1- About Tamimi Markets

Tamimi Markets was established in 1979 and is considered one of the leading retail chains in the Kingdom of Saudi Arabia. The company aims to provide a wide range of high-quality products and services to its customers. Tamimi Markets conducts its operational and commercial activities in accordance with the applicable laws and regulations in the Kingdom of Saudi Arabia.

Tamimi Markets may process personal data in different contexts, whether:
1. Directly in its interactions with customers during the provision of services; or
2. Through collaboration with other parties under agreements that define the roles and responsibilities of each party, in line with the Personal Data Protection Law (PDPL) and related regulations.

Contact details of Tamimi Markets and the team responsible for implementing this Policy:

Responsible department/team::

Data Protection Officer

Address::

King Abdul Aziz Road, Ar Rakkah Al Janubiyah Al Khobar Saudi Arabia

Data Protection Officer email: :

dataprotection@tamimimarkets.com

2-Scope and Purpose of this Policy

This Privacy Policy explains how Tamimi Markets (“Tamimi”, “we”, “us”, or “our”) handles your personal data. It sets out, among other things:
1- The types of personal data we may collect about you
2- The sources and methods used to collect such data
3- The legal bases and purposes for processing your personal data.
4- The parties with whom your data may be shared, and the situations in which disclosure is permitted.
5- How your personal data is stored, retained, and securely destroyed
6- Your rights in relation to your personal data and how you can exercise them.

This Policy is applied in accordance with:

1- The Personal Data Protection Law (PDPL)and its Implementing Regulations in the Kingdom of Saudi Arabia.
2- The policies, regulations, and guidance issued by other competent authorities, including the Saudi Data and Artificial Intelligence Authority (SDAIA).

3- Types and Sources of Personal Data

First: Types of personal data we may collect (depending on your relationship with Tamimi Markets):

1- Basic identification and contact data:

Name, national ID or residency number, nationality, gender, date of birth (where applicable), postal address, contact numbers, and email address.

2- Transaction and payment data:

Purchase records, order details, payment information, invoices, and financial transaction records related to the company’s products and services.

3- Interaction and service-related data:

Correspondence, complaints and enquiries, your feedback on our services, survey responses, and records of communications through our customer service channels

4- Digital usage data:

Data relating to your use of our website, mobile applications, or other digital channels (such as IP address, browser type, device type, operating system, and information related to cookies and analytics tools).

5- Preferences and purchase behavior data:

Items added or left in your shopping cart, purchase preferences, favorite products, and usage patterns within our digital platforms.

6-Loyalty program data:

Membership details, reward points, redemption and usage history, and account status.

7- Device information:

Device type, technical settings, operating system, and device identifiers used to access Tamimi services.

8-Security-related data:

CCTV footage at our stores or facilities, and access logs to authorized areas or systems where required for safety and security purposes

9- Geolocation data:

Delivery locations, approximate location when using delivery services, and information necessary to complete orders.

10-Social media interaction data:

Comments, messages, and public interactions with Tamimi’s official social media accounts.

11- Professional data:

Job titles, roles within the organization, and professional qualifications

12-Legal data:

Contracts, compliance documents, regulatory adherence records, and any other legal information relevant to the transactions.

Second: Sources of personal data

We may obtain your personal data from one or more of the following sources:

1- Directly from you through your various interactions, such as using our website or mobile applications, visiting our physical stores, participating in events and promotional activities, or contacting customer service through any available channel.
2-Through digital channels by collecting usage data during your interactions with our website or applications, including the use of cookies and other authorized tracking technologies, which help analyze and improve your digital experience.
3-From business partners and service providers through data received from our commercial partners, delivery companies, advertising agencies, marketing providers, and social media platforms, to facilitate service delivery and enhance the quality of your experience.
4-From public or external sources where applicable, such as publicly available information or data provided by external entities, provided there is a legal basis for such collection.
We collect personal data only to the extent necessary and appropriate for the purposes set out in this Policy or as permitted by applicable laws and regulations.

4-Legal Basis for Processing Your Personal Data

As a general rule, Tamimi Markets relies on your explicit consent when processing is not mandated by a specific legal or regulatory obligation and is not necessary for entering into or performing a contract with you, while respecting your right to withdraw such consent in accordance with applicable requirements. In addition to consent, processing may, depending on the circumstances, be based on one or more of the following legal basis:

1- Compliance with laws and regulations:

When processing is necessary to fulfill the statutory or legal obligations applicable to Tamimi Markets, such as tax obligations, labor requirements, or any other regulatory obligations.

2- Performance or conclusion of contracts:

When processing is necessary to enter into a contract with you or to perform it, such as processing orders, registering accounts, or providing the requested services.

3- Protection of vital interests:

Where processing is necessary to protect your vital interests or the vital interests of another person, in situations that require such protection.

4- Publicly available data:

Where the personal data is publicly available or lawfully made available to the public and is collected and used in accordance with applicable laws and regulatory requirements.

5-Legitimate interests:

Where Tamimi Markets has a legitimate interest in processing the data, provided that such processing does not conflict with your fundamental rights and interests and does not involve sensitive personal data except to the extent permitted by law.

6-Explicit consent:

Where the law requires us to obtain your consent before commencing processing – such as in connection with certain direct marketing activities, non-mandatory surveys, or other purposes that are not legally required – your personal data will be collected and processed on the basis of your explicit consent. You have the right to withdraw your consent at any time, without affecting the lawfulness of any processing carried out before withdrawal or of any processing based on other valid legal grounds.

5- Purposes of Using and Processing Your Personal Data

We use your personal data for clear and legitimate purposes, including:
1. Business operations and order fulfillment: To efficiently process and deliver your orders, ensuring customer satisfaction and timely service.
2. Customer support: To provide responsive and effective assistance, resolve enquiries, and enhance your experience with the company.
3. Business development and analytics: To analyze customer behaviors and preferences to support our operational and marketing initiatives, and to improve products and services.
4. Operational excellence and legal compliance: To enhance operational efficiency, ensure service quality, and comply with legal standards, including the Personal Data Protection Law in the Kingdom of Saudi Arabia.
5. Security and safety: To strengthen the security of the company’s premises and facilities using monitoring systems, ensuring a safe environment for all customers and employees.
6. Marketing, loyalty programs, and communications: To manage loyalty programs such as “Themari,” conduct marketing campaigns, and communicate with customers regarding offers, services, and updates.

You may at any time request that we stop processing your personal data for direct marketing purposes by contacting us at: dataprotection@tamimimarkets.com.

6- Change of Processing Purposes

Your personal data will be used for the purposes that have been communicated to you or that are permitted by law. If we need to use your personal data for a new purpose different from the original purpose, Tamimi Markets will:
1- Assess whether the new purpose is compatible with the original purposes and applicable legal requirements.
2- Inform you clearly of the new purpose and the legal basis relied upon.
3- Obtain your explicit consent where required by law before commencing the new processing, unless another legal basis allows processing without consent.

We will not process your personal data in a manner that is incompatible with applicable laws and regulations or that would unfairly prejudice your rights and legitimate interests.

7- Mandatory and Optional Data

1- Mandatory data:

This is data that is necessary to provide the requested service or to comply with legal or regulatory obligations (such as identity information, basic contact details, and certain financial and credit information). If you choose not to provide such data, we may be unable to provide the service or complete your request.

2- Optional data:

This is additional data that helps us improve or personalize our services. You may choose not to provide optional data, and in most cases, you will still be able to obtain the core service.

8- Data Security and Processing Records

Tamimi Markets gives special attention to safeguarding your personal data. Our measures include, for example:
1- Implementing technical controls to protect information systems and databases from unauthorized access or security breaches.
2-Establishing administrative and organizational controls to determine access rights to personal data based on a “need-to-know” principle.
3- Using appropriate techniques for encryption and/or anonymization in suitable cases.
4-Securing premises, devices, and storage locations from a physical security perspective.
5-Training staff and raising awareness on data protection and confidentiality, and requiring them to sign appropriate undertakings and agreements.

Tamimi Marketsalso maintains up-to-date and clear records of its personal data processing activities. These records include key elements such as:
1- Purposes of processing.
2- Categories of personal data
3- Categories of data subjects.
4- Parties with whom data is shared.
5- Retention periods.
6-Security and protection controls.
All of the above are maintained in line with applicable legal and regulatory requirements.

9- Personal Data Breach Incidents

If a personal data breach or security incident occurs that may result in harm to your data or a conflict with your rights and interests, Tamimi Markets undertakes to:
1- Assess the incident and analyze its causes and potential impact.
2- Take appropriate technical and organizational corrective measures to contain the incident and address its root causes.
3- Notify the competent authority within no more than 72 hours from the time Tamimi Markets becomes aware of the breach, where it is likely that the incident may result in serious harm or affect rights and interests. If Tamimi Markets is unable to meet this timeframe, the Company will provide the necessary justifications for any delay in accordance with applicable regulations.
4- Notify you—where required by law or where the incident has a direct impact on you— providing a brief description of the incident, the type of data affected (where possible), the measures taken to address it, and relevant contact channels for enquiries.

10-Sharing Personal Data with Third Parties

We may share your personal data with third parties, strictly to the extent required for legitimate legal or contractual purposes, such as:
1-Service providers and professional partners: This includes IT and cloud service providers, logistics providers such as delivery partners, as well as professional firms such as legal advisors and financial auditors, all bound by clear contractual agreements to ensure data protection and confidentiality.
2- Government and regulatory authorities: To comply with legal obligations or in response to lawful and official requests
3-Financial institutions and payment processors: To process transactions and manage financial operations related to our products and services.
4-Marketing and advertising partners: To conduct marketing and promotional campaigns, within the limits permitted by law.
5- Other third parties with your consent, where you explicitly request or authorize Tamimi Markets to share your data with a specified party.

We do not share your personal data with unauthorized parties or for unlawful purposes.

11- Disclosure of Personal Data

Your personal data may be disclosed in circumstances permitted by law, including:

1-Where you have provided your consent to the disclosure in a specific context.
2-Where the data has been collected from a source that is lawfully available to the public, in accordance with applicable regulatory controls.
3-Where disclosure is made at the request of a public authority for security, regulatory, or lawenforcement purposes, or to implement another law, or pursuant to a court order or similar legal process.
4-Where disclosure is necessary to protect public health, public safety, or the life or health of one or more individuals.
5-Where disclosure is made for subsequent processing in a manner that does not allow you to be identified directly, such as anonymized statistics or aggregated reports.

Tamimi Markets is committed not to disclose your personal data in any situation where such disclosure could threaten the security of the Kingdom, harm its reputation or interests, negatively affect its international relations, or endanger the safety of any individual.

12- Cross-Border Transfer of Personal Data

As a general rule, Tamimi Markets does not transfer your personal data outside the geographical borders of the Kingdom of Saudi Arabia and does not store it in data centers located outside the Kingdom, except where there is:
1- A clear legal requirement; or
2- An operational need; or
3- A contractual obligation
and only in accordance with applicable laws and regulations.

In cases where it is necessary to transfer or process personal data across borders outside the Kingdom, Tamimi Markets will:
1-Ensure that the transfer is carried out in accordance with the Personal Data Protection Law (PDPL), its Implementing Regulations, and the rules governing cross-border data transfers.
2- Verify that the destination country or entity provides an adequate level of data protection, or otherwise implement appropriate contractual or organizational safeguards (such as standard contractual clauses or binding data protection agreements).
3- Comply with any additional requirements issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), the Saudi Central Bank (SAMA), or any other competent regulator.
4- Inform you—where required—about the nature and purpose of the transfer and its key implications, and obtain your consent where mandated by law.

You may request further information about cross-border transfers of your personal data by contacting us.

13- Retention and Destruction of Personal Data (Paper and Electronic)

Tamimi Markets retains your personal data in the following forms:
1- In paper form, within organized and secured physical files and documents.
2- In electronic form, within systems, applications, and databases that are subject to appropriate information security controls

Data is retained for the period necessary for:

1- Achieving the purposes for which the data was collected
2- Complying with applicable laws, regulations, and supervisory instructions. To safeguard your data during the retention period, Tamimi Markets implements measures such as:
To safeguard your data during the retention period, Tamimi Markets implements measures such as:
1-Securing physical storage locations (e.g. rooms or cabinets with restricted access).
2- Protecting electronic systems using passwords, access controls, encryption, and other technical safeguards.
When the retention period expires, or when there is no longer a legal or operational need to retain the data, it is securely destroyed using appropriate methods, such as:
1- Destroying paper documents by shredding or other approved means that prevent reconstruction.
2- Deleting electronic data from systems and databases in a manner that prevents recovery as far as reasonably possible, including using deletion, overwriting, or other approved techniques.

Tamimi Markets confirms that it has documented and clear procedures governing the data lifecycle, including retention and destruction controls, in line with applicable legal and regulatory requirements.

14- Minors and Persons with Limited or No Legal Capacity

1- Tamimi Markets products and services are primarily intended for individuals who are 18 years of age or older, or who otherwise have full legal capacity to enter into financial transactions.
2- Where personal data relates to a minor or a person with limited or no legal capacity, dealings should be conducted through a parent, guardian, or other legally authorized representative, in accordance with applicable laws and regulations.

15- Cookies and Preference Management

Tamimi Markets website uses cookies and similar technologies in order to:

1- Operate the website and provide essential functions.
2- Improve performance and enhance your browsing experience.
3-Tailor certain content and services to your preferences, where you choose to allow this.

When you visit the website, a cookie notice may appear, informing you about the use of cookies and allowing you to:
• Customize the types of cookies allowed through the “Customize Cookies” option, with the following choices:

1. Essential:

To operate the website and its core functionalities.

2. Site Preferences:

To customize website settings according to your choices.

3. Analytics:

To analyze website performance and user behavior.

4. Marketing:

For marketing purposes and personalized advertisements

You can manage your cookie preferences at any time by:
1- Using the cookie preference tool available on the website interface (when displayed or via designated links, where provided); and/or
2- Adjusting your browser settings to block, delete, or restrict cookies, noting that disabling certain types of cookies may affect some website functions and your user experience.
By continuing to use the website after setting your preferences, you agree to the use of cookies in line with your selections and as described in this Policy.

16- Your Responsibility for Data Accuracy and Authorization

1- You are responsible for ensuring that the personal data you provide to us is accurate, complete, and up to date, and for informing us of any changes in a timely manner.
2- If you provide us with personal data relating to another person (such as a person authorized to act on your behalf, a dependent, or your legal representative), you confirm that:
1-This person has been informed, to an appropriate extent, of the contents of this Policy or of the parts that concern them; and
2- You hold a valid legal authority or power of attorney, or other valid legal authorization, enabling you to provide us with their personal data and act on their behalf, and that you can provide proof of such authority upon request.

17- Your Rights in Relation to Your Personal Data

Subject to the conditions and limitations set out in applicable data protection laws and regulations, you have a number of rights in relation to your personal data, including:
1- The right to be informed about how your personal data is processed, the purposes of processing, and the categories of parties with whom it may be shared.
2- The right to request access to the personal data we hold about you.
3- The right to obtain a copy of your personal data in an organized and readable format, to the extent permitted by law.
5- The right to request destruction of some or all of your personal data, subject to legal and regulatory retention requirements and any obligations that require us to retain certain data for a longer period.
6- The right to request restriction of certain types of processing in specific situations.
7- The right to withdraw consent, where processing is based on your consent, at any time, without affecting any processing based on other legal grounds that permit continued processing
8- The right to lodge a complaint with the competent authorities if you believe that your personal data has been processed in violation of applicable data protection laws.

18- How to Exercise Your Rights and Response Time

1- You may exercise your rights or request additional information about how your personal data is processed by contacting Tamimi Markets’ Data Protection Officer at:

dataprotection@tamimimarkets.com

2-We may ask you to provide certain information or documentation to verify your identity before implementing your request, in order to protect your data from unauthorized access
3-Tamimi Markets will review your request and respond within no more than 30 days from the date of receiving a complete request, unless a longer period is required by law or there are exceptional circumstances that justify an extension. In such cases, you will be informed of the need for additional time and the reasons for it.

19- Complaints and Contacting Competent Authorities

First – Contacting Tamimi Markets

If you have any comments or complaints related to the protection of your personal data or the application of this Policy, you can contact Tamimi Marketsvia the Data Protection Officer at:

dataprotection@tamimimarkets.com

Second - If you are not satisfied with the outcome or if there is a delay in response.

You may submit a complaint to the relevant authorities using the channels they provide, including:

1- The Saudi Data and Artificial Intelligence Authority (SDAIA):

Unified beneficiary service number:

8001221111

Email and Website:

• Official Website of the Authority: sdaia.gov.sa
• National Data Governance Platform: dgp.sdaia.gov.sa

20- Updates to this Policy

1- Tamimi Markets may update this Policy from time to time to reflect legal, regulatory, technical, or operational changes
2- Where a material change is made to this notice, Tamimi Markets will, where appropriate, notify you through one of its approved communication channels, such as your registered email address, SMS, or notifications through official digital channels.
3- The updated version will be published on Tamimi Markets website or through other official channels. Your continued use of the website or services after such updates are published will be deemed acceptance of the updated Policy, unless the law requires us to obtain your explicit consent in specific cases.
4- Tamimi Markets recommends that you review this Policy periodically to stay informed about any updates or changes

21-Final Provisions

1- This Policy, in all its provisions, interpretation, and implementation, is subject to the Personal Data Protection Law (PDPL)and its Implementing Regulations in the Kingdom of Saudi Arabia, as well as to the applicable laws, regulations, and instructions issued by the Saudi Central Bank (SAMA) and other competent regulatory authorities.
2- In the event of any conflict between a provision of this Policy and any applicable legal or regulatory requirement, the relevant legal or regulatory requirement shall prevail.