Skip to content
MILESTONE

Privacy Notice

How Milestone Initiative handles your personal data, in line with the Saudi Personal Data Protection Law (PDPL).

Last updated: 10 May 2026

This Privacy Notice explains how Milestone Initiative ("Milestone", "we", "us") collects, uses, and protects personal data through this website. Milestone is the controller of the personal data processed under this Notice, in line with the Personal Data Protection Law of the Kingdom of Saudi Arabia (Royal Decree M/19, the "PDPL") and the Implementing Regulation issued by the Saudi Data and AI Authority ("SDAIA").

1. Who we are

Milestone Initiative is established in Riyadh, Kingdom of Saudi Arabia. Questions about this Notice or about your personal data can be sent to privacy@milestone-reports.com, or by post to:

Milestone Initiative
Riyadh, Kingdom of Saudi Arabia

2. What personal data we collect

We collect personal data only when you actively provide it or when it is needed to operate the site:

  • Account data — your name, email address, and an opt-in flag for product updates, when you create a member account.
  • Authentication data — a hashed password, email-verification tokens, and password-reset tokens. We never store your password in plain text.
  • Lead-form data — the information you provide on the Contact / Book a Meeting form: full name, organization, job title, email, phone (optional), preferred meeting format, and the message itself.
  • Operational data — your IP address, browser/user-agent, and the timestamp of each submission, used to apply rate limits and to write an audit record.
  • Cookies and analytics data — see the Cookie Policy for details. Analytics are only loaded if you accept the cookie banner.

We do not intentionally collect any sensitive personal data (health, biometric, religious, financial, or genetic data) through this site.

3. The lawful basis for processing

Purpose Lawful basis under PDPL
Creating and operating your member account Performance of a contract you have requested
Sending verification, password-reset, and notification emails you opt in to Performance of a contract / your consent
Responding to a Contact / Book a Meeting submission Pre-contractual measures at your request
Defending the site against abuse (rate limits, CAPTCHA, audit logs) Our legitimate interest in the security of the service
Loading Google Analytics for usage measurement Your consent (cookie banner)

You can withdraw your consent at any time. Withdrawing consent does not affect processing already carried out on the basis you previously gave.

4. Who we share your personal data with

We share your personal data only with the service providers we rely on to deliver the site, and only to the extent strictly necessary:

  • Cloudflare, Inc. — runs the Turnstile CAPTCHA on the Contact form. Cloudflare receives your IP address and a verification token at the moment you submit. Privacy policy: https://www.cloudflare.com/privacypolicy/.
  • Google LLC — receives anonymized usage analytics through Google Analytics 4, but only if you accepted analytics cookies. Privacy policy: https://policies.google.com/privacy.
  • Our email provider — used to deliver the verification, password-reset, and notification emails you have asked to receive.

We do not sell your personal data, and we do not share it for advertising purposes.

5. International transfers

Some of the providers above (Cloudflare, Google) process data outside the Kingdom of Saudi Arabia. We rely on the lawful-transfer mechanisms permitted under PDPL Articles 28–29, including transfers necessary for the performance of a contract with you and transfers carried out on the basis of your explicit consent. We retain the right to suspend or replace any provider if a transfer mechanism is no longer available.

6. How long we keep your personal data

Data Retention
Member account For as long as the account is active. We delete the account on request.
Lead-form submissions Up to 24 months after the submission, unless an active engagement requires longer.
Authentication tokens (verify, reset) Until used or expired (48 hours for verification, 1 hour for reset).
Audit log entries 24 months from the date of the recorded action.
Analytics data Up to 14 months (Google Analytics retention setting).

7. Your rights under PDPL

Subject to PDPL Articles 4–7, you may at any time:

  • Be informed about how we process your data — this Notice serves that purpose.
  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Erase your data, where the lawful basis no longer applies.
  • Withdraw any consent you have given (cookies, marketing emails, account creation).
  • Lodge a complaint with the Saudi Data and AI Authority — https://sdaia.gov.sa.

To exercise any of these rights, write to privacy@milestone-reports.com from the email address registered with us. We will respond within 30 calendar days.

8. Security

We use industry-standard measures to protect your personal data: TLS 1.2+ for data in transit, bcrypt for password hashing, role-based access control on the admin surface, audit logs on every state-changing action, and short-lived tokens for verification and reset flows. No method is fully secure; please tell us if you suspect unauthorized access to your account.

9. Children

This site is intended for organizational decision-makers and is not directed at children. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Changes to this Notice

We may update this Notice from time to time. Material changes will be flagged on the site, and the "Last updated" date above will be revised. Continued use of the site after a change constitutes acknowledgement of the updated Notice.