Privacy Policy — Invest Riyadh
Privacy Policy for Invest Riyadh (investriyadh.ai) — how we collect, use, store, and protect your personal information, your rights, and how to contact us about privacy matters.
Privacy Policy
Effective Date: March 23, 2026
The Vanderbilt Portfolio (“we,” “us,” or “our”) operates the website investriyadh.ai (“the Site”). This Privacy Policy describes how we collect, use, store, and protect information about visitors to our Site.
We are committed to protecting your privacy and handling your personal information responsibly. This policy explains our practices in plain language so you can make informed decisions about the information you share with us.
1. Information We Collect
Information You Provide Directly
We collect information that you voluntarily provide to us, including:
Contact information: When you contact us by email (info@investriyadh.ai), submit a form on the Site, or communicate with us through other channels, we collect the information you provide, which may include your name, email address, organization, and the content of your message.
Newsletter subscription: If you subscribe to our newsletter, we collect your email address and any other information you provide during the subscription process (such as name and organization).
Report downloads: If you download reports or other resources from the Site, we may collect your email address and other information you provide during the download process.
Information Collected Automatically
When you visit our Site, we automatically collect certain information about your device and browsing activity, including:
Device and browser information: Your IP address, browser type and version, operating system, device type, and screen resolution.
Usage information: Pages you visit, links you click, time spent on pages, referring website addresses, and other browsing behavior on our Site.
Cookies and similar technologies: We use cookies and similar tracking technologies to collect information about your browsing activity. See our Cookie Policy for detailed information about the cookies we use.
Information from Third Parties
We may receive information about you from third-party services, including:
Analytics providers: We use Google Analytics and similar services to understand how visitors use our Site. These services collect information about your browsing behavior and provide us with aggregate and anonymized usage statistics.
Advertising partners: If we display advertisements on the Site, our advertising partners (including Google AdSense) may collect information about your browsing activity for the purpose of serving targeted advertisements. See our Cookie Policy for details.
2. How We Use Your Information
We use the information we collect for the following purposes:
To provide and maintain the Site: Including displaying content, processing your requests, and ensuring the Site functions properly.
To communicate with you: Including responding to your inquiries, sending newsletters (if you have subscribed), and providing information you have requested.
To improve the Site: Including analyzing usage patterns, identifying popular content, diagnosing technical issues, and optimizing the user experience.
To display advertising: We use advertising (including Google AdSense) to support the Site. Advertising partners may use cookies and other technologies to serve relevant advertisements based on your browsing activity.
To comply with legal obligations: Including responding to lawful requests from government authorities and complying with applicable laws and regulations.
To protect our rights: Including enforcing our Terms of Service, protecting against fraud and abuse, and defending our legal rights.
3. How We Share Your Information
We do not sell your personal information to third parties. We may share your information in the following circumstances:
Service providers: We share information with third-party service providers who assist us in operating the Site, including hosting providers, email service providers, analytics providers, and advertising partners. These providers are contractually required to use your information only to provide services to us and to protect your information.
Advertising partners: Our advertising partners (including Google AdSense) receive information about your browsing activity through cookies and similar technologies for the purpose of serving targeted advertisements. You can manage your advertising preferences through your browser settings and through the advertising opt-out mechanisms described in our Cookie Policy.
Legal requirements: We may disclose your information if required to do so by law, in response to a court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Business transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change by posting a notice on the Site.
4. Data Retention
We retain your information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements:
- Contact information: Retained for as long as necessary to respond to your inquiry and for a reasonable period thereafter for our records.
- Newsletter subscriptions: Retained until you unsubscribe or request deletion.
- Analytics data: Retained in aggregate form for up to 26 months (consistent with Google Analytics data retention settings).
- Server logs: Retained for a reasonable period for security and diagnostic purposes.
5. Data Security
We implement reasonable technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Use of HTTPS (SSL/TLS) encryption for data in transit
- Regular security updates and patches for our systems
- Access controls that limit who can access personal information
- Regular review of our security practices
However, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your information, we cannot guarantee its absolute security.
6. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
Access: You may request a copy of the personal information we hold about you.
Correction: You may request that we correct inaccurate or incomplete personal information.
Deletion: You may request that we delete your personal information, subject to certain exceptions (such as information we are required to retain by law).
Opt-out of marketing: You may unsubscribe from our newsletter at any time by clicking the “unsubscribe” link at the bottom of any email or by contacting us at info@investriyadh.ai.
Cookie preferences: You may manage your cookie preferences through your browser settings. See our Cookie Policy for details.
To exercise any of these rights, please contact us at info@investriyadh.ai. We will respond to your request within a reasonable timeframe.
7. Children’s Privacy
The Site is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at info@investriyadh.ai, and we will take steps to delete such information.
8. International Data Transfers
The Site is operated from the United States. If you are accessing the Site from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using the Site, you consent to the transfer of your information to the United States and the processing of your information in accordance with this Privacy Policy.
9. Third-Party Links
The Site may contain links to third-party websites. This Privacy Policy does not apply to third-party websites, and we are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of any third-party website you visit.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or applicable laws. We will post any changes on this page and update the “Effective Date” at the top. We encourage you to review this Privacy Policy periodically.
11. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us at:
Email: info@investriyadh.ai Publisher: The Vanderbilt Portfolio
12. Specific Privacy Rights by Jurisdiction
European Economic Area (EEA) and United Kingdom
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR, including the right to access your personal data, the right to rectification of inaccurate data, the right to erasure (“right to be forgotten”) under certain circumstances, the right to restrict processing, the right to data portability (receiving your data in a structured, machine-readable format), and the right to object to processing based on legitimate interests. You also have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.
Our legal basis for processing personal data of EEA and UK residents includes consent (for newsletter subscriptions and cookie placement), legitimate interests (for analytics and site improvement), and legal obligations (for compliance with applicable laws). Where we rely on legitimate interests, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms.
California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, use, disclose, and sell, the right to delete your personal information, the right to opt out of the sale or sharing of your personal information, and the right to non-discrimination for exercising your privacy rights. We do not sell personal information as defined by the CCPA/CPRA. To exercise your California privacy rights, contact us at info@investriyadh.ai.
Saudi Arabia and GCC Residents
Saudi Arabia’s Personal Data Protection Law (PDPL) provides privacy protections for Saudi residents, including requirements for consent to data processing, data minimization, purpose limitation, and data breach notification. We comply with the PDPL and any implementing regulations issued by the Saudi Data and AI Authority (SDAIA). Residents of other GCC countries are also protected by their respective national data protection laws, and we endeavor to comply with all applicable privacy regulations in the jurisdictions from which our Site is accessed.
13. Data Processing Activities
The following table summarizes our key data processing activities, the personal data involved, our legal basis for processing, and the retention period:
| Activity | Data Processed | Legal Basis | Retention |
|---|---|---|---|
| Site analytics | IP address, browsing behavior, device info | Legitimate interest | 26 months (aggregated) |
| Newsletter delivery | Email address, name | Consent | Until unsubscribe |
| Report downloads | Email address, name, organization | Consent | Until deletion request |
| Contact form responses | Name, email, message content | Legitimate interest | Duration of inquiry + 2 years |
| Advertising | Browsing behavior, interests | Consent (cookies) | Per cookie duration |
| Security | IP address, access logs | Legitimate interest | 90 days |
14. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Our use of analytics and advertising technologies involves automated processing of browsing data, but these processes do not make decisions about individual users that have legal or similarly significant consequences.
15. Cookie Policy Integration
This Privacy Policy should be read in conjunction with our Cookie Policy, which provides detailed information about the specific cookies and tracking technologies used on our Site. The Cookie Policy explains the types of cookies we use (essential, analytics, advertising, and functionality), provides a complete cookie inventory with names, purposes, and durations, describes how to manage your cookie preferences through browser settings, and explains the opt-out mechanisms available for analytics and advertising cookies. Together, these two policies provide comprehensive information about how we collect and use data about our Site visitors.
16. Data Protection Officer
While we are not legally required to appoint a Data Protection Officer under all applicable regulations, we designate our publisher as the primary contact for all privacy-related matters. You can reach our privacy contact at info@investriyadh.ai with any questions, concerns, or requests regarding the processing of your personal data.
17. Data Breach Notification Procedures
In the event of a data breach that compromises personal information, we follow a structured incident response protocol designed to minimize harm to affected individuals and comply with notification requirements across all applicable jurisdictions.
Detection and containment: Our security monitoring systems are designed to detect unauthorized access attempts, unusual data exfiltration patterns, and anomalous system behavior. Upon detection of a potential breach, our incident response team initiates containment procedures to isolate affected systems and prevent further unauthorized access.
Assessment and classification: Following containment, we assess the scope and severity of the breach, identifying what categories of personal data were affected, how many individuals were impacted, and what the likely consequences are for affected individuals. Breaches are classified according to severity levels that determine the speed and scope of our notification response.
Notification timeline: We notify affected individuals and relevant regulatory authorities according to the following standards:
| Jurisdiction | Regulatory Authority | Notification Deadline |
|---|---|---|
| European Economic Area | Lead Supervisory Authority | 72 hours from discovery |
| United Kingdom | Information Commissioner’s Office (ICO) | 72 hours from discovery |
| Saudi Arabia | Saudi Data and AI Authority (SDAIA) | As required under PDPL implementing regulations |
| California | California Attorney General (if 500+ residents affected) | Without unreasonable delay |
| Other US States | State Attorney General (as applicable) | Per state-specific deadlines |
Individual notification: When a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we notify those individuals directly via email, providing a description of the breach, the categories of data affected, the likely consequences, the measures we have taken to address the breach, and the steps individuals can take to protect themselves.
Post-incident review: Following resolution of any data breach, we conduct a thorough post-incident review to identify root causes, assess the effectiveness of our response, and implement additional safeguards to prevent recurrence. Findings from post-incident reviews are incorporated into our security improvement roadmap.
18. Privacy by Design Principles
We incorporate privacy considerations into the design and development of our systems, processes, and content from the outset, rather than treating privacy as an afterthought. Our privacy-by-design practices include data minimization (collecting only the personal data necessary for each specific purpose), purpose limitation (using personal data only for the purposes for which it was collected), storage limitation (retaining personal data only for as long as necessary to fulfill its purpose), pseudonymization and anonymization (applying technical measures to reduce the identifiability of personal data where feasible), and access controls (limiting access to personal data to authorized personnel who require it for their specific responsibilities). These principles guide our technology selection, system architecture decisions, and operational procedures, ensuring that privacy protection is embedded throughout our data processing activities rather than applied as a compliance overlay.
19. Cross-Border Data Transfer Mechanisms
When personal data is transferred from the European Economic Area, United Kingdom, or Saudi Arabia to the United States or other jurisdictions, we rely on appropriate transfer mechanisms to ensure that your data receives an adequate level of protection:
Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with our service providers to ensure that personal data transferred from the EEA receives contractual protections equivalent to those provided under the GDPR.
UK International Data Transfer Agreement: For transfers from the United Kingdom, we use the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, as appropriate.
PDPL transfer requirements: For transfers from Saudi Arabia, we comply with the cross-border data transfer requirements of the Personal Data Protection Law, including ensuring that the receiving jurisdiction provides an adequate level of data protection or that appropriate safeguards are in place.
Supplementary measures: Where transfer mechanisms alone may not provide sufficient protection, we implement supplementary technical and organizational measures — including encryption, access controls, and contractual restrictions — to ensure the ongoing protection of transferred personal data. We regularly assess whether any developments in the legal frameworks of recipient countries could affect the level of protection provided to transferred data, and we adjust our transfer practices accordingly.
Last updated: March 23, 2026