This Privacy Notice governs the collection and use of personal data by the Royal Commission for AlUla ("RCU", "us", "we", or "our") in relation to the use of our websites [www.experiencealula.com and www.book.expereincealula.com] and mobile applications [Experience AlUla Mobile Application] ("websites"), our marketing and sales activities, our customer service and any other use of your personal data by us or our service providers on our behalf. For more information about us, please see: [https://www.rcu.gov.sa/en/about-us/about-rcu/]
This Privacy Notice is addressed to you as a visitor of our websites, an individual contacting us for enquiries or other reasons, a potential or actual customer of RCU (where e.g. you buy tourism services such as tours, experiences, events tickets etc… from us or our suppliers ), a recipient of marketing from us (or marketing providers on our behalf ), or a recipient of online personalised advertising of our products and services.
Please read this Privacy Notice carefully as it explains what personal data we process, how we use it, who we share it with, and your rights in relation to personal data. It also includes other information regarding our practices regarding the handling of your personal data.
1. What information is covered by this Privacy Notice? This Privacy Notice governs the processing of personal data that you provide to us, that we collect or receive from you or that we receive from third parties about you. Personal data is any information relating to an identified or identifiable natural person.
2. What information do we collect from you or about you? We may collect information about you from the following sources:
- Information you provide via our websites or when you contact us
- Information gathered through website cookies
- How you interact with our emails, websites, social media pages
- Information you provide when purchasing our products or services (either online or offline)
If you want to know more about this, please see sections 2.1 and 2.2 below.
2.1 Information we receive from you
We collect personal data that you provide to us when you visit our websites, engage with us to provide you with access to our websites and their features, contact us by phone, email or other means, or provide reviews to our products or services. This includes your name, postal and email address, telephone number, other identification details, and your opinions (e.g. in relation to a feedback request). For example, you may provide us with personal data when you:
- Elect to subscribe to email newsletters (sent by us or third parties on our behalf or in partnership with us);
- Correspond with us via the links available on our websites or on our social media pages or by email;
- Complete forms on our websites or forms provided to you by other means (e.g. physical form with feedback request following your visit to AlUla sites); and
- Respond to a marketing initiative launched by us or on our behalf (e.g. a competition or survey).
We also collect personal data that you provide to us when you purchase our products or services. This includes e.g. your payment card details and billing address.
2.2 Information we collect about you
In addition to personal data you provide to us, we receive information about you that you authorise third parties to provide to us, such as our partners including [booking partners]. This can include information about purchases of touristic packages or site visit tickets that you made with one of our partners, your nationality, your contact details, your preferences as a tourist to AlUla sites.
We also obtain personal data from third-party service providers in order to verify your identity, to prevent fraud, or to help us identify products and services that may be of interest to you.
We may also collect information about you from public registers or information which is otherwise publicly available.
- Technical information, including your IP address, browser type and version, device identifier, location and time zone setting, browser plug-in types and versions, operating system and platform, page response times, and download errors;
- Information about your visit, including the websites you visit before and after our website and products you viewed or searched for;
- Length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page; and
- Similar information for additional content that can be accessed from website pages, such as opening or printing documents or which videos are played and for how long.
When you visit one of our social media pages (e.g. Twitter), we, the social media platform or third parties collect information about your interaction with us via the social media.
However, we do not collect information about you by means of cookies or other technologies where your consent is required by law and you have not consented.
3. For which purposes do we use your personal data?
3.1 Cookies or similar technologies.
We use your personal data to diagnose problems with our websites or administer our websites, to analyse user traffic to measure use of our websites and to improve the content of our websites and our services as well as to keep our websites safe and secure.
We also use certain information that is collected by third parties via cookies on third parties' websites. For example, we receive information from Twitter or other social media where we have a page / account regarding your interaction with such page / account. We may use this information for analytical purposes e.g. to analyse the effectiveness and results of our social media initiatives.
- Legitimate interest. We use your personal data in this way as it is necessary for our legitimate interest to: (a) analyse user traffic so that we can improve our website and meet the needs of visitors to our website; (b) to provide you with access to our website; and (c) monitor how our website is used to detect and prevent fraud, other crimes and the misuse of our website. This helps us to ensure that you can safely use our websites.
- Legal obligations. Sometimes the collection of your personal data via cookies or similar technologies is necessary for compliance with legal obligations to which we are subject (e.g. the obligation to ensure the security of our information systems).
3.2 Comply with legal or regulatory requirements and exercise or defend legal claims.
We may need to process personal data to comply with legal and regulatory requirements to which we are subject and/or to defend such claims or exercise our legal rights.
Legal Basis: Processing personal data in this way is necessary to ensure compliance with our legal and regulatory obligations. It is also necessary for our legitimate interests to process personal data for the purposes of exercising and defending such claims.
3.3 To provide you with information about our products and services.
We use your personal data (such as your email address or other contact details) to send you information about our services and other information which may be of interest to you, including events, surveys, updates and other relevant information.
- Legitimate interest. Where we are permitted to send you such messages under applicable law, our legal basis for processing your personal data is that it is necessary for our legitimate interests to promote our services and provide you with other information which may be of interest to you. We will not send such messages to you if you have opted out of receiving these.
- Consent. Where applicable law requires that you consent to receiving direct marketing communications from us such as by email, phone or post, we will obtain your consent (instead of relying on the legitimate interest above). We will stop sending you such messages if you withdraw your consent.
Please see further information below under "What are your rights?" in relation to your rights to opt out of receiving marketing messages.
3.4 For selling our products and services.
We collect and process personal data that you provide to us for the purposes of providing you with the product or service that you have requested (either offline or online). For example, we need your payment card details to process your payment on our websites; and your postal address to deliver the product you have bought. We may also collect personal data further to a sale but in relation to such sale, e.g. for refunds or reimbursements.
- Contractual necessity. We need to collect certain information from you in order to conclude the transaction that you have requested, perform our contractual obligations (e.g. product delivery, refunds or reimbursements).
- Legitimate interest. Where the processing of your data is not strictly necessary to conclude or perform the sale, we will rely on our legitimate interests to (a) conclude or perform the transaction with you in the most expedite and efficient way; (b) maintain a trusted relation with you, and provide you with seamless and efficient customer service.
3.5 For analytics and market research purposes
We collect information from you or about you (such as online reviews of our services, feedback and reviews following your visits to AlUla sites, comments and 'likes' on our social media pages) to analyse and measure market trends, customer satisfaction, the effectiveness of our campaigns and activities, etc.
- Legitimate interest. We rely on our legitimate interest to (a) improve our services, and (b) pursue our mission which is the promotion of AlUla as an area of touristic, cultural, economic and social interest.
- Consent. We will normally rely on the legitimate interest above. However, in relation to certain personal data that we may collect from you or about you, or in relation to certain data collection activities, we may opt to rely on your consent instead (where we believe this is more appropriate in the interest of your privacy rights).
3.6 For our records, administration and managing our relationship with you.
We will keep records of your personal data, such as your name, address, account details and marketing preferences, in order to administer our websites and keep our records up to date.
- Legitimate interest. We use your personal data in this way as it is necessary for our legitimate interest to keep records of your personal details and update these when necessary. It is also in our legitimate interests to keep records of any correspondence with you. Our customers are important to us and so we need to keep track of your details and preferences.
- Legal obligations. In some instances we are required to collect and retain information for compliance with applicable law. For example, we need to record your marketing preferences (e.g. opt out) for compliance with our obligations concerning direct marketing.
4. What are the consequences of not providing your personal data?The provision of your personal data is necessary when personal data is needed for the purposes of entering into or servicing a contract that you have with us or to receive the products or services or information you request, or for us to comply with applicable law and regulations (see details of this in section 3 above).
Refusal to provide your information may make it impossible for us to provide the products, services or information requested or to fulfil our contractual obligations.
5. With which third parties do we share your personal data? Your personal data is intended for RCU but may be shared with third parties in the following circumstance
5.1 Within RCU. We may share your personal data among other offices and locations within our organisation to administer our websites, send you information about products and services that may be of interest to you, provide customer services and conduct the other activities described in this Privacy Notice.
5.2 Our service providers. We use other companies, agents or contractors to perform services on our behalf (e.g. marketing) or to assist us with the provision of our websites, services and products to you. We may share your personal data with the following categories of service provider:
- Infrastructure and IT service providers (including for email archiving);
- Marketing, advertising, analysis, research and communications agencies; and
- External auditors and professional advisers (such as accounts, lawyers or other consultants).
We will only provide our service providers with personal data which is necessary for them to perform their services to us or assist us with the provision of our websites, services and products. We require them not to use your information for any other purpose. We will use reasonable commercial efforts to ensure that all our service providers keep your personal data secure.
5.3 Our partners. We may share some personal data with our partners such as travel organisations which collaborate with us for the promotion and sale of touristic services in AlUla. We will share information with our partners only to the extent this is necessary for the purposes described in this Privacy Notice and we will always ensure that we do so with your consent or another legal basis (as described in section 3 of this Privacy Notice).
5.4 Other public entities, agencies or bodies of the Kingdom of Saudi Arabia. We may share personal data with government or other public entities, agencies or bodies of the Kingdom of Saudi Arabia where this is necessary for specific purposes such as government controls, reporting, public expenditure review and accountability.
5.5 Third parties permitted by law. In certain circumstances, we may be required to disclose or share your personal data in order to comply with a legal or regulatory obligation (for example, we may be required to disclose personal data to the police, regulators, government agencies or to judicial or administrative authorities in the Kingdom of Saudi Arabia or in other locations where we operate such as Europe). We may also disclose your personal data to third parties where disclosure is both legally permissible and necessary to protect or defend our rights, matters of national security, law enforcement, to enforce our contracts or protect your rights or those of the public.
6. Do we transfer personal data outside the EEA?
Your personal data is transferred to and processed by us or our service providers which are located in countries outside the European Union and/or European Economic Area ("EEA"). In particular, if you are located in the EEA we will transfer the personal data we collect about you to the Kingdom of Saudi Arabia (where our headquarter is located).
We will take all steps that are reasonably necessary to ensure that your personal data, upon and after transfer, is treated securely and in accordance with this Privacy Notice as well as applicable data protection laws. If you want to know more about our measures (as required by applicable law) in relation to international data transfers, please contact us by emailing email@example.com.
7. What are your rights? To the extent required by the law of your jurisdiction, you may request access to the personal data we maintain about you or request that we correct, amend, delete or block the information by contacting us as indicated below. Where required by law, you may withdraw any consent you previously provided to us or object at any time on legitimate grounds to the processing of your personal data, and we will apply your preferences going forward.
You can make a request to exercise any of these rights in relation to your personal data by emailing firstname.lastname@example.org.
7.1 EEA Residents. If you are a resident in the EEA or EU data protection law applies to your personal data, you have the following rights in respect of your personal data (if applicable):
- Access. You have the right to request a copy of the personal data we are processing about you. For your own privacy and security, at our discretion we may require you to prove your identity before providing the requested information.
- Correction. You have the right to have incomplete or inaccurate personal data that we process about you corrected.
- Deletion. You have the right to request that we delete personal data that we process about you, except we are not obliged to do so if we need to retain such data in order to comply with a legal or regulatory obligation or to establish, exercise or defend such claims.
- Restriction. You have the right to restrict our processing of your personal data where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.
- Portability. You have the right to obtain personal data we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) personal data which you have provided to us, and (b) if we are processing that data on the basis of your consent or to perform a contract with you.
- Objection. Where the legal justification for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
- Withdrawing Consent. If you have consented to our processing of your personal data, you have the right to withdraw your consent at any time, free of charge. This includes cases where you wish to opt out from marketing messages that you receive from us.
- Complaint with data protection authority. You have a right to make a complaint with your national data protection authority or other public authority governing the protection of your personal data.
8. How do we protect your personal data?
We have implemented technical and organisational security measures to safeguard the personal data in our custody and control. Such measures include, for example, limiting access to personal data only to employees and authorised service providers who need to know such information for (a) the purposes described in this Privacy Notice; and (b) in order to perform their jobs, such as providing you with information you request, or notifying you of new products and services. We also maintain certain reasonable physical, electronic, and procedural safeguards to protect the personal information in our possession from loss, misuse, and unauthorised access, disclosure, alteration and destruction, and we review and adjust these safeguards regularly in response to advances in technology.
While we endeavour to protect our systems, sites, operations and information against unauthorised access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others, such as hackers.
9. How long do we keep your personal data?
We will only retain your personal data for as long as necessary for the purpose for which that data was collected and to the extent permitted by applicable law.
10. Links to third-party websites
Please note our websites may, from time to time, contain links to and from other websites, such as the websites of other public entities or bodies of the Kingdom of Saudi Arabia. If you follow a link to any other websites from our website, please note that these websites have their own privacy policies and that we have no control over how they may use your personal data. You should check the privacy notices of third party websites before you submit any personal data to them.
Where we receive information from social media platforms on how you interact with our initiatives, content and pages on those social media, we take control of and responsibility for this information (as described in other sections of this notice e.g. section 3.1). However, please note that the social media platform remains responsible for its own uses of this information.
11. How can you contact us?
If there are any questions or concerns regarding this Privacy Notice, please contact us by emailing email@example.com.
12. Changes to this Privacy Notice
We reserve the right to change this Privacy Notice at any time and as permitted by law. We will notify you of material changes to this Privacy Notice by posting the updated Privacy Notice on our websites or as otherwise required by law.
Last updated: [03 Dec 2020]