Privacy Policy

KEY NOTICE · PDPL & YOUR DATA RIGHTS

Your data is processed in line with the Saudi PDPL and its Implementing Regulation, with safeguards for your rights as a data subject.

1.1 This Policy applies to all personal data Rasi collects or processes through the website, application, or any other communication channel. 1.2 This Policy is governed by the Saudi Personal Data Protection Law issued by Royal Decree No. M/19, its Implementing Regulation, and any subsequent amendments or issuances. 1.3 This Policy is an integral part of the Terms & Conditions, and your use of the platform constitutes express consent to the data processing practices described herein.

Personal Data: any data, regardless of source or form, that may identify an individual specifically, or make it possible to identify them when combined with other data. Processing: any operation performed on personal data by automated or manual means, including collection, recording, storage, modification, retrieval, use, disclosure, or deletion. Controller: the entity that determines the purpose and means of processing personal data. The Operator is the Controller of Rasi user data. Processor: the entity that processes personal data on behalf of the Controller. Data Subject: the individual to whom the personal data relates. PDPL: the Saudi Personal Data Protection Law. SDAIA: the Saudi Data and Artificial Intelligence Authority, the competent authority for enforcement.

The Data Controller is: Information Technology Integrated Solutions Co. • Unified National Number: 7054044669 • Address: Riyadh, Kingdom of Saudi Arabia • Privacy contact channels: via the Contact Us page on the platform.

Identity Data: full name, national ID or Iqama number, nationality, date of birth; contact data: email, mobile number, address. Account Data: username, encrypted password, account preferences, permissions. Professional and Commercial Data (for service providers): company name, commercial registration, license, classification, specialization, prior work, professional certifications. Project Data: project details, location, budget, timeline, drawings, photos, files. Transaction Data: invoice records, payments, e-invoicing details per ZATCA requirements. Technical Usage Data: IP address, browser type, operating system, device identifiers, visit dates and times, pages viewed, referral links. Communication and Interaction Data: messages exchanged on the platform, ratings, reviews, support requests. Location Data: approximate user location for geo-matching of projects, if the user consents.

Directly from the user: at registration, profile completion, project posting, offer submission, contacting support. Automatically: through use of the platform (cookies, server logs, analytics). From third parties: verification service providers, authorized governmental portals, e-invoicing partners, payment service providers, analytics and digital marketing service providers.

Operating the platform and delivering its services (account creation, project posting, offer reception). User verification and qualification. Performing contractual obligations arising from the Terms & Conditions. Developing and improving platform services and user experience. Compliance with regulatory obligations, including ZATCA, PDPL, and the Anti-Cyber Crime Law requirements. Detecting fraud and misuse, and protecting platform security and user data. Sending operational notifications related to services (transactional messages are not marketing). Marketing communications, only with the user's express consent. Internal analytics and statistics to improve business performance. Responding to requests from competent regulatory authorities. Managing disputes and protecting the platform's legal rights.

Express consent of the user for specific purposes (such as direct marketing). Performance of the user's contract with the platform (the Terms & Conditions). Compliance with statutory obligations binding on the Controller. Legitimate interest of the Controller, provided it is not overridden by the rights of the data subject. Protection of the vital interest of the data subject in exceptional cases.

We share your personal data only in the following cases: (1) With Other Parties on the Platform — users' professional profile data is shown to project-related parties for communication and contracting purposes, in line with the user's role on the platform. (2) With Trusted Processors — we engage external processors for hosting, analytics, e-invoicing, identity verification, payment, communication, and customer service. They are bound by confidentiality through binding Data Processing Agreements (DPAs). (3) With Regulatory Authorities — we disclose data to competent regulatory and judicial authorities when properly requested, when required by law, or to protect the platform's and others' rights. (4) In Restructuring — in case of merger, acquisition, or restructuring, personal data may be transferred to the successor entity under applicable laws. (5) To Protect Rights — to prevent fraud, protect security, or defend legal claims. We do not sell personal data to any third party.

9.1 Personal data is primarily stored on servers within the Kingdom of Saudi Arabia, or in countries providing an adequate level of protection per SDAIA controls. 9.2 Where transfer outside the Kingdom is necessary, the Operator complies with the data transfer chapter of PDPL and its Implementing Regulation, and applies appropriate contractual and technical safeguards. 9.3 We will not transfer your data outside the Kingdom for purposes that conflict with local laws or without a clear legal basis.

10.1 The platform retains personal data for the period required to fulfill the purposes set out in this Policy, or the period required by applicable laws, or the period necessary to protect the platform's legal rights — whichever is longer. 10.2 These periods include, by way of example: ZATCA requirements for tax record retention, anti-money-laundering law requirements, statutory limitation periods for civil claims, and the operational and security needs of the platform. 10.3 After the required retention periods expire, the Operator deletes, anonymizes, or archives the data at its discretion and as the law requires. 10.4 The user has the right to request deletion of data as set out in Clause 12, provided this does not conflict with regulatory retention obligations.

We apply appropriate technical and organizational measures to protect data, including: encryption in transit (HTTPS / TLS) and at rest; access controls on a need-to-know basis; multi-factor authentication for administrative accounts; regular backups and data recovery plans; alignment with the relevant standards of the National Cybersecurity Authority (NCA); periodic staff training on data security and protection. Notwithstanding this, no technical system can guarantee absolute security. The Operator bears no liability for breaches resulting from causes beyond its reasonable control, to the maximum extent permitted by law.

Under the PDPL, the user has the following rights: Right to be informed — to know the legal bases and justifications for collecting and processing data. Right of access — to request a copy of personal data being processed. Right to request correction, update, or completion of data. Right to request destruction when no longer needed, provided this does not conflict with statutory retention obligations. Right to withdraw consent at any time, without affecting prior processing. Right to object to specific processing, especially for marketing purposes. Right to file a complaint with SDAIA. To exercise any of these rights, please contact us through the Contact Us page on the platform. We will respond within the statutory period specified in PDPL, and may request additional data to verify your identity before fulfilling the request. The Operator may refuse a request — wholly or partly — if it conflicts with regulatory obligations, third-party rights, or the platform's fundamental rights, or if the request is repetitive or abusive.

13.1 The platform uses cookies and similar tracking technologies to improve user experience, remember preferences, analyze usage, and present relevant content. 13.2 Cookie categories include: essential operational cookies, preference cookies, analytics cookies, and marketing cookies. 13.3 Users may accept or reject non-essential cookies via browser settings or the on-site consent panel. 13.4 Disabling essential cookies may cause some platform features to malfunction. See Appendix A (Clause 21) for more detail on the cookies used on Rasi.

The platform is not directed at persons under the age of eighteen. We do not knowingly collect personal data of minors. If it becomes apparent that a minor has provided data, we will delete it promptly upon becoming aware. Parents/guardians should notify us if this occurs.

The platform may contain links to third-party websites and applications. We bear no responsibility for the privacy practices or content of those sites. Users should review the privacy policy of each third-party site before providing any data.

16.1 We do not send marketing communications to the user except after obtaining express consent, in line with PDPL and the E-Commerce Law requirements. 16.2 The user may unsubscribe from marketing channels at any time, free of charge, via the links included in marketing messages or in account settings. 16.3 Operational service messages (such as account confirmations, project notifications, invoices) are necessary to provide the service and are not subject to marketing consent.

The Operator may amend this Policy at any time and will publish amendments on the platform. Continued use of the platform after amendment constitutes acceptance of the updated version. Users are advised to review this Policy periodically.

If the Operator becomes aware of any actual breach of personal data that may materially affect user rights, we will notify the competent authority (SDAIA) and affected users within the period and manner required by PDPL and its Implementing Regulation.

For any privacy-related inquiry, request, or complaint: Primary channel: Contact Us on the platform, specifying the nature of the request (access, correction, deletion, objection, etc.). We commit to responding within the statutory period stipulated in PDPL and its Implementing Regulation. If unsatisfied with the response, the user may file a complaint directly with SDAIA through its official channels.

This Policy is governed by and interpreted in accordance with the laws of the Kingdom of Saudi Arabia. Any dispute relating to it is subject to the dispute resolution mechanism set out in the Terms & Conditions (arbitration via the Saudi Center for Commercial Arbitration — SCCA). This Policy is issued in Arabic and English. In case of conflict, the Arabic version shall be the authoritative and binding reference.

This appendix explains the cookies used on Rasi and how to manage them. 1. What are cookies? Small files stored on the user's device when visiting the platform. They help remember preferences and improve the user experience. 2. Types of cookies on Rasi: Essential — necessary for platform operation (login, security, session) and cannot be disabled. Preferences — remember language, settings, and display options. Analytics — measure performance, understand visit behavior, improve features. Marketing — measure campaign effectiveness — only if the user has consented. 3. Managing cookies: via the on-site consent panel on first visit, browser settings, and account settings on the platform. 4. Third-party cookies: we may use cookies from analytics or digital marketing service providers. Such cookies are governed by the privacy policies of those parties.