Privacy Policy
Last Updated: March 11, 2026
1. Introduction
This Privacy Policy explains how United Company for Financial Services (UCFS), also known as Tasheel Finance (“we,” “us,” or “our”), collects, uses, discloses, and protects your personal data when you use our services or interact with our website. We are committed to protecting your privacy and ensuring that your personal data is handled in a safe and responsible manner in compliance with the Saudi Arabian Personal Data Protection Law (PDPL).
This policy is designed to be transparent and easy to understand. We encourage you to read it carefully to understand our practices regarding your personal data and how we will treat it. By using our services, you acknowledge that you have read and understood this Privacy Policy.
2. Scope of this Policy
This Privacy Policy applies to all personal data collected by Tasheel Finance from our customers, website visitors, job applicants, and any other individuals whose personal data we process. This includes data collected through our website, mobile applications, branches, and other channels.
This policy does not apply to third-party websites or services that may be linked to our website. We are not responsible for the privacy practices of these third parties, and we encourage you to review their privacy policies before providing them with your personal data.
3. Who is the Data Controller?
For the purposes of the PDPL, the data controller is:
Tasheel Finance
United Company for Financial Services is a closed joint stock company under the supervision and control of the Central Bank of Saudi Arabia (SAMA), under license No. 52/Ash/201905 | S.T. 2051224103 | National Address: 8868 Malik Bin Qais – Al Rawabi District, Unit No. 8872, Al Khobar 34421-23176, Kingdom of Saudi Arabia.
If you have any questions about this Privacy Policy or our data protection practices, please contact us using the details provided below.
4. Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to oversee our compliance with the PDPL. If you have any questions or concerns about how we handle your personal data, you can contact our DPO at:
Data Protection Officer
Email: DPO@tasheelfinance.com
Phone: Toll Free number inside KSA 8003044434
International call: 009668003044434
5. What Personal Data We Collect
We may collect and process the following categories of personal data:
- Identity Data: Full name, date of birth, gender, nationality, national ID/Iqama number, passport number, and other government-issued identification details.
- Contact Data: Address, email address, phone number, and other contact information.
- Financial Data: Bank account details, credit/debit card information, income details, credit history, and other financial information required for our services.
- Transactional Data: Details about payments to and from you, and other details of products and services you have purchased from us.
- Technical Data: Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
- Usage Data: Information about how you use our website, products, and services.
- Marketing and Communications Data: Your preferences in receiving marketing from us and our third parties and your communication preferences.
- Sensitive Personal Data: We may collect sensitive personal data, such as health information or biometric data, only when it is necessary for the services we provide and with your explicit consent.
6. How We Collect Your Personal Data
We collect personal data from you in various ways, including:
- Directly from you: When you apply for our products or services, create an account on our website, subscribe to our newsletter, or communicate with us.
- Automatically: When you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies and other similar technologies.
- From third parties: We may receive personal data about you from various third parties, such as credit bureaus, government agencies, and other financial institutions.
7. How We Use Your Personal Data
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We will use your personal data in the following circumstances:
- To provide you with our services: To process your applications, manage your accounts, and provide you with the products and services you have requested.
- To comply with our legal obligations: To comply with applicable laws and regulations, such as anti-money laundering and counter-terrorism financing laws.
- For our legitimate interests: To manage our business, improve our services, and protect our legal rights.
- For marketing purposes: To send you marketing communications about our products and services, but only with your consent.
8. Legal Basis for Processing Personal Data
We will only process your personal data when we have a legal basis to do so. The legal bases for our processing activities include:
- Consent: We will obtain your consent before processing your personal data for specific purposes, such as marketing.
- Contractual necessity: We will process your personal data when it is necessary for the performance of a contract to which you are a party.
- Legal obligation: We will process your personal data when it is necessary to comply with a legal obligation.
- Legitimate interests: We will process your personal data when it is necessary for our legitimate interests, provided that your fundamental rights and freedoms do not override those interests.
9. Data Sharing and Disclosure
We may share your personal data with the following parties for the purposes set out in this Privacy Policy:
- Our group companies: We may share your personal data with other companies in the Tasheel Finance group for internal administrative purposes.
- Our service providers: We may share your personal data with third-party service providers who perform services on our behalf, such as IT services, marketing services, and payment processing services.
- Credit bureaus and government agencies: We may share your personal data with credit bureaus and government agencies as required by law.
- Other third parties: We may share your personal data with other third parties with your consent or as permitted by law.
We will ensure that any third party with whom we share your personal data is contractually bound to protect your data and to use it only for the purposes for which we have shared it.
10. International Data Transfers
We may transfer your personal data to countries outside of Saudi Arabia for the purposes set out in this Privacy Policy. When we do so, we will ensure that your personal data is protected by appropriate safeguards, such as by entering into standard contractual clauses with the recipient of the data.
11. Data Retention
We will retain your personal data in accordance with applicable legal and regulatory requirements, including specific requirements from the Saudi Arabian Monetary Authority (SAMA) for financial institutions.
11.1 General Retention Principles
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
11.2 SAMA Regulatory Requirements
As a financial institution regulated by SAMA, we are required to comply with specific data retention requirements under Royal Decree No. 32749 and SAMA circulars:
- Minimum Retention Period: We retain all records and documents, including personal data, for a minimum of 10 years as required by SAMA regulations.
- Electronic Storage: After the initial storage period, records are stored electronically through secure and highly reliable storage systems in coordination with the Ministry of Communications and Information Technology.
- Data Integrity: All electronic records are maintained in their original form without addition, deletion, or modification, ensuring the integrity and authenticity of your personal data.
- Access Controls: We implement strict access controls with at least two levels of permissions for handling electronic records and documents.
- Audit Trail: All operations performed on electronic records are logged and maintained without allowing modifications to ensure complete audit trails.
11.3 Secure Disposal
Once the retention period expires and there are no legal or regulatory requirements to retain the data, we will securely dispose of your personal data using methods that prevent unauthorized access, recovery, or reconstruction of the data. Where appropriate, personal data may also be anonymized so that it can no longer be linked to an identifiable individual. This includes:
- Secure deletion of electronic records using industry-standard data destruction methods
- Physical destruction of any remaining paper records
- Verification that all copies, including backup copies, have been properly disposed of
- Documentation of the disposal or anonymization process for audit and compliance purposes
- Irreversible anonymization of personal data where the information needs to be retained for statistical, analytical, or research purposes without identifying individuals
11.4 Data Subject Rights During Retention
During the retention period, you maintain all your rights under the PDPL, including the right to access, rectify, or request erasure of your personal data, subject to our legal and regulatory obligations to retain certain information.
12. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
13. Your Data Protection Rights
Under the PDPL, you have the following rights in relation to your personal data:
- The right to be informed: You have the right to be informed about how we collect and use your personal data.
- The right of access: You have the right to access your personal data and to receive a copy of it.
- The right to rectification: You have the right to have your personal data rectified if it is inaccurate or incomplete.
- The right to erasure: You have the right to have your personal data erased in certain circumstances.
- The right to restrict processing: You have the right to restrict the processing of your personal data in certain circumstances.
- The right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller.
- The right to object: You have the right to object to the processing of your personal data in certain circumstances.
- Rights in relation to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- The right to withdraw consent: If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time.
- The right to complain: You have the right to lodge a complaint with SAMA if you believe that we have infringed your rights under the PDPL.
To exercise any of these rights, please contact our DPO using the details provided in this Privacy Policy. Upon receiving your request, we will acknowledge it and resolve it within 30 days in accordance with the PDPL requirements.
14. Cookies and Other Tracking Technologies
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them, see our Cookie Policy.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes. Your continued use of our services after any changes constitutes your acceptance of the updated Privacy Policy.
16. Contact Us
If you have any concerns regarding your personal information on our website or Application, please contact us at:
Email: DPO@tasheelfinance.com
Phone: Toll Free number inside KSA 8003044434
International call: 009668003044434