Privacy policy

This privacy notice for the Royal Commission for AlUla (‘we’, ‘us’, or 'our'), is formulated in accordance with the Personal Data Protection Law and its Regulation in the Kingdom of Saudi Arabia, and describes how and why we might collect, store, use, and/or share (‘Process’) your data when you use our services, such as when you:

Questions or Concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with this privacy notice and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@rcu.gov.sa

For more information about us, please see: [https://www.rcu.gov.sa/en/about-us/about-rcu/].

SUMMARY OF KEY POINTS

This summary provides key points from our privacy notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal data do we process? When you visit, use, or navigate our Services, we may process personal data depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about the personal data we collect.

Do we process any sensitive personal data? We do not process sensitive personal data such as personal data that revealing racial or ethnic origin, or religious, biometric or Genetic Data for the purpose of identifying the person, or Health Data.

Do we receive any data from third parties? We do not receive any Personal Data from third parties.

How do we process your data? We process your data to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with the Personal Data Protection Law and its Regulation. We may also process your data for other purposes with your consent. We process your data only when we have a valid legal reason to do so. Learn more about how we process your data.

In what situations and with which types of parties do we share personal data? We may share data in specific situations and with specific categories of third parties. Learn more about when and with whom we share your personal data.

How do we protect your data? We are committed to safeguarding your personal data through the use of robust organizational and technical measures designed to ensure your information remains secure. While we strive to provide the highest level of data protection, it’s important to note that no method of electronic storage or internet transmission is entirely risk-free. In the unlikely event of unauthorized access, we have systems and protocols in place to detect, respond to, and mitigate any threats. Learn more about our data protection practices.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal data. Learn more about your privacy rights.

How do you exercise your rights? The easiest way to exercise your rights is by contacting us through privacy@rcu.gov.sa. We will consider and act upon any request in accordance with the Personal Data Protection Law and its Regulation.

Want to learn more about what we do with any data we collect? Review the privacy notice in full.

 

TABLE OF CONTENTS:

  1. WHAT DATA DO WE COLLECT?
  2. HOW DO WE PROCESS YOUR DATA?
  3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
  4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
  5. HOW LONG DO WE KEEP YOUR DATA?
  6. HOW DO WE PROTECT YOUR DATA?
  7. WHAT ARE YOUR PRIVACY RIGHTS?
  8. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
  9. CONTROLS FOR DO-NOT-TRACK FEATURES
  10. DO WE MAKE UPDATES TO THIS NOTICE?
  11. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

1. WHAT DATA DO WE COLLECT?

Personal Data You Disclose to Us. We collect personal data that you voluntarily provide to us when you register on the Services, express an interest in obtaining data about us or our products and Services when you participate in activities on the Services, or otherwise when you contact us.

Personal Data Provided by You. The personal data that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal data we collect may include the following:

  • Phone numbers
  • Names
  • Email addresses
  • Usernames
  • Passwords
  • Contact preferences

Sensitive Data. We do not process sensitive data.

All personal data that you provide to us must be true, complete, and accurate, and you have the right to notify us of any changes to such personal data.

Data Automatically Collected. Some data — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain data when you visit, use, or navigate the Services. This data does not reveal your specific identity (like your name or contact data) but may include device and usage data, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, data about how and when you use our Services, and other technical data. This data is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect data through cookies and similar technologies.

The data we collect includes:

  • Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance data our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device data, browser type, and settings and data about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event data (such as system activity, error reports (sometimes called 'crash dumps'), and hardware settings).
  • Device Data. We collect device data such as data about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include data such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration data.
  • Location Data. We collect location data such as data about your device's location, which can be either precise or imprecise. How much data we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this data either by refusing access to the data or by disabling your Location setting on your device. However, if you choose to opt-out, you may not be able to use certain aspects of the Services.
    • Legal Basis:
      •   Legitimate Interest. We use your personal data in this way as it is necessary for our legitimate interest to: (a) analyze user traffic so that we can improve our website and meet the needs of visitors to our website; (b) to provide you with access to our website; and (c) monitor how our website is used to detect and prevent fraud, other crimes and the misuse of our website. This helps us to ensure that you can safely use our websites.
      • Legal Obligations. Sometimes the collection of your personal data via cookies or similar technologies is necessary for compliance with legal obligations to which we are subject (e.g. the obligation to ensure the security of our information systems).
      • Contractual Obligation. Sometimes the collection of your personal data via cookies or similar technologies is necessary to provide you with an online service that you have requested (e.g. when you purchase a product on our website we use cookies to track what you put in your basket).
      • Consent. Where we use cookies or similar technologies for targeted advertising, analytics purposes (or purposes other than the purposes mentioned above), we rely on your consent to place the cookies.

2. HOW DO WE PROCESS YOUR DATA?

We process your data to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with the regulatory requirements. We may also process your data for other purposes with your consent.

We process your personal data for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts. We may process your data so you can create and log in to your account, as well as keep your account in working order.
  • To deliver and facilitate the delivery of services to the user. We may process your data to provide you with the requested service.
    • Legal Basis:
      •  Legitimate Interest. Where we are permitted to send you such messages under the applicable laws in the Kingdom of Saudi Arabia, our legal basis for processing your personal data is that it is necessary for our legitimate interests to promote our services and provide you with other information which may be of interest to you. We will not send such messages to you if you have opted out of receiving them.
      • Consent. Where the applicable laws in the Kingdom of Saudi Arabia require that you consent to receiving direct marketing communications from us such as by email, phone, or post, we will obtain your consent (instead of relying on the legitimate interest above). We will stop sending you such messages if you withdraw your consent.
  • To send you marketing and promotional communications. We may process the personal data you send to us for our marketing purposes if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time. For more information, see section WHAT ARE YOUR PRIVACY RIGHTS? Below.
    • Legal Basis:
      •  Consent. Where the applicable laws in the Kingdom of Saudi Arabia require that you consent to receiving marketing and promotional communications from us such as by email, phone, or post, we will obtain your consent. We will stop sending you such messages if you withdraw your consent.
  • For Selling Our Products and Services. We collect and process personal data that you provide to us to deliver the products or services you have requested, whether offline or online. For example:
    • Personal Data We Collect. We collect your contact information, such as your name and contact details, to fulfill your orders of the items you have purchased. We also collect information related to the sale, such as for handling refunds or reimbursements.
    • Payment Processing. For payment transactions, your payment card details are securely transmitted directly to our Payment Processor. We do not store or process your payment card information on our servers. The Payment Processor handles the transaction in compliance with the Payment Card Industry Data Security Standard (PCI DSS) to ensure your payment details are protected.
    • Legal Basis:
      • Contractual Obligation. We need to collect certain information from you in order to conclude the transaction that you have requested, perform our contractual obligations (e.g. product delivery, refunds or reimbursements).
      • Legitimate Interest. Where the processing of your data is not strictly necessary to conclude or perform the sale, we will rely on our legitimate interests to (a) conclude or perform the transaction with you in the most expedited and efficient way; (b) maintain a trusted relation with you, and provide you with seamless and efficient customer service.
  • For analytics and market research purposes. We collect information from you or about you (such as online reviews of our services, feedback and reviews following your visits to AlUla sites, and comments and 'likes' on our social media pages) to analyze and measure market trends, customer satisfaction, the effectiveness of our campaigns and activities, etc
    • Legal Basis:
      • Legitimate Interest. We rely on our legitimate interest to (a) improve our services, and (b) pursue our mission which is the promotion of AlUla as an area of touristic, cultural, economic, and social interest.
      • Consent. We will normally rely on the legitimate interest above. However, in relation to certain personal data that we may collect from you or about you, or in relation to certain data collection activities, we may opt to rely on your consent instead (where we believe this is more appropriate in the interest of your privacy rights).
  • To comply with our legal obligations. We may process your data to comply with our legal obligations, respond to legal requests, and exercise, establish, or defend our legal rights.
    • Legal Basis
      • Legal Obligation: Processing personal data in this way is necessary to ensure compliance with our legal and regulatory obligations. It is also necessary for our legitimate interests to process personal data for the purposes of exercising and defending such claims.
  •  For our records, administration and managing our relationship with you. We will keep records of your personal data, such as your name, address, account details, and marketing preferences, in order to administer our websites and keep our records up to date.
    •  Legal Basis:
      • Legitimate interest. We use your personal data in this way as it is necessary for our legitimate interest to keep records of your personal details and update these when necessary. It is also in our legitimate interests to keep records of any correspondence with you. Our customers are important to us and so we need to keep track of your details and preferences.
      • Legal obligations. In some instances, we are required to collect and retain information for compliance with the applicable laws in the Kingdom of Saudi Arabia. For example, we need to record your marketing preferences (e.g. opt out) for compliance with our obligations concerning direct marketing.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

We may share data in this section and/or with the following categories of third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents ('third parties') who perform services for us or on our behalf and require access to such data to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal data. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will also not share your personal data with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct. The categories of third parties we may share personal data with are as follows:

  • Within RCU. We may share your personal data among other offices and locations within our organization to administer our websites, send you information about products and services that may be of interest to you, provide customer services and conduct the other activities described in this Privacy Notice.
  • Our Service Providers. We use other companies, agents or contractors to perform services on our behalf (e.g. marketing) or to assist us with the provision of our websites, services and products to you. We may share your personal data with the following categories of service providers:  
    • Infrastructure and IT service providers (including for email archiving);
    • Marketing, advertising, analysis, research and communications agencies; and
    • External auditors and professional advisers (such as accountants, lawyers, or other consultants).
  • Affiliate Marketing Programs. We may share some personal data with our partners such as travel organizations that collaborate with us for the promotion and sale of touristic services in AlUla. We will share information with our partners only to the extent this is necessary for the purposes described in this Privacy Notice and we will always ensure that we do so with your consent or another legal basis.
  • Government Entities. agencies or bodies of the Kingdom of Saudi Arabia. We may share personal data with government or other public entities, agencies or bodies of the Kingdom of Saudi Arabia where this is necessary for specific purposes such as government controls, reporting, public expenditure review and accountability.
  • Third parties permitted by law. In certain circumstances, we may be required to disclose or share your personal data, the data will be shared in strict accordance with the controls and procedures set out in the Personal Data Protection Law and its Regulation in the Kingdom of Saudi Arabia (for example, we may be required to disclose personal data to the police, regulators, government agencies or to judicial or administrative authorities in the Kingdom of Saudi Arabia). We may also disclose your personal data to third parties where disclosure is both legally permissible and necessary to protect or defend our rights, matters of national security, law enforcement, to enforce our contracts or protect your rights or those of the public.
  • Payment Processors. We may share some personal data with our Payment Processors to facilitate secure and efficient payment processing for purchases made through our website.

We may need to share your personal data in the following situations:

  • Service Providers. We will only provide our service providers with personal data which is necessary for them to perform their services to us or assist us with the provision of our websites, services and products. We require them not to use your information for any other purpose. We will use reasonable commercial efforts to ensure that all our service providers keep your personal data secure.
  • Affiliates. We may share your data with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our organization and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.

4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We may use cookies and other tracking technologies to collect and store your data.

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store data. Specific data about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.

5. HOW LONG DO WE KEEP YOUR DATA?

Your personal data is retained only for the duration necessary to fulfil its intended purposes and meet legal, regulatory, accounting, or reporting obligations. We ensure data deletion after this necessary duration and avoid collecting third-party personal data unless required by the Personal Data Protection Law and its Regulation.

6. HOW DO WE PROTECT YOUR DATA?

We are committed to safeguarding your personal data through the use of robust organizational and technical measures designed to ensure your information remains secure. While we strive to provide the highest level of data protection, it’s important to note that no method of electronic storage or internet transmission is entirely risk-free. In the unlikely event of unauthorized access, we have systems and protocols in place to detect, respond to, and mitigate any threats. Although we will do our best to protect your personal data, transmission of personal data to and from our Services is at your own risk. You should only access the Services within a secure environment.

Based on the Personal Data Protection Law and its Regulation we will notify the Competent Authority when we know of the occurrence of a leak, damage, or illegal access to personal data, as well as notify you if a leakage, damage, or illegal access to personal data would cause harm to your data or conflict with your rights or interests.

7. WHAT ARE YOUR PRIVACY RIGHTS?

You may review, change, or terminate your account in accordance with the applicable laws in the Kingdom of Saudi Arabia. RCU may not be able to provide these rights if it may cause conflicts with any of the existing laws and regulations.

Withdrawing Your Consent. If we are relying on your consent to process your personal data, which may be explicit and/or implied consent depending on the applicable laws in the Kingdom of Saudi Arabia, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section 'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?' below.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor when the applicable laws in the Kingdom of Saudi Arabia allow, will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent.

Opting Out of Marketing and Promotional Communications. You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in the section 'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?' below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

Account Data. If you would at any time like to review or change the data in your account or terminate your account, you can:

  • Log in to your account settings and update your account.
  • Contact us using the contact data provided below.

Upon your request to terminate your account, we will deactivate or delete your account and data from our active databases. However, we may retain some data in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements, in a way that does not conflict with the Personal Data Protection Law and its Regulation.

Cookies and Similar Technologies. Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

8. HOW CAN YOU REVIEW, UPDATE, DELETE, OR OBTAIN A COPY OF THE DATA WE COLLECT FROM YOU?

You have right to access or obtain a copy of your personal data, correct, complete or update or delete it in a way that does not conflict with the Personal Data Protection Law and its Regulation.

To request to review, update, or delete your personal data, please contact us at: privacy@rcu.gov.sa.

9. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ('DNT') feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

10. DO WE MAKE UPDATES TO THIS NOTICE?

Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated 'Revised' date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are processing and protecting your data.

11. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at privacy@rcu.gov.sa or contact us by post at:

Royal Commission for AlUla

ادارة الهيئة الملكية, Saudi Arabia, AlUla 43544, SA

__________

Saudi Arabia