Privacy Policy

Waffy Financial Technology Company — a Limited Liability Company registered under Commercial Registration No. (4030433771) (“Waffy”) — is committed to respecting the privacy of all users of its website and mobile application. Waffy continuously strives to take all reasonable measures to protect user information and data, including personal data, in accordance with the applicable laws and regulations in the Kingdom of Saudi Arabia. The Privacy Policy below outlines the personal data processed by Waffy, the methods of processing, and the purposes for collection. Please note that Waffy will obtain your consent before using your personal data for any purpose other than those specified herein. We encourage you to read this Privacy Policy carefully to understand our approach and practices regarding your data. This policy should be read in conjunction with our Terms and Conditions and any other referenced documents (if any).

Waffy reserves the right to modify this policy at its sole discretion and update this page accordingly. Registered users will be notified of any amendments at least one week (7 days) prior to their effective date.

Your access to Waffy’s website or mobile application, or the use of any of its features, constitutes your acceptance and agreement to be bound by this Privacy Policy.

Types of data Waffy collects and how:

1- Cookies:

Waffy collects your data without login using unique identifiers linked to the browser, application, or device used—namely, cookies. A ‘cookie’ is a short text file downloaded and stored on the user’s hard drive, primarily designed to enhance our services. Cookies consist of data that may accurately identify you as a user; they are also used to improve your platform experience and gain a better understanding of our users. This helps us maintain actions such as saving your preferences across browsing sessions, such as your preferred language.

Data Waffy requests from you:

When registering on the app or website, Waffy requests certain personal data. Personal data refers to information relating to a specific individual through which their identity can be identified.

  • Name and contact information, including email address and phone number.
  • Employment data.
  • Demographic data such as postal code, preferences, and interests.
  • Your website.
  • Any other data relating to our application operations.

Data collected from sellers:

Waffy collects, stores, and processes personal data related to sellers when applying for a merchant account. Additional personal data may be required, such as full name, email, date of birth, national ID or passport, and other data necessary for service delivery and legal compliance. We also collect bank account numbers and related banking details to transfer transaction values to the merchant. This process involves receiving the transaction value into Waffy’s bank account via a Central Bank-licensed payment gateway (third-party intermediary), then transferring the amount to the seller’s account, net of service fees, upon successful completion of the transaction.

Data collected from cardholders/buyers for payment services integrated with Waffy:

Waffy only processes financial and transaction data related to the personal information of cardholders/buyers and their transactions, which may include full name, email address, phone number, credit card number, expiration date, card verification value (CVV), and billing and shipping addresses. However, Waffy does not store credit card numbers or any related sensitive data, nor does it have access to them, as the actual debiting process and all credit card transactions are conducted through a Central Bank-licensed third-party financial intermediary.

Purposes of data collection

The primary purpose of Waffy collecting any data is to ensure the provision of the best services to its users. The purposes for which data is collected include, but are not limited to, the following:

  • Responding to any inquiries.
  • Addressing complaints.
  • Managing transactions between the seller and the buyer and resolving issues that arise during service provision.
  • Facilitating email campaigns conducted by Waffy’s sales and marketing department.
  • Improving advertising services.
  • Improving advertising services.
  • Fulfilling our obligations to users under Waffy’s Terms and Conditions of Use.
  • Fulfilling our obligations under Saudi laws and regulations.
  • Notifying users of changes to any or all of our core systems.

Data storage

Personal data entered into Waffy’s database forms is stored. Furthermore, Waffy maintains the right to protect user data against unauthorized access. Bank card details and payment methods for buyer accounts are not stored, as the actual purchase processing is managed by a licensed payment gateway provider. Sellers’ bank account information is stored only to the extent necessary to facilitate the transfer of transaction funds upon successful sale completion; this information does not include any sensitive data or confidential credentials associated with the sellers’ bank accounts.

Correction Request

The user has the right to request the correction of any data held by Waffy if the personal data is incomplete, inaccurate, or outdated. This process will require verification of the new personal data provided. If personal or professional information (such as name, address, or phone number) needs to be modified, the user is responsible for updating their data.

Sharing data with service providers and third parties

Waffy may share your data with a limited number of service providers to the extent necessary to provide our services, such as identity verification, infrastructure hosting, data analysis, payment processing, customer support, and email delivery. These service providers may require access to personal data to perform their essential functions. Additionally, Waffy may share data with third-party partners, such as banks, when necessary to provide services to users. We may also disclose your data to government and security authorities as required by law and within their legal authority to request such information.

Data retention period

Waffy will retain your data for as long as it is reasonably necessary or legally permitted. We ensure that data is disposed of securely when it is no longer needed or upon your request. When data destruction is required, Waffy ensures it is handled through secure disposal methods.

User rights regarding data

If you wish to exercise any of your rights mentioned below, for security purposes, we may request additional information to verify your identity before disclosing your personal data. We shall fulfill all such requests within a reasonable timeframe in accordance with applicable regulations. Please note that we may not always be able to fully process your request in certain cases, for example:

  • If the processing would compromise the confidentiality we owe to others.
  • If Waffy has a legal right to handle the request in a different manner.
  • If your request involves the deletion of data required for compliance with legal and regulatory requirements.

In all cases, we will exert our best efforts to fulfill your request in accordance with the law. Should we require additional time due to the complexity of the request, we will notify you immediately.

As a data owner, you are entitled to the following rights:

  • The right to access your personal data.
  • The right to modify/update your data.
  • The right to request the destruction of your data.
  • The right to be informed of how and why we process your data.
  • Any other right stipulated in the relevant laws and regulations.

Contacting us regarding privacy

If you have any inquiries regarding this policy, or if you wish to access or destroy your data, or in the event of a complaint, you may contact our dedicated data privacy team through one of the following channels:

Disclaimer

To the maximum extent permitted by applicable laws, Waffy disclaims all liability in the event that the information available on its website, mobile application, or within this Privacy Policy is inaccurate, incomplete, or outdated. As a user, you further agree that you are solely responsible for monitoring any changes or updates made to our platforms.

You also acknowledge that, to date, no comprehensive personal data protection system has fully entered into force in the Kingdom of Saudi Arabia. Accordingly, our processing of your data is based on our reasonable interpretation of the regulations we believe to be relevant—including the Personal Data Protection Law (PDPL), which has not yet fully taken effect and whose executive regulations have yet to be issued—as well as the established practices of similar market peers.

Furthermore, you agree to indemnify, defend, and hold harmless Waffy, its affiliates, officers, directors, and employees from and against any and all losses, liabilities, expenses, damages, and costs—including reasonable court costs and attorney fees—arising out of or resulting from your use of the website, the mobile application, and any violation of the Terms and Conditions or this Privacy Policy. In the event that you cause a technical disruption to Waffy’s website, mobile application, or any of its electronic systems, you agree to assume responsibility for any and all losses, liabilities, expenses, damages, and costs—including reasonable court costs and attorney fees—arising out of or resulting from such disruption.