Spectrum HUB — Privacy Policy

1) Scope

This Policy applies to personal data processed by Spectrum HUB (the “Company”, “we”, “our”, “us”) via:

Our websites (e.g., spectrum-hub.sa) and customer portals;
Mobile apps and cloud services for smart homes, buildings, and hotels;
IoT devices, gateways, sensors, intercoms, smart locks, and related systems we supply or support; and
Sales, marketing, events, and customer support interactions.

Where we act for a building owner, developer, hotel, or system integrator, we generally process personal data as their processor. Where we determine purposes and means, we act as a controller.

2) Data We Collect

Identity & Contact

Full name, national ID/passport (where legally required), job title, company name
Email, phone number, postal address
Account credentials (hashed), profile photo (optional)

Device & Technical

Device identifiers, IP address, OS & app versions
Network identifiers (e.g., SSID name), gateway IDs
Diagnostics, crash logs, performance and telemetry data

Usage & Access

Event logs (e.g., lock/unlock events, scene triggers)
Role and permission settings, audit trails
Time stamps, approximate location (if enabled)

Environment & Sensors

Temperature, humidity, energy, occupancy (where installed)
Video, audio, intercom recordings/streams (only if enabled)
Alarms, fault, and maintenance alerts

Commercial & Support

Orders, invoices, contracts and property/unit identifiers
Support tickets, phone recordings (where permitted), correspondence
Marketing preferences and event registrations

Hotel/Operator-Provided

Guest name, check‑in/out times, room/unit assignment
Digital key issuance and access history
Integration data from PMS/BMS/third‑party platforms

Sensitive data: We do not seek to collect sensitive personal data unless required by law or necessary for safety and security. Do not provide such data unless requested for a lawful purpose.

3) How We Use Personal Data

Operate our IoT platform, apps, and services;
Commission devices, provision users, and manage roles/permissions;
Enable automations, remote access, and notifications you configure;
Ensure safety, security, and fraud prevention (e.g., access logs, anomaly detection);
Provide customer support, maintenance, and warranty services;
Improve quality, reliability, and performance through analytics;
Send service communications and—where permitted—marketing updates (opt‑out available);
Comply with applicable laws and enforce our agreements.

We do not sell personal data.

4) Our Legal Bases (PDPL)

Under the Personal Data Protection Law (PDPL) of Saudi Arabia, we process personal data only where a legal basis applies, including:

Consent for specific processing (e.g., certain analytics, marketing, optional features);
Contract to provide services you request and to perform our agreements;
Legal obligations applicable in KSA;
Legitimate interests such as platform security, quality, and service improvement, balanced against your rights.

When we act as a processor for a customer (e.g., building owner, hotel), that customer is responsible for establishing a valid legal basis and providing required notices to end users.

6) International Data Transfers

We aim to host and process personal data in the KSA whenever feasible. If data is transferred outside the KSA, we apply PDPL requirements (including transfers based on necessity, adequacy, or safeguards) and implement contractual and technical measures to protect your data.

7) Data Security

Encryption in transit (TLS) and at rest where applicable;
Role‑based access control, strong authentication, and audit logging;
Network segmentation and vulnerability management;
Zero‑trust and least‑privilege principles across cloud and IoT components;
Vendor risk management and data processing agreements.

No system is 100% secure. We maintain, test, and improve safeguards, and we will notify relevant parties of incidents as required by law.

8) Data Retention

We keep personal data only as long as needed for the purposes described or as required by law. Typical retention periods include:

Account and contractual records: duration of the relationship + 5 years (or as required by law);
Access/event logs: 12–24 months (configurable by customer);
Intercom/video recordings: default 7–30 days (if enabled; configurable);
Support tickets: 3 years after closure.

We may anonymize data for statistical and reliability analysis.

9) Your Rights (PDPL)

Subject to PDPL and any applicable exemptions, you may have the right to:

Be informed about processing activities;
Request access to your personal data;
Request correction, update, or deletion;
Request destruction when the purpose ends;
Withdraw consent (where consent is the legal basis);
Lodge a complaint with the competent authority in KSA.

To exercise your rights, see Contact below.

10) IoT‑Specific Notices

Placement & Signage

Where cameras, intercoms, or sensors are used, operators should display appropriate notices to occupants and visitors as required by law.

User Roles

Administrators can invite users and assign roles. Access is limited to necessary functions (e.g., front‑desk staff vs. facility managers).

Guest Data

In hotel and short‑stay contexts, digital keys and access logs may be processed by the property as controller. Guests should contact the property for privacy requests.

Third‑Party Integrations

When you connect third‑party services (e.g., PMS/BMS, voice assistants), their privacy policies apply to that processing.

11) Cookies & Similar Technologies

We use necessary cookies to operate our services. With your consent, we may use analytics and performance cookies to improve features. You can manage preferences in your browser or via in‑product settings where available.

12) Children’s Privacy

Our services are not directed to children. We do not knowingly collect personal data from children without the consent of a parent or legal guardian when required by law.

13) Changes to This Policy

We may update this Policy from time to time. If changes are material, we will provide additional notice (e.g., via email or an in‑app notification). The “Last updated” date reflects the latest revisions.

14) Contact

Controller: Spectrum HUB (Legal entity: [Insert registered legal name])

Address: Advance Business Center, Al Sharafeyah, Jeddah 22234, Saudi Arabia

Email: info@spectrum-hub.sa • Support: system@spectrum-hub.sa

Phone: +966 53 399 4388

Data Protection Contact: dpo@spectrum-hub.sa (or your appointed representative)

15) Definitions

Controller: Entity that determines the purposes and means of processing personal data. Processor: Entity that processes personal data on behalf of a controller. Personal Data: Any data that identifies or renders a person identifiable. PDPL: Saudi Personal Data Protection Law and its implementing regulations.