy matters sits with the VP — Data Protection & InfoSec Advisory practice (Tarique Ahmad), which serves as the BU's Data Protection Officer function.

What data we collect

We collect personal data only where it is necessary for the operational delivery of crane services, regulatory conformity, or the legitimate management of our business. The categories below are exhaustive — if data is being processed about you by the Industries BU, it falls into one of these categories.

Why we collect it

We process personal data for six identified purposes, each with a documented lawful basis. Data collected for one purpose is not silently repurposed for another — purpose limitation is built into the BU's data handling workflows.

1. Service delivery. To respond to enquiries, prepare quotes, schedule site visits, deliver engagements, manage AMC contracts, and fulfil our contractual obligations to clients.
2. Regulatory conformity. To meet SASO inspection certificate retention obligations, ZATCA invoicing requirements, HCIS site access protocols, Saudi Labour Law workforce records, and PDPL itself.
3. Recruitment. To assess applications submitted via the Careers page, route to the appropriate hiring lead, and maintain a candidate pipeline for forecast openings.
4. HSE & quality. To manage permit-to-work records, post-incident inspections, near-miss reporting, and the operational discipline that prevents safety events.
5. Communication. To send transactional engagement updates (quote confirmations, visit coordination, invoice notifications) and — only with separate consent — the quarterly newsletter.
6. Legitimate business operations. Internal financial controls, vendor management, audit, defence of legal claims, and the standard operations of running an industrial services enterprise.

How we use it

Data submitted through the Quote and Site Visit forms is routed automatically to the assigned engineering lead based on service line and site city. The reference numbers issued at submission (VTX-RFQ, VTX-VST, VTX-HR) follow the data through the engagement lifecycle. We do not enrich submitted data with third-party datasets; we do not profile enquirers; we do not sell or rent personal data under any circumstance.

For workforce data, processing is limited to what is necessary for the employment relationship and Saudi Labour Law conformity — Iqama renewals, OEM training currency, payroll, end-of-service gratuity, and the records that establish a documented employment history. Workforce data is never used for commercial profiling or shared with marketing systems.

Site visit imagery is captured exclusively for technical engineering purposes — recording the condition of an asset, documenting a fault, supporting a written assessment report. Images are stored in the Veltrixair PDPL-compliant digital store with time-stamping and access logging. Where workforce or third parties are incidentally captured, identifying detail is redacted before any external use.

Lawful basis under PDPL Article 5

PDPL Article 5 sets out the lawful bases on which personal data may be processed. The Industries BU relies on five of them, each tied to specific processing activities.

• Consent. For the quarterly newsletter (separate, granular, withdrawable), and for marketing communications. Never the basis for engagement-critical processing.
• Contractual necessity. For quote preparation, AMC delivery, site visit coordination, engagement records, invoicing — the processing without which the service cannot be delivered.
• Legal obligation. For ZATCA records, SASO inspection certificate retention, Saudi Labour Law payroll records, HCIS site access logs, and statutory employment documentation.
• Legitimate interests. For internal audit, fraud prevention, defence of legal claims, and the operational discipline of running a safety-critical industrial services BU. Balancing test documented per PDPL.
• Vital interests. For HSE incident response, where processing of health data may be necessary to protect life — the rare basis, applied narrowly.

How long we keep it

Retention periods follow PDPL Article 18 — personal data is kept only for as long as necessary for the purpose collected, plus statutory minimums where applicable. The table below is the BU's published retention schedule. After the retention period, data is deleted or anonymised through documented destruction workflows.

Who we share with

Veltrixair does not sell personal data. We share it only where necessary for the categories below, and only with parties under enforceable confidentiality and data processing obligations.

• OEM partners. Demag, Konecranes, Stahl and other authorised channels — for parts ordering, technical support, warranty claims, and OEM-credentialed training enrolment.
• Sub-contractors and specialist vendors. Civil works contractors, NDT specialists, transport vendors — bound by data processing agreements where personal data is exchanged.
• Regulatory bodies. SASO, ZATCA, SDAIA, HCIS, Civil Defence, Ministry of Human Resources — where required by law or formal regulatory request.
• Professional advisors. External legal counsel, auditors, insurers — under professional confidentiality and engaged for specific defined purposes.
• Banking and payment processors. For SAR-denominated transactions and WPS-compliant payroll, under standard banking confidentiality.
• Cloud infrastructure. Tier-1 cloud providers operating SDAIA-aligned KSA-region data centres where available; where not available, transfers governed under Section 08 below.

We do not share personal data with: marketing platforms outside our direct control, data brokers, advertising networks, or any third party for commercial enrichment. The Industries BU operates no advertising-funded surfaces.

Cross-border transfers under PDPL Article 29

Data residency is preferred to be in-Kingdom. Where cloud infrastructure, OEM systems or international vendor relationships require data to leave Saudi Arabia, transfers are governed under PDPL Article 29 — which permits cross-border transfers under specific lawful conditions including SDAIA-recognised adequacy, explicit consent, contractual necessity, or vital interest.

Transfers outside KSA are documented in a transfer impact assessment maintained by the VP — Data Protection function. The assessment records the recipient jurisdiction, the lawful basis under Article 29, the technical and organisational safeguards (encryption, access controls, contractual data processing terms), and the SDAIA notification status where required.

Your rights under PDPL Article 4

PDPL Article 4 establishes data subject rights for individuals whose personal data is processed in the Kingdom. The eight rights below describe what you can ask of the Industries BU, and how. All requests are responded to within thirty (30) days of verified identity, free of charge except for manifestly unfounded or excessive requests.

To exercise any of these rights, contact privacy@veltrixair.com with a brief description of the request and proof of identity. We will acknowledge within 5 working days and respond substantively within 30 days. Where a request cannot be fulfilled (for example, data retained under statutory obligation), the response will explain why with reference to the lawful basis.

Cookies & tracking

The Veltrixair website uses a minimal cookie footprint, deliberately. We do not use advertising cookies, tracking pixels from third-party marketing platforms, or behavioural retargeting infrastructure. The cookies we do use fall into two categories.

• Strictly necessary. Cookies required for the site to function — form submission state, language preference, accessibility settings. These are set without consent under PDPL because the site cannot operate without them.
• Analytics (consent-based). Pseudonymised analytics that record page visits and referrer source in aggregate. Set only with explicit consent. Withdrawing consent removes the cookie immediately and prevents future setting.

We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or other behavioural advertising trackers. The absence is intentional — the Industries BU does not run paid advertising surfaces and has no operational use for the data those trackers collect.

Contact & complaints

For any privacy matter — exercising a right, raising a concern, reporting a breach, or asking a question — the contact channel below is the right starting point. The VP — Data Protection function reviews privacy correspondence personally.

Veltrixair will not retaliate against any individual who exercises a right under PDPL. The relationship — whether commercial, employment, or pre-engagement enquiry — is unaffected by the act of submitting a privacy request. We treat data subject rights as a feature of the framework, not a complaint channel.