DRAFT — to be finalized by legal counsel before go-live. Designed to comply with the Kingdom of Saudi Arabia Personal Data Protection Law (PDPL).
Privacy Policy
How Sa'adah collects, uses, and protects your personal data.
Last updated: June 2026
Data Controller
Sa'adah Events Company ("Sa'adah", "we", "us"), headquartered in Riyadh, Kingdom of Saudi Arabia, is the data controller for the personal data processed under this policy.
Sa'adah is committed to compliance with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) and its implementing regulations, as well as any related legislation in Gulf Cooperation Council states.
Data We Collect
We collect the following categories of data depending on how you use the platform:
- Account & contact data: Full name, mobile number (required for OTP), email address (optional for attendees; required for organizers and staff).
- KYC verification documents (organizers only): Commercial registration, official identity document, VAT registration certificate (where applicable), IBAN for payouts.
- Booking & transaction data: Ticket details, order records, currency used, date and time of transaction.
- Payment data (processed by third party): Payments are handled by a PCI-DSS certified external payment gateway. Sa'adah does not store full card numbers. We retain only card type and last four digits for reference purposes.
- Device & usage data: IP address, browser and device type, pages visited and navigation path, connection timestamps — used for operational, security, and service improvement purposes.
- User preferences: Selected language, preferred currency, notification settings.
Purposes & Legal Basis for Processing
We process your data for the following purposes, with the legal basis indicated for each:
- Performance of contract: Account activation, processing bookings, issuing QR-code tickets, handling payments and refunds.
- Legal obligation: Compliance with tax requirements (ZATCA and GCC equivalents), retention of financial records as required by the relevant tax and regulatory authorities.
- Legitimate interest: Fraud prevention, platform security, and service improvement based on aggregated and anonymised usage patterns.
- Consent: Sending marketing communications and event recommendations (you may withdraw consent at any time).
- Operational notifications: Booking confirmations, event reminders, change and cancellation notices.
Data Retention
Different categories of data are retained for different periods:
- Active account data: Retained for as long as your account remains active.
- Order records and financial transaction data: Retained for a minimum of seven (7) years after the transaction, to meet tax, accounting, and legal requirements. These records are kept even after account deletion, in anonymised form wherever possible.
- KYC documents (organizers): Retained for the duration of the contractual relationship and for a reasonable period thereafter in accordance with regulatory requirements.
- Device and connection logs: Retained for no longer than 12 months unless a longer period is required by law.
Upon expiry of the applicable retention period, data is securely deleted or anonymised.
Your Rights under PDPL
The Saudi Personal Data Protection Law grants you the following rights:
- Access: The right to know what personal data we hold about you.
- Correction: The right to request correction of inaccurate or incomplete data.
- Erasure (deletion): The right to request deletion of your data in cases permitted by law — noting that order and financial transaction records are retained for legal and tax purposes.
- Objection: The right to object to processing of your data for direct marketing purposes.
- Portability: The right to receive a copy of your data in a machine-readable format.
- Withdrawal of consent: The right to withdraw any consent previously given, without affecting the lawfulness of prior processing.
Exercise your rights directly in the app: You can export all your data or delete your account directly from your Account page → Privacy tab without needing to contact us.
To exercise other rights or for any privacy queries, contact our Data Protection Officer at: privacy@saadah.com
Data Residency & International Transfers
Sa'adah platform data is primarily processed and stored on servers located in or near the Gulf region.
Where it is necessary to transfer personal data outside the Kingdom of Saudi Arabia (e.g. to technical service providers), we ensure that appropriate safeguards exist, such as standard contractual clauses or data processing agreements that protect your data to the required standard.
Data Security
We apply appropriate technical and organisational security measures including: encryption in transit and at rest, access controls on the principle of least privilege, and regular security reviews. Payment data is processed exclusively through a PCI-DSS certified gateway. In the event of a data breach affecting your rights, we will notify you in accordance with applicable legal requirements.
Contact Our Data Protection Officer
For any queries about this policy, or to exercise rights that cannot be fulfilled directly through the app, please contact our Data Protection Officer:
- Email: privacy@saadah.com
- Postal address: Sa'adah Events, Riyadh, Kingdom of Saudi Arabia
You also have the right to lodge a complaint with the Saudi Data and AI Authority (SDAIA) if you believe your data is being processed in violation of the PDPL.