Introduction

Tourism Development Fund (TDF) is dedicated to safeguarding user data and information on its website ("the client," "clients"). TDF is committed to maintaining the confidentiality and privacy of this data and using it to provide the necessary services to the client in accordance with the applicable regulations and policies in the Kingdom of Saudi Arabia by taking appropriate and suitable measures to help protect clients' personal information from leakage and to prevent any unauthorized access.

By using TDF services, you acknowledge and agree to the content of this privacy notice and any ongoing modifications. We encourage clients benefiting from TDF services to regularly review the privacy policy to be aware of any updates.

The personal data that will be collected

TDF has prepared this privacy notice in accordance with the Personal Data Protection Law and the applicable regulations and policies in the Kingdom of Saudi Arabia. The purpose of this notice is to explain how TDF collects and processes personal data about clients, including—though not limited to—the information related to the client's profile, such as national identification details, personal photograph provided in person, national address, contact numbers, email, commercial registration information, credit data, license number, and permit number.

The purpose of collecting personal data

Personal data is collected to verify the user’s credit information for the purpose of evaluating financing requests and providing the appropriate service. It is also used to follow up on any inquiries, suggestions, or complaints submitted by the user.

Data Collection Methods

TDF collects and processes personal data obtained directly or indirectly through personal data collection points, including but not limited to:

- Registering on TDF’s website.
- Communicating through customer service channels.
- Submitting forms.
- Cookies (when visiting TDF’s website).

Personal Data Collection Mechanism

When a customer completes any form, provides information through a browser, or contacts us via phone, email, or social media platforms, all submitted data will be collected, securely stored, and processed on TDF's servers.

Storing personal data

Personal data is stored on cloud servers within the Kingdom of Saudi Arabia and is protected by advanced technologies in compliance with the regulations of the National Cybersecurity Authority to prevent unauthorized access and minimize cyber risks.

Legal basis for collecting and processing personal data

Personal data is collected and processed in accordance with the Personal Data Protection Law and its executive regulations, based on the following legal grounds—though not limited to:

• Explicit Consent:

TDF processes personal data based on the explicit consent of the client.

• Legal Obligation:

TDF processes personal data to comply with applicable laws and regulations.

• Contractual Relationship:

When TDF needs to process data to enter into or fulfill a contractual agreement with the client.

• Vital Interests :

When the processing of personal data serves actual interests of the client, and it is difficult to communicate with the client.

• Legitimate Interests:

When TDF needs to pursue its legitimate interests without infringing on the rights and interests of the client, provided that no sensitive data is processed.

• Public Interest:

To achieve public interest or if requested by a public entity and such processing is required for security purposes or to meet judicial requirements.

Processing of Personal Data

Personal data collected, whether directly or indirectly, is processed to fulfill the tasks and responsibilities assigned to TDF, in line with the objectives outlined in this policy. Processing is carried out solely by authorized personnel, in accordance with their respective roles and the approved policies for this purpose.

Failure to provide the required personal data may impact the customer's ability to access the services provided by TDF.

Rights of the Personal Data Subject

- Right to Be Informed: The personal data subject has the right to know the legal justification for collecting and processing their data, and with whom it will be shared.

- Right to Access Personal Data: The personal data subject has the right to access their personal data available with TDF. This includes viewing the data and obtaining a clear and accurate copy consistent with the records, free of charge, as determined by the policy. Requests can be submitted via the email mentioned in Clause 17.

- Right to Request Access to Personal Data: The personal data subject has the right to request access to their personal data stored with TDF.

- Right to Request Rectification of Personal Data: The personal data subject has the right to request the correction, completion, or updating of their personal data held by TDF.

- Right to Request Deletion of Personal Data: The personal data subject has the right to request the deletion of their personal data under specific circumstances, unless a legal provision mandates retaining it for a specified period.

- Right to Withdraw Consent: The personal data subject has the right to withdraw consent for processing their personal data at any time, provided that consent was the sole legal justification for processing, unless other legal or judicial requirements are met.

Sharing personal data

In accordance with the law and its executive regulations, your personal data may be shared in the following cases:

- Your Explicit Consent.

- If your personal data was collected from a publicly available source.

- If the data is requested by a third party — such as, but not limited to, the Saudi Central Bank (SAMA), credit information reports, SIMAH, banks, and government entities — and the collection or processing of your personal data is required for public interest, verification of credit records, security purposes, to enforce another law, or to meet judicial requirements.

- If the disclosure is necessary to protect public health, public safety, or to protect the life or health of specific individuals.

- If the disclosure will only involve subsequent processing in a manner that makes it impossible to identify you.

- If the disclosure is necessary to pursue the legitimate interests of TDF, provided that no sensitive data is involved.

Personal Data Protection

TDF is committed to protecting your personal data and ensuring its proper handling through several measures, including but not limited to controlling access, ensuring personal data is only accessible to authorized individuals, educating and training employees on personal data protection laws and their amendments, and deleting and disposing of personal data when the purpose for its collection has been fulfilled.

- Controlling Access: Ensuring personal data is only accessible to authorized individuals.
- Employee Training: Educating and training employees on personal data protection laws and their amendments, as well as the applicable executive regulations.
- Data Deletion: Deleting and disposing of personal data when the purpose for its collection has been fulfilled, in accordance with TDF’s approved policies and regulations.

Management of the TDF's Website

-The authority supervising the Website is: Tourism Development Fund (TDF).
-TDF’s website management reserves the right to add or change any provisions of the privacy policy.

Protection of Personal Data for Minors and Individuals Without Legal Capacity

TDF’s website and its applications are intended for use by individuals who are at least 18 years old and/or have legal capacity. If the data subject is under 18 years old or lacks legal capacity, a parent or legal guardian must provide consent on their behalf for TDF to collect and process the personal data of the data subject.

Responsibilities of the Data Subject

The data subject is responsible for the accuracy and currency of the information provided to TDF and must inform TDF of any changes as soon as possible. If you provide TDF with personal data about another individual, you must inform them of this privacy notice and obtain their consent to allow TDF to use their personal data for the specified purpose.

Retention of Personal Data

TDF will destroy the customer's personal data as soon as the purpose for its collection has been fulfilled using secure methods and techniques.

However, it may be necessary to retain personal data even after the purpose for its collection has been completed in the following cases:

• If there is a legal basis justifying retention for a specific period, the data will be destroyed once the retention period expires or the purpose for its collection ends, whichever is longer.

• If the personal data is closely linked to a case pending before a judicial authority and its retention is required for this purpose, the data will be destroyed once the judicial procedures for the case are completed.

• The data may be anonymized, with all elements that identify the customer being removed.

Changes to the Privacy Notice

The privacy notice was last updated on January 2025 and may be updated as needed. TDF recommends regularly visiting its website and reviewing this privacy notice to stay informed of any changes. By continuing to use TDF’s website and electronic platforms after the updated notice is published, the user acknowledges their acceptance of all modifications in this notice.

Communication

- Data Governance Officer – TDF’s Data Management Office

- Email:dmo@tdf.gov.sa

- Contact number: 920011552.

- Address: KAFD, Floor 11, building 305, Area 3, Riyadh 12263

Governing Law and Dispute Resolution

This privacy notice is governed by the laws and regulations in force in the Kingdom of Saudi Arabia, and any dispute arising from it shall be referred to the competent courts in Riyadh for resolution.