HALA Payments Company is committed to the principles of personal data protection outlined in
the Personal Data Protection Law and Regulations, issued by Royal Decree No. (M19/) dated 09/02/1443 AH and
amended by Royal Decree No. (M148/) dated 05/09/1444 AH.
When this policy refers to “the Company”, “we”, “us”, “Hala” or “Data Controller”, it refers
to Hala Payments Company, the operator of this website, application or service.
Hala Payments Company operates under the supervision and control of the Saudi Central Bank
and is an EMI (Electronic Money Institution) financial institution.
Hala provides a specialized platform for digital payment solutions, supporting small and
medium enterprises, and enabling freelancers to start, manage and grow their businesses with innovative
financial technology tools and solutions. The company is registered under Commercial Registration No.
4030548330, and its address is: P.O. Box 12251, Riyadh 2609.
Hala’s services are designed for commercial purposes and may be utilized by individuals or
entities. If you register or use Hala’s services on behalf of an entity, we will consider you an authorized
representative, and you may be required to provide us with the personal data of any third parties associated
with that entity.
2. Scope
This Policy applies to all Personal Data collected and processed by Hala through our
websites, mobile applications, customer service centers, and any other channels or touch points where we collect
your Personal Data. It covers the processing activities related to the collection, storage, use, disclosure, and
protection of Personal Data, ensuring compliance with the KSA PDPL.
This policy applies to all customers, visitors, and users of our services or applications, as
well as any third parties who interact with us in connection with the processing of Personal Data.
3. Contact Information
If you have any questions, you can contact Hala Customer Service via the toll-free number: 8003030122 or via email: [email protected].
If you have questions about this policy or how your personal data is processed, or if you
wish to exercise any of your rights stipulated in this policy or under the Personal Data Protection Law and
Regulations, please contact Hala’s Data Protection Officer via email: [email protected]
4. Policy Review and Updates
This policy was last updated on September 1, 2024. The policy may be subject to change from
time to time in response to legal, regulatory or operational changes. Any updates will be posted on our website,
along with the date of the latest revision. We recommend that you review this policy regularly when visiting our
website or using our applications.
5. Methods of Data Collected
5.1 Data Collected Directly from the Data Subject
Hala only collects the minimum amount of personal data necessary to provide its services or
products. The personal data you voluntarily provide as a data subject through our website or applications may
include:
Personal Identification Data: Full name, date of birth, gender,
nationality, city/area, commercial registration (CR) number, identification numbers (such as national ID
number, IQAMA number). Hala will verify your identity, phone number, national address, and data provided
electronically through a third-party verification platform such as “Elm and Nafath”.
Contact Data: Address, phone numbers, email.
Financial Data: Bank account numbers, transactions, invoice data and
number of transactions and volume.
Profile Data: Username and password, purchases or orders made by
you, your interests, preferences, feedback, survey responses.
Internal Banking Identifiers: Customer profile number, account
number, etc.
Payment Data: Data collected for payment purposes, including payment
amounts, account/card number data, outstanding debts, negative balance value, wallet balance, Terminal ID,
card wallet number (wallet ID) and your payment history.
Identity and Contact Data for KYC: Data to verify the customer's
identity.
5.2 Data Collected from Third Parties
Hala collects personal data indirectly, including:
Technical Data: This includes your Internet Protocol (IP) address,
your login data to our Site or App, your web browser type and version, your time zone settings and geographic
location, your operating system and platform, and other technology used on the devices through which you
access the Site and HALA application. More details are covered in our Cookie Policy.
Customer Service Interactions: Records of your contact with Hala's
customer service, including recorded phone calls, chat conversations, and email correspondence.
Device Data: Information about your device, such as device ID, IP
address, language settings, browser settings, time zone, operating system, platform, screen resolution, and
similar details, as outlined in the Cookie Policy.
Hala Application: All content you upload or submit (such as
inquiries, photos, receipts, product and store reviews, or profile pictures), as well as geolocation data and
websites you visit through the application browser.
Purchase Data: Details regarding your completed purchases, including
order number, product, price, purchase date, quantity, payment method used, promotional codes, delivery
tracking numbers, and courier company. This also includes delivery data such as delivery status, shipping
address, expected delivery date, and details from emails (such as sender and email date).
Automatic Tracking: Data collected automatically from your connected
email account about your completed purchases.
Financial Insights: Data from other bank accounts and account types
that you choose to link to the service, including account numbers, bank transactions, and previous
transactions from your connected accounts.
Third parties: such as credit data agencies, fraud prevention
agencies, regulators, banks and other financial institutions, and publicly available sources.
6. Legal Basis for Processing Your Personal Data
Legal Obligations (Including Contracts and Laws): We process data
based on legal obligations to ensure full compliance with the regulations in force at Hala and the contracts
established between Hala and our customers.
Explicit Consent: Data is collected and processed only with the
clear and explicit consent of the data subject.
Legitimate Objectives or Interests: Hala may process data to fulfill
legitimate objectives or interests of any third party, as long as these interests outweigh any potential
infringement on your rights and do not involve the processing of sensitive data.
Vital Interests: Processing is permissible when it is necessary to
protect your vital interests or those of another individual, and it is impossible or difficult to contact you.
Actual Interest: In some cases, where necessary for the performance
of a task carried out in the actual interest of the data subject (whether moral or material), but
communicating with the data subject is impossible or difficult.
7. Purpose of Processing and Legal Bases
Legal Bases
Purpose of Processing and Why
According to the privacy and cookies policies
Create an account via the website (register a lead)
According to the contract (terms and conditions)
Create an account for merchant via HALA Business application
Verify your identity, assess your application, conduct required compliance and regulatory checks and
procedures (including AML and fraud prevention checks).
Legitimate interests and interests of third parties
To assist you as a vulnerable customer (for example, if you need additional
support when contacting us due to certain circumstances), such as contacting customer service.
Legitimate Interest
You can contact us for more information on how the decision is made or if you wish to object to this
process. Please refer to Section 3 for our contact information.
The ability to conduct customer satisfaction surveys and market research, and
to request feedback via email, text messages, phone calls, or other communication
channels.
Anonymizing your identity to improve our services and products and analyze customer
behavior.
Conducting data analysis to develop and test the product to improve processing,
fraud, and credit models, and to design our services (with data anonymization where
possible).
Measuring and improving marketing and advertising channels (with data anonymization
where possible).
Produce statistics and reports for economic analysis, analysis of payment
trends or payment volumes in specific regions (with data anonymization where
possible).
Identifying the type of marketing we provide to you.
If you do not wish for your data to be processed for marketing purposes, please contact us, and we will
stop using your data for this purpose. Contact information is available in Section 3.
We use your personal data for marketing purposes, such as introducing new products or promotions that are
tailored to customers' financial needs and preferences. If you do not wish to receive marketing materials,
you can contact us and we will stop sending them.
Protecting Hala from legal claims and
safeguarding Hala's legal rights.
Detect fraud and protect network and information
security.
To receive and handle complaints, requests or reports from you or third parties made
to Hala.
For the operational management of Hala including, but not limited to, compliance and
risk management, technology support services, reporting, auditing, systems and product training and
administrative purposes.
Execution of contracts (Article 16(2) of the Personal Data Protection Regulation).
Handling all matters that reach Hala's customer service, including retaining
written conversations for documentation.
Execution of contracts and legitimate interests (Article 16 (2) of the Personal Data Protection
Regulation)
If you contact us via social media platforms such as Facebook, Instagram,
WhatsApp, or X, your personal data will be collected by these companies in accordance with their privacy
notices. Hala processes this data to respond to your inquiries.
To Comply with Our Legal Obligations
To comply with any applicable laws in any country we operate in or provide a
service.
For the purposes of preventing and detecting money-laundering, terrorism, fraud or
other crimes and/or abuses of our services.
We may provide your data to, or obtain such data
from, credit information agencies licensed by the Saudi Central Bank (SAMA) (including, but not limited
to, the Saudi Credit Bureau (SIMAH)).
Contractual necessity, legitimate interest, or compliance with legal obligations
Sharing your personal data with categories such as suppliers, contractors,
companies within the Hala group, individuals with authority over your financial transactions, authorities,
buyers of receivables or assets, and debt collection companies.
8. Accuracy and Ensuring the Protection of Personal Data
Hala will not routinely update your personal data unless such updates are necessary to
achieve the purposes for which the data was collected. You must notify Hala as soon as possible if any of the
data you provided changes. We will not be liable for any errors, inaccuracies, incompleteness, obsolescence, or
irrelevance of personal data resulting from an error or omission on your part.
At Hala, we are committed to protecting your personal data from loss, misuse, or unauthorized
alteration. To ensure the protection of your data, we rely on advanced physical, electronic, and administrative
procedures. For example, our servers can only be accessed by authorized personnel, and your data is shared only
with relevant individuals when necessary to complete the transactions and provide the services you requested.
While we do our utmost to protect the confidentiality of your personal data, online
transmissions cannot be guaranteed to be completely secure. By using this site, you acknowledge the following:
You have read and understood the data privacy policy and the data privacy notice, and you agree to all terms
stated therein.
You have been given the opportunity to review the privacy policy thoroughly and agree to all its provisions.
9. Children's Privacy
Since children are unable to provide consent for the processing of their personal data, the
consent of a child's guardian must be obtained. However, our Hala services are not intended for children under
the age of 18. We do not knowingly collect or process children's personal data. If we discover that we have
inadvertently collected a child's personal data, we will promptly delete that data. We recommend that parents
and guardians monitor their children's online activity to ensure they do not provide any personal data through
our platforms.
10. Automated Processing
Hala does not engage in profiling and automated decision-making except when necessary for
entering into or executing a contract with the data subject, when permitted by law, or when explicit consent has
been obtained from the data subject.
11. Disclosure or Sharing of Collected Personal Data
We may share Your personal data and non-personal data in a variety of ways with the following third parties:
Internal Parties: Our employees, professional advisors, agents,
subcontractors, and service providers that We use to ensure rendering of Hala Services, performance of Our
obligations arising out of the Terms of Use, to manage risks, to help detect and to prevent financial
crime, fraud and money-laundering, to help us to manage availability and connectivity of the Website and
Hala Services, to collect funds what You (or the Business Entity You represent).
Regulatory Authorities: Personal Data may be disclosed to
regulatory authorities (including but not limited to SAMA, SIMAH and SDAIA), courts, enforcement courts,
judicial committees or parties/advisors to legal proceedings, as required.
Legal Compliance: We may disclose your Personal Data, as
required, by applicable law or regulation, at the request of a competent regulator, court or judicial
committee or to safeguard our legitimate interests.
Payment Service Providers: Card and payment (electronic and
physical including points of sale (POS)) service providers and related platforms.
Credit Data Agencies: Licensed by SAMA (including, but not
limited to, SIMAH) for the purpose of obtaining or providing credit references and determining the
Customer's ability to obtain certain products and services.
Fraud Prevention Agencies: Government authorities, agencies or
commissions or private parties involved in fraud prevention.
Partner Organizations: Organizations with which We have an
agreement to cooperate, including (Bank Saudi Fransi, VISA, Arab National Bank) other electronic
money issuers and payment service providers, account data, service providers and payment initiation
service providers.
Business Partners: Our business partners, sub-contractors and
other organizations providing services to Us and Our customers.
Advisors: Financial and legal advisers.
Legal Representatives: Your (or the Business Entity's You
represent) agent or legal representative (such as the holder of a power of attorney that You grant, or a
guardian appointed for You) and any other party linked with You (or the Business Entity You represent).
Public data sources: Information from publicly available
sources.
We may also need to share Your personal data with other third parties to provide You (or the Business Entity
You represent) with Hala Services based on Your (or on the Business Entity's You represent) interests:
If You (or the Business Entity You represent) have applied for and are issued with a Hala Mada Payment
Card, we will share transaction details with organizations which help Us to provide this service (for
example Mada).
We may undergo structural changes in the future. If We sell, transfer or merge part or all of Our business
or assets or any associated rights or interests, or if We acquire a business, or enter into a merger, we may
disclose Your personal data to the prospective buyer, transferee, merger partner and/or their advisers. If the
transaction proceeds, the buyer, transferee or merger partner may use or disclose Your personal data in the
same way as outlined in this Privacy Policy.
In addition, we may provide aggregated statistical data to third parties, including other organizations or
members of the public, about how, when, and why You (or the Business Entity You represent) visit Our Website
and use Hala Services. This data is non-personal data and will not identify You or provide data on how You (or
the Business Entity You represent) individually use the Website or Hala Services.
When a third party processes Your personal data on Our behalf, they are subject to strict security and
confidentiality obligations consistent with this Privacy Policy and applicable laws. We will take all
reasonable steps to ensure that your personal data is treated by the third party in accordance with this
Privacy Policy.
Service providers are thereby mandated to comply with a list of technical and organizational security
measures, including information security management, data encryption measures, and backup procedures.
12. Cross-Border Transfers
If there is ever a requirement to process your personal data outside the Kingdom as a part of
Hala’s legal basis for processing personal data, Hala will ensure the data is transferred in a manner that
maintains the security and privacy of your personal data. In such a case, Hala will only ever transfer your
Personal Data abroad to third parties or countries which are considered to provide an adequate level of data
protection, or in the absence of such legislation, subject to standard contractual agreements guaranteeing a
sufficient level of protection in accordance with a standard model issued by SDAIA under the PDPL.
13. Rights and Complaints
The Right to Know: You have the right to know our
contact details, the exact reasons for collecting your data, the methods used to collect it, and whether this
data will be shared or sold.
The Right to Destroy and Delete Personal Data: You
can request the deletion/destruction of your personal data under the following conditions:
We no longer need it for the purpose for which it was collected.
It was processed based on your consent, and you revoke that consent.
However, Hala may not be able to delete your data in certain cases, such as:
When the data is necessary for the purpose for which it was collected.
When Hala's interest in processing the data outweighs your interest in deletion.
When we have a legal obligation to retain it.
The Right to Correct the Data: You have the right to
request the correction of any inaccurate or incomplete data about you.
The Right to Access/Get the Data: You have the right
to access your personal data that we hold and obtain a copy in a clear and readable format, consistent with our
records.
Unsubscribe: You have the right to opt-out of sharing
your personal data for certain targeted advertising purposes.
Withdraw Your Consent: If we process your personal
data based on your consent, you have the right to withdraw that consent at any time. Upon withdrawal, we will
cease processing your data for those purposes.
Right to File a Complaint: If you have any complaint
regarding Hala's processing of your personal data, you can contact the Personal Data Protection Officer via
email: [email protected] where your complaint will be processed
within a period not exceeding 30 days. If the problem is not resolved or no response is received within this
period, you can submit a complaint to the Saudi Central Bank through the following link.
Settings in Hala Applications: In Hala's mobile
applications, you are provided with functionalities to customize your preferences for specific services, such as
notification settings.
14. How to Exercise Your Rights
You can submit a request to access your personal data, delete it, or correct it by filling
out the Personal Data Subject Request Form and sharing it with [email protected] or
by sending an email to [email protected]. To ensure your privacy and maintain
security, we take steps to verify your identity before granting you access to your personal data or fulfilling
your request.
15. How We Use Cookies
To provide a personalized and seamless experience, Hala uses cookies and similar tracking
technologies across our various interfaces. These technologies help us improve your experience by remembering
your preferences and enhancing the functionality of our services. You can find more information about the
tracking technologies used by Hala in our Cookie Policy.
16. Duration of Storage of Your Personal Data
The duration for which Hala stores your personal data depends on the purpose for which it is
used:
Contractual Relationship: Personal data used for the contractual
relationship between you and Hala is generally stored for the duration of the contractual relationship and up
to ten years, in accordance with SAMA.
Legal Obligations: Personal data that Hala is under a
legal obligation to retain, for example under anti-money laundering laws or bookkeeping laws, will be stored
for a minimum period of ten years from the date the relationship ends.
Quality Assurance: Recordings of telephone conversations are
processed for 90 days for quality assurance purposes. Recordings of inbound and outbound calls, along with Hala
employees' notations from these calls, are maintained for ten years to document discussions and decisions.
Extended Storage: In some limited cases, the personal data may need
to be stored for more than 10 years, such as until the investigation is closed or the dispute or complaint is
fully resolved.
The above legal obligations mean that Hala cannot delete your personal data, even if you ask
us to delete it, if there is a legal obligation to retain it. If there is no such obligation, we will assess
whether the data is needed to protect Hala from legal claims. Please note that just because we are under a legal
obligation to store your personal data, this does not mean that we are also permitted to use this data for any
other purpose.
17. Terms and Definitions
Personal Data Protection Law: The purpose of this law is to protect
individuals' personal data from violations and misuse in its collection, use, and processing. The law sets out
the rules and principles that institutions and companies must adhere to when dealing with personal data to
ensure the privacy and rights of individuals.
Personal Data: Any statement—regardless of its source or form—that
can lead to the identification of an individual specifically or makes them identifiable directly or indirectly
when combined with other data. This includes, but is not limited to, names, personal identification numbers,
addresses, contact numbers, bank account numbers, credit card numbers, still or moving images of the user, and
other personal data.
Privacy: The right of an individual to control how their personal
data is collected, used, and shared. Privacy includes protecting personal data from unauthorized access or use
without consent and ensuring that this data is handled securely and appropriately in accordance with
applicable laws and policies.
Child: A child is any person who has not yet reached the age of
eighteen.
Processing of Personal Data: All operations carried out on personal
data by any means, whether manual or automated. These operations include, but are not limited to, the
collection, transmission, preservation, storage, sharing, destruction, analysis, extraction of patterns,
inferences, and linking with other data.
Personal Rights: The rights of individuals related to accessing,
correcting, deleting, and other legal rights concerning their personal data.
Consent: Consent given directly and explicitly by the data subject
in any form, indicating their acceptance of the processing of their personal data in a manner that cannot be
interpreted otherwise and is verifiable.
Legitimate Interest: Any necessary need of the data controller that
requires the processing of personal data for a specific purpose, provided that it does not adversely affect
the rights and interests of the data subject.
Regulatory Authorities: Government entities or institutions that
monitor and enforce compliance with regulations related to the protection of personal data.
Targeted Marketing: Directing advertisements and offers to
individuals based on their personal data and behavior.
Third Parties: Entities that receive personal data from the
controller or processor.
Collection: The process by which the data controller obtains
personal data in accordance with the provisions of the regulations, whether directly from the data subject,
from their representative, from a person with legal authority over them, or from another party.
Automated Processing: The use of technology and software to process,
analyze, and handle data without human intervention. This includes the use of algorithms, computer programs,
and systems to perform tasks such as data entry, validation, and transformation.
Destruction: Any action taken on personal data that makes it
impossible to access or recover it again or to identify the data subject specifically.
Anonymization Techniques: The permanent removal of direct and
indirect identifiers that indicate the identity of the data subject, making it impossible to identify the data
subject.
Cookies: Small text files placed on your computer when visiting
certain websites, used to identify your device. Please visit our Cookie Policy to learn more about cookies and
some functions and benefits on our platforms.
IP Address: A sequence of numbers assigned to each device connected
to the internet to identify its location and enable communication between devices over the network. An IP
address can be static or dynamic and is used to track online activity and identify the source of the
connection.
Mandatory Data: Personal data necessary to enable us to provide our
services and comply with regulatory requirements. Failure to provide this data may result in our inability to
provide some services.
Optional Data: There is optional personal data that we collect in
order to improve the quality of services and the customer experience. The customer has the right not to
provide this data without this affecting the provision of basic services.
Entity: Business clients being dealt with, including (accountants
and owners).