We at our own discretion have the right to update this Privacy Policy at any time. An updated version of this Policy will be effective immediately upon the posting of the revised Policy unless otherwise specified. Your use of our services after the effective date of the revised Policy (or such other act specified at that time) will constitute your consent to those changes. To find out the latest update, the user should review the update date at the bottom of this page. We may also provide notice to you in other ways at our discretion, such as through the contact information you have provided.

If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, please contact:

• Customer Care: customercare@quarafinance.com
• Data Protection Officer: dpo@quarafinance.com
• Postal Address: King Abdul Aziz Road, Al Wizarat District, Riyadh 11565, Kingdom of Saudi Arabia
• Phone Number: 800 11 88 999

This Privacy Policy shall be governed by and construed in accordance with the laws and regulations of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL).

This Privacy Policy ("Policy") sets out the terms on which Quara Finance ("Quara", "we", "us", or "our") collects, processes, uses, shares, transfers, secures, and retains personal data within the Kingdom of Saudi Arabia.

This Policy is issued in compliance with the Personal Data Protection Law (PDPL), M/19 of 9/2/1443H (16 September 2021), its Implementing Regulations, and relevant regulations issued by the Saudi Central Bank (SAMA).

By providing your personal data to Quara Finance, you acknowledge and agree to the practices described in this Policy.

This Policy forms part of our terms and conditions and governs your relationship with Quara Finance with respect to your personal data.

Quara Finance is dedicated to upholding the following fundamental principles in its role as a data controller, ensuring compliance with the PDPL

• Transparency: We provide clear and accessible information about our personal data handling practices, including the purposes of data collection, processing activities, and sharing with third parties.​
• Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.​
• Data Minimization: We ensure that personal data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.​
• Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.​
• Data Security: Appropriate technical and organizational measures are implemented to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.​
• Accountability: We are responsible for, and able to demonstrate, compliance with the PDPL principles, maintaining records of processing activities and conducting necessary assessments.​
• Data Subject Rights: We respect and facilitate the rights of data subjects, including the rights to access, rectify, erase, and object to the processing of their personal data, as outlined in Section 7 of this Policy.

We collect and process the following categories of personal data for the purposes outlined below:

Data Type	Purpose	Lawful Basis
Name, contact details, Nationality, National ID, Country, City, Date of Birth	Provide services, communicate	Contract, consent
Financial data	Process loans, payments	Contract, legal obligation
HR data	Manage employment, including recruitment, payroll, benefits, performance reviews	Contract, legal obligation
IP address, cookies	Improve website experience	Consent

Automated processing, such as credit scoring, may be used to determine eligibility for services, where permissible under PDPL.

We will obtain your explicit consent before using your personal data for marketing purposes. You may withdraw your consent at any time by contacting customercare@quarafinance.com.

Quara Finance, as a data controller, may share personal data with third parties under specific circumstances, ensuring strict adherence to the Personal Data Protection Law (PDPL) and its Implementing Regulations. The sharing of personal data is conducted with the utmost consideration for data subject rights and data protection standards.

• Engagement with Data Processors

We may engage third-party service providers (data processors) to perform functions on our behalf, such as payment processing, IT services, and customer support. In such cases:

• Contractual Safeguards: We enter into binding agreements with all data processors, mandating compliance with PDPL requirements and ensuring the implementation of appropriate technical and organizational measures to protect personal data.​
• Data Minimization: We ensure that only the personal data necessary for the execution of the specified services is shared with data processors.​

• Disclosure to Regulatory and Legal Authorities

Quara Finance may disclose personal data to competent authorities when required to comply with legal obligations, including:

• Regulatory Bodies: Such as the Saudi Central Bank (SAMA) and the Saudi Data and Artificial Intelligence Authority (SDAIA).​
• Law Enforcement Agencies: When disclosure is mandated by applicable laws or regulations.​

• International Data Transfers

When transferring personal data outside the Kingdom of Saudi Arabia, Quara Finance ensures that such transfers comply with PDPL requirements:

• Adequacy Decisions: We transfer data to countries recognized by SDAIA as providing an adequate level of data protection.​
• Appropriate Safeguards: In the absence of an adequacy decision, we implement safeguards such as Standard Contractual Clauses (SCCs) to ensure data protection standards are met.​
• Explicit Consent: Where necessary, we obtain explicit consent from data subjects before transferring their personal data internationally.​

• Assurance of Equivalent Data Protection

Quara Finance takes all reasonable steps to ensure that any third party accessing personal data provides a level of data protection equivalent to that mandated by the PDPL.

Quara Finance has implemented robust technical, organizational, and administrative measures to protect personal data, including: • Data encryption • Secure servers and firewalls • Access control mechanisms • Employee training programs • Regular penetration testing and security audits We align our security practices with SAMA’s Cybersecurity Framework. In the event of a personal data breach likely to cause harm, Quara Finance will notify affected individuals and SDAIA within 72 hours, unless legally exempted.

Quara Finance retains personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, regulatory, tax, accounting, or reporting obligations. We may also retain personal data for longer periods where necessary to resolve disputes, address complaints, or defend against potential legal claims related to our relationship with you. In determining the appropriate retention period for personal data, we consider:

• The volume, nature, and sensitivity of the personal data;
• The potential risk of harm from unauthorized use or disclosure of the data;
• The purposes for which the data is processed and whether those purposes can be achieved through other means;
• Applicable legal, regulatory, tax, and accounting requirements.

When personal data is no longer required for the purposes for which it was collected, or when it is no longer subject to mandatory retention obligations, we securely delete or otherwise destroy it.

Subject to the PDPL, you have the following rights:

• Right to be informed about data processing activities.
• Right to access your personal data.
• Right to rectify inaccurate or incomplete data.
• Right to delete personal data where no longer necessary.
• Right to restrict or object to processing.
• Right to obtain a copy of your data in a portable format.

To exercise these rights, please contact customercare@quarafinance.com. We will respond within thirty (30) calendar days of receiving a valid request, unless an extension is legally permissible.

- You must notify us of any changes to any of your Personal Data. - It is essential that the Personal Data we hold about you is accurate and up to date.