Privacy Policy

Privacy and Data Protection Policy

Introduction

OxCira, as the owner and operator of the OxCira platform, is keen to protect the privacy of platform users' personal data and to comply fully with the applicable regulations and laws in the Kingdom of Saudi Arabia, specifically the Personal Data Protection Law and its executive regulations, the controls of the National Cybersecurity Authority, and any relevant systems or instructions. This policy aims to clarify the regulatory foundations the platform adopts in collecting, processing, and protecting personal data, explain the rights of data subjects, and outline the technical and organizational measures in place to ensure data confidentiality and integrity. By using the OxCira platform, you acknowledge that you have read this policy and agree to its provisions.

Article (1): Scope of Application

This policy applies to all personal data that is collected, processed, stored, or shared through:

  • The OxCira platform in all its digital interfaces
  • The website and associated applications
  • Systems, technical infrastructure, and databases
  • Any operational or technical channels affiliated with the platform

It also applies to all employees, contractors, and service providers who have authorized access to the data.

Article (2): Adopted Regulatory Frameworks

The platform commits to the following in data protection compliance:

  • The Personal Data Protection Law (PDPL)
  • Executive regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA)
  • Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority (NCA)
  • Any other relevant regulatory laws pertaining to the platform's operations

Article (3): Definitions

For the purposes of this policy:

  • Personal Data: Any data that can identify a natural person or make them identifiable directly or indirectly.
  • Data Subject: The natural person to whom the personal data relates.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or destruction.
  • Platform: The OxCira platform.
  • Company: OxCira Company.

Article (4): Data Classification According to NCA Controls

The platform adopts a clear classification of data that includes:

  • Public Data
  • Internal Operational Data
  • Personal Data
  • Sensitive Personal Data (when applicable)

Different protection controls are applied to each category based on the principle of least privilege and need-to-know.

Article (5): Sources of Data Collection

The platform collects data from the following sources:

  • Data provided directly by the user during registration or use of services
  • Operational data resulting from platform use
  • Technical data such as login records, IP address, cookies
  • Authorized service providers (payment, logistics, technical services)
  • Relevant government authorities when legally required

Article (6): Legal Basis for Data Processing

Personal data is processed based on one or more of the following legal bases:

  • Explicit consent from the data subject
  • Fulfillment of a contractual obligation in which the data subject is a party
  • Compliance with a legal obligation
  • Protection of a legitimate interest of the platform without infringing upon the rights of data subjects

Article (7): Purposes of Data Collection and Processing

Personal data is used solely for the following purposes:

  • Creating and verifying accounts
  • Operating the platform and providing its services
  • Managing offers, requests, and transactions
  • Executing payment and settlement processes
  • Logistics and operational coordination
  • Compliance with laws and regulations
  • Cybersecurity and fraud prevention
  • Operational and legal notifications
  • Improving service quality and user experience
  • Data analysis and output development: the platform may use the data—after technical processing that does not lead to direct identification of its owners—for statistical analysis, deriving indicators, performance measurement, service quality improvement, operational output development, decision-making support, and enhancing the platform's efficiency, in compliance with legitimate purposes and according to the controls stipulated in the applicable laws and regulations in the Kingdom of Saudi Arabia.

Data will not be used for any other undisclosed purpose.

Article (8): Data Sharing and Disclosure

The platform does not sell or rent personal data. Data may be shared, only to the minimum necessary extent, with:

  • Payment service providers
  • Logistics partners
  • Technical or security service providers
  • Relevant governmental authorities upon legal request

This sharing is conducted under agreements that ensure confidentiality and data protection.

Article (9): Data Transfer Outside the Kingdom

Personal data will not be transferred outside the Kingdom of Saudi Arabia except:

  • In accordance with the provisions stipulated in the Personal Data Protection Law
  • After implementing the necessary legal and technical measures
  • Ensuring a level of protection that is no less than that which is enforced within the Kingdom

Article (10): Information Security and Cybersecurity

The platform implements security and organizational controls according to NCA requirements, including but not limited to:

  • Encrypting sensitive data
  • Access control and management
  • Continuous monitoring and auditing
  • Cyber incident management
  • Backup and disaster recovery plans
  • Periodic system testing

Article (11): Cyber Incident Management

In the event of a security incident:

  • Immediate assessment and containment are performed
  • The incident is documented, and its causes are analyzed
  • Reporting to relevant authorities is conducted when necessary
  • Corrective actions are taken to prevent recurrence

Article (12): Data Retention and Destruction

  • Data is retained for the period necessary to achieve regulatory or operational purposes.
  • After the purpose has been fulfilled, data will be securely destroyed or anonymized, unless the law requires retention for a longer period.

Article (13): Rights of Data Subjects

The data subject has the following rights, according to the law:

  • The right to be informed
  • The right to access their data
  • The right to request correction of data
  • The right to request data deletion
  • The right to withdraw consent (without affecting the legality of prior processing)

Article (14): Exercising Rights of Data Subjects

  • The data subject can exercise their rights through the official channels of the platform, and requests will be handled within a reasonable timeframe and according to the approved regulatory procedures.

Article (15): Text Messages and Notifications

  • The platform may send text messages or electronic notifications for operational and regulatory purposes, which are considered part of the service operation according to the terms and conditions of use.

Article (16): Amendments and Periodic Review

  • This policy is subject to periodic review and may be amended when necessary. Continuing to use the platform after amendments are published is considered agreement to them.

Article (17): Governing Law and Jurisdiction

  • This policy is governed by the laws of the Kingdom of Saudi Arabia, and jurisdiction lies with the courts of Jubail.

Article (18): Language of Reference

  • The Arabic language is the primary reference for interpreting this policy, and it prevails in the event of any conflict with any translation.
  • This policy should be read and interpreted in conjunction with the terms and conditions of using the OxCira platform, and each is considered complementary to the other.