Privacy Policy – Nomou Saudi
This Privacy Policy (“Privacy Policy”) explains how Bayan Digital for Information Technology LLC, including its respective affiliates, related companies, unaffiliated partners and/or licensors (together herein referred to as “Spire”), collects, uses, processes and protects the information provided by you (“End User”) or acquired through End User’s use of the Services (as defined below). This Privacy Policy also describes what End User’s information Spire collects, the specific ways Spire uses such information, and how End Users can exercise their rights under the Applicable Laws (as defined below).
Spire regularly reevaluates its privacy and security practices and adapts them as necessary to deal with new regulatory requirements, changes in legislation and revised security standards. End Users are advised to read this Privacy Policy carefully.
1. DEFINITIONS
For the purposes of this Privacy Policy, in addition to the capitalized terms defined elsewhere in this Privacy Policy, the following terms shall have the meanings ascribed to them as follows:
1.1. “AISP” means account information service provider, a regulated payment service provider that provides consolidated information on one or more Payment Accounts held by End User with either another payment service provider or with more than one payment service provider.
1.2. “Applicable Laws” means:
- KSA Open Banking Framework (KSA OBF) together with all regulatory technical standards, codes of practice, guidelines and/or formal interpretations issued by a regulator with jurisdiction over the Services contemplated in these ToS, and all laws or regulations in force from time to time in PASP’s jurisdiction giving effect to PSD2; and
- all laws, statutes, rules, regulations, decrees, orders or directives in force from time to time that are applicable to the Services contemplated in these ToS.
1.3. “PASP” means payment account service provider, a payment service provider (such as bank, credit institution or electronic money institution) that provides and maintains a Payment Account for End User.
1.5. “Consent” of End User means any freely given, specific, informed and unambiguous indication of End User’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
1.6. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.7. “Metadata” means all ancillary information, metadata, usage data, service data, relationships, trends, metrics, logs and all other information derived from use of the Services.
1.8. “Terms of Service” means Spire’s terms of service which govern End User’s use of the Services as the same may be amended from time to time for the purposes of compliance with changes in the Applicable Laws or good industry practice.
1.9. “Payment Account” means an account held in the End User’s name by the PASP which is used for the execution of Payment Transactions.
1.10. “Payment Account Data” means data relating to End User’s Payment Account, particularly:
- account information (including without limitation account number, type, currency, balance);
- transactions information (including without limitation transaction amount, date, description, currency); and
- account holder information (including without limitation name, address, email, phone number), on the condition that the respective PASP in its sole discretion provides access to such additional information.
1.11. “Payment Order” means an instruction by End User to its respective PASP requesting the execution of a Payment Transaction.
1.12. “Payment Order Data” means data relating to the Payment Order, including without limitation amount, currency, status, description, payee details.
1.13. “Payment Transaction” means an act initiated by End User or on End User’s behalf of placing, transferring or withdrawing funds from End User’s Payment Account.
1.14. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes, but is not limited to, Payment Account Data and Personalized Security Credentials.
1.15. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.16. “Personalized Security Credentials” means personalized features provided by PASP to End User for the purposes of authentication, including without limitation username, password, access number, security questions and answers, token/SMS codes, multifactor information, device information.
1.17. “PISP” means payment initiation service provider, a regulated payment service provider that initiates Payment Orders at End User’s request with respect to End User’s Payment Account held with the respective PASP.
1.18. “processing” or “to process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, access, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.19. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.20. “Pseudonymization” means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific End User without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
1.21. “Services” means the services provided by Spire on behalf of End User’s respective PASP.
1.22. “Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
1.23. “TPP” means a third-party provider, such as AISP or PISP.
1.24. “Website” means the website www.spiretech.co.
2. CONSENT
By accessing and using the Services End User hereby: (i) acknowledges and confirms that End User is at least eighteen (18) years old, or of the legal age of majority in the jurisdiction in which End User resides; and (ii) consents to the use of his/her Personal Data as described in this Privacy Policy. Except as set forth in this Privacy Policy, End User’s Personal Data will not be used for any other purpose without End User’s Consent. Spire will only disclose End User’s Personal Data to third parties strictly for the purposes described in this Privacy Policy. Spire does not sell, trade or rent End User’s Personal Data to any third party, nor does Spire use End User’s Personal Data for advertising purposes.
3. COLLECTION OF INFORMATION
When End User starts using the Services Spire will collect information, including Personal Data, for the purpose of providing, maintaining and improving the Services, as well as meeting the compliance requirements set forth in the Applicable Laws with respect to the provision of Services. Spire collects information primarily in four (4) ways:
- Information End User voluntarily provides to Spire. When End User starts using the Services, or contacts Spire’s customer support team with respect to service-related issues or communicates with Spire in any way, End User voluntarily gives Spire information that Spire collects and processes as described in the Terms of Service and this Privacy Policy. End User gives Spire information directly through the Services; End User must authenticate himself/herself by providing the Personalized Security Credentials required to access End User’s Payment Account with the respective PASP. End User may communicate with Spire directly through the Services or by sending an email. If End User voluntarily submits Personal Data by email with his/her inquiry or request pertaining to the Services, Spire will process any such Personal Data in accordance with this Privacy Policy. Spire may require additional information, including Personal Data, in order to identify End User while processing his/her inquiry or request. Spire may also maintain a record of such communication, including any follow-ups and subsequent feedback, for internal purposes.
- Information collected through End User’s use of the Services. Spire collects information about: (i) the TPPs End User interacts with through the Services and a trail log of their actions with respect to access to End User’s Payment Account; (ii) any actions of End User within the Services; (iii) Payment Account Data to which Spire has been granted access; and (v) details of the Consent given by End User, including without limitation scope and timestamp of such Consent. Spire may store this information or part thereof in log files or other Metadata associated with End User’s Account, and link it to other information Spire collects and processes about End User.
- Information collected through use of Services. When End User uses the Services, Spire may collect certain information in addition to that described elsewhere in this Privacy Policy, including without limitation device type and operating system. Spire will also send push notifications to inform End User about pending actions or give service-related notifications. End User can’t opt out of receiving these push notifications. Spire may access, track or collect location-based information from End User’s mobile device while downloading or using the Services.
- Information collected from PASP. Spire collects information from End User’s respective PASP for the purposes of providing the Services as follows:
- Payment Account Data, Payment Order Data and confirmation of availability of funds in End User’s Payment Account;
- Information Spire collects automatically. Each time End User uses the Services Spire collects certain information automatically about how and when End User uses the Services. This information may include without limitation the browser that End User is using, operating system, IP address, all of the areas within the Services that End User visits, and the time of day when End User accesses and uses the Services. Spire collects this information automatically as part of log files or other Metadata, as well as through the use of cookies, web beacons and other similar tracking technologies. All personally identifiable information collected about End User is treated as Personal Data in accordance with the terms of this Privacy Policy. Spire may also use the collected information in an anonymized aggregate way (i.e., it is not personally identifiable in this state) for a variety of purposes, including but not limited to enhancing or otherwise improving the Services and developing new services (see further Section 4.b. “Use of Non-Personal Data”). Further details about the use of cookies and other tracking technologies are provided below:
- Cookies: a cookie is a data file placed on a device when it is used to access the Services. Cookies or similar technologies may be used for many purposes, including without limitation remembering End User and End User’s preferences and tracking End User’s visits to the Website or access of the Services. Cookies work by assigning a number to the End User that has no meaning outside of the assigning website or application. Spire uses cookies for various purposes, including without limitation tracking End User’s movements within the Website and Services, analyzing trends, gathering statistical data and improving End User experience and the overall quality of the Services. Spire encodes and encrypts the cookies so that only Spire can interpret the information stored in them. Cookies can be disabled or controlled by setting a preference within End User’s web browser or on End User’s device. Thus, if End User does not want information to be collected through the use of cookies, End User can deny or accept the use of cookies at the individual browser or device level. However, if End User chooses to disable cookies some features of the Services may not function properly or Spire may not be able to customize the delivery of information to End User.
Besides first-party cookies set by Spire itself, Spire also uses third-party cookies. These third-party service providers with whom Spire has contracted help analyze certain online activities and provide analytics services.
Spire does not use cookies, web beacons or other similar tracking technologies to track and analyze End Users’ activity for advertising purposes, and on no occasion will Spire contract such third-party service providers to collect Personal Data on Spire’s behalf for advertising purposes.
4. USE OF INFORMATION
- Processing Personal Data. Spire processes Personal Data for the purpose of:
- providing, maintaining, supporting, protecting and improving the Services;
- meeting the regulatory compliance requirements set forth in the Applicable Laws;
- providing customer support;
- sending system alert messages;
- enforcing compliance with the Terms of Service and Applicable Laws;
- protecting the rights and safety of End Users and third parties of Spire and End User’s respective PASP(s);
- transferring End User information, including Personal Data, in case of a sale, merger, consolidation, or acquisition. In such case, any acquirer will be subject to Spire’s obligations under this Privacy Policy;
- storing Personal Data in order to be able to provide the Services on Spire’s servers or servers provided by third parties that are committed to complying with Spire’s obligations contained in this Privacy Policy and with whom Spire has contracted;
- troubleshooting, analyzing and solving service-related errors. In such cases, End Users’ Personal Data may be visible to and/or accessed by technicians, IT staff and/or system administrators authorized by Spire; and
- combining Personal Data with information obtained through the use of cookies, web beacons or similar technologies to improve the Services and user experience.
- Use of Non-Personal Data. Spire may generate anonymous data derived from or based on Personal Data so that the results are no longer personally identifiable with respect to End User, and combine or incorporate such anonymous data with or into other similar data or information collected from other End Users or derived from other End Users’ use of the Services (collectively, “Anonymized Aggregate Data”). Spire may use such Anonymized Aggregate Data for any business purpose, including but not limited to:
- providing, supporting and improving the Services, including sharing such Anonymized Aggregate Data with the respective PASP for the purpose of conducting transaction risk analysis and/or compiling other statistical reports;
- conducting analytical research, compiling statistical reports and performance tracking;
- developing and/or improving Spire’s other services and products; and
- sharing such Anonymized Aggregate Data with Spire’s affiliates, agents or other third parties with whom Spire has a business relationship.
Spire will not sell Anonymized Aggregate Data.
5. CHILDREN’S PRIVACY
Protecting the privacy of young children is especially important to Spire. The Services are not directed to children under the age of sixteen (18) years and Spire does not knowingly collect or process Personal Data from persons under sixteen (18) years of age. If Spire becomes aware of the fact that Personal Data of persons less than sixteen (18) years of age has been collected via the Services, Spire will take the appropriate steps to delete this information.
6. DISCLOSURES AND TRANSFERS
Spire will only transfer and/or disclose Personal Data as specified in this Privacy Policy unless End User gives Consent to the disclosure and/or transfer to any other third parties.
- Disclosure to Third-Party Providers. Spire has put in place contractual (including data protection, confidentiality and security provisions) and other organizational safeguards with its third-party service providers (“Third-Party Providers”) to ensure an adequate level of protection of Personal Data. Spire may transfer Personal Data to such Third-Party Providers, including Spire’s subcontractors and hosting providers engaged by Spire in connection with the provision of Services and/or Website. Such Third-Party Providers may process, store and/or have access to Personal Data.
- Disclosure to PASP. Spire will disclose Personal Data to End User’s respective PASP for the purpose of providing the Services as further described in the Terms of Service.
- Disclosure for Legal Reasons. Spire may disclose Personal Data without End User’s Consent, and End User hereby authorizes Spire to do so, when Spire believes in good faith that the disclosure of such information is reasonably necessary or appropriate:
- to comply with the Applicable Laws, any subpoena, enforceable request from the competent authorities or other legal process;
- to enforce Spire’s rights against End User or in connection with a breach by End User of the Terms of Service, including investigation of potential violations;
- to help detect, curb or investigate fraud or other prohibited or illegal activities that affect or hurt the interests of Spire or other third parties;
- to identify, contact or bring legal action against someone who may be causing injury to, or interference with (either intentionally or unintentionally), Spire’s rights or property, other End Users of the Services, or anyone else (including the rights or property of anyone else) that could be harmed by such activities; and
- to help Spire comply with legal, accounting or security requirements, in which case Spire may disclose such information to its auditors, professional consultants, accountants and/or legal advisors.
- Disclosure in Case of a Sale or Merger. Spire may disclose Personal Data in connection with an acquisition, corporate re-organization, merger or amalgamation with another entity, a sale of all or a substantial portion of Spire’s assets or stock, including any due diligence exercise carried out in relation to the same, provided that the information disclosed continues to be used for the purposes permitted by this Privacy Policy by the entity acquiring access to the information.
- Transfer of Ownership. End User’s information (including Personal Data) may be transferred upon change of control as a result of a sale, merger, acquisition or reorganization, but only in accordance with this Privacy Policy. If the entire or substantial ownership of Spire or Services were to change, End User’s information (including Personal Data) may be transferred to the new owner so the Services can continue operations. In any such transfer of ownership End User’s Personal Data will remain subject to the promises of the then and current Privacy Policy. Spire will provide reasonable advance notice to End User via the Website and/or Services of any such change in ownership or control of End User’s Personal Data or in case such Personal Data becomes subject to a different privacy policy.
End User acknowledges that his/her Personal Data may be processed in and transferred to jurisdiction(s) other than End User’s country of residence. By using the Services and submitting any Personal Data to Spire, End User agrees to such processing, transfer and/or disclosure. Spire will take all steps reasonably necessary to ensure that Personal Data is treated securely and in accordance with this Privacy Policy.
7. CONTROLLER AND PROCESSOR
In providing the Services Spire acts as Controller of Personal Data. Spire shall adhere to the following principles with respect to Personal Data processing:
- not to collect more Personal Data than is necessary for the purpose of providing the Services;
- not to use Personal Data for any other purposes than those specified in this Privacy Policy;
- ensure that all employees authorized by Spire to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- reasonably respond to requests for exercising End Users’ rights specified in Section 8.
8. END USER’S RIGHTS
Taking into account the nature of the processing, Spire will reasonably respond to requests for exercising End User’s rights set forth below:
- the right to be informed: End User has the right to receive fair processing information about his/her Personal Data, including purpose of processing and lawful basis for processing, the identity of Controller and Processor, the categories of Personal Data collected and processed, the recipients to whom Personal Data has been or will be disclosed, details of transfers (if any) to third countries and applicable safeguards, Personal Data retention period, the existence of End User’s rights, the sources Personal Data originates from.
- the right of access: End User has the right to obtain: (i) confirmation that his/her Personal Data is being processed; and (ii) access to such Personal Data.
- the right to rectification: End User is entitled to have Personal Data rectified if it is inaccurate or incomplete. Spire can’t, however, rectify any Payment Account Data, Payment Order Data or Personalized Security Credentials, as this information is provided by and collected from End User’s respective PASP.
- the right to erasure (right to be forgotten): End User has the right to request the deletion of his/her Personal Data when there is no compelling reason for its continued processing or End User withdraws Consent to such processing. End User can delete (all) his/her Account(s) at any time, in which case End User’s Personal Data will be permanently deleted from Spire’s production servers, except for the information that Spire will retain in accordance with its Data Retention policy (see further Section 9 “Data Retention”).
- the right to restrict processing: End User has the right to block processing of Personal Data on the grounds specified in the Applicable Laws. In such case, throughout the duration of the restriction Spire will no longer be able to process End User’s Personal Data and, consequently, provide the Services to End User.
- the right to data portability: End User may request to receive free of charge a copy of Personal Data stored in Spire’s system in a structured, commonly used and machine-readable format or have Spire transmit the data directly to another organization if this is technically feasible. Spire will use commercially reasonable efforts to respond to any data portability requests without undue delay and at the latest within one (1) month, although in certain limited circumstances Spire: (i) may not be able to make all relevant information available to End User where that information also pertains to another End User; in such case, Spire will provide reasons for denial to comply with End User’s request or any part thereof; and (ii) may extend the reply period to two (2) months where the End User’s request is complex or Spire receives a number of requests; in such case, Spire will inform End User within one (1) month of the receipt of the request and explain why the extension is necessary. Spire reserves the right to charge a reasonable administrative fee if End User’s request is manifestly unfounded or excessive, particularly if it is repetitive, and for further copies of the same information.
- the right to object: End User has the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) processing for purposes of scientific/historical research and statistics. Spire does not process End User’s Personal Data for any of the foregoing purposes.
- rights in relation to automated decision-making and profiling: End User has the right to object to processing of Personal Data for the purposes of automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of Personal Data to evaluate certain things about an individual). Spire does not process End User’s Personal Data for any of the foregoing purposes.
- the right to lodge a complaint with a supervisory authority: End User has the right to lodge a complaint about Spire’s data protection or privacy practices, or the exercise of any of End User’s rights with respect to Personal Data as detailed in this Privacy Policy, with End User’s local supervisory authority. For more information, End User should consult the applicable privacy and data protection regulatory body for the jurisdiction in which End User resides.
- the right to withdraw Consent: End User may withdraw Consent to Spire’s processing of Personal Data at any time. However, withdrawing Consent may result in End User’s inability to continue using the Services.
9. DATA RETENTION
Spire will delete End User’s Personal Data from its primary production servers when End User deletes (all) his/her Account(s) or withdraws Consent to further processing of his/her Personal Data by Spire. As a result, End User’s Personal Data will be excised permanently from Spire’s production servers and further access to End User’s Account(s) and use of the Services will be impossible. Notwithstanding the foregoing, Spire shall retain End User’s Personal Data or portions thereof:
- in backup files on its backup servers for a period of up to one (1) year in order to ensure compliance with internal business continuity and disaster recovery procedures; and
- in log files in order to: (i) comply with the requirements of the Applicable Laws; (ii) exercise or defend (ongoing) legal claims; and (iii) assist End User’s respective PASP in meeting audit or statutory requirements. The retention period for such Personal Data shall be a minimum of five (5) years from the date of deletion, or such longer period as required by the Applicable Laws, unless subject to statutory or regulatory change.
Backups and log files containing Personal Data are stored separately from the production servers. All Personal Data retained in backup files and log files will be treated in accordance with the terms of this Privacy Policy for as long as it is retained before being automatically deleted after the retention period has elapsed.
Backup files are stored using strong TLS encryption and Spire’s authorized personnel do not access such files in the ordinary course of business operations. Spire will not use any Personal Data retained in backup files in everyday business activities.
10. DATA SECURITY
- Online Confidentiality.
- End User must keep the Personalized Security Credentials and the set of credentials required to access the Services secure and never disclose them to any third party. End User is solely responsible for maintaining the confidentiality of such information. If End User suspects that the Personalized Security Credentials and/or Credentials have been stolen or been made known to others, End User must change them immediately and contact Spire promptly at privacy@spiretech.co. Spire shall not be responsible for any loss or damage resulting from access to End User’s Account and/or Services through Personalized Security Credentials obtained from End User or through violation of this Privacy Policy or the Minimum Terms of Service for End User.
- Although Spire will take reasonable steps to ensure that End User’s Personal Data is treated and stored securely, unfortunately, the sending of information via the Internet is not totally secure and on occasion such information can be intercepted. Therefore, Spire can’t guarantee the security of Personal Data that End User chooses voluntarily to send to Spire electronically. Spire expressly disclaims all liability for any interception or interruption of any Internet transmissions sent by End User or any losses of or changes to data, including Personal Data, resulting from such interception or interruption.
- Notice of Security Breach. Nobody is 100% safe from hackers. If a security breach causes an unauthorized intrusion into Spire’s systems, software or networks that leads to a Personal Data Breach resulting in a high risk to the rights and freedoms of End User, then Spire will notify Controller of the Personal Data Breach without undue delay after having become aware of it, by describing the nature of the Personal Data Breach, the data that has been, or Spire reasonably believes to have been, compromised and the immediate actions taken by Spire with respect thereto. Spire will later report to Controller the measures taken to mitigate potential adverse effects and prevent continuing or similar security breaches in the future.
- Personal Data Safeguards. Spire is committed to maintaining the confidentiality, integrity and security of the Personal Data of End Users. Spire employs advanced security techniques to safeguard Personal Data against unauthorized access, use and/or disclosure. Spire strictly restricts access to Personal Data in accordance with specific internal procedures governing access to such information. Spire carefully selects the individuals privileged with access to Personal Data in accordance with internal security policies and practices, and each such individual is bound by confidentiality obligations. The Services ensure secure communications with TLS encryption. To maintain the security of online sessions and protect Spire’s systems from unauthorized access, Spire uses a combination of firewall barriers, encryption techniques and authentication procedures, among others. Access to Spire’s systems requires multiple levels of authentication, including biometric recognition procedures. Security personnel monitor the systems 24 hours a day, 7 days a week. Spire databases are both physically and logically protected from general employee access. Spire enforces physical controls on its premises. Spire is routinely verified for its use of TLS encryption technologies and audited for its privacy practices. Spire tests its systems and the Services infrastructure for any failure points that might allow hacking.
- Data Pseudonymization. In addition to the technical and organizational security measures employed by Spire to ensure security, confidentiality and integrity of Personal Data, Spire also uses a data Pseudonymization technique when processing and storing Personal Data in its systems by replacing the data fields which are the most identifying in a data record with pseudonyms. Personal Data which has undergone Pseudonymization can no longer be attributed to a specific End User without the use of additional information, and such additional information is kept by Spire separately and is subject to technical and organizational security measures to ensure that such pseudonymized Personal Data is not attributed to an identified or identifiable natural person.
11. PRIVACY POLICY UPDATE
Spire reserves the right to change this Privacy Policy at any time and from time to time to reflect changes in the Services or the Applicable Laws. If Spire decides to change this Privacy Policy in the future, Spire will post an appropriate notice at the top of this Privacy Policy page and/or give reasonable advance notice to End Users through the Services or Website. Any non-material change (such as clarifications) to this Privacy Policy will become effective on the date the change is posted and any material changes will become effective thirty (30) days from their posting on the Website. Unless stated otherwise, this Privacy Policy applies to all Personal Data collected and processed by Spire in connection with the Services. The date this Privacy Policy was last revised appears at the top of this document. End User is advised to print a copy of this Privacy Policy for reference and revisit this Privacy Policy from time to time to ensure that End User is aware of any changes. End User’s continued use of the Services after the changes to this Privacy Policy become effective signifies End User’s acceptance of any such changes.
12. DATA PROTECTION OFFICER
Spire’s data protection officer can be reached at any time by email at dpo@spiretech.co in case of any questions with respect to Spire’s collection, use, disclosure or processing of Personal Data.
13. CONTACT
Any questions, comments or feedback regarding this Privacy Policy or any other privacy or security concern may be sent by email to privacy@spiretech.co.
Bayan Digital for Information Technology
2908 Ameer Mohd Bin Abdul Aziz
Olaya, Riyadh
Kingdom of Saudi Arabia