1. Introduction & Definitions
This policy explains how the Rakwa platform ("Platform", "we") collects, uses, protects, and discloses your personal data when you use our services. By using the Platform, you acknowledge that you have read, understood, and agreed to the data processing practices described herein.
Key Definitions:
- Personal Data: Any data relating to an identified or identifiable natural person.
- Data Subject: The natural person to whom personal data relates.
- Processing: Any operation performed on personal data (collection, storage, analysis, transfer, deletion).
- Data Controller: Rakwa Platform, as the entity determining the purposes and means of data processing.
- SDAIA: The Saudi Data and Artificial Intelligence Authority, the supervisory body for data protection law.
2. Data Controller Identity
Rakwa Platform is the Data Controller in accordance with the provisions of the Personal Data Protection Law. The legal entity operating the Platform is a sole proprietorship registered in the Kingdom of Saudi Arabia.
3. Data We Collect
We collect the following types of data in accordance with the data minimization principle:
A. Data You Provide Directly:
- Account Data: Full name, email address, phone number, password (encrypted).
- Business Data: Roastery/café name, logo, address, commercial registration (if applicable).
- Content Data: Menus, items, images, prices, categories.
- Employee Data: Names and phone numbers of staff added to the Platform (with their consent).
B. Data Collected Automatically:
- Usage Data: Login records, actions within the system, executed orders.
- Technical Data: IP address, browser type, operating system, device type.
- Analytics Data: Impressions and clicks on items (anonymized).
- Cookies: Details in Section 8 below.
C. Data from Third Parties:
- Payment Gateways: Payment status and transaction ID only (we do not receive card data).
- SMS Services: SMS delivery status.
Sensitive Data: We do not collect any sensitive data as defined by the data protection law (such as: beliefs, health, genetics, biometric data, political or union affiliations, criminal records).
4. Legal Basis for Processing
We rely on the following legal bases to process your personal data in accordance with Article 6 of the data protection law:
| Legal Basis | Examples of Use |
|---|---|
| Contract Performance | Creating your account, running menus, processing orders, billing |
| Explicit Consent | Marketing notifications, analytical cookies |
| Legal Obligation | Retaining invoice records for Zakat and Tax purposes |
| Legitimate Interest | Fraud prevention, system performance improvement, cybersecurity |
5. How We Use Your Data
We use your data only for the following specific purposes:
- Platform Operation: Providing digital menu services, order management, point-of-sale.
- Account Management: Identity verification, password recovery, subscription management.
- Essential Notifications: Renewal alerts, service updates, security notifications.
- SMS Messages: Sending OTP and order confirmations to end customers on your behalf.
- Analytics: Understanding Platform usage and improving performance and features.
- Security: Fraud detection, preventing unauthorized access, protecting infrastructure.
- Legal Compliance: Responding to official requests from competent government authorities.
6. Cross-Border Data Transfer
Important Disclosure: Some of your data may be processed outside the Kingdom of Saudi Arabia as permitted by Article 29 of the data protection law.
We use international service providers to operate the Platform efficiently:
| Provider | Purpose | Data Type |
|---|---|---|
| Cloudflare | Content delivery and DDoS protection | IP addresses, technical data |
| Resend | Email delivery | Email address, message content |
| Moyasar | Payment processing | Payment data (not visible to us) |
| Taqnyat | SMS delivery | Phone number, message content |
Before any cross-border transfer, we ensure the following:
- Appropriate contractual safeguards for data protection (DPAs).
- Provider commitment to a level of protection equivalent to that provided by Saudi law.
- Data transfer is limited to what is necessary for service delivery.
- Compliance with any decisions issued by SDAIA regarding cross-border transfers.
7. Data Sharing
We pledge that we do not sell your personal data to any third party under any circumstance.
We may share limited data only in the following cases:
- Service Providers: The entities mentioned in Section 6 above (payment gateways, email/SMS services, infrastructure providers).
- Competent Government Authorities: Upon official request in accordance with Saudi regulations or by court order.
- Professional Advisors: Lawyers, accountants, auditors — under strict confidentiality agreements.
- Mergers or Acquisitions: If the Platform is sold or merged, with prior notice to you.
- With Your Explicit Consent: In any other cases not covered by the legal bases above.
8. Cookies
We use cookies for the following purposes:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Session, language preference, CSRF protection | Session / 1 year |
| Functional | Preferences, cart | 30 days |
| Analytical | Statistics, unique visitor identification | 30 days |
You can control cookies through your browser settings, but disabling essential cookies may affect the Platform's proper functioning.
9. Data Protection Measures
We implement strict technical and organizational measures to protect your data:
Technical Measures:
- Data encryption in transit via HTTPS/TLS 1.3.
- Password hashing using the bcrypt algorithm.
- Multi-layered protection against SQL Injection, XSS, and CSRF attacks.
- Web Application Firewall (WAF) via Cloudflare.
- Two-factor authentication via OTP for login.
- Continuous monitoring for suspicious activities.
Organizational Measures:
- Strict role-based access control (RBAC) defining each employee's data access.
- Strict internal policies for data processing.
- Encrypted regular backups.
- Audit logs for all sensitive operations.
10. Data Breach Notification
In the event of any personal data breach that may cause significant harm, we commit to:
- Notifying SDAIA within (72) hours of becoming aware of the breach.
- Notifying you directly without undue delay if the breach affects your data.
- Explaining the nature of the breach, actions taken, and our recommendations for protection.
- Full documentation of all breaches in an internal register as required by law.
11. Your Rights as a Data Subject
The Saudi Personal Data Protection Law guarantees you the following rights:
- Right to be Informed: Know the legal basis and purpose of processing your data.
- Right to Access: Request a copy of your personal data held by us.
- Right to Correction: Request correction of any inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data (subject to legal obligations).
- Right to Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing of your data for specific purposes.
- Right to Withdraw Consent: Withdraw your consent at any time without affecting prior processing.
- Right to Lodge a Complaint: File a complaint with SDAIA.
Response Time: We commit to responding to your requests within (30) days from the date of submission, in accordance with the timeframes specified by law.
To exercise any of these rights, contact us via: [email protected]
12. Data Retention Period
We retain your data only for the period necessary to achieve the stated purposes:
| Data Type | Retention Period |
|---|---|
| Active account data | Throughout subscription period |
| Data after account cancellation | 30 days then permanently deleted |
| Invoice and payment records | 10 years (legal requirement) |
| Login and audit logs | 12 months |
| Analytics tracking data | 24 months |
| Backups | 90 days |
After the retention period, data is securely deleted or permanently anonymized so it cannot be re-linked to its owner.
13. Children's Privacy
The Rakwa platform is intended for adult business owners (18 years or older). We do not knowingly collect personal data from minors. If we become aware of collecting a minor's data without parental consent, we will delete it immediately.
If you are a parent and believe your child has provided us with personal data, please contact us immediately.
14. Policy Updates
We may update this policy from time to time to reflect changes in our practices or for operational, legal, or regulatory reasons. We will notify you of any material changes via:
- Email to the address registered in your account.
- A prominent notice within the dashboard.
- Updating the "Last updated" date at the top of this page.
Your continued use of the Platform after the update takes effect constitutes your acceptance of the revised policy.
15. Governing Law
This policy is governed by the laws of the Kingdom of Saudi Arabia, and in particular the Personal Data Protection Law and its implementing regulations. The competent Saudi courts shall have exclusive jurisdiction over any dispute arising out of or relating to this policy.
16. Contact & Inquiries
For any inquiry regarding this policy or to exercise your rights, please contact the Compliance Team:
Right to Complain: If you are not satisfied with our response, you have the right to file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) through its official website:
sdaia.gov.sa
17. Severability
If any provision of this policy is found to be invalid or unenforceable under applicable law, the remaining provisions shall remain in full force and effect.