Privacy Policy

Overview

Saudi Arabia Railway Company (‘SAR’) is the Data Controller responsible for determining the purposes and means of processing Personal Data and is committed to safeguarding your privacy and adhering to the highest standards of data protection, as prescribed by the Personal Data Protection Law of Saudi Arabia (‘KSA PDPL’, ‘Law’).

Personal Data encompasses any information relating to an identified or identifiable individual, which may include, but is not limited to, your name, address, photograph, and more. This Privacy Policy serves to inform you about how SAR collects, processes, and protects your Personal Data. The aim of this Privacy Policy is to ensure transparency in our data handling practices and empower you to make informed decisions about your privacy.

Purpose

The purpose of this Privacy Policy is to provide you, our valued customer (‘Customer’), with clarity on how SAR collects, uses, stores, shares, and processes your Personal Data. This is integral to our commitment to delivering personalized products and services tailored to your specific needs. SAR ensures transparent and lawful processing of your Personal Data and implements comprehensive security measures to safeguard against unauthorized access, disclosure, or destruction.

Types of Data Collected

We collect various types of Personal Data (including Personal Data related to minors aged 12 to 17 and incompetents), including but not limited to the following categories:

  • Personal Identification Information: Full name, email address, phone number, postal address, National Identification, Passport Number, or similar documentation.
  • Service Usage Data: Details about your interactions with SAR services, such as travel history, preferences, and complaints.
  • Payment Information: Payment methods, billing details, and transaction history. We do not store credit card information unless explicitly permitted for recurring payments.
  • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to monitor website performance, improve user experience, and deliver targeted advertisements. You can manage your cookie preferences via your browser settings.
  • Sensitive Personal Data: Any data related to health or biometric information (if applicable), and only collected with explicit consent.

What is the purpose of processing and the legal basis:

In accordance with the KSA PDPL, SAR processes your Personal Data in a lawful, fair and transparent manner solely for the purposes of providing its services and based on the lawful bases specified below:

Purpose | Legal Basis
To provide and maintain our services (e.g., booking tickets, parcel shipments, customer service). | Consent
To send notifications about service updates, or operational changes. | Consent
Marketing/Advertising purposes to inform you about our products and services | Legitimate Interest
To gather analysis and insights that help improve our services and user experiences | Legitimate Interest
To comply with applicable legal and regulatory requirements, including responding to lawful requests from public authorities. | Legal Obligation

Your Rights

In accordance with the KSA PDPL, you are entitled to exercise the following rights:

  • Right of access: You have the right to obtain access to your Personal/Sensitive Data which we hold about you.
  • Right to be informed: You have the right to be informed about the legal basis and the purpose of the collection and processing.
  • Right to request obtaining Personal Data: You have the right to request a copy of your Personal/Sensitive Data (held by us) in a readable and clear format.
  • Right to request correction/completing or updating: You have the right to request correction, completion or updating your Personal Data/Sensitive Data if you believe that any of the collected Personal/Sensitive Data we are holding is incorrect or incomplete.
  • Right to request the destruction of Personal Data: You have the right to request the deletion or destruction of your personal data held by SAR. However, SAR is entitled to retain your Personal/Sensitive Data in accordance with applicable laws, regulations, or judicial requirements, and for any legitimate interest as permitted by law.
  • Right to withdraw consent: You have the right to withdraw consent for processing your personal data. However, SAR has the right to retain it in accordance with applicable laws.
  • You have the right to submit a complaint to the Saudi Data and AI Authority (SDAIA), as it is the competent authority, within (90) days from when the incident occurred, or as soon as you are aware of it. You may submit a request to exercise your rights by filling out the Data Subject Request Form and sharing it with DPO@SAR.COM.SA.

Your Obligation

While SAR takes reasonable measures to ensure the accuracy of Personal Data under its control, you are responsible for ensuring that the Personal Data you provide to SAR is true, accurate, and complete. You are required to promptly inform SAR of any changes to your Personal Data (such as a change to your contact details, address, etc.) to enable SAR to maintain accurate records and to effectively provide its services.

We ensure the lawful and transparent processing of your Personal Data, using it for the following purposes:

  • To provide and maintain our services (e.g., booking tickets, parcel shipments).
  • To send notifications about service updates, promotions, or operational changes.
  • To allow you to participate in interactive features of our service.
  • To respond to inquiries, complaints, and offer relevant assistance.
  • To gather analysis and insights that help improve our services and user experiences. With your consent, we may use your Personal Data to provide personalized offers and promotions based on your preferences.
  • To comply with applicable legal and regulatory requirements, including responding to lawful requests from public authorities.

Legal Basis for Processing Personal Data

We will only collect and use your Personal Data in accordance with the requirements under the KSA PDPL. In most cases, our legal justification will be:

  • Your Consent, where parent and legal guardian consent will be obtained for processing Personal Data related to children and incompetents.
  • Processing achieves a definite interest for you, and it is impossible or difficult to contact you.
  • Processing is required by applicable law and is performed in accordance with it.
  • Processing is performed in order to perform an agreement to which you are a party.
  • Processing is necessary for the purpose of SAR’s legitimate interests.

Disclosure

As necessitated by the purposes listed above (refer to section 4), we reserve the right to disclose your Personal Data, where disclosure is defined under the KSA PDPL as allowing a third party to access, collect, or use personal data. Disclosure may occur to our service providers (such as IT and professional service providers) and to competent regulatory or public authorities where required by law or applicable regulatory obligations.

We may disclose your Personal Data in accordance with KSA PDPL in the following cases:

  • You consent to the disclosure.
  • Your Personal Data has been collected from a publicly available source.
  • The entity requesting disclosure is a public entity, and the collection or processing of your Personal Data is required for public interest or security purposes, or to implement another law, or to fulfil judicial requirements.
  • The disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
  • The disclosure will only involve subsequent processing in a form that makes it impossible to directly or indirectly identify you.

Cross Border Transfer

We may share your Personal Data (including Personal Data related to minors and incompetents) for processing to the extent necessary to fulfil the purposes listed above (refer to section 5). In some circumstances where the law permits, this will involve SAR transferring your Personal Data outside KSA. Such transfers will adhere to the legal provisions concerning cross-border transfers of Personal Data, as stipulated by the KSA PDPL and the relevant laws and regulations.

Data Security

We have implemented appropriate security measures, administrative controls, and legal safeguards issued by the National Cybersecurity Authority (NCA).

We address any suspected Personal Data breaches promptly and thoroughly, in accordance with legal requirements. Should such a breach occur, we will notify the Saudi Data and AI Authority (SDAIA), as it is the competent authority, within seventy-two (72) hours of becoming aware of the incident, and notify you without undue delay as mandated by the KSA PDPL.

Data Retention

We will retain your Personal Data (including Personal Data related to minors and incompetents) for the period required by KSA PDPL or any other period necessary for us to meet our operational obligations such as maintaining accounts, facilitating client relationship management, responding to legal claims or regulatory requests, etc.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on SAR’s website.

Disclaimer

This Privacy Policy is not intended to, nor does it, create any contractual rights or obligations whatsoever on SAR or you, nor does it create any legal rights or obligations on SAR in respect of any other party or on their behalf.

Contact Us

Maintaining the accuracy and currency of your Personal Data is very important for us. For inquiries about our Privacy Policy or further details, please contact: DPO@SAR.COM.SA