1. Privacy Notice
1.1. Overview
We take our obligations under KSA data protection regulations very seriously and we’re committed to keeping your personal data secure. The Personal Data Protection Law (PDPL) imposes obligations on us as a “data controller” when we collect, hold, amend, share, or otherwise use or erase/destroy (collectively referred to as “processing”) your personal data. It also gives you, as the “data subject”, rights over your personal data.
One such obligation is to process your personal data fairly, lawfully, and in a transparent manner. This privacy notice is designed to help you understand what personal data we hold, why it is required, and how it is used. It also sets out some of your legal rights.
1.2. To Whom This Privacy Notice Applies
This privacy notice explains how we will use the personal data of:
- Anyone who asks for a decision in principle on whether we would grant a loan to them.
- Anyone who applies for or takes out a loan with us or has had a loan administered by us.
- Anyone who becomes or applies to become a party to an existing loan.
- Anyone who does or may guarantee a loan with us.
Each such person is referred to as “you” and “your” in this privacy notice.
1.3. How We Collect Your Personal Data
We may receive personal data from various sources, including directly from the data subject and from other individuals who represent the data subject during the collection process. We also collect personal data provided by customers through application forms, identification documents, and financial statements.
A. Data Collected Directly from the Data Subject
This includes personal data that you provide to us voluntarily through various means, such as:
- Completion of physical or electronic application forms (e.g., e-forms with fields, drop-down lists, checkboxes, and radio buttons)
- Submission of identification documents (e.g., national ID, passport)
- Provision of financial statements or supporting documents
- Direct communication with our staff through phone calls, in-person meetings, or emails
These data are collected to process applications, provide services, or comply with legal and regulatory obligations.
B. Data Collected Indirectly
This includes personal data that we obtain without direct interaction with you, through means such as:
- Cookies and tracking technologies used on our websites or mobile applications
- Website analytics tools that collect usage and interaction data (e.g., pages visited, time spent)
- Log data captured automatically when using our digital services (e.g., IP address, device type)
- Data sharing or interconnection with third parties or service providers (e.g., financial institutions, government platforms), where such third parties are authorized to share your personal data with us
All indirect collection methods are implemented in accordance with the PDPL and applicable regulations, ensuring that the rights of the data subject are respected.
1.4. Personal Data We Collect
Dar Al Tamleek holds various personal information in relation to its clients, including (but not limited to) any of the following:
- Account Data: (Key data collected directly from the user to create an account or personal file, such as full name, National ID/Iqama Number, date of birth, nationality, PIN, addresses, and contact numbers).
- Payment Data: (Data collected for payment purposes, such as bank card number, payment amounts, etc.).
- Data obtained from other parties.
- Cookies Data: (Data collected by website logs, cookies or similar technologies).
- Location Data: The company shall also inform the Data Subject whether collection of this data is mandatory or optional for processing purposes.
Providing personal data is essential for DAT to offer certain services and fulfill our obligations under the law. If you choose not to provide the mandatory personal data required for specific purposes, you may experience consequences which include inability to access services and products offered by DAT.
1.5. Purpose of Processing
Personal data may be used to:
- Consider a customer's application for a loan or decision in principle.
- Manage our relationship with a customer, provide and administer the loan and other products and services they have with the company.
- Ensure that we have the information we need to consider a customer's application or decision in principle and administer the account and ensure that other authorized persons have the information they need.
- Identify and prevent financial fraud.
- Comply with legal and regulatory requirements.
Personal Data will not be subsequently processed in a manner inconsistent with the Collection purpose.
1.6. Where Personal Data Is Processed
Information that you provide us is stored in our secure servers located in the Kingdom of Saudi Arabia (KSA) and is processed by staff located in KSA. DAT has also implemented adequate technical and organizational measures to protect your Personal Data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing, incidents of leakage, damage, or illegal access, including, but not limited to, the use of data encryption, anonymization, and coding methods.
We have also put in place appropriate security measures to notify you and the competent authority of any breach as required by applicable law.
1.7. How Long Personal Data Is Kept For
We will retain information about you for the period necessary to fulfill the purposes for which the data was collected. After that, we will anonymize or delete it. To ensure the security of your data, we implement stringent technical and organizational measures to protect it from unauthorized access or disclosure.
The retention period may vary depending on the purposes for which the information was collected. Where a specific legal or regulatory requirement applies to your information, we will retain it for at least the period of time specified in such a legal or regulatory requirement.
1.8. How do we disclose your Personal Data
We may, as required for the purposes listed in Section 5 above, disclose your personal data to third parties inside the Kingdom of Saudi Arabia. Such disclosure may occur either occasionally (on a one-time basis), or regularly (on a recurring basis), depending on the nature and necessity of the processing activity. The personal data may be disclosed to the following categories of organizations:
- Our professional advisors or other contractors who provide us with data processing, professional or management services, such as Customer Relationship Management Platforms.
- Suppliers, subcontractors, business partners in the IT sector or other third parties involved in the management of our business;
- Any legitimate interest purposes (e.g. managing operational activities); and
- Any applicable regulatory authorities (governmental and other public bodies, for example, SAMA, Real Estate Development Fund, etc.) or other third parties as could be required by law or in accordance with other regulatory obligations or policies applicable to us or to you (e.g. Absher, GOSI, etc).
We may disclose your personal data in the following cases:
- You consent to the disclosure.
- Your personal data has been collected from a publicly available source.
- The entity requesting disclosure is a public entity, and the collection or processing of your personal data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
- The disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
- The disclosure will only involve subsequent processing in a form that makes it impossible to directly or indirectly identify you.
- The disclosure is necessary to achieve our legitimate interests (in this case no sensitive data (e.g. health data) will be processed).
When providing your personal data to legal entities with whom we have contractual relations, we request a confirmation of the security measures these legal entities take to protect the personal data we provide. We do not share the personal data with public authorities or other third parties without a proper lawful request of the authorities.
We make best efforts to ensure we have relevant contractual agreements in place with the parties with whom we share your personal data and that they comply with the data protection requirements of DAT.
1.9. Data Minimization
Personal Data must be adequate, relevant, and limited to what is absolutely necessary for the purpose of the collection and processing.
Controls:
- You can only collect and process Personal Data where your job duties require so. You cannot collect and process Personal Data for any reason unrelated to your job duties.
- You must not collect any additional data.
- You must ensure the Personal Data collected is adequate and relevant to the intended purpose. When Personal Data is no longer needed for the specified purpose, it should be deleted, anonymized, or masked subject to SAMA documents and Record Retention instructions unless an exception applies. These exceptions include if there is legal justification or if the Personal Data is closely related to a case being heard before the courts or an internal investigation.
Additionally, in accordance with the data minimization principle set out in the PDPL, DAT must collect only the minimum amount of Personal Data necessary to achieve the purpose of the processing, and must ensure the following:
- DAT collects only the necessary Personal Data that is closely and directly related to the purpose of processing the data, which is determined through the use of appropriate means, including Records of Processing Activities (RoPA) that indicate the need for each collected data and linking it to each purpose of processing or other means, and
- DAT provides necessary care to achieve the purpose of the processing without collecting unnecessary Personal Data.
- DAT shall practice the principle of data minimization by analyzing what Personal Data is being captured, what the associated risks to individuals are and how these risks can be mitigated through a robust DPIA policy and procedure. Where a risk is identified to an individual, one of the mitigation techniques will be to minimize what data is being collected through full consideration of the necessity of collection of each Personal Data type to ensure that Personal Data collected is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
1.10. Legal Basis of Processing
In accordance with the Personal Data Protection Law, the legal basis on which we rely in processing such data is:
- Your consent: The most common legal basis for processing personal data is obtaining your consent. This means that you must clearly agree to the use of your personal data for specific purposes, and this consent must be verifiable. If processing involves sensitive data or credit data, or if automated means are used for processing, explicit consent is mandatory under PDPL.
- In fulfillment of any contractual obligation necessary for the performance of a contract to which you are a party.
- Sometimes, certain personal data may be processed to comply with legal obligations.
- Vital Interests: This allows for processing data when it is necessary to protect your vital interests, such as life-threatening situations where it is impossible to obtain consent in time (e.g., in medical emergencies).
- Legitimate Interest: Processing may also be based on the legitimate interests of the data controller, as long as these interests do not infringe upon your rights as a data subject. Examples include fraud prevention, network security, or ensuring business continuity. However, sensitive data will not be processed based on legitimate interests.
1.11. Your Rights
You have several rights under PDPL in relation to the way we process your personal data:
- Right to be Informed: You have the right to be informed about the legal basis and the purpose of the collection of your personal data.
- Right to Access: The right to access the Personal Data held by Dar Al Tamleek.
- Right to Obtain Data in Readable Format: You have the right to request Personal Data held by Dar Al Tamleek in a readable and clear format.
- Right to Data Deletion: You have the right to request the destruction of the Personal Data held by Dar Al Tamleek when such Personal Data is no longer needed.
- Right to Timely Responses: DAT is obliged to respond to employee requests pertaining to their rights within specified timeframes and using specified methods.
- Right to Rectify Data: You have the right to request the correction, completion, or updating of the Personal Data held by Dar Al Tamleek.
- Right to Withdraw Consent: You have the right to withdraw your consent to process your Personal Data at any time, given that it shouldn’t affect processing on a legal basis.
- Right to Complaint: If you become aware of any privacy incident, you may submit a complaint to the competent authority within 90 days of the incident, including:
- Place and time of the violation;
- Information about the complained entity;
- Information about the party complained against; and
- Clear and specific description of the violation.
- Right to claim compensation for material or moral damage: You have the right to claim compensation for material or moral damage if harmed.
- DAT shall respond to Personal Data Requests or Complaints within 30 (thirty) calendar days from the date of receipt of the Personal Data Request or a Complaint. DAT may extend this timeline in case the response requires disproportionate effort (in the opinion of the DPO), or if DAT receives multiple requests from the same Data Subject.
- DAT may take additional time, but not more than a 30-day period. The Data Subject must be notified of the extension (including the reasons for it) without any delay after the decision on the extension is taken by the DPO.
DAT may refuse to fully or partially comply with the Personal Data Request or the Complaint in the following cases:
- A Personal Data Request or a Complaint is not based on any Data Subjects Right (e.g., the Personal Data Request or the Complaint is ungrounded or not relevant to Personal Data or any Data Subjects Rights, etc.);
- A Personal Data Request is repetitive (e.g., Data Subject submits the same Personal Data Request during the time period when no changes to the Personal Data in question took place); and
- A Personal Data Request requires disproportionate efforts in the opinion of the DPO (the opinion and reasoning for it shall be documented).
For further details regarding the processing of your Personal Data and how to exercise your rights, you can contact the Personal Data Protection Officer at DAT using the below-mentioned contact details:
Personal Data Protection Officer:
Name: Personal Data Protection Officer
Email: [email protected]
Phone Number: +966126065607 Ext: 1077
1.12. Security Measures
DAT shall define, document, and implement comprehensive administrative, technical, and organizational measures to protect Personal Data from leakage, damage, loss, unauthorized disclosure, or illegal access. At a minimum, these measures shall include:
- Data Encryption: Use of robust encryption standards for Personal Data in transit and at rest.
- Anonymization and Pseudonymization: Application of anonymization, pseudonymization, or coding methods where appropriate to reduce the risk of identifying Data Subjects.
- Access Controls: Implementation of role-based access controls, multi-factor authentication, and least privilege principles to restrict access to Personal Data.
- Monitoring and Detection: Deployment of monitoring systems and incident detection mechanisms to identify and respond to potential data security events.
- Regular Audits and Reviews: Periodic assessment of security controls, including testing, to ensure their continued effectiveness and alignment with legal, regulatory, and best-practice requirements.
These measures shall be reviewed and updated regularly to remain effective against evolving threats and to ensure compliance with the National Cybersecurity Authority (NCA) controls, the Saudi Central Bank (SAMA) Cybersecurity Framework, and recognized international standards.
1.13. Complaint or Objection Filing Method
If you have any concerns, or if we do not comply with the Personal Data Protection Law, you can file a complaint with the Data Protection Officer at the contact details given above. If you are dissatisfied with how we process your data, or if we fail to respond within 30 days, you can file a complaint with the Competent Authority, SDAIA, at the address below:
Kingdom of Saudi Arabia, Riyadh.
Website: Saudi Data & AI Authority (sdaia.gov.sa)
National Data Governance Platform “DGP” (dgp.sdaia.gov.sa).
1.14. Changes to Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We will also notify you in other ways from time to time about the processing of your personal information.
2. Cookie Notice
2.0 Use of Cookies
2.1 Why do we use cookies?
We use a limited number of cookies for several reasons. Some cookies are required for technical reasons in order for our websites to operate, and we refer to these as "essential" or "strictly necessary" cookies. Other cookies also enable us to track the use of our website. This is described in more detail in the table below.
2.2 What about other tracking technologies, like web beacons?
Cookies are not the only way to recognize or track visitors to a website. Some websites use similar technologies from time to time, like web beacons (sometimes called "tracking pixels" or "clear gifs"). These are tiny graphics files that contain a unique identifier that enables website owners to recognize when someone has visited their website or opened an e-mail sent to them. This allows website owners, for example, to monitor the traffic patterns of users from one page to another within the website and to deliver or communicate with cookies.
2.3 Do you use Flash cookies or Local Shared Objects?
"Flash Cookies" (also known as Local Shared Objects or "LSOs") are used by some website owners to, among other things, collect and store information about your use of services, fraud prevention, and other site operations.
2.4 Do you use social networking cookies?
These cookies are used to enable you to share pages and content that you find interesting on our website through third-party social networking and other websites.
2.5 Do your cookies serve targeted advertising on our website?
Yes, we use cookies to enhance your experience by showing you relevant offers and finance solutions that match your needs and interests. These cookies help us tailor our marketing efforts so that you receive personalized content that may be of value to you.
You always have control over your cookie preferences and can manage them through your browser settings at any time.
2.6 Links to other websites
Our website contains links to other websites. If you access those other websites, they may use cookies. Please read any cookie privacy notices on those websites if you wish to know what cookies are being used.
2.7 How can I control cookies?
You can set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you may still use our website, though your access to some functionality and areas of our website may be restricted. As the means by which you can refuse cookies through your web browser controls vary from browser to browser, you should visit your browser's help menu for more information.
2.8 How often will you update this Cookie Notice?
We may update this Cookie Notice from time to time to reflect, for example, changes to the cookies we use or for other operational, legal, or regulatory reasons. Please, therefore, re-visit this Cookie Notice regularly to stay informed about our use of cookies and related technologies. The date at the footer of this Cookie Notice indicates when it was last updated.
2.9 Where can I get further information?
If you have any questions about our use of cookies or other technologies, please email our Data Protection Officer at [email protected].
| Types of Cookies | Who Serves These Cookies | How to Refuse |
|---|---|---|
| Essential website cookies: These cookies are strictly necessary to provide you with services available through our websites and to use some of its features, such as access to secure areas. | DAT | Because these cookies are strictly necessary to deliver the Websites to you, you cannot refuse them. You can, however, block or delete them by changing your browser settings, as described below under the heading "How can I control cookies?". |
| Performance and functionality cookies: These cookies are used to enhance the performance and functionality of our websites. Without these cookies, certain functionality (like videos) may become unavailable. | Various | To refuse these cookies, please follow the instructions below under the heading "How can I control cookies?". |
| Analytics and customization cookies: These cookies collect information that is used in aggregate form to help us understand how our website is being used. This does not enable us to engage in targeted marketing. | Google Analytics | To refuse these cookies, please follow the instructions below under the heading "How can I control cookies?". |