Data Retention
Skyline Cloud is a Kingdom of Saudi Arabia cloud hosting, business email, DNS, and SSL service operated by <strong>Skyline Solutions</strong> in Riyadh. This page explains how long we keep personal and operational data and when we delete or anonymize it. Our guiding principle is simple: <strong>we keep personal data only as long as necessary for the purpose for which it was collected</strong>, after which it is securely deleted or anonymized. All customer data and backups are hosted <strong>in-Kingdom (Riyadh)</strong> only, with no off-shore backup provider. This summary is provided for transparency and is governed by the laws of the Kingdom of Saudi Arabia.
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
Our Retention Principle
We collect and keep personal data for defined, legitimate purposes such as operating your account, delivering hosting, email, DNS, and SSL services, processing billing, securing our platform, and meeting our legal obligations. We keep personal data only as long as necessary for the stated purpose.
When data is no longer needed for its purpose, and no legal obligation requires us to keep it, we securely delete it or anonymize it so it can no longer identify an individual. Retention periods differ by data type, as set out in the schedule below.
Our practices are designed to align with the Saudi Personal Data Protection Law (PDPL) and applicable regulatory expectations. Formal certification or accreditation against any standard is assessed by the respective competent authority.
Summary Retention Schedule
The following is a high-level summary of how long we keep the main categories of data. Specific periods may vary where a longer or shorter retention is required by law or by the technical nature of the data.
- Account & contact personal data (name, email, contact details, account profile): retained for the life of the account while it remains active.
- Closed accounts: personal data is retained for 30 days after closure to allow recovery and final administration, then deleted.
- Billing & tax invoices: retained for the period required by Saudi tax law as administered by ZATCA (the Zakat, Tax and Customs Authority).
- Server & security logs: retained for a defined period and then purged or anonymized.
- Backups: rolling 30-day in-Kingdom retention of encrypted daily backups, after which older backup data ages out.
Legal Holds & Overrides
A legal hold or a legal obligation can override the default deletion trigger. Where we are required to preserve data to comply with a law, a regulatory or tax requirement, a court order, or to establish, exercise, or defend a legal claim, we will retain the relevant data for as long as that obligation applies — even beyond the standard periods above.
Once the legal hold or obligation ends, the data returns to its normal retention schedule and is deleted or anonymized accordingly.
How Retained Data Is Protected
Throughout its retention, data is protected by technical and organizational safeguards. The following controls are in place today:
- In-Kingdom hosting only: all data and backups are stored in Riyadh, with no off-shore backup provider.
- Encryption in transit: public endpoints use TLS 1.2/1.3 only.
- Encryption at rest: AES-256 at the infrastructure layer, plus field-level application encryption for sensitive data.
- Encrypted daily backups kept in-Kingdom with 30-day retention, plus database point-in-time recovery.
- Strong access control: mandatory two-factor authentication for all administrators including tenant admins, and key-based server access only (interactive password and root-password logins disabled).
- Isolation: per-tenant data isolation verified by tests, and SSL private keys generated on a hardened node kept separate from the mail and portal environment.
- Monitoring & integrity: centralized authentication and administrative audit logging, anti-spam and anti-virus filtering, SPF/DKIM/DMARC email authentication, rate limiting, and blocking of destructive database commands in production.
Regulatory Alignment
Our retention and security practices are built to align with the Saudi Personal Data Protection Law (PDPL) and relevant national frameworks, including the National Cybersecurity Authority Essential Cybersecurity Controls (NCA-ECC) and Cloud Cybersecurity Controls (CCC), and — where applicable to relevant customers — expectations associated with CMA and SAMA. We operate an automated internal compliance check mapped to these frameworks.
These statements describe our design and operating intent. They are not claims of certification, audit, or guaranteed compliance; formal certification is assessed by the respective authority.
In the event of a personal data breach, where harm is possible we will notify the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware, and will inform affected data subjects without undue delay.
Your Rights & Requesting Deletion
Subject to Saudi law, you may request access to, correction of, or deletion of your personal data, and you may close your account. Where a request would conflict with a legal retention obligation (for example, tax invoices) or an active legal hold, we will retain only the data we are required to keep and delete the rest under our normal schedule.
To exercise your rights or ask about this policy, contact our privacy team at privacy@alskyline.com or our Data Protection Officer at dpo@alskyline.com.
Contact & Governing Law
This Data Retention summary is provided by Skyline Solutions, Riyadh, Kingdom of Saudi Arabia, operator of Skyline Cloud (cloud.alskyline.com; marketing at alskyline.com).
Contacts: privacy privacy@alskyline.com, Data Protection Officer dpo@alskyline.com, security security@alskyline.com, legal legal@alskyline.com.
This policy is governed by the laws of the Kingdom of Saudi Arabia, and any dispute arising from it is subject to the jurisdiction of the courts of Riyadh. We may update this summary from time to time; the current version is published at cloud.alskyline.com.