Privacy and Personal Data Protection Policy for THEKEY
Last updated: 03 June 2026
This Policy is designed to align with the Personal Data Protection Law of the Kingdom of Saudi Arabia, its Implementing Regulations, and related rules and controls. It is intended to inform Data Subjects how their personal data is processed and what rights they may exercise under applicable law.
1. Controller details
| Field | Details |
|---|---|
| Service provider / Controller | Miftah Ta'allum Thaki Company (registered Arabic name: شركة مفتاح تعلم ذكي), trading as THEKEY |
| Brand | THEKEY |
| Entity type | Simplified Joint Stock Company |
| Unified National Number / Commercial Registration reference | 7053234873 |
| Commercial registration status | Active |
| Certificate issue date | 05/01/2026 |
| Website | thekey.sa |
| General enquiries | hello@thekey.sa |
| Technical support | support@thekey.sa |
| Privacy / personal data protection contact | privacy@thekey.sa |
2. Definitions
For the purposes of this Policy, “personal data” means any data, regardless of its source or form, that can identify a natural person directly or indirectly. This may include name, identity number or student number, contact data, account data, usage data, learning data, exam data, device data, and any other data linked to a Data Subject.
“Data Subject” means the natural person to whom personal data relates. “Controller” means the entity that determines the purposes and means of processing personal data. “Processor” means the entity that processes personal data for and on behalf of a Controller.
3. THEKEY as Controller or Processor
Depending on the processing activity, THEKEY may act as Controller when it determines the purposes and means of processing personal data, or as Processor when it processes personal data based on instructions from an educational institution or institutional customer.
For some services, the university or educational institution may be the Controller of student, course, grade, and exam data, and THEKEY processes that data on its behalf and in accordance with its instructions and the relevant agreements.
4. Personal data we collect
We may collect and process the following categories of personal data depending on your role and how you use the Platform.
4.1 1 Account and identity data
This may include name, email address, mobile number, username, student number, employee number, institutional identifier, university or institution name, role on the Platform, profile photo if uploaded, login and authentication data, and single sign-on or institutional login data.
4.2 2 Educational and academic data
This may include enrolled courses, learning content accessed, learning progress, question attempts, answers, assignments, participation, test results, grades, feedback, instructor or supervisor notes, performance and educational analytics, badges, points, and gamification or engagement data.
4.3 3 Exam and exam-security data
Where assessment, proctoring, or exam-security tools are enabled by an educational institution, we may process exam start and end times, session logs, IP address, device, browser, and operating-system data, Safe Exam Browser or lockdown status, activity indicators during the exam, identity-verification data, images, recordings, audio, or video data if proctoring is enabled and authorised, proctor or supervisor notes, and potential-incident alerts, indicators, or reports.
This data is processed for exam security, academic integrity, cheating prevention, investigation or appeal support, and implementation of educational-institution policies.
4.4 4 AI tool data
When you use AI tools within the Platform, we may process prompts or text inputs, course files or materials submitted to the tool, generated questions, explanations, summaries, translations, AI outputs, user feedback on outputs, and related usage logs.
You should not submit unnecessary personal data, sensitive data, or confidential information into AI tools unless you are authorised to do so and the feature is configured for that purpose.
4.5 5 Payment and billing data
Where paid services are available, we may process billing name, contact details, invoice or receipt number, plan or subscription details, transaction amount, payment status, transaction reference, and required tax data. THEKEY does not store full payment-card details, and payments are processed by independent payment-service providers.
4.6 6 Support, communications, technical, and cookie data
This may include emails, support tickets, contact forms, complaints, reports, feedback, surveys, and service-related communication records. Technical data may include IP address, device type, browser type, operating system, access and usage times, session identifiers, error logs, security logs, cookies, and similar technologies.
5. Sources of personal data
We may obtain personal data directly from the Data Subject, from the university or educational institution, from instructors, supervisors, or administrators, from single sign-on or authentication systems, from payment-service providers, from assessment, proctoring, or exam-security tools, from AI, analytics, or hosting providers, from your device or browser, and from usage and support logs.
6. Purposes of processing
We process personal data for the following purposes:
- creating and managing accounts, verifying identity, and enabling login;
- providing learning, course, exam, and assignment services and enabling educational institutions to manage learning activities;
- measuring learning progress, analysing performance, and operating practice, engagement, and gamification features;
- securing exams, supporting academic integrity, preventing cheating, and verifying compliance with institutional policies;
- providing educational AI tools and generating reports and analytics;
- providing technical support, handling reports and complaints, and sending service notifications and important updates;
- processing payments, invoices, and refunds where applicable;
- improving the Platform, developing features, and protecting it against fraud, misuse, and unauthorised access;
- complying with legal, regulatory, and contractual obligations and preserving, asserting, or defending rights and claims where needed.
7. Legal bases for processing
Depending on the processing activity, we rely on one or more legal bases, including Data Subject consent, Explicit Consent where required by law, performance of a contract or agreement to which you or your institution is a party, compliance with a legal obligation, legitimate interests that do not prejudice the rights of the Data Subject and do not involve sensitive data where impermissible, protection of vital interests, or instructions from the Controller where we act as Processor.
Where processing is based on consent, you may withdraw your consent at any time through the available means. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal or processing based on another valid legal basis.
8. Sensitive Personal Data
Some Platform services may involve data that may be considered Sensitive Personal Data, such as identity-verification data, biometric data where used to uniquely identify a person, or other data classified as sensitive by law. We process Sensitive Personal Data only where an appropriate legal basis exists and necessary safeguards are applied. We do not use Sensitive Personal Data for marketing purposes.
9. Disclosure of personal data
We do not sell personal data. We may disclose personal data, on a need-to-know basis and in compliance with applicable laws, to the user’s educational institution, authorised instructors, supervisors, or administrators, hosting and cloud-service providers, email, support, payment, AI, analytics, and exam-security providers, professional advisers, legal advisers, or auditors, competent governmental, judicial, or regulatory authorities where legally required, and any other party based on Data Subject consent or instructions from the relevant educational institution.
10. Transfer or disclosure outside the Kingdom
Some personal data may be hosted or processed inside or outside the Kingdom of Saudi Arabia depending on service providers, hosting locations, features used, and educational-institution agreements.
Where personal data is transferred or disclosed to an entity outside the Kingdom, we comply with applicable legal requirements. This may include limiting the transfer to the minimum necessary, verifying that an appropriate level of protection or contractual safeguards is in place, applying the required rules and controls for transfer or disclosure outside the Kingdom, conducting a risk assessment where required, requiring service providers to protect personal data, and applying appropriate technical and organisational measures.
11. Retention and Destruction
We retain personal data for as long as necessary to achieve the purposes for which it was collected or processed, or for the period required by laws, regulations, contractual obligations, academic requirements, tax, accounting, or security requirements. When personal data is no longer needed, we securely destroy, delete, anonymise, or otherwise de-identify it so it is no longer linked to the Data Subject, unless retention is legally required.
Indicative retention schedule
| Data category | Retention period or criteria |
|---|---|
| Account data | While the account is active, then for as long as the educational institution requires unless retention is legally required. |
| Course and learning-progress data | As instructed by the educational institution for as long as the educational institution requires. |
| Grades, results, and assessment records | As required by institutional policies and legal or academic requirements. |
| Exam and proctoring data | For as long as the educational institution requires after the exam unless needed for an appeal, investigation, or dispute. |
| Payment and billing data | In accordance with accounting, tax, and legal retention periods. |
| Support and complaint data | For as long as the educational institution requires after closure of the request. |
| Technical and security logs | For as long as the educational institution requires, or longer where needed for security or investigation. |
| Marketing consent records | Until consent is withdrawn, while retaining what is needed to evidence compliance. |
12. Personal data security
We apply technical, organisational, and administrative measures to protect personal data against loss, damage, unauthorised access, disclosure, alteration, or unlawful use. Measures may include encryption in transit, encryption at rest where appropriate, access controls, least-privilege permissions, audit logs, authentication, backups, system monitoring, vulnerability management, service-provider reviews, staff training, and incident-response procedures.
No electronic system can be guaranteed to be completely secure. You must keep your access credentials confidential and notify us immediately if you suspect unauthorised use.
13. Personal data breaches
If an incident results in leakage, damage, loss, unauthorised disclosure, or unlawful access to personal data, we will investigate the incident and take appropriate containment and remediation measures. Where required by law, we will notify the competent authority and affected Data Subjects or educational institutions in accordance with applicable requirements and timeframes.
14. Data Subject rights
Subject to legal exceptions and controls, the Data Subject may exercise rights that may include the right to be informed about how personal data is collected and processed, the right to access personal data, the right to request a copy in a clear and readable format where possible, the right to request correction, completion, or updating of personal data, the right to request Destruction of personal data that is no longer needed unless a legal basis for retention exists, the right to withdraw consent where processing is based on consent, and the right to submit a complaint regarding processing of personal data.
To exercise these rights, contact privacy@thekey.sa. We may request additional information to verify identity before responding. If THEKEY processes data on behalf of an educational institution, we may refer the request to that institution or cooperate with it to process the request in accordance with applicable laws and agreements.
15. Data Subjects lacking full legal capacity
If a Data Subject lacks full legal capacity, the legal guardian or lawful representative may exercise rights relating to the Data Subject’s personal data in accordance with applicable laws and regulations. We may request proof of legal capacity or authorisation before responding to a request submitted on behalf of a Data Subject.
16. Marketing communications
We may send service communications relating to accounts, courses, exams, technical support, security, or important updates. These are not marketing messages. We send marketing or promotional messages only in accordance with applicable laws and based on consent where required, and we will provide a clear and convenient opt-out method.
17. Cookies and similar technologies
We use cookies and similar technologies for login and session management, account and Platform security, preference storage, Platform usage analysis, performance improvement, error detection, and fraud and misuse prevention. Some cookies are necessary for the Platform to operate. You can control cookies through your browser settings, but disabling essential cookies may affect some Platform features.
18. Third-party links and services
The Platform may contain links or integrations with third-party websites or services. Those services are governed by their own privacy notices and terms. THEKEY is not responsible for third-party privacy practices except to the extent required by applicable law or relevant agreements.
19. Changes to this Policy
We may update this Policy from time to time. We will post the updated version on the Platform and revise the last-updated date. We may provide additional notice if a change is material or required by law.
20. Complaints and contact
For questions, requests, or complaints relating to privacy or personal data protection, contact privacy and personal data protection at privacy@thekey.sa, technical support at support@thekey.sa, or general enquiries at hello@thekey.sa. If you are not satisfied with our response, or your complaint is not handled in accordance with applicable legal requirements, you may submit a complaint to the competent authority in the Kingdom of Saudi Arabia in accordance with applicable procedures.