Privacy Policy

Arkan Capital Advisors ("Arkan", "we", "us") is the controller of personal data collected through arkanlimited.com and through our advisory relationship with you. We are a joint-stock company incorporated in the Kingdom of Saudi Arabia, licensed by the Capital Market Authority (CMA License 23-09871), with registered office at Al-Faisaliah Tower, Floor 24, King Fahad Road, Riyadh.

This Policy is issued in accordance with the Saudi Personal Data Protection Law issued by Royal Decree M/19 dated 9/2/1443H, its Implementing Regulations, and guidance issued by the Saudi Data and Artificial Intelligence Authority (SDAIA).

We process the categories of personal data necessary to deliver licensed investment advisory services and to comply with our regulatory obligations, including:

• Identification data — full name, national ID or Iqama number, passport, date and place of birth, nationality, photograph.
• Contact data — residential and mailing addresses, telephone numbers, email addresses.
• Financial data — source of wealth, source of funds, bank account details, transaction history, portfolio holdings, tax residency.
• Suitability data — investment objectives, risk tolerance, knowledge and experience, financial situation.
• Regulatory data — PEP and sanctions screening results, adverse media checks, beneficial ownership.
• Digital data — IP address, device identifiers, browser metadata, portal access logs, and audit trails of secure messages.

We process personal data for the following purposes, in each case relying on a lawful basis under PDPL Article 6:

• Performance of contract — opening and operating your advisory mandate, executing instructions, reporting and billing.
• Legal obligation — KYC, CDD and enhanced due diligence under the Saudi Anti-Money Laundering Law and CMA AML rules; record-keeping; regulatory reporting to the CMA, SAMA, ZATCA and SAFIU.
• Legitimate interests — fraud prevention, information security, internal audit and risk management, subject to a balancing test.
• Consent — direct marketing communications and non-essential cookies, which you can withdraw at any time.

We do not sell personal data. We share it only with:

• Saudi regulators and government authorities (CMA, SAMA, ZATCA, SAFIU, MoCI) where required by law or pursuant to a lawful request.
• Custodians, brokers, fund administrators and exchanges (including Tadawul) strictly to execute and settle your instructions.
• Vetted service providers acting as data processors under written contracts — including cloud hosting, KYC and sanctions screening, secure document signing, and external auditors and legal counsel — all bound by confidentiality and security obligations.
• Acquirers or successors in connection with a corporate transaction, subject to equivalent protection.

Personal data is hosted primarily within the Kingdom of Saudi Arabia. Where data must be transferred outside the Kingdom (for example, for sanctions screening or international custody), we rely on an SDAIA-approved transfer mechanism, undertake a documented transfer impact assessment, and impose contractual safeguards on the recipient.

Client records are retained for ten (10) years following the end of the advisory relationship, in line with CMA record-keeping requirements. KYC and AML records are retained for ten (10) years from the date of the transaction or relationship end as required by the Saudi AML Law. Marketing data is retained only while you maintain a valid consent. Data is securely deleted or anonymised at the end of the applicable retention period.

Subject to the limits set out in the PDPL and its Implementing Regulations, you have the right to:

• Be informed of the legal and actual basis for processing your data.
• Access your data and obtain a copy in a clear and readable format.
• Request correction, completion or updating of inaccurate data.
• Request destruction of data that is no longer required for the original purpose.
• Withdraw consent for any processing based on consent.
• Lodge a complaint with SDAIA if you believe your rights have been violated.

Requests should be addressed to our Data Protection Officer at privacy@arkanlimited.com. We will respond within thirty (30) days of receipt of a verifiable request.

We apply administrative, technical and physical safeguards proportionate to the sensitivity of the data we hold, including TLS 1.3 in transit, AES-256 encryption at rest, multi-factor authentication on all internal and client-facing systems, least-privilege access controls, immutable audit logging, continuous monitoring and annual third-party penetration testing. Personnel are bound by confidentiality and receive annual data-protection and AML training.

arkanlimited.com uses strictly necessary cookies for session management and security, and (with your consent) analytics cookies that help us understand aggregate usage. We do not use third-party advertising cookies. You can manage your cookie preferences through your browser settings or our on-site cookie banner.

Our services are intended for individuals aged eighteen (18) and above. We do not knowingly collect personal data from minors except where strictly necessary for estate-planning instructions issued by a qualified guardian.

We may update this Policy from time to time to reflect changes in law, regulation, or our practices. Material changes will be notified to clients in writing and the "Last updated" date above will be revised. Continued use of our services after the effective date constitutes acceptance of the updated Policy.

Data Protection Officer
Arkan Capital Advisors
Al-Faisaliah Tower, Floor 24, King Fahad Road, Riyadh 12211, KSA
privacy@arkanlimited.com · +966 11 455 0000