Consent & Lawful Basis
This page explains the lawful bases on which <strong>Skyline Cloud</strong>, operated by <strong>Skyline Solutions</strong> (Riyadh, Kingdom of Saudi Arabia), processes personal data, and how we obtain and honor your consent. It is built to align with the Personal Data Protection Law (<em>PDPL</em>) of the Kingdom of Saudi Arabia and its Implementing Regulations. Where we say our practices are "aligned with" or "designed to meet" a standard, this reflects how we have built our service; formal certification or assessment of compliance is determined by the respective competent authority. For questions about lawful basis or consent, contact <a href="mailto:privacy@alskyline.com">privacy@alskyline.com</a> or our Data Protection Officer at <a href="mailto:dpo@alskyline.com">dpo@alskyline.com</a>.
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
Scope and Key Terms
This document applies to personal data we process through Skyline Cloud services, including cloud hosting, business email, DNS, and SSL, accessed via our cloud portal at cloud.alskyline.com and information presented on alskyline.com.
Personal data means any data that identifies, or could reasonably identify, a natural person. Processing means any operation performed on personal data, such as collection, storage, use, or deletion. A data subject is the individual to whom the personal data relates. A lawful basis is the legal ground that permits us to process your personal data under the PDPL.
Where we act as a processor on behalf of a customer (for example, when a tenant administrator manages mailboxes for their organization), the customer is responsible for establishing the lawful basis for the data they place in our service. We process that data under their instructions and in line with our agreements and this notice.
The Lawful Bases We Rely On
Under the PDPL, we process personal data only where we have a valid lawful basis. We rely on one or more of the following bases, depending on the purpose of processing:
- Consent. Where you give us specific, informed, and freely given opt-in consent — for example, to receive marketing communications or to enable optional features. You may withdraw consent at any time.
- Performance of a contract. Where processing is necessary to provide the services you or your organization have subscribed to — for example, creating and operating your hosting, email, DNS, or SSL services, authenticating logins, processing your requests, and supporting your account.
- Compliance with a legal obligation. Where we must process data to meet obligations under the laws of the Kingdom of Saudi Arabia — for example, retaining certain records, responding to lawful requests from competent authorities, and meeting breach-notification duties.
- Legitimate interests. Where processing serves a legitimate interest of Skyline Solutions or a third party that is not overridden by your rights — for example, securing our platform, preventing fraud and abuse, anti-spam and malware screening, rate limiting, maintaining audit logs, and improving service reliability. We balance these interests against your rights and freedoms.
How We Obtain Consent
Where we rely on consent, we obtain it in a way that is specific, informed, freely given, and based on an affirmative opt-in. We do not use pre-ticked boxes, and consent is never bundled as a condition of receiving a service that does not require it.
Before you consent, we tell you in clear language who is processing your data, for what purpose, and what the processing involves, so your decision is genuinely informed. Consent for one purpose does not imply consent for another; each distinct purpose is presented separately where appropriate.
- Specific: tied to a clearly stated purpose, not open-ended.
- Informed: accompanied by the information you need to understand what you are agreeing to.
- Freely given: a real choice, with no detriment for declining optional processing.
- Opt-in: requires a clear affirmative action by you, never assumed from silence or inactivity.
- Easy to withdraw: withdrawal is made as easy as giving consent, with no penalty.
Sensitive Data and Explicit Consent
Skyline Cloud is a hosting, email, DNS, and SSL platform and does not seek sensitive personal data in the ordinary course of providing its services. Sensitive data includes categories that reveal, for example, a person's racial or ethnic origin, religious or philosophical beliefs, health, genetic or biometric data, or criminal records, as defined under the PDPL.
Where any processing of sensitive data would occur and we are the responsible party, we will obtain your explicit consent for that specific processing, separate from any general consent, unless another lawful basis permitted under the PDPL applies. If you or your organization choose to store content within our services, you are responsible for ensuring you have a lawful basis — including explicit consent where required — for any sensitive data you place there.
How to Withdraw Your Consent
You can withdraw consent at any time, and we make withdrawal as easy as giving it. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal, and it does not affect processing that rests on a different lawful basis, such as performance of a contract or a legal obligation.
Once we receive your withdrawal, we stop the relevant consent-based processing without undue delay. You will not be penalized for withdrawing consent to optional processing, although some optional features that depend on that consent may no longer be available.
- Self-service preferences: adjust your consent and communication settings from within your account on the cloud portal at cloud.alskyline.com.
- Marketing emails: use the unsubscribe link included in each marketing message.
- By email: contact privacy@alskyline.com and we will action your request.
- Data Protection Officer: for any concern about how consent or lawful basis is applied, reach our DPO at dpo@alskyline.com.
Your Rights Under the PDPL
The lawful basis we rely on does not diminish your rights. Subject to the PDPL and its Implementing Regulations, you may exercise the following rights, which we handle through the contacts below:
- The right to be informed of the lawful basis and purpose of processing.
- The right to access your personal data we hold.
- The right to request correction of inaccurate or incomplete data.
- The right to request destruction of your personal data where the PDPL allows.
- The right to withdraw consent where processing is based on consent.
How We Protect the Data We Process
Whatever the lawful basis, we apply technical and organizational safeguards designed to protect your personal data. Our practices are built to align with the PDPL and recognized national frameworks; formal certification is assessed by the respective competent authority.
We keep customer data and backups in the Kingdom (Riyadh) only, with no off-shore backup provider. Public connections use TLS 1.2/1.3 only. Data is protected by encryption at rest at the infrastructure layer (AES-256) together with field-level application encryption for sensitive fields. SSL private keys are generated on a hardened node kept isolated from the mail and portal environment.
- Mandatory 2FA for all administrators, including tenant administrators, and key-only administrative access with password and root logins disabled.
- Per-tenant data isolation verified through automated tests, so one tenant's data is not exposed to another.
- Encrypted daily in-Kingdom backups with 30-day retention and database point-in-time recovery.
- Centralized authentication and administrative audit logging to record privileged activity.
- Anti-spam and anti-malware screening with SPF, DKIM, and DMARC, plus rate limiting against abuse.
- Automated internal compliance checks mapped to the PDPL and recognized national frameworks, and destructive database commands blocked in production.
Breach Notification
If a personal data breach occurs that may cause harm, we will notify the Saudi Data & Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware of it, in line with the PDPL. Where the breach is likely to cause harm to data subjects, we will also notify the affected individuals without undue delay.
Suspected security issues can be reported to security@alskyline.com.
Contact and Governing Law
For questions about lawful basis, consent, or your rights, contact our privacy team at privacy@alskyline.com or our Data Protection Officer at dpo@alskyline.com. Legal notices may be sent to legal@alskyline.com.
This document and our processing of personal data are governed by the laws of the Kingdom of Saudi Arabia, and any dispute is subject to the jurisdiction of the competent courts of Riyadh. We may update this document from time to time; the version published on our site is the current one.