Privacy Policy

INTRODUCTION

Tabby is committed to informing customers on how it will collect, use, store, share and protect their personal information when they transact with us. You accept this privacy policy (the “Privacy Policy”) whenever you access or use Tabby products, services, features, and technologies including the Tabby mobile app and www.Tabby.ai (the “Tabby Services”). Please read this Privacy Policy carefully.

This Privacy Policy does not apply to information submitted or collected through websites maintained by other companies or organizations to which Tabby may link to or who may link to Tabby. Tabby is not responsible for the actions and privacy policies of third-party websites.

Our success to date is the result of the high degree of trust we have built with consumers, retailers, and partners in all markets. This trust is critical in the financial sector and when handling personal data. Maintaining that trust requires we operate with the highest ethical standards and strive to do what’s right every day. Such standards are necessary across all parts of the business but more importantly complying with the Saudi applicable laws and requirements.

As a financial institution, Tabby is liable to adhere to a number of additional regulations, such as laying out Tabby’s approach to grant credits, prevent money laundering, terrorist financing, and so forth. On occasion, Tabby is required to store certain information or share details with public authorities when ordered to do so.

Tabby prioritises these responsibilities and consistently works to keep the customer’s best interest in mind when assessing how to best comply with them.

Tabby is committed to letting you know how we will collect, use, store, share and protect the customer’s personal information when they transact with us. They accept this privacy policy (the “Privacy Policy”) whenever they access or use Tabby products, services, features, and technologies including the Tabby mobile app and www.Tabby.ai (the “Tabby Services”).

This Privacy Policy does not apply to information submitted or collected through websites maintained by other companies or organizations to which we may link or who may link to us. We are not responsible for the actions and privacy policies of third-party websites.

Additionally, if the customer uses a Tabby product, their non-public personal information will be subject to Tabby’s use of such information and will be consistent with that privacy notice.

COMPLIANCE WITH PERSONAL DATA PROTECTION LAW “PDPL”

Reference is made to The Personal Data Protection Law (PDPL) which was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021). It was published in the Official Gazette on 24 September 2021. In this policy we consider the implications of this important development for Tabby.

Saudi Arabia has issued its first comprehensive national data protection law to regulate the collection and processing of personal information. The new Personal Data Protection Law shall be implemented in March 2022. The Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO) will be considered. The PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent the abuse of personal data, which is in line with Tabby’s vision.

What is the new law?

The Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO) will be considered. The NDMO is the regulatory arm of SDAIA and had previously published interim data governance regulations in 2020, which we assume have now been superseded by the PDPL insofar as they relate to personal data protection.

According to SDAIA’s announcement, the PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent the abuse of personal data in line with the goals of the Kingdom’s Vision 2030 to develop a digital infrastructure and support innovation to grow a digital economy.

Who and what is in the scope of the PDPL?

Privacy policy defined in the Saudi PDPL is any information, in whatever form, through which a person may be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person.

The PDPL applies to any processing by businesses or public entities of personal data performed in Saudi Arabia by any means whatsoever, including the processing of the personal data of Saudi residents by entities located outside the Kingdom; thus Tabby implements these policies.

The PDPL does not apply to the processing of personal data for personal and family use.

What are the main features of the PDPL?

Many of the features of the PDPL are consistent with concepts and principles contained in other international data protection laws, for example:

Data subject rights: Individuals (data subjects) will, subject to some exceptions, have the right to be informed of personal data processing and the legal basis of such processing, the right to access their personal data (including to obtain a free of charge copy of the same), the right to correct or update their personal data, and the right to request its destruction if no longer needed. Data subjects also have the ability to file complaints relating to the application of the PDPL with the regulatory authority.

Controller registration: Organisations such as Tabby, that collect personal data and determine the purpose for which it is used and the method of processing (controllers) will be required to register on an electronic portal that will form a national record of controllers.

Controller obligations: Controllers will be obliged to ensure the accuracy, completeness and relevancy of personal data before processing it, to maintain a record of processing for a period of three years.

Consent: Data subjects may withdraw their consent to the processing of personal data at any time and consent must not be a prerequisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).

Non-consent based processing: Notwithstanding the provisions on withdrawal of consent, the PDPL makes clear that data processing does not always require the consent of the data subject. Consent is not required if the processing would achieve a clear benefit and it is impossible or impractical to contact the data subject, if it is required by law or prior agreement to which the data subject is a party, or if the controller is a public entity and the processing is required for security or judicial purposes.

Privacy policy: Tabby is required to implement a privacy policy and make it available to data subjects prior to the collection of their personal data. The PDPL sets out the minimum information that should be included in the privacy policy, including when personal data is collected directly from the data subject.

Purpose limitation and data minimisation: Tabby is required to make clear the purpose for which personal data is collected and used. Personal data should also be relevant and Tabby should limit collection to the minimum amount required to achieve the intended purpose which is set out in this policy.

Impact assessments: Tabby is required to evaluate the impact of processing personal data and, if personal data is no longer needed to achieve the intended purpose, then Tabby will stop the collection of such data.

Marketing: As described below in this policy.

Breach notification: Tabby must notify the supervising authority of any data breaches, leakages or unauthorised access to personal data, and incidents that cause material harm to the data subject must be notified to data subjects.

WHAT TYPE OF INFORMATION DOES TABBY COLLECT?

Tabby collects two basic types of information from you in conjunction with your use of the Tabby Services (collectively, your “personal information”): (1) personally identifiable information; and (2) non-personally identifiable information.

Personally Identifiable Information is any information that can identify you.

Examples include your name, e-mail address, telephone number, postal address, device identifiers, IP addresses, geolocation information, gender, billing and delivery address and financial account information that you provide, such as credit or debit card numbers as well as your income, any credits, negative payment history and previous credit approvals.

Details concerning the goods/services you have bought or ordered, such as type of item or delivery tracking number.

We may also collect personally identifiable information about you from third parties such as data vendors.

Aggregate and/or de-identified information is not considered personally identifiable information.

Information about your uses of Tabby services and which service(s) and what different functions in these services you have used and how you have used them. This includes information about outstanding and historical debt, your repayment history, and your personal preferences.

Non-personally identifiable information is information that does not identify you directly, but may be linkable to you.

Examples include demographic information and general location information.

Technical data such as response time for web pages, download errors and date and time when you used the service.

Recorded phone calls, chat conversations and email correspondence.

IP address, language settings, browser settings, time zone, operating system, platform, screen resolution and similar information about your device settings.

If non-personally identifiable information is directly linked to personally identifiable information, it will be considered personally identifiable information while it is linked. For example, if your payment history and transaction history are linked to your name, then that information will be considered personally identifiable information and subject to heightened privacy and security restrictions, as reflected in this Privacy Policy.

HOW DOES TABBY COLLECT INFORMATION?

Your interactions with or use of the Tabby Services;

Your contact with our customer support team;

Third parties, such as data vendors, your bank or merchants you perform a transaction with;

Through our websites, using cookies, Clear GIFs, web beacons, mobile application plug-ins and similar technologies.

Cookies are small files that are stored on your computer or device when you use the Tabby Services. Cookies record your preferences and the actions you take on your computer or device. We may also use web beacons and mobile application plug-ins, such as software development kits, application programming interfaces and similar technologies. We use these and other similar technologies for security, to monitor traffic, improve the Tabby Services, and make the Tabby Services easier to use and more relevant to you. We may also use these technologies to personalize your experience, deliver advertisements, and for research and marketing.

Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (a.k.a. web beacons, web bugs or pixel tags), in connection with the Tabby Services to, among other things, track the activities of Site visitors, help us manage content, and compile statistics about Site usage.

Third Party Analytics: We may use automated devices and applications to evaluate usage of our Site. We use these tools to help us improve our Site, performance and user experiences. These entities may use cookies and other tracking technologies to perform their services.

HOW DO WE USE THE PERSONAL INFORMATION WE COLLECT?

We may use your personal information to:

Provide the Tabby Services and customer support

Process transactions and send notices about your transactions

Resolve disputes and collect payments and/or fees

Verify the accuracy of and authenticate your information

Detect, investigate and prevent potentially prohibited or illegal activities, such as fraud

Communicate about accounts or transactions and send information about features and enhancements

Contact you, for example by phone, text (SMS) or email

Communicate changes to our policies

Personalize content and experiences, including providing recommendations based on your preferences (This service involves profiling you to personalise the contents in the Tabby mobile application and at Tabby’s checkout)

Send offers or promotions for the Tabby Services

Provide advertising, including advertising based on your use of the Tabby Services or third-party websites

Perform statistical, demographic and marketing analyses of users of the Tabby Services and their purchasing patterns

Conduct any other legitimate business activities not otherwise prohibited by law

Information about your use of Tabby services.

Technical information generated through your use of Tabby services

WHY DO WE COLLECT PERSONAL INFORMATION?

We collect personal data and information so we can manage our customer relationship in accordance with our agreements for each service they use. This includes creating and sending information to the customer in electronic format (not marketing).

To be able to perform customer satisfaction surveys and market surveys, through email, text messages, phone or via other communication channels.

To ensure network and information security in Tabby’s services

To be able to help you as a vulnerable customer

To be able to perform risk analysis, prevent fraud, and carry out risk management.

To be able to perform the process of confirming your identity and that the data you provide is correct, as well as to counter criminal activities (This processing constitutes profiling and automated decision-making. We use automated decision-making to be able to determine if you constitute a risk of fraud)

To anonymise your personal data in order to improve our services and products and to analyse customer behaviour.

To perform data analyses for product development and testing to improve our risk and credit models and to design our services.

To check and verify your identity

To protect Tabby from legal claims and safeguard Tabby’s legal right

Filing and accounting in accordance with accounting regulations.

To prevent Tabby’s operations from being used for money laundering or terrorist financing, by monitoring and reviewing transactions, conducting risk assessments and creating risk models.

HOW DO WE SHARE OR USE PERSONAL INFORMATION?

When we share your personal data, we ensure that the recipient processes it in accordance with this policy, e.g. by entering into data transfer agreements or data processor agreements with the recipients. Those agreements include all reasonable contractual, legal, technical and organizational measures to ensure that the customer information is processed with an adequate level of protection and in accordance with Saudi regulations. Also, we will only share your personal information with third parties as described in this Privacy Policy.

We may share your personally identifiable information with:

Service providers affiliates and commercial partners who help with our business operations, including but not limited to, fraud prevention, account maintenance, customer service, marketing and technology services

ELM Information Security Co (ELM) as required for identity verification services

Merchants you order goods or services from using the Tabby Services

Other third parties with your consent or at your direction to do so.

Third parties for any legitimate business purpose not otherwise prohibited by law

Service-specific personal data

If you choose to take advantage of offers and benefits that Tabby delivers within the framework of this service, we will share your personal information with the partner who delivers these.

If you sign up for an event posted on social media, we will process your personal data to provide the requested service.

A person who holds a power of attorney for the customer's financial affairs.

Debt acquirers: Tabby can transfer your open debt to debt acquirers. Upon transfer of the customer’s debt to an acquirer and continuously until they pay off the debt, Tabby will share their contact and identification information (name, date of birth, social security number, address, and phone number), information about their financial standing (such as residual credit, repayments and any negative payment history in relation to the current debt), as well as information about the goods or services associated with the debt. The buyer will process their personal data in accordance with its own privacy notice, which the customer will receive information about when the debt is transferred.

Credit institutions and other financial institutions: We share the customer’s information with credit institutions and other financial institutions (such as other banks) when they make transactions or payments to other accounts. If the customer has made payments to a Tabby account, Tabby will process the information we receive from the bank you used for the transaction, such as contact and identification data and payment information. If you make transactions or payments to accounts in other banks, Tabby will also pass on some of your contact and identification data as well as payment information to the recipient and also to the recipient’s credit institution or financial institution.

Relevant authorities, Tabby may provide necessary information to authorities such as the police, financial authorities, tax authorities or other authorities and courts of law.

Payment service providers and financial institutions, Payment service providers and financial institutions provide services to the customer, stores and Tabby to implement and administer electronic payments through a variety of payment methods, such as credit cards and bank-based payment methods such as direct debit and bank transfer. Some stores use payment service providers with whom they share the customer’s information for managing their payment. This sharing takes place in accordance with the stores’ own privacy notices. The store may also let Tabby share their information with the payment service provider they use for processing the customer’s payment. Some payment service providers also collect and use the customer information independently, in accordance with their own privacy notices.

Fraud prevention agencies and companies providing identity checks. The customer’s personal data are shared with fraud prevention agencies and companies that provide identity checks. Tabby shares the customer information to verify their identity, the accuracy of the data the customer has provided, and to combat fraudulent and criminal activities. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to the customer.

Credit information bureau (SIMAH). If the customer applies to use a service from Tabby that involves us providing credit, we will share your personal data with the credit information bureau. The customer’s personal information is shared with the credit bureau in order to assess the customer’s creditworthiness in connection with the customer’s credit application, to confirm the customer’s identity and the customer’s contact information, and to protect the customer and other customers from fraud. This data sharing constitutes a credit report.

Tabby will share the customer’s personal information with logistics and transport companies that deliver the goods for the customer’s order if you have signed up for parcel tracking. Examples of information we share are contact and identification data and tracking numbers.

Social media companies such as Facebook, Instagram or Twitter. If the customer contacts us via social media such as Facebook or Twitter, your personal data will also be collected and processed by these companies.

The customer's personal data will remain within a server hosted in Saudi Arabia at a level 4 security standard as per CITC rules and regulations. However, your data may be accessed by, and processed by across KSA boarded applications for example when we use a vendor located outside of KSA for Fraud prevention services. If a store where you shop is located outside of KSA, our sharing of the customer’s personal data with the store will also mean that your data is transferred outside of KSA. Tabby will ensure that an adequate level of protection is maintained, and that suitable safeguards are adopted in line with Saudi regulations.

We may not share your personal data if such disclosure represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom or its relations with any other state. Further, if such disclosure prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures or compromises the safety of an individual, exposes the identity of a confidential source of information in a manner detrimental to the public interest, or conflicts with the interests of a person that fully or partially lacks legal capacity.

We will also refrain from sharing your data if the disclosure results in violating the privacy of an individual other than you, violates legally established professional obligations, or involves a violation of an obligation, procedure, or judicial decision.

TABBY PROCESSING WHEN CONTACTING TABBY’S CUSTOMER SERVICE

To handle all matters that come to Tabby's customer service (This includes retaining various forms of written conversations to document customer errands, as well as for security purposes and to counter fraud)

Quality and service improvement (to ensure satisfactory customer service) We may also record telephone conversations between you and our employees for quality purposes in order to deliver better products and services to you.

If you contact Tabby via social media such as Instagram or Twitter, your personal data will also be collected and processed by these companies, in accordance with their privacy notices. The same for Tabby as well. Tabby processes this information to answer your questions.

We will only share your Personal Information with third parties as described in this Privacy Policy, as otherwise notified to you at the time of collection with your consent.

HOW TO WITHDRAW CONSENT?

When Tabby uses the customer's personal data based on their consent, they can withdraw their consent at any time. They can do this by sending an email to [email protected].

The customer can also delete uploaded information from the Tabby app, or end the service where personal data is processed. Tabby will then delete the information. If the customer withdraws their consent or deletes the uploaded information, they may be unable to use the service in cases where Tabby’s processing of personal data takes place based on their consent.

The customer has the right to request a copy of their personal data.

The customer can rectify any inaccurate or incomplete information about themselves.

TABBY’S PROFILING AND AUTOMATED DECISIONS

“Profiling” means an automated processing of personal data to evaluate certain personal matters, for example, by analysing or predicting the customer’s personal preferences, such as buying preferences. At the same time, we compare the customer’s data with what other customers, with similar use of our services, have preferred.

Automated decisions with legal consequences, or automated decisions that similarly significantly affect the customer, means that certain decisions in our services are completely automated, without our employees being involved. These decisions have a significant effect on the customer, comparable to legal consequences. By making such decisions automatically, Tabby increases its objectivity and transparency in the decision to offer the customer these services.

Automated decisions that significantly affect you also mean that profiling is performed based on the customer’s data before the decision is made. This profiling is made to assess the financial situation of a customer (before the decision to grant credit) or to identify whether the customer’s use of Tabby services involves a risk of fraud or money laundering. We profile the customer’s user behaviour and financial standing and compare this data with behaviours and conditions that indicate different risk levels for us.

We make this kind of automated decision when we:

Decide to approve the customer’s application to use our service.

Decide not to approve the customer’s application to use our service. These automated credit decisions are based on the data the customer provides, data from external sources such as credit bureaus (SIMAH) and Tabby’s own internal information. In addition to information about the customer, Tabby’s credit model includes a large number of other factors, such as Tabby’s internal credit risk levels and our customers’ general repayment rates.

Decide whether the customer poses a risk of fraud, if our processing shows that the customer’s behaviour indicates possible fraudulent conduct, that their behaviour is not consistent with previous use of our services, or that they have attempted to conceal their true identity. Automated decisions whereby we assess whether they constitute a fraud risk are based on information that they have provided themselves, data from fraud prevention agencies as well as Tabby’s own internal information.

Decide whether there is a risk of money laundering.

If the customer is not approved under the automated decisions described above, the customer will not have access to Tabby’s services, such as our payment methods. Tabby has several safety mechanisms to ensure the decisions are appropriate. These mechanisms include ongoing overviews of our decision models and random sampling in individual cases.

HOW LONG DO WE STORE THE CUSTOMER’S PERSONAL DATA?

Tabby stores your personal data in accordance with the Saudi Personal Data Protection Law (PDPL) as well as the Saudi Anti-Money Laundering Statute and accounting regulations established by the Saudi Organization for Chartered and Professional Accountants (SOCPA).

In addition, we only store your personal data for as long as needed to fulfil the respective purpose of our processing.

Personal data that is important for the contractual relationship between the customer and Tabby is normally stored for as long as the contractual relationship lasts.

We store personal data; however, when the purpose ends we delete the data, such as when the contract between the customer and Tabby terminates, or when the customer notifies us that they are no longer a vulnerable customer or withdraws their consent.

As an exception, only in the following cases, we may retain the personal data after the purpose ceases to exist:

a) If there is a legal basis for retaining the personal data for a specific period, in which case the personal data will be destroyed upon the lapse of that period or when the purpose of the collection is satisfied, whichever is longer.

b) If the personal data is closely related to a case under consideration before a judicial authority and the retention of the personal data is required for that purpose, in which case the personal data will be destroyed once the judicial procedures are concluded.

Legal age (Under 18) to use Tabby’s services

Our products and services are not designed for anyone under 18. If we discover that someone under 18 has provided us with personal information, we will delete such information from our systems.

Note to persons between the ages of 18 and 21 (under the age of 21): arbitrary restrictions on the usage of Tabby services may be applicable, subject to a SAMA non-objection letter.

Updates to the privacy policy

We are constantly working to improve our services so that the customer has a smooth user experience. This may involve modifications of existing and future services. If that improvement requires a notice or consent in accordance with applicable law, the customer shall be notified or given the opportunity to give their consent.

Tabby’s email services (available in the Tabby App)

If you connect to the Email services, we will process order information (such as delivery tracking identifiers, supplier information and product information) related to purchases you have made. We will not share data obtained through Email services with third parties, unless necessary to provide or improve the service to you. In particular, we will not transfer data to third parties for serving ads.

How Tabby uses Sponsored Links

If you click on a link that is sponsored which promotes a store, product or service you will be redirected to the store’s website through a third party, a so-called “affiliate network.” The affiliate network might place a tracking technology on your device that contains the information that you clicked on such a link in the Tabby App, which then may be used to track your visit to a store in order to calculate a potential commission to Tabby. The affiliate network may process your data in accordance with its own privacy notice. When balancing interests, Tabby has determined that we have a legitimate interest in supplying you with sponsored links in order to market shops in the Tabby mobile application and on our website. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.

HOW DO WE PROTECT PERSONAL INFORMATION

Tabby uses reasonable security measures to protect your personal information from unauthorized access and use in compliance with applicable law. These measures include computer safeguards and encrypted, secured files and buildings. We also maintain other physical, technical, administrative, and procedural safeguards to protect personal information, and access to personal information is limited to the employees who require it for their job functions. Please be aware that despite our efforts, no data security measures can guarantee 100% security. You should take steps to protect against unauthorized access to your password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.

HOW CAN YOU RESTRICT US FROM SHARING YOUR PERSONAL INFORMATION?

Personally Identifiable Information: You may choose not to provide your personally identifiable information to us; however, you will not be able to use the Tabby Services.

You can also limit our use and sharing of your personal information in other ways, such as:

You may unsubscribe from marketing emails by clicking the “Unsubscribe” link in the email footer or by contacting Tabby Customer Service, but we will still be permitted to contact you for servicing and account-related purposes.

You can modify browser settings to decline cookies, but certain features of Tabby Services may not function properly or may be unavailable if you do.

TABBY CONTACT INFORMATION

You can reach us at Tabby on the following contact information:

Email: [email protected]

Phone: 8001110999

Tabby has a risk team function and a team that handles data protection issues.

Tabby Saudi for Communication and IT is a Saudi Arabian limited liability company holding commercial registration no. 1010614810 with registered address at 7259 Jabal Ashaqir, 3631 As Sahafah District, Office 16, Riyadh, Saudi Arabia

7259 Jabal Ashaqir
3631 As Sahafah District, Office 16
Riyadh, 13315
Tabby Saudi for IT and Communications, LLC CR No. 1010614810, regulated and permitted by The Saudi Central Bank (SAMA) under permit No. 76 / أ ش/ 202307