Last updated: 27 May 2026

Privacy Policy

NEOWY Learning Technology Co. ("NEOWY", "we", "us") is committed to protecting your personal data in compliance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations.

1. Data Controller

NEOWY Learning Technology Co., Kingdom of Saudi Arabia.
Privacy contact: privacy@neowy.com

2. Data We Collect

  • Account data: name, email, password (hashed), preferred language.
  • Learning data: course enrollments, assessment results, completion percentages, certificates issued.
  • Activity data (xAPI): learning events such as views, answers, and scores — stored in standard xAPI format.
  • Technical data: IP address, browser type, device, session logs — for security and diagnostics only.
  • Consent data: date and time of privacy policy acceptance.

3. Purposes of Processing

  • Providing learning services, tracking progress, and issuing certificates.
  • Operating the platform and improving user experience.
  • Sending service-related notifications (enrollment confirmation, certificate issuance, password reset).
  • Complying with legal and regulatory requirements.
  • Aggregated analytics to improve content quality and learning experience.

4. Legal Basis for Processing

Your data is processed based on your explicit consent provided at registration, pursuant to Article 5 of the PDPL. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data Sharing

We do not sell your personal data. Data is shared only in the following cases:

  • Training providers (tenants): the organisation that enrolled you can view your progress and certificates.
  • Technical service providers: AWS (data hosted in Frankfurt temporarily, migrating to Saudi region when available), Resend (email delivery).
  • Regulatory authorities: only when legally required.

6. Data Retention

  • Account data: for the duration of account activity, plus one year after last activity.
  • Learning records and certificates: 5 years from issuance for verification purposes.
  • xAPI events: 3 years from the date of recording.
  • Technical logs: 90 days.

7. Your Rights under PDPL

Under the PDPL you have the following rights:

  • Access: the right to know what data we hold about you.
  • Correction: request correction of inaccurate data.
  • Deletion: request deletion of your data when it is no longer necessary.
  • Portability: receive a machine-readable copy of your data.
  • Restriction: request restriction of processing in specific circumstances.
  • Withdraw consent: revoke your consent at any time.

To exercise any of these rights, contact us at: privacy@neowy.com. We will respond within 30 days.

8. Data Security

We apply security controls including: password hashing (PBKDF2 with 100,000 iterations), HTTPS on all communications, multi-tenant data isolation, and token-based authentication (JWT). Security controls are reviewed periodically.

9. Cookies

We use cookies strictly necessary for session management and authentication (neowy_token, neowy_tenant_slug). We do not use third-party analytics or marketing cookies.

10. Changes to This Policy

We may update this policy periodically. We will notify you of any material changes by email or in-platform notice at least 30 days before they take effect. Continued use of the platform after changes constitutes acceptance.

© 2026 NEOWY