Privacy Policy – Nayifat Finance Company

Effective Date: 04-12-2023
Last Updated: 18-09-2025

At Nayifat Finance Company (“Nayifat,” “we,” “us”), we are committed to protecting your privacy and ensuring the confidentiality and security of your personal data. This policy explains how we collect, use, share, and protect your data when you use Nayifat’s portal, mobile application, or any other digital channels, in compliance with the Personal Data Protection Law (PDPL) and its implementing regulations, the requirements of the National Data Management Office (NDMO), and the relevant instructions of the Saudi Central Bank (SAMA).



1) Scope and Purpose

This policy applies to all collection and processing of personal data relating to individuals residing in the Kingdom of Saudi Arabia or processed within the Kingdom. Its purpose is to clearly inform you of the types of data we collect, the purposes of processing, the legal bases, your rights and how to exercise them, as well as the procedures for security, retention, and disposal.



2) Who We Are

Nayifat Finance Company is the Data Controller responsible for determining the purposes and means of processing personal data.
• Commercial Registration: 1010176451
• Headquarters: Kingdom of Saudi Arabia – Riyadh – Al Wurud District



3) Data Protection Officer (DPO) / Data Management Office (DMO)
Position: Data Protection Officer – Data Management
Email: Privacy@nayifat.com
Phone: 8001000088 Ext. 2023
Postal Address: 12253

Responsibilities of the DPO:
• Monitor compliance with PDPL, NDMO, and SAMA requirements.
• Receive and process data subject requests and complaints.
• Provide internal guidance on impact assessments and privacy protection.
• Communicate with regulatory authorities when required.
• Oversee awareness and training programs for employees.



4) What Data Do We Collect?

We collect only the minimum amount of data necessary to achieve legitimate, pre-defined purposes. This includes, but is not limited to:
1. Identification and Account Data: Full name, ID/Iqama number, date of birth, gender, marital status, contact details (mobile, email, postal address), customer number, device identifiers.
2. Financial and Credit Data (Sensitive Data): Income, obligations, repayment records, credit evaluation reports, details of financial products used.
3. Usage and Interaction Data: Device type and operating system, IP address, login records, in-app/portal navigation, application errors.
4. Location Data: Approximate or precise location (GPS/Wi-Fi) when location services are enabled.
5. Cookies and Similar Technologies: To personalize your experience, analyze usage, and improve performance.
6. Biometric Data: Fingerprints, facial recognition – for verification and to prevent fraud or unauthorized access.

Third-Party Data Sources: We may obtain your data from licensed and authorized entities for verification and compliance purposes (e.g., Yaqeen, Dakhli, Elm, local credit bureaus), in line with regulatory requirements.



5) Accuracy and Completeness of Data

We are committed to keeping your data accurate, up-to-date, and complete to the extent possible. We request your cooperation in providing necessary updates or corrections. If we become aware that data is inaccurate or incomplete, we will correct or complete it without delay.



6) How Do We Collect Your Data?
• Directly from you: Through electronic forms, account opening, financing requests, phone/email communications, and supporting documents.
• Automatically: Through our systems and digital channels (technical logs, cookies).
• From licensed third parties: For identity verification, creditworthiness, and regulatory compliance.



7) Why Do We Use Your Data? (Processing Purposes)
• To provide financial services and products, execute contracts, and manage the customer relationship.
• To verify identity, combat fraud, manage risks, and meet regulatory requirements.
• To operate digital channels, enhance user experience, and provide technical support.
• For operational communication (notifications, service updates).
• For direct marketing and sending offers – only with your revocable consent.



8) Legal Basis for Processing Your Data
• Explicit consent.
• Contractual necessity.
• Legal/regulatory obligations.
• Legitimate interest.



9) Your Rights and How to Exercise Them

Under the PDPL, you have the following rights:
• Right to be informed
• Right of access
• Right to rectification/update
• Right to deletion
• Right to withdraw consent
• Right to object/restrict processing
• Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format for reuse or transfer to another party.

How to exercise your rights?
• By email: DMO@nayifat.com
• By phone: 8001000088 Ext. 2023 or choose option 6
• Through the electronic form on our website: Nayifat.com

We commit to responding within 30 days.

Notice to Third Parties:
If you correct or delete your data, we will – where possible and reasonable – notify any third party with whom we previously shared your data of such changes.



10) Data Sharing and Disclosure

We do not share your data except where legally required, and we ensure that binding contracts are in place with subcontracted processors. We also conduct periodic automated audits of service providers to verify their compliance with data security and privacy standards.



11) Data Retention and Disposal

We retain your data for as long as necessary to achieve processing purposes or as required by law:
• Account and service data: Throughout the relationship and service provision.
• Financial transaction data: For at least 10 years, in line with statutory retention requirements.

After the retention period ends, we delete the data or anonymize it through secure methods that prevent unauthorized access or recovery.



12) Information Security

We apply security controls including encryption, anonymization, strict access controls, regular testing, and employee training.

In case of a data breach: SAMA is notified immediately, and affected individuals are notified within 72 hours.

Training and Awareness:
We conduct regular employee training programs on privacy, data security, and their regulatory obligations.



13) Policy Updates and Notifications

If we make material changes to this policy, we will notify you directly via email, SMS, or in-app notifications, in addition to publishing the updated version on our website.



14) Regulatory Registration

If we obtain any registration or formal accreditation from SDAIA or another competent authority as a “Data Controller,” the registration number and approval date will be disclosed in this policy.



15) Complaints and Escalations

You may raise complaints through our channels. If you are not satisfied with our handling, you may escalate the matter to SDAIA through its official website or the DGP platform.



16) Reference Policies and Regulations
• Personal Data Protection Law (PDPL).
• Relevant NDMO regulations.
• SAMA instructions.
• Nayifat internal policies.



17) Contact Us
Phone: 8001000088 Ext. 6 or 2023
Email: DMO@nayifat.com
Electronic Form: Available on Nayifat.com via customer care ticket forms.
Postal Address: 12253

By using our services, you acknowledge that you have read and understood this policy. In case of discrepancy between the Arabic and English versions, the Arabic version shall prevail.