(A) Privacy Policy

Applicable Law

SurePay adheres to all policies and procedures issued by the Central Bank and any directives regarding compliance with regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) and the National Data Protection Office.

Any disputes arising regarding these terms, or any violations thereof, or disputes arising therefrom, or any actions that may harm the company's reputation, are subject to the jurisdiction of the courts of the Kingdom of Saudi Arabia in accordance with applicable laws. SurePay reserves the right to take legal action against any user or any other person outside Saudi Arabia in the competent courts of the countries where they are located, if the user resides outside the Kingdom or if information indicates their presence in a specific country, granting that country jurisdiction even if the residence is temporary. Users are prohibited from filing any lawsuit against SurePay outside the Kingdom of Saudi Arabia.

All terms outlined in the Terms of Use and Privacy Policy are considered complementary to one another. If any of these terms is invalidated for any reason, the remaining terms and conditions will remain in effect and binding on the user.

Company Rights (SurePay)

Right to Collect Personal Data

SurePay reserves the right to collect personal data directly from the individual or, when necessary, from a third party to serve legitimate interests. It ensures that only the minimum necessary data is collected to fulfill “Know Your Customer” requirements mandated by the Saudi Central Bank, adhering to Article 10 of the Law, which states: Personal data must be collected directly from its subject and processed solely for the intended purpose. However, data may be collected from sources other than the individual, or for purposes other than initially intended, under specific circumstances:

1. With the explicit consent of the Personal Data Owner, per the Law.
2. If the personal data is publicly available or obtained from a public source.
3. When a public authority collects or processes the data for public interest, security purposes, compliance with other laws, or to fulfill judicial requirements.
4. If adhering to this restriction would harm or adversely affect the vital interests of the Personal Data Owner.
5. When data collection or processing is necessary to protect public health, safety, or the life or health of a specific individual(s).
6. If the data is not stored in a manner that enables direct or indirect identification of the Personal Data Owner.
7. When collection or processing serves legitimate interests without infringing on the Personal Data Owner’s rights or conflicting with their interests, provided that the data is not classified as sensitive.

The company may verify data provided by accredited third parties.

Right to Disclose Personal Data

SurePay may disclose personal data under the provisions of Article 15 of the Law, which states that data may only be disclosed in the following cases:

1. With the Personal Data Owner’s consent, in accordance with the Law.
2. If the personal data was obtained from a public source.
3. If the requesting party is a public authority, and the disclosure serves the public interest, security purposes, compliance with other laws, or judicial requirements.
4. When necessary to protect public health, safety, the life, or health of a specific individual(s).
5. If the disclosure involves processing in a manner that does not lead to the identification of the Personal Data Owner or any specific individual.
6. When necessary to serve legitimate interests without infringing on the Personal Data Owner’s rights or conflicting with their interests, provided that the data is not sensitive.

Article 16 specifies conditions under which data disclosure is prohibited, including when:

1. It poses a risk to national security or damages the reputation or interests of Saudi Arabia.
2. It affects the country’s relations with another state.
3. It could impede the detection of a crime, undermine a suspect’s right to a fair trial, or impact ongoing legal proceedings.
4. It endangers the safety of an individual(s).
5. It violates the privacy of a third party.
6. It conflicts with the interests of a person lacking legal capacity.
7. It breaches professional confidentiality requirements.
8. It conflicts with a legal obligation, procedure, or court ruling.
9. It reveals a confidential information source whose disclosure is against the public interest.

SurePay also commits to informing the Personal Data Owner in the event of a data breach, destruction, or unauthorized access, per Article 20, which states:

1. The data controller must notify the relevant authority when aware of any personal data breach, destruction, or unauthorized access, as prescribed by regulations.
2. The data controller must notify the Personal Data Owner if any breach, destruction, or unauthorized access could damage their data or conflict with their rights or interests, as prescribed by regulations.

Use of Data for Development and Marketing Purposes

SurePay retains the right to use personal data to enhance user experience, and to refine its marketing and advertising strategies. This data may be shared between the company’s website, its business partners, and affiliated entities for service provision, marketing, and advertising purposes.

Types of Data Collected

Data Voluntarily Provided by the User

Upon registering on SurePay website or any online platform, users are asked to provide their name, user ID, phone number, nationality, country of residence, and communication preferences.

When making requests through the website or sales representatives, the minimum necessary personal data is collected to fulfill "Know Your Customer" requirements set by the Saudi Central Bank. This includes: National ID number and a copy of it, Certificate of Incorporation (for companies), Commercial registration number and a copy containing the unified enterprise number, Authorization letter (for agents acting on behalf of the applicant), Freelance work certificate (for individuals), Municipal license, Proof of address certificate, Ownership deed or certified lease agreement (in specific cases for contracting), International Bank Account Number (IBAN).

For payment data, users may provide payment or credit card details (e.g., card number, cardholder’s name, expiration date). This data is shared with third-party payment service providers to complete the transaction, and only minimal information is stored to confirm the transaction or comply with applicable laws and retain a transaction reference number.

Additionally, calls or customer surveys conducted via official communication channels may be recorded for quality improvement and training purposes.

Data Provided by Third Parties

A user may be referred to or registered on the website by a third party, such as an agent. In such cases, the user’s personal data will be provided to SurePay by the third party in accordance with the information mentioned in section (A) above.

Certain technical data may be collected automatically, such as browser type, operating system, IP address, unique device identifiers, and device type. Location data may also be collected to understand customer traffic patterns, enhance user experience, and protect against fraud. Additionally, site preferences and time spent browsing are recorded to improve website productivity.

Upon submitting requests and providing required data or voluntary credit information, SurePay may verify data through trusted external parties, such as the National Unified Access “Nafath” (upon client consent), the Ministry of Commerce’s commercial registration, or through the Wathq service (for commercial registration verification).

Data Not Voluntarily Provided by the User

The website includes features that allow users to refer it to others, such as friends or family. In such cases, the names, contact details, emails, and phone numbers of these individuals will be collected and managed by SurePay for service provision, marketing, and advertising purposes, in accordance with this policy.

SurePay may also receive information about users from other services, such as social networks (e.g., Facebook, X). This includes specific data shared when using these services to sign into SurePay. Additionally, advertisers, developers, publishers, affiliate partners, and other third parties may also share data with SurePay to enhance advertising targeting and measure ad performance.

Data Collection Mechanism

Personal data is collected when a user registers on SurePay website, initiates transactions, or is referred to by a third party.

Users may browse SurePay website anonymously in certain cases; however, some site features (e.g., transaction processing) are accessible only after logging in with a username and password. All personal data provided to SurePay is voluntarily given by the users, with purposes including:

1. Personal data is used to keep users informed about SurePay updates, events, products, and strategies.
2. It aids in developing SurePay website, products, and marketing strategies according to user preferences and experiences. It also enhances site security and user protection against fraud, malware, and phishing.
3. Personal data helps verify users’ identities, identify suitable services and features, and personalize their experience on the site.
4. It is also used to send important notifications, such as updates to SurePay policies, transaction alerts, or notifications about unexpected incidents like site outages or fraud attempts.
5. Personal data is essential for service delivery, meeting regulatory requirements, providing support, answering queries, investigating suspected violations of terms, and addressing illegal activities.
6. Personal data supports SurePay auditing for target markets and audience profiling, without revealing user identities unless legally required. Audit-generated data is anonymized for statistical purposes.
7. Personal data may be used for managing offers and competitions on the website, with user consent. Users may unsubscribe from emails or promotional content anytime.

Data Retention

SurePay allows users to access and copy their personal data on request. Data collection is limited to user-provided information before transaction processing. Users may modify their saved personal data, with SurePay ensuring accuracy and compliance with applicable regulations throughout service delivery. While security measures are in place, full internet security cannot be guaranteed. Data retention follows the Saudi Central Bank’s payment system regulations, emphasizing user rights under the law.

For inactive or deleted accounts, data is retained for legal and business purposes, such as fraud prevention and dispute resolution.

Non-Personal and Sensitive Data

SurePay uses cookies, web beacons, and similar technologies on its website. Refer to the cookie policy for details:

1. SurePay may collect non-personal information, like users' IP address, function, language, preferences, and time zone, to understand customer behavior and improve service quality.
2. User search history and website activity may also be collected to tailor content to user interests and enhance search response.

When making transactions on SurePay website, users may need to provide credit or debit card information. Transaction details are securely processed without being stored. SurePay complies with SSL certification standards and the Saudi Central Bank’s regulations for secure data handling. SurePay neither accesses nor uses sensitive information like credit/debit card details or banking transaction records. All payments are handled by secure, external servers. When non-personal data is used with personal data, SurePay treats it as personal data according to its policies.

Sharing of Personal Data

SurePay may share your personal data, as necessary, for the following purposes:

1. According to the Data Sharing Policy issued by the National Data Management Office, our company commits not to share your personal data with non-governmental entities unless they are authorized to perform specific pre-agreed services or upon obtaining your explicit consent. This commitment is a fundamental clause in all contracts to ensure that partner entities comply with data protection laws.
2. Sharing with Governmental or Private Entities: SurePay may share necessary personal data with governmental or private entities for specific purposes based on legal grounds or justified operational needs, aiming to serve public or personal interests without compromising national interests, the activities of entities, individual privacy, or environmental safety. This excludes data and entities exempted by royal decrees.
3. Compliance with Regulations and Legal Requirements: SurePay may disclose data to comply with applicable laws, regulations, or governmental, security, or judicial requests (e.g., court orders, subpoenas, search warrants, or similar requests), or to protect our legal rights.
4. Enforcing Terms and Investigations: SurePay may share data to enforce its terms and other applicable policies, including for investigations of potential violations or suspected fraud, intellectual property infringement, or any illegal activities that might expose SurePay to legal liability.
5. Protection of Rights, Privacy, and Safety: To protect our rights, privacy, property, or the safety of our users or SurePay website, we may share data to prevent, detect, and address fraud, security issues, legal issues, and technical problems, or to protect the rights or safety of users and others. This may involve sharing data with other companies and organizations for fraud protection and credit risk reduction.
6. Business Partners: SurePay may share personal data with its business partners with whom it collaborates to provide services, taking into account legal requirements for attribution. This includes facilitating order requests and implementing support services, such as technical support or processing online payment transactions.
7. Secure Data Sharing with Third Parties: When sharing your personal data with any third party, SurePay ensures it is done within a secure and reliable environment in compliance with related laws and policies. We are committed to taking additional steps to protect your data by signing a data-sharing agreement between SurePay and third parties under specific terms and conditions that align with data-sharing principles.

Disclosure to Third Parties and Third-Party Websites

SurePay may disclose personal data to its strategic partners and affiliates as permitted by applicable law or based on legal grounds. Data will not be shared for non-marketing purposes.

Users should be aware that in certain circumstances under the law, SurePay may be legally obligated to disclose personal data in response to legal or governmental requests. Users may not claim compensation unless there is direct harm. The company also reserves the right to disclose data to enforce terms and conditions, protect identity and security, or in the event of a merger, restructuring, or acquisition. Furthermore, SurePay services may contain advertisements and links to other websites, so please review SurePay "Cookie Policy" for more details.

SurePay only shares personal data with third parties as explicitly outlined in this policy. If third-party websites require users to provide personal information, users acknowledge that this information is provided voluntarily and agree to indemnify SurePay from any claims or liabilities arising from the use of this data by those websites. To mitigate liability, SurePay reserves the right to use the following tools:

• User Data Analysis Tools
• Tracking and Analytics Tools
• Website Performance Monitoring Tools

Personal Data Owner’s Commitment to Privacy

The Personal Data Owner plays a crucial role in protecting their data by taking the following measures:

• Regularly reviewing updated privacy policies, terms, and conditions, keeping personal data current, and managing privacy preferences.
• Controlling and updating marketing preferences, verifying the source of links before opening them, and checking the sender’s name before opening any notifications or links.
• Refraining from disclosing passwords, security codes, account information, or personal data to anyone and avoiding responses to calls or websites that collect personal data without verifying the contact's legitimacy. SurePay will never request such information.
• Choosing how to handle cookies and understanding how they work, along with other tracking technologies.
• Logging out at the end of each session, especially when using devices belonging to others or in public internet locations.

SurePay disclaims liability for any unauthorized access to personal data due to the Personal Data Owner’s failure to maintain data confidentiality.

Protection of Personal Data

SurePay is committed to implementing a range of security measures, including encryption and authentication technologies, to protect personal data and maintain its confidentiality, ensuring no unauthorized party can access it. Users are encouraged to take necessary precautions when browsing the internet and avoid sharing sensitive information, such as passwords or security codes, with anyone. Periodically changing passwords, using a mix of characters and numbers, and ensuring a secure browser are recommended for online safety.

SurePay regularly trains its employees, representatives, and affiliates on privacy and security policies to uphold strict privacy standards across all levels. Only specially trained SurePay representatives handle personal data, and the company stays updated with relevant regulatory changes in Saudi Arabia.

Please note that SurePay employees will never ask for personal data, passwords, or credit card information for any purpose. If you receive such a request, do not respond or share any information. Instead, contact us immediately to report the incident. If you suspect a security breach in your account or believe someone else is using it without authorization, please notify us immediately through our official communication channels.

SurePay may update its policies periodically. Any changes or updates become effective immediately. Users are advised to regularly review policies on the website and other SurePay-managed online platforms.

Response to Data Breaches

SurePay will notify users within a maximum of 72 hours (about 6 days) after becoming aware of any incident or intrusion resulting in a data breach. The notification will be sent via email or any other available means to help users take timely preventive actions. SurePay will also provide full support to users affected by a data breach to exercise their right to seek compensation against the breach and its perpetrators. It is understood that SurePay will not be financially liable to the user for any reason unless the breach was caused intentionally by SurePay or its representatives.

In cases where a data breach or leak occurs through a third party, SurePay is not legally responsible for the incident, and no legal recourse can be taken against SurePay.

Notifications, Marketing Messages, and Alerts

As previously mentioned, collecting your personal data helps improve service quality and user experience and serves marketing and promotional purposes. By providing any of your contact details, you consent to receiving marketing or promotional messages. If you do not wish to receive such messages or participate in advertising customization programs, you can opt-out via your account settings on the website or by clicking the “unsubscribe” link at the bottom of each email or by contacting our Customer Service Center by phone.

Notifications and alerts are essential services that cannot be disabled except in the event of account termination or the end of the relationship with the company, as these alerts contain important account-related information or service impact notifications. Therefore, these messages are a core component of our provided services.

Visiting the Website from Outside the Kingdom

The user acknowledges and agrees that using SurePay website is, always, subject to the regulations of the Kingdom of Saudi Arabia (“applicable law”). When accessing SurePay website from outside the Kingdom, user data will be collected and stored per this Privacy Policy and other related SurePay policies (such as the Cookie Policy). The user understands this without making claims regarding differences in data protection or cybersecurity legislation between Saudi Arabia and the country of access.

Cross-Border Data Transfers

In accordance with applicable laws, your personal data will be stored and processed securely within Saudi Arabia’s geographic borders to maintain national digital sovereignty over this data, except in cases where data transfer or processing outside the Kingdom’s borders is specified in Article 29 of the Personal Data Protection Law.