Privacy Policy

للاطلاع على سياسة الخصوصية باللغة العربية

The Saudi Business Machines Ltd. (‘SBM,’ ‘Company,’ ‘Us,’ ‘We,’ ‘Our’) is committed to protecting the privacy and security of your Personal Data. This privacy notice (‘Notice’) is addressed to individuals of based in the Kingdom of Saudi Arabia (‘KSA’).

This Notice applies to you (‘Customer’), including current, former, or prospective customers of our products, services, and/or businesses, including any credit facilities, credit cards, debit cards, forex instruments, cheques, other payment instruments, remittance services (both inward and outward), currency exchange services, prepaid payment instruments, loans, other credit transaction-related products or services, insurance products, investments, wealth management, estate management, credit assessment, financial products, advisory services, investment advisory services, trading accounts, savings or current accounts, other accounts, deposits, transfers, referrals, cash management, payment services and products, payment gateway, wallets, merchant acquiring, PSP services, Third Party Application Provider (TPAP) services, Point of Sale (POS) services, collections, distributions, agencies, trusts Sharia-compliant finance and investment products. Our products and/or services will outline specific terms and conditions and can be read in conjunction with this Notice (where applicable).

Policies

  1. Personal Data and Processing
    Personal data means any data by which you may be identified as a living individual which may include your name, your address, your photo, etc. To operate as a Company and offer you customized products and services, we may process your Personal Data. Processing means operations performed on Personal Data, e.g., collecting, recording, saving, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, sharing etc.
     
  2. Controller and Processor
    Saudi Business Machines Ltd. is the Company’s registered business name. The registered Head Office of The Saudi Business Machines Ltd. is (head office national Address), Kingdom of Saudi Arabia.

    For the purposes of the applicable Law, the Company is the Data Controller in respect of the Personal Data that we collect and process about you. This is because the Company in most cases determines why and how your Personal Data is processed.

    In some cases, the Company may act as a Data Processor when processing your Personal Data on behalf of another SBM entities or subsidiaries. In these cases, the Company conducts the processing of Personal Data under specific instructions from the entity or subsidiaries acting as a Data Controller.
     
  3. Your Personal Data
    This Notice aims to provide you with clear and transparent information about how we collect, use, and protect your Personal Data in compliance with the KSA Personal Data Protection Law approved by the Royal Decree No. (m/19), dated 1443/02/09 (corresponds to 16 September 2021) and amended pursuant to Royal Decree No. (m/148) dated 1444/09/05 (Corresponds to 27 March 2023) (“Law”). Your Personal Data may be obtained when using our website https://www.sbm.com.sa as well as the choices you can make about our collection and use through other channels. Our website may contain links or have a mechanism of re-direction to other websites and in that case refer to the website specific privacy notice for reference.

    We may collect and process your Personal Data to the extent necessary to provide a high standard of personalized products and/or services. We may collect and process various kinds of Personal Data about you, which may include mandatory and optional information:
    • Identifying information: such as name, date of birth, nationality, qualifications, certifications, emergency contact, photos, video recording, passport, visa or work permit, national ID or Iqama, gender details, location data and publicly available data.
    • Contact information: including address, phone numbers, and email.
    • Family information: including marital status, spouse details, and children’s details.
    • Financial information: such as financial transaction, Company account details, Company card number, credit data, investment portfolio details, and tax identification details
    • Professional information: covering employee details, career history, and salary records.
    • Website technical data: comprising IP addresses and browser details.
    • Sensitive data: Any personal information that includes references to an individual's racial or tribal origin, religious, intellectual, or political beliefs, or indicates their membership in associations or civic institutions. This also includes criminal and security data, biometric data that identifies the individual, genetic data, credit data, health data, location data, and data that indicates the individual is an orphan or has an unknown parent or parents.
    • Website profile and usage data: encompassing marketing preferences.

    Moreover, when we process Personal Data related to children or incompetents,’ we will notify the Legal Guardian and obtain the necessary consent.

    Depending on the type of information, all necessary efforts will be made to inform the Data Subject of the type of information that is being collected.

    We may collect your Personal Data in a number of ways:

    • When you apply for a product and/or service from our website or through other channels such as mobile application, phone conversations, branches or directly from one of our employees. Your Personal Data may be obtained when using our website as well as the choices you can make about our collection and use through other channels. Our website may contain links or have a mechanism of re-direction to other websites and in that case refer to the website specific privacy notice for reference.
    • When you provide it online or by other methods of communication such as email, ‘can we help you’ chats, phone conversations or branch visits.
    • When you visit the website capturing your Internet Protocol (IP) address.


    We may obtain your Personal Data indirectly from third parties in the following ways:

    • Following an introduction to us by another third party, such as law firm, or management consulting.
    • If another person provides your Personal Data to us when they obtain a product or service from us on your behalf, that is to be held jointly with you, on behalf of business of which you are a director, shareholder, owner, trustee or beneficiary (as applicable) or they have nominated you as a guarantor under our agreement with them or to provide any other security or informed us that you are a donor or lender / financer.
    • When we conduct our searches for the purposes of processing your application and/or during your relationship with us.
    • In response to our marketing activities, you request information about our products via a third party (e.g., website and social media platforms).


    We have outlined below the types of processing activities and their purposes:

    • Account Management: We may process your Personal Data to manage account activities including account opening, account closing, account updates, account maintenance, account reconciliation, sending account statements, account related queries or complaints and others.
    • Transactions: We may process your Personal Data to fulfil financial transactions such as deposits, withdrawals, payments, transfers, Sharia compliant transactions and others.
    • Know Your Customer (KYC) update: We may process your Personal Data to identify and verify your identity while account opening and periodically over time.
    • Business operations: We may process your Personal Data to manage business operations related activities including changes to the business, legal and regulatory compliance reporting, auditing, monitoring communications and activities related to your account, anti-money laundering checks, protecting the safety and welfare of individuals, Company’s property and assets, monitoring unauthorized access or activities on our systems, detecting fraudulent transactions and others.
    • Credit Assessment: We may process your Personal Data to evaluate your credit worthiness when applying for loans, Financing mortgages, credit cards, or any Sharia complaint Financing.
    • Risk Assessment: We may process your Personal Data to assess risks associated with providing you with our products and/or services to prevent fraudulent activities.
    • Delivery: We may process your Personal Data to deliver our products to you in the form of cards, statements, rewards, and others.
    • Marketing: We may process your Personal Data to market and promote our products and services tailored to your needs and preferences except sensitive data.
    • Research and statistical analysis: We may process your Personal Data for research and statistical analysis to develop and provide you with customized products and services.
    • Customer Service: We may process your Personal Data to support your queries/requests on recent purchases and/or orders and provide timely updates and others.
    • Safeguard interests: We may process your Personal Data to safeguard the interests of you and the Company including managing queries/use of your rights, fraud monitoring and investigations, claims made by or against us or our customers and others.
    • Legal and regulatory obligations: We may process your Personal Data to comply with the legal and regulatory obligations including managing requests from government bodies, responding to judicial proceedings, requests, or other inquiries.

    You may not be required to provide any of the Personal Data that we request. However, failure to do so may result in us being unable to open or maintain your account, provide services and/or products to you or your organization, discuss any other opportunities with you or deal with other matters.

  4. Legal Basis
    We will use a legal basis to process your Personal Data. This means we will have a legal justification to use your Personal Data, as required by the Law. We may rely on the following legal basis to process your Personal Data if collected from you under the Law:

    • Your consent (we will let you know on a case-by-case basis should we require your consent).
    • Processing achieves a definite interest for you, and it is impossible or difficult to contact you.
    • Processing is required by applicable Laws and is performed in accordance with them.
    • Processing is performed to perform an agreement to which you are a party.
    • Processing is necessary for the purpose of our legitimate interest.


    We aim to ensure that as a rule we will use your Personal Data in accordance with the purposes, as specified in Section 3. However, please note that pursuant to the Law we may also collect and process your Personal Data for purposes other than the ones specified in Section 3 for which Personal Data was collected. It may happen in the following circumstances:

    • If you give your consent to such collection and processing.
    • If your Personal Data is publicly available, or if it was collected from a publicly available source.
    • If collection and processing is required for your vital interests.
    • If collection or processing of your Personal Data is necessary to protect public health or safety, or to protect the life or health of you or other individuals.
    • If your Personal Data is recorded or stored in a form that makes it impossible to identify you directly or indirectly.
    • Collection of your Personal Data is necessary to achieve our legitimate interests (in this case, we will not process your Sensitive Data, e.g., Credit Data, Health Data).
       
  5. Personal Data Disclosure

    We may, as could be required for the purposes listed in section 3, disclose your Personal Data to the following:

    • Other entities or subsidiaries of SBM Group.
    • Service providers, vendors, agents, consultants, intermediaries etc., who perform services or assist us to operate the business or provide products or services such as IT companies, Legal firms etc.
    • Entities or people with whom we have tie-ups for the co-branded services, products or programs, any rewards programs or loyalty programs, any benefits, offers, features or any similar arrangements.
    • With co-lenders / Financers, co-originators, collaborators, and persons with whom SBM or its affiliates may have a tie-up for products or services.
    • Insurance, health or legal services, any member of our group, current or potential clients, suppliers, subcontractors, and other business contacts in the ordinary course of our business.
    • Third-party Company’s, financial institutions, credit card associations or other card payment and platform providers, payment recipients, beneficiaries, nominees, intermediaries and their Company’s, financial clearing houses and clearing or settlement systems and specialized payment companies or institutions such as Electronic Clearing Service (ECS), ESAL, ATM portability, SARIE, SWIFT, MADA etc.
    • Security brokers, stock exchanges, Financial Technology (Fintech) entities or service providers, third party fund managers, and securities clearing houses (if you have invested with us).
    • Current or potential business partners, professional advisors and consultants involved in the management of our business or derivations.
    • Any applicable regulatory authorities (governmental, statutory, regulatory, executive, law-enforcement, investigating or judicial/ quasi-judicial authorities, departments, instrumentalities, agencies, ministries, institutions, boards, commissions, courts, tribunals, etc.) or other third parties as could be required by Law or in accordance with other regulatory obligations or policies applicable to us or to you.


    We may disclose your Personal Data, in the following cases:

    • You consent to the disclosure.
    • Your Personal Data has been collected from a publicly available source.
    • The entity requesting disclosure is a public entity, and the collection or processing of your Personal Data is required for public interest or security purposes, or to implement another Law, or to fulfil judicial requirements.
    • Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
    • The disclosure will only involve subsequent processing in a form that makes it impossible to identify you directly or indirectly.
    • The disclosure is necessary to achieve our legitimate interests (in this case, no Sensitive Data (e.g., Health Data, Credit Data) will be processed).
       
  6. Cross-border Transfer

    We may need to transfer your Personal Data for processing outside of the KSA. In such cases, we will comply with the requirements of the Law regarding the cross-border Personal Data transfers, as well as with the requirements of other Laws and regulations, where applicable.

  7. Data security

    We have put in place appropriate technical measures, administrative controls, and legal safeguards to:

    • Prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed (e.g., access control, network security, communication security, policies and procedures, encryption, and other techniques).
    • Deal with any suspected Personal Data breach, and we will notify you and the Competent Authority of the breach where we are legally required to do so based on the requirements outlined in the Law.
       
  8. Storage of Personal Data:
    • Location: All personal data collected will be securely stored in our data centers located in SBM Data Centers and / or SBM's Cloud Applications hosted in Saudi Arabia. These data centers are equipped with advanced security measures to protect your information from unauthorized access, disclosure, alteration, or destruction.
    • Security Measures: We employ a variety of security technologies and procedures to help protect your personal data. This includes encryption, firewalls, access controls, and secure servers. Only authorized personnel have access to personal data, and they are required to maintain the confidentiality and integrity of the information.
       
  9. Retention

    We will retain your Personal Data for the period outlined as per the SBM’s related retention policies, legal and regulatory obligations, or any other period necessary for us to meet our operational obligations such as maintaining accounts, facilitating client relationship management, responding, or defending against legal claims or regulatory requests etc. However, we will retain your personal data after completing its purpose if there is a regularity requirement that requires keeping it for a specific period, and in the event where a case pending with judicial authority.

  10. Destruction of Personal Data:
    • Destruction Methods: Personal data will be destroyed using methods that ensure the information cannot be reconstructed or retrieved. This includes:
      • Digital Data: Secure deletion methods such as data wiping, degaussing, or physical destruction of storage media.
      • Physical Data: Shredding, pulping, or incineration of paper records.
         
  11. Your rights

    In accordance with the Law, you may exercise the following rights:

    Right to be informed

    You have the right to be informed of:

    • the valid legal or practical justification for collecting your Personal Data and
    • The purpose for collecting your Personal Data.

    Right to have access to your Personal Data

    You have the right to have access to your Personal Data that is held by us.

    Right to request obtaining your Personal Data

    You have the right to request your Personal Data held by us in a readable and clear format.

    Right to request correcting, completing, or updating

    You have the right to request correction, completion or updating of your Personal Data, which is held by us

    Right to request erasure (destruction)

    You have the right to request erasure (destruction) of your Personal Data available to us, which is no longer required by us. Moreover, we may continue to retain personal data to comply with legal and regulatory obligations.

    Right to withdraw consent

    You have the right to withdraw your consent at any time which you previously gave in relation to the processing of your Personal Data.

    Right to complain

    You have the right to submit any complaint to the Competent Authority that may arise out of the Law.

    Please contact us via digital channels and contacting our branches if you would like to know more about your rights or if you would like to exercise any of them. Our contact information is provided at the last part of this document.

  12. What will be affected when consent is withdrawn

    Moreover, in cases where consent is withdrawn, we may not be able to provide certain products or services that depend on processing your Personal Data

  13. Marketing from Us

    We may use your Personal Data for marketing/advertising except sensitive data purposes to inform you about our products and/or services based on the consent provided. You may ask us to stop sending marketing messages by following the opt-out links on any marketing message sent to you or by contacting us via phone Companying at any time. When you opt-out of receiving these marketing messages, you will no longer receive them.

  14. Social Media

    SBM operates channels, pages, and accounts on social media sites to be able to inform, assist, and engage with you to improve our products and services. Please do not share any personal information on our social media sites. If you wish to communicate with us, please contact us via phone Companying. SBM shall not be responsible for any information posted on those sites other than the information posted by its employees on its behalf.

  15. Automated decision-making

    Your Personal Data may be processed through automated decision-making using tools and technologies to make credit decisions and determine eligibility for our products and/or services. Moreover, we may also use automated decision making to perform anti-money laundering and sanction checks to determine if your activity is consistent with money laundering or known fraudulent conduct.

  16. Your use of our website

    We may use (“Cookies”) to monitor user activity on our websites. A Cookie is a small piece of information stored on your computer's hard drive, tracking your interactions with our website. This enables us to gain insights into how customers navigate our website, facilitating its ongoing development and enhancement. Should you have any further inquiries, please refer to the cookie policy or contact us via phone Companying.

  17. Review and Updates

    Our products, services, facilities, features, and/or functionalities are subject to change and therefore, any changes we make to our last updated Notice on September -2024 will be posted on our website and, when appropriate, we will notify you of the change via email. Please check back frequently to see any updates or changes to our Notice.         

  18. Contact Us

    Keeping your Personal Data accurate and up to date is particularly important for us. Please keep us informed if any of the information we hold about your changes during your relationship with us. If you have any queries, comments, or requests regarding this Notice, or you would like to exercise any of your rights set out above, please contact us via digital channels, and contacting our branches.