Skip to main content

Data Privacy Policy

This Policy explains the purpose for which Personal Data is collected, the types of data collected, how it is collected, the legal basis on which it is processed, how it is stored and retained, the parties with whom it may be shared, how it may be transferred inside and outside the Kingdom of Saudi Arabia, how it is destroyed, the rights of Data Subjects in relation to their data, and how those rights may be exercised — all in accordance with applicable laws and regulations in the Kingdom of Saudi Arabia, in particular the Personal Data Protection Law issued by Royal Decree No. (M/19), as amended, and its Implementing Regulations (the "PDPL").

This Policy forms part of the General Terms and Conditions of Use.

Article 1: Identity of the Data Controller and Contact Channels

The party responsible for processing Personal Data on the Platform is:

  • Legal name: Aqar App Company

  • Commercial registration number: 7010480536

  • National address: 2577 Althumama Road, 3rd Floor, Qurtuba, Saudi Arabia

  • Data Protection Officer (DPO): Data Department

  • Email for privacy enquiries: [email protected]

Any reference in this Policy to the "Platform" or "we"/"us" refers to the entity named above, acting as the Data Controller under the PDPL.

Article 2: Data Collection and Types of Data

We collect the Personal Data necessary to provide the Platform's services in one of two ways:

A. Data you provide directly

When you use the Platform or contact us through any channel, we may collect — by way of example and not limitation — the following:

  1. IP address

  2. Location or geographic address

  3. Email address

  4. Mobile number

  5. Device and browser type and information

  6. National ID or Iqama information

  7. Commercial registration information

  8. Title deed and property-ownership information

  9. Payment information

  10. Bank account information (where required for specific services)

  11. Content you publish on the Platform

  12. Browsing and interaction data on the Platform

  13. Private messages exchanged on the Platform

B. Data we obtain indirectly

We may obtain additional data from trusted sources for purposes such as identity verification, property-ownership verification, and verification of commercial and professional records — including from competent government entities and accredited service providers (such as national verification services and real-estate authentication platforms). We collect only the minimum data necessary to achieve the stated purpose.

Note on Sensitive Data

Some of the data we process — such as National ID information — may include elements warranting heightened protection. We do not use Sensitive Data for direct-marketing purposes under any circumstances, and we apply stricter safeguards when processing such data.

Article 3: Legal Basis for Processing

We process your Personal Data on one of the following legal bases under the PDPL, depending on the nature of the processing:

  1. Your explicit consent, given at registration or when activating a specific service.

  2. Performance of a contract to which you are a party, such as delivering services you have subscribed to.

  3. Compliance with a legal obligation in force in the Kingdom, such as responding to requests from competent authorities.

  4. Our legitimate interests, where these do not override your rights and legitimate interests — for example, fraud prevention and service improvement.

You may withdraw your consent at any time, as set out in Article 11.

Article 4: Purposes of Processing

We process your Personal Data for the following purposes:

  1. Providing the Platform's services and meeting your needs in the best possible way.

  2. Improving the performance of the Platform and the user experience.

  3. Verifying user identity and property ownership, and preventing fraud.

  4. Sending operational alerts and notifications relating to your account and services.

  5. Sending marketing messages where you have given prior consent, with a clear opt-out mechanism available at any time.

  6. Producing statistics, research, and reports relating to the services and sectors the Platform serves.

  7. Verifying payment transactions.

  8. Documenting and archiving complaints and incidents of misconduct, for submission to relevant authorities when legally required.

  9. Responding to requests from competent governmental and judicial authorities.

Article 5: Sharing Data with Third Parties

We may share your Personal Data — only to the extent necessary to achieve the purpose — with the following categories of third parties:

  1. Cloud-infrastructure and hosting providers.

  2. Payment service providers, for transaction verification.

  3. SMS, email, and notification service providers.

  4. Data-analytics and marketing service providers.

  5. Identity-verification and property-ownership-verification service providers.

  6. Legal, regulatory, and accounting advisors bound by confidentiality.

  7. Competent governmental and judicial authorities, in response to lawful requests.

  8. Any entity to which our operating rights are transferred, in whole or in part, provided that the transferee is bound by this Policy and the PDPL.

All service providers act under data-processing agreements that ensure the level of protection required by the PDPL.

Article 6: Cross-Border Data Transfers

Delivering certain services may require transferring or processing your data outside the Kingdom of Saudi Arabia — through accredited cloud or technology providers. When this occurs:

  1. We limit the transfer to the minimum data necessary to achieve the purpose.

  2. We ensure the transfer does not compromise the level of protection guaranteed by the PDPL.

  3. We rely on one of the safeguards approved by the Saudi Data & Artificial Intelligence Authority (SDAIA), including Standard Contractual Clauses or the other safeguards set out in the Regulation on Personal Data Transfer Outside the Kingdom.

  4. We carry out the necessary impact assessments for continuous or large-scale transfers.

Article 7: Data Retention Periods

We retain your Personal Data for the period necessary to fulfill the purpose for which it was collected, or for the period required by applicable laws in the Kingdom, whichever is longer. In general:

Data category

Retention period

Core account data

For the duration of an active account, and up to 10 years thereafter

Payment and financial-transaction data

10 years, in line with accounting and tax regulations

Identity-verification data

10 years

Communications and complaint records

10 years

Browsing and interaction data

10 years

Private messages on the Platform

10 years

When the retention period ends, data is permanently destroyed or anonymized, unless a legal obligation requires otherwise.

Article 8: Data Security

We implement appropriate organizational, administrative, and technical measures to protect your Personal Data against loss, destruction, or unauthorized access, including:

  1. Encryption of data in transit and at rest.

  2. Access controls and need-to-know permissions.

  3. Continuous monitoring of our systems and periodic risk assessments.

  4. Training of staff on data-protection requirements.

  5. Requiring all service providers to enter into confidentiality and data-protection agreements.

Article 9: Personal Data Breaches

In the event of a Personal Data breach that may harm you or affect your rights, we will:

  1. Notify SDAIA within seventy-two (72) hours of becoming aware of the incident.

  2. Notify you without undue delay where the breach is likely to cause serious harm to you.

  3. Take the necessary steps to contain the incident and prevent recurrence.

Article 10: Cookies and Similar Technologies

We use cookies and similar technologies for operational, analytical, and marketing purposes, including:

  1. Strictly necessary cookies: to operate the Platform and maintain your session.

  2. Performance and analytics cookies: to measure Platform usage and improve it.

  3. Marketing cookies: to personalize advertising and content, subject to your consent.

You can manage your preferences through your browser settings or through the cookie-preferences panel on the Platform.

Article 11: Direct Marketing and Notification Preferences

  1. We do not send marketing messages unless you have given prior consent.

  2. You may opt out of marketing messages at any time through:

    • The unsubscribe link at the bottom of every marketing email.

    • The notification settings in the Platform's app.

    • Contacting us at [email protected].

  3. We do not use Sensitive Data for direct-marketing purposes.

  4. Opting out of marketing does not affect operational notifications necessary for your account and services.

Article 12: Automated Decision-Making

We may use automated algorithms in certain features of the Platform — such as ranking search results, evaluating listing quality, and pricing promotional services. Where such decisions produce legal effects or significantly affect you, you have the right to request human review, and to object to the decision through the channels set out in Article 14.

Article 13: Data of Minors

The Platform is intended for adults (18 years and older). We do not knowingly collect data from minors. If we discover that data of a minor has been collected without parental consent, we will delete it without delay. If you are a parent or guardian and believe a minor's data has been collected, please contact us at [email protected].

Article 14: Your Rights as a Data Subject

Under the PDPL, you have the following rights:

  1. Right to be informed of the legal basis and purpose of the processing.

  2. Right of access — to view your data and obtain a copy.

  3. Right to rectification — to request correction of inaccurate or incomplete data.

  4. Right to erasure — to request deletion of your data in cases permitted by the PDPL.

  5. Right to object to processing in certain cases.

  6. Right to data portability — to receive your data in a structured, machine-readable format.

  7. Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

  8. Right to restrict processing in certain cases.

Article 15: How to Exercise Your Rights

To exercise any of the rights set out above:

  1. Submission channels:

  2. Identity verification: We may ask you to verify your identity to confirm the request is genuinely yours — this protects your data.

  3. Response time: We respond within thirty (30) days of receiving a complete request. This period may be extended by a further thirty (30) days for requests requiring unusual effort, with notice to you of the extension and its reasons.

  4. Fees: Exercising your rights is free of charge, unless the request is repetitive or excessive, in which case a reasonable fee reflecting actual cost may apply.

Article 16: Complaints

If you believe our processing of your data does not comply with the PDPL, you may:

  1. Contact us first at [email protected] so we can try to resolve the matter directly.

  2. File a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) through its official channels.

Article 17: Updates to this Policy

We may update this Policy from time to time to reflect regulatory or operational changes. Where material changes are made, we will notify you through appropriate channels (email or in-app notice) a reasonable period before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

Article 18: Contact Us

For any enquiry relating to this Policy or to the processing of your Personal Data:

Related Articles
Privacy Policy
Brokerage Contract & Ad License
Did this answer your question?