This policy complements Minthar Holdings' general Privacy Policy with specific requirements for data governance in the context of AI. It addresses the unique challenges posed by collecting, processing, storing, and controlling training data when developing and operating AI systems. This policy applies in parallel with — and not as a substitute for — PDPL obligations.
When acquiring data for AI model training, we commit to: verifying the legal basis for processing per the PDPL (consent, legitimate interest, or other basis); complete documentation of data sources and chain of custody; respecting the intellectual property rights of data producers; verifying fair demographic representation to avoid bias; conducting a Data Protection Impact Assessment (DPIA) when processing personal data.
We apply rigorous data quality standards including: completeness, accuracy, and consistency checks before using data in training; demographic distribution analysis to detect underrepresentation; statistical bias testing across protected categories (gender, nationality, age); documenting known data limitations; periodic data quality reviews throughout the model lifecycle, not only at initial training.
We apply the data minimization principle in the AI context: collecting the minimum data necessary to achieve the purpose; avoiding storing personal data in training sets when aggregated or synthetic data can be used; deleting or anonymizing personal data after the training purpose is fulfilled; periodically reviewing the necessity of retaining legacy datasets.
When processing personal data through AI systems: we obtain explicit and specific consent for AI processing — distinct from general data collection consent; we inform individuals how their data will be used in AI systems; we provide an easy mechanism to withdraw consent; we respect data subject rights under the PDPL including access, rectification, and deletion.
When data needs to be transferred outside Saudi Arabia for AI model training or operation: we comply with SDAIA requirements for cross-border data transfers; we conduct a data transfer impact assessment; we verify that an adequate level of protection exists in the receiving country; we use appropriate contractual safeguards; we prefer local processing options wherever possible.
Training data and trained models are subject to specific retention policies: raw training data — retained for the duration of operational need with annual review; intermediate training models — deleted after final model approval unless needed for reproducibility; deployed models — retained with complete version history; audit logs — retained for a minimum of 5 years. Secure deletion procedures are applied upon expiration of retention periods.
We encourage the use of synthetic data as an alternative to real data when appropriate: to reduce privacy risks in training; to improve representation of underrepresented groups; to test AI systems in rare scenarios. Synthetic data quality must be validated and its generation methodology documented. Synthetic data is not used as a complete substitute for real data in critical decision systems without additional validation.
Large Language Models (LLMs) used in our services are subject to additional controls: generated content risk assessment before deployment; content filters and ethical guardrails; periodic review of model outputs for bias or misinformation; restricting access to sensitive data through permissions design; documenting model limitations and informing users about them.
This policy works in full integration with the general Privacy Policy and PDPL: data subject rights stipulated in the PDPL apply fully to AI processing; data access requests can be submitted through the Data Subject Rights page; 72-hour breach notification to SDAIA applies when data used in AI is compromised.
This policy is reviewed annually or upon issuance of updates to the PDPL, its implementing regulations, or SDAIA guidance related to AI. It is also reviewed upon adoption of materially new AI technologies. Updates are approved by the AI Ethics Committee.