STC Bank Privacy Policy
| This Privacy Policy (the “Privacy Policy”) relates to your use of the STC Bank mobile application which offers financial services and other services available at: www.stcbank.com.sa (the “App”). The App is made available to you by STC BANK, a mixed closed joint stock company incorporated and existing under the laws of the Kingdom of Saudi Arabia and registered in the commercial register in the city of Riyadh under number 1010901344 and unified ID number 7010933328 having its place of business at 7252 King Khalid Rd – Al Asemah Dist. Ad Dir’iyah 13714 – 5260, Riyadh, Kingdom of Saudi Arabia (referred to in this Privacy Policy as “STC Bank”, “we”, “us” and “our”). |
| We take your privacy seriously and want you to feel comfortable whenever you use the App. We process your personal data (“Personal Data”) in accordance with the Saudi Arabia Cabinet Decision No. 98/1443 On the Approval Of the Personal Data Protection Law and Royal Decree No. M148 of 05/09/1444 AH and the respective implementing regulations as amended from time to time (together the “PDPL”), the Saudi Arabian Banking Control Law dated 22.2.1386H as amended from time to time (the “Banking Law”) and the Law of Payment and its Services, promulgated by Saudi Arabic Royal Decree No. M26/1443 dated 22/3/1443H and its implementing regulations as amended from time to time (the “PSP Regulations” and jointly with the PDPL and the Banking Law the “Applicable Laws”). |
| This Privacy Policy constitutes an integral part of the App’s terms and conditions. |
| 1. What Personal Data we collect and for what purposes |
| We collect the following types of Personal Data about you: |
| A) Personal Data provided by you to us or collected by us through YAKEEN, including full name, mobile number, national ID, residency cards, passport number, national address, and date and place of birth for the purposes of downloading the App, creating an account on the App, and using the services offered via the App; |
| B) Personal Data provided by you to us, including salary, employment sector, cash receipt, cash expenditure patterns, passcode, fingerprints and face ID for the purposes of creating an account on the App, conducting AML/KYC activities and using the services offered via the App; |
| C) If you apply for a debt product, Personal Data provided by you to us or by the Saudi Credit Bureau (SIMAH) and any other relevant governmental body to us, including SIMAH score and credit performance data for the purposes of evaluating your credits profiles, conducting risk assessments, assist with determining issuing amounts for debts any other product or liability; |
| D) Personal Data provided by you to us when you use the App, including information relating to the transactions you carry out, details of any bank accounts you transact to and from the App, fingerprints and face ID and IP address localisation data for the purposes of enabling browsing the App; using the services offered via the App and purchasing goods or services available on the App; |
| E) Personal Data provided by you to us, including full name, e-mail address, mobile number and account name on the App for the purposes of sending advertising material and carrying out promotional activities, marketing and/or direct sales of STC Bank’s products and/or services; and |
| You shall provide us only with Personal Data that are accurate, complete, up-to-date, and relevant for the purpose for which they are collected. We will take reasonable steps to ensure that your Personal Data are accurate, complete, up-to-date and relevant for the purpose for which they are collected but we will not be responsible for any inaccuracy, incompleteness, antiquity or irrelevance of the Personal Data if these are a consequence of your error or omission. |
| 2. Legal basis for the processing of Personal Data |
| The legal basis for the processing described under: |
| · Section 1 letter A) above, is the performance of the contract between STC Bank and you (Article 6(2) of the PDPL); and |
| · Section 1 letters B), C), D) and E) above, is your explicit consent (Article 5 of the PDPL). |
| 3. Mandatory and optional provision of Personal Data |
| The provision of Personal Data under Section 1, letters A), B), C) and D) is mandatory to enable STC Bank to provide the services described therein to you. Consequently, failure to provide Personal Data for the purposes referred to in Section 1, letters A), B), C) and D)will make it impossible for us to carry out the activities described therein.
The provision of Personal Data under Section 1, letter E) is optional and failure to provide such Personal Data will have no consequences other than make it impossible for us to carry out the activities described therein. |
| 4. How we collect and process your Personal Data |
| We collect and process Personal Data only when you specifically give it to us by registering on and/or using the App or by the third parties mentioned in Section 1above.
The Personal Data you provide will be processed in compliance with the Applicable Laws and, in any case, in such a way as to guarantee the security and confidentiality of the same, to prevent unauthorised disclosure or use, alteration or destruction. The Personal Data will be processed on paper and/or via telematic means, also with the help of electronic and information means. We will process your Personal Data in our own technological infrastructure and/or using the technological infrastructure of third-party suppliers appointed as data processors. We process Personal Data for the purposes set out in Section 1. |
| You may request a list of the names of the persons to whom your Personal Data is or may be disclosed by writing to the address indicated in Section 10 below. Within STC Bank’s organisation, your Personal Data may be processed by the persons in charge of the departments responsible for carrying out individual processing activities. |
| 5. Protecting your Personal Data |
| The transmission of information via the Internet is not completely secure. We will do our best to protect your Personal Data while it is in our possession, however, we cannot guarantee the security of your data transmitted online or over the App. |
| We recognise industry standards and employ security safeguards to protect personally identifiable information from unauthorised access and misuse. All information you provide to us is stored on secure servers. Any payment transactions will be protected and safeguarded by encryption. |
| 6. Sharing your Personal Data with third parties and cross-border transfers |
| We may share Personal Data with third party providers so they can provide you with certain services through the App. We will require these third party providers to take steps to ensure that your Personal Data is kept secure and used in accordance with this Privacy Policy. However, we shall not be liable for any unauthorised use of your Personal Data by a third party provider. |
| The Personal Data may be communicated, exclusively for the purposes indicated in this Privacy Policy, to the categories of subjects listed below: |
| A) persons, companies, associations or professional firms that provide services and activities of assistance and consultancy to STC Bank, with particular but not exclusive reference to accounting, administrative, legal, tax and financial matters; |
| B) companies that provide, on behalf of STC Bank, certain services related to the App and to the management and execution of purchase orders through the App, with particular but not exclusive reference to the analysis of Personal Data, the management of payment services, the management, shipment and delivery of products purchased on the App, marketing activities, the management of services provided through the App and their customisation in your favour; |
| C) in the event of a sale, merger, liquidation, receivership or transfer of assets of STC Bank or one of our affiliated companies, to the prospective buyer of the business and their professional advisers; |
| D) companies belonging to the same corporate group as STC Bank, with particular but not exclusive reference to activities of Personal Data analysis in aggregate and anonymised form, identity management of user profiles on the App, profiling and profiled marketing in relation to users who have given their consent to these activities; |
| E) subjects to whom the right to access the Personal Data is required by law, secondary legislation, a court order or by a regulatory authority of competent jurisdiction or if we believe that such disclosure is necessary, to protect, defend or enforce our rights. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and |
| F) third party companies and clients with whom STC Bank collaborates as a business partner (e.g. for the promotion of goods and services) including those third parties assisting us in supplying our services to you or perform certain functions on our behalf, including IT support services or professional services. |
| The Personal Data may be communicated, exclusively for the purposes indicated in this Privacy Policy, to the categories of recipients listed above and having their registered offices in the Kingdom of Saudi Arabia and acting, as the case may be, as data processors on behalf of STC Bank or as separate data controllers, in this case providing you, under his/her own responsibility, with appropriate information. |
| For the purposes of providing you with our payment services, the Personal Data may also be communicated, exclusively for the purposes indicated in this Privacy Policy, to the categories of recipients listed above and having their registered offices in countries outside the Kingdom of Saudi Arabia (in this case in compliance with the provisions of the Applicable Laws regarding data transfers and acting as data processors on behalf of STC Bank or as autonomous data controllers). |
| Your Personal Data will be stored on the servers available to STC Bank or to the persons in charge located in Kingdom of Saudi Arabia. Should it become necessary for technical and/or operational reasons to use subjects located outside the Kingdom of Saudi Arabia, or should it become necessary to transfer some of the collected Personal Data to technical systems and services managed in the cloud and located outside the Kingdom of Saudi Arabia, the processing will be regulated in compliance with the provisions of the Applicable Laws regarding data transfers. |
| This Privacy Policy only applies to Personal Data collected on the App. Although the App may provide links to websites of third parties, such as banks, this Privacy Policy does not apply to any other application or website that you connect to from the App. We are not responsible for the content or practices of applications and websites operated by third parties that are linked to or from the App and you should refer to the relevant privacy policies issued by such third parties. |
| 7. Underage users and users lacking legal capacity |
| STC Bank encourages parents to monitor their children’s use of the Internet for safe and filtered use of its content, including through the use of parental control tools. Besides ensuring an online environment suitable for minors, these tools can prevent the disclosure of personal data by children or young people who do not have their parents’ consent. With regard to the collection and processing of personal data, STC Bank does not process personal data of subjects under 15 years of age. Creating an account on the App is, therefore, only permitted to users who have reached the age of majority or to users who are at least 15 years old. STC Bank, moreover, encourages the creation of an account on the App of parents of registered users who are minors: in this way, parents have the opportunity to keep abreast of the initiatives that STC Bank makes available to their children, and to check their compliance with their own expectations and educational models and paths. STC Bank urges all users who are under the age of 15 not to communicate their personal data, under any circumstance, and reserves the right to exclude from the App any user who has concealed their under-age or who has communicated their personal data despite being aged less than 15. |
| Legal guardians of subjects under 15 years of age or of subjects lacking legal capacity shall exercise data subjects’ rights set out in the Applicable Laws and this Privacy Policy on their behalf. |
| 8. Data retention period |
| The Personal Data collected for the processing purpose indicated in Section 1 above shall be retained for the time necessary for the pursuit of such purposes and thereafter, and in any case for the permitted time under the Applicable Law from the achievement of the respective purposes as required by the Applicable Laws, except in case of extraordinary necessity of STC Bank to keep the Personal Data further in order to defend its rights, also in relation to disputes existing at the time of the request or upon indication of public authorities or as otherwise permitted by the Applicable Laws. |
| The Personal Data collected for the processing purpose indicated in Section 1 letter E) above shall be retained until the withdrawal of the relevant consent or until you expressly request the deletion of such Personal Data, and in any case for the permitted time under the Applicable Law from the last purchase made, except in case of extraordinary necessity of STC Bank to keep the Personal Data further in order to defend its rights, also in relation to disputes existing at the time of the request or upon indication of public authorities or as otherwise permitted by the Applicable Laws. |
| 9. Changes to this Privacy Policy |
| Any changes we may make to this Privacy Policy in the future will be posted on the App and, where appropriate, notified to you. By continuing to use the App you will be deemed to accept the changes to this Privacy Policy. |
| 10. Contact |
| Your personal data processing controller is STC Bank. You can contact STC Bank at any time by mail or e-mail at info@stcpay.com.sa. If you have any questions regarding this Privacy Policy, please include it in the email subject to enable our DPO to contact you.
STC Bank has appointed its own Data Protection Officer (also known as the “DPO“), who may be contacted for matters relating to the processing of your data. By writing to info@stcpay.com.sa you may also exercise the rights indicated under Section 11below. |
| 11. Your rights |
| Unless otherwise permitted by the Applicable Laws, we hereby remind you that you have the following rights: |
| • to the extent that consent was given for any processing of Personal Data, the right to withdraw your consent at any time by selecting the appropriate option in the App or sending an e-mail to our contacts above; |
| • the right to obtain information in relation to the purposes and legal basis for which your Personal Data is processed; |
| • the right to obtain correction of inaccurate, incomplete and/or outdated Personal Data relating to you; |
| • the right to obtain that the Personal Data concerning you is only kept without any other use of the Personal Data in the following cases: (a) you contest the accuracy of the Personal Data, for the period necessary to allow us to verify the accuracy of such Personal Data; (b) the Personal Data is necessary for the establishment, exercise or defence of legal claims; and (c) you object to the processing and are awaiting verification as to whether the legitimate grounds of the data controller for processing prevail over those of the data subject; |
| • the right to obtain the cessation of processing in cases where your Personal Data is processed for marketing purposes; and |
| • the right to receive in a readable and clear format, a copy of the Personal Data provided to STC Bank. |
| Should you reckon that your Personal Data is being processed unlawfully, you may file a complaint with the relevant data protection authority. Please note that in the Kingdom of Saudi Arabia you have the right to turn to the national authority (SDAIA / NDMO) to assert your rights in relation to the processing of your Personal Data.
Furthermore, by writing to the address info@stcpay.com.sa you may exercise the rights set forth under this Section. |