I. Introduction
A. Purpose of This Privacy Policy
This Privacy Policy explains how Aljabr Rent a Car, a one-person company (referred to as "Aljabr" or "we"), collects, uses, stores, shares, and protects personal data. This document is designed to inform our valued customers of their rights and our obligations under the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL). Our commitment is to transparency and privacy protection, ensuring that personal data is handled with the utmost care and in full compliance with all applicable laws and regulations.
B. About Aljabr Rent a Car: Our Commitment to Your Privacy
Aljabr Rent a Car, a one-person company, is a Saudi car rental company registered under Commercial Registration Number 2050111488, with its headquarters in Dammam, Saudi Arabia. We are dedicated to providing seamless car rental services throughout Saudi Arabia and facilitating travel within GCC countries. As a company operating within the Kingdom, we are fully committed to adhering to the Personal Data Protection Law (PDPL) and its executive regulations, under the supervision of the Saudi Data & Artificial Intelligence Authority (SDAIA).
C. Scope of This Policy: Online, Offline, and Mobile Operations
This policy applies to all personal data collected through our website, mobile applications (including future apps planned with GPS tracking), physical rental locations, customer service and collections department interactions (such as phone calls, emails, and text messages), and any other means through which we collect personal data. It covers data processing activities related to both residents of Saudi Arabia and individuals traveling within GCC countries.
II. Legal Framework and Regulatory Compliance
A. Saudi Arabia’s Personal Data Protection Law (PDPL)
1. Foundational Principles of Data Processing
The PDPL is the cornerstone of data protection in Saudi Arabia. It imposes a strict obligation on any entity that processes personal data to adhere to several fundamental principles. The law stipulates that:
- Data collection methods must be lawful, appropriate, direct, clear, secure, and free of deception.
- Personal data must be collected for specific, documented, and legitimate purposes directly related to its intended use, and processing must not exceed these purposes.
- We are obligated to collect and process only the minimum amount of personal data that is relevant, necessary, and sufficient to achieve the stated purposes.
- We must ensure that personal data is accurate, complete, and up-to-date, providing individuals with opportunities to correct and update their data when necessary.
- Personal data will be processed and stored for a period no longer than is necessary for the purposes for which it was collected, unless applicable laws require a longer retention period.
- We will implement appropriate technical and organizational measures to ensure the security of personal data, protecting its confidentiality, integrity, and availability.
2. Definition of Personal Data and Sensitive Data
Under the PDPL, "Personal Data" is broadly defined as any data, regardless of its source or form, that may directly or indirectly lead to the identification of an individual. This includes, but is not limited to, name, personal ID number, addresses, contact numbers, license numbers, records, personal assets, bank account and credit card numbers, photos, and videos.
"Sensitive Data" is a subset of personal data that requires enhanced protection and explicit consent for processing. This category includes data that reveals ethnic or racial origin, religious, intellectual, or political beliefs, security data, data related to criminal offenses, biometric or genetic data, health data, and data indicating that one or both of an individual's parents are unknown. For Aljabr's operations, driver's license numbers are considered personal data. Any health information collected, for example, to provide adaptive driving devices, would be classified as sensitive data and handled with the highest level of care and explicit consent.
B. The Role of the Saudi Data & Artificial Intelligence Authority (SDAIA)
SDAIA is the competent authority responsible for overseeing the implementation and enforcement of the PDPL and its regulations. SDAIA ensures data governance, privacy, compliance, and regulation across various sectors.
C. Compliance Obligations
All public and private entities that process the data of Saudi citizens, whether inside or outside the Kingdom, must comply with the Personal Data Protection Law. We adhere strictly to these compliance obligations, taking all necessary measures to ensure your personal data is protected to the highest standards, while recognizing the importance of compliance to avoid any legal or regulatory consequences.
III. The Information We Collect About You
We collect your personal data to provide rental services efficiently and in compliance with regulations. The type of data depends on your interaction with us.
A. Categories of Data We Collect:
- Identity and Contact Information: Such as your name, ID number, driver's license, and contact numbers.
- Financial Information: We do not store full card data but may retain encrypted copies and essential payment details.
- Rental Details: Such as your reservation history, vehicle preferences, and special requests that may include health data with your consent.
- Vehicle and Usage Data: Such as the vehicle number, mileage, geographical location (GPS), and telemetry data for performance and safety.
- Application and Device Data: Such as your IP address, device type, geographical location, and camera permission to upload documents.
- Additional Information: Such as security camera footage, call recordings, and feedback or surveys.
B. How We Collect Your Data:
- Directly From You: When you make a reservation, register, rent a car, or use the app or website.
- From Third Parties: Such as payment gateways, government entities (TAMM, Tajeer), analytics providers, and our partners.
C. Sensitive Data:
We handle data like ID and license numbers as sensitive data under the law. In some cases, we collect health information (such as requests for adaptive driving) with your explicit consent, and we ensure its protection according to the highest security standards and approved regulations.
Legal Basis for Processing Personal Data:
When we collect your personal data, we rely on several legal justifications, including the following:
- Your explicit consent to process your personal data.
- Processing to serve the legitimate interests of the data owner when they cannot be contacted.
- Processing to serve the legitimate interests of the processing entity in accordance with the Personal Data Protection Law.
- Processing to comply with another legal obligation.
IV. How We Use Your Information (Processing Purposes)
We process your personal data for specific and legitimate purposes only. These purposes include:
1. Providing Car Rental Services:
- Processing and confirming reservations and managing rental agreements.
- Verifying identity and eligibility for rental (such as driver's licenses).
- Facilitating vehicle pick-up and drop-off (inspection and documentation, mileage verification, and damage assessment).
- Processing payments securely.
2. Managing Your Account and Customer Support:
- Creating and managing customer profiles and providing effective support.
- Responding to inquiries and resolving issues.
- Managing service-related communications (reservation confirmations, reminders, policy updates).
3. Improving and Personalizing Your Experience:
- Improving the website, applications, and service offerings based on usage and feedback.
- Personalizing your experience (remembering preferences, providing recommendations and offers).
- Conducting market research and analysis.
4. Marketing and Promotional Communications:
- Sending information about products, services, and special offers (with your explicit consent).
- Providing the option to unsubscribe at any time.
5. Ensuring Safety, Security, and Fraud Prevention:
- Monitoring vehicles using GPS tracking for purposes such as recovering lost or stolen vehicles.
- Ensuring compliance with rental agreements (geographic restrictions, monitoring travel to GCC countries).
- Preventing unauthorized use of services.
- Monitoring and securing premises using surveillance cameras.
6. Complying with Legal and Regulatory Obligations:
- Sharing data with government bodies (such as Tajeer, TAMM, Shumous, and SIMAH) for registration and reporting purposes.
- Disclosing data to law enforcement or judicial authorities when legally required or to protect our rights.
- Responding to traffic violations or accidents.
7. Internal Operations and Analytics:
- Managing internal business operations (financial reports, auditing, IT systems management, ERP system).
- Conducting analytics and research to improve services and operational efficiency.
V. How We Share Your Information
We do not sell, rent, or give physical possession of personal data to unaffiliated third parties outside of the Aljabr system, except as described in this policy. When sharing data, we limit the scope of information provided to the amount necessary for the specific function and require third parties to protect personally identifiable information (PII) and comply with applicable privacy laws and regulations.
A. With Third-Party Service Providers (e.g., Payment Gateway, Analytics, ERP System, Hosting)
- Payment Gateway: Necessary transaction data is shared with our trusted third-party payment gateway to process payments securely. These providers operate under their own privacy policies.
- Analytics Services: Anonymized or aggregated data is shared with analytics providers to understand website and app usage, improve performance, and customize content.
- Enterprise Resource Planning (ERP) System Providers: Data is stored and processed on our ERP system, which may be managed by a third-party vendor acting as a data processor on our behalf.
- Hosting Providers: Personal data is hosted with trusted local hosting providers within Saudi Arabia.
- IT Support and Maintenance: Providers who assist with our IT infrastructure and systems may access data as needed for support and maintenance.
B. With Government and Regulatory Bodies (Tajeer, TAMM, Law Enforcement)
We share personal data with government and regulatory bodies, including Tajeer and TAMM, as required by law or for official purposes such as vehicle registration, reporting traffic violations, and complying with national regulations. We may also disclose data to law enforcement, judicial authorities, or other public entities when legally required or to protect our rights, property, or safety, or the safety of others.
C. With Business Partners (e.g., Insurance Providers, Roadside Assistance)
Necessary data may be shared with our business partners, such as insurance providers to activate policies and claims, or roadside assistance providers for emergency services related to your rental. This sharing is intended to provide the services you have requested or are entitled to.
D. Cross-Border Data Transfer (for GCC Travel and International Operations)
Although we do not physically transfer personal data outside the borders of Saudi Arabia, we confirm our full commitment to the policies of the Saudi Data & Artificial Intelligence Authority (SDAIA) regarding data hosting within the permitted geographical scope, including GCC countries, ensuring that processing operations are consistent with the requirements of the Personal Data Protection Law and relevant regulatory controls.
E. Other Circumstances Requiring Disclosure
Personal data may also be disclosed:
- With your explicit consent for specific purposes not otherwise covered by this policy.
- In emergencies, such as to protect the life, health, or property of an individual.
- In connection with a merger, acquisition, or sale of assets, where data may be transferred as part of the business assets, provided appropriate safeguards are in place.
VI. Data Security and Retention
A. Our Security Measures to Protect Your Data
We implement robust technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, destruction, or any other unlawful processing. These measures include:
- Access Controls: Restricting access to personal data to authorized employees only, based on the "need-to-know" principle.
- Encryption: Using encryption for data in transit and at rest where appropriate, especially for sensitive information.
- Anonymization/Masking: Using techniques like data masking, generalization, and aggregation to protect personal data where full identification is not necessary.
- Regular Security Audits and Vulnerability Assessments: Conducting periodic assessments to identify and address potential weaknesses in our systems.
- Employee Training: Ensuring our employees are regularly trained on data protection best practices and compliance with the Personal Data Protection Law.
- Incident Response Plan: Maintaining established procedures for detecting, responding to, and reporting data breaches to the regulatory authority within three days of discovery.
B. Data Minimization Practices
In line with the principles of the Personal Data Protection Law, we are committed to collecting and processing only the minimum amount of personal data that is relevant, necessary, and sufficient for the specified purposes. We also avoid collecting data for unspecified future use.
C. Data Retention Periods (According to PDPL and Other Laws)
We retain personal data only as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable Saudi laws and regulations. This includes retaining data for legal purposes (such as financial records, traffic violation records) even after the primary purpose of collection has been fulfilled. Once the retention period expires, or the data is no longer required for a legitimate purpose, we will securely destroy or anonymize it.
D. Data Erasure Procedures (Including SDAIA Requirements for User Data Removal)
We are committed to securely erasing personal data without delay once its purpose has been fulfilled. This includes responding to requests for data destruction. We adhere to SDAIA guidelines for user data removal, ensuring the secure and permanent erasure of all copies, including backups, and instructing any recipients of the data to destroy it as well. However, please note that we may retain some data if it is necessary for a legal purpose, such as resolving disputes, troubleshooting issues, or fulfilling legal or financial obligations. In such cases, the data will be retained only for the period specified by law.
VII. Your Rights Regarding Your Personal Data
- The right to know why your data is collected, how it will be used, and the entities it may be shared with.
- The right to request a copy of the personal data we hold about you in a clear and legible format.
- The right to correct your data if it is inaccurate or to complete it if it is incomplete.
- The right to request deletion of your data if it is no longer needed, including from backups.
- The right to withdraw consent to the use of your data at any time, unless there is a legal impediment.
- The right to object to the use of your data in some cases, such as for direct marketing.
How to Exercise Your Rights: You can contact us to request any of these rights, and we will ask for proof of identity to ensure the protection of your data.
VIII. Cookies and Other Tracking Technologies
A. What Are Cookies
Cookies are small text files that websites send to a visitor's computer or other internet-connected device to uniquely identify the visitor's browser or to store information or settings in the browser. They are widely used to make websites work more efficiently, as well as to provide reporting information.
B. How We Use Cookies and Similar Technologies
We use cookies, invisible pixels, web beacons, and similar technologies on our websites, mobile applications, and electronic communications to collect information through automated means. These technologies help us to:
- Remember your preferences and save time by providing a customized experience.
- Improve the user experience and personalize advertisements for you.
- Facilitate sign-in, content delivery, and relevant communications.
- Understand the source of traffic to our site and analyze website usage patterns.
- Display the nearest Aljabr branches and inform you of product availability based on location data (collected via GPS, Wi-Fi, or mobile network signals, with user consent).
- Our cookies are generally limited to our website and do not track you after you leave.
C. Your Choices Regarding Cookies
Most browsers will tell you how to stop accepting new cookies, how to receive notification when you receive a new cookie, and how to disable existing cookies. Upon your first visit to our website, you will be asked to provide consent to the use of cookies, except for mandatory cookies which do not require consent. Preferences can be customized through the cookie settings page at any time. If consent is withdrawn or updated, we will honor these choices and remove non-mandatory cookies. However, please note that without cookies, you may not be able to take full advantage of all the features of our website, and rejecting cookies may affect your ability to make certain transactions on the website.
IX. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Any material changes will be posted on this page, and we will obtain your consent where required by law. We encourage you to review this policy periodically to stay informed about how we protect your information.
X. Contact Us
For any questions or concerns regarding this Privacy Policy or our data practices, please contact us at:
- Aljabr Rent a Car, a one-person company
- Commercial Registration: 2050111488
- Headquarters: Dammam, Prince Mohammed bin Fahd Road, Al Badi' District, P.O. Box 4174
- Phone: 920006379
- Email: pdpl@jrac.com.sa
We are committed to responding to your inquiries and ensuring your privacy rights are respected.
