Privacy Policy

This Privacy Policy describes how Rafeqi ("we", "us", "our") collects, uses, protects, and shares your personal data when you use our mobile application and related services within the Kingdom of Saudi Arabia.

We comply with the Saudi Personal Data Protection Law (PDPL), issued by Royal Decree No. (M/19) and its Implementing Regulations, supervised by the Saudi Data and AI Authority (SDAIA), alongside other applicable Saudi regulations.

1. Scope

Rafeqi provides a pet care platform covering: pet adoption and fostering, veterinary clinic bookings, animal rescue reports, provider offers and reviews, and an in-app wallet with payments. This policy applies to all users (individuals, veterinary clinics, foster homes, and licensed associations).

2. Personal Data We Collect

a) Data you provide directly

• Account data: full name, Saudi mobile number, email address, password (hashed), profile photo, city.
• Verification: SMS one-time password (OTP) used to verify your phone number.
• Pet data: name, species, breed, age, gender, photos, health status, and any medical history you choose to share.
• Uploaded content: photos and descriptions of adoption/fostering listings, rescue reports, clinic ratings and reviews.
• Payment data: all card and Mada details are processed directly by Moyasar, a payment provider licensed by the Saudi Central Bank (SAMA). We do not store full card numbers or CVV on our servers.
• Wallet data: deposits, withdrawals, and in-app transaction history.
• Provider data (clinics/foster homes): facility name, commercial registration, professional license, address, working hours, specialties.
• Communications: your messages to support and our replies.

b) Data we collect automatically

• Location: precise or approximate device location — requested only with your explicit consent, used to surface nearby clinics, foster homes, adoption listings, and to geotag rescue reports.
• Device data: device model, OS and version, language, time zone, device identifier.
• Push tokens: Firebase Cloud Messaging or APNs tokens used to send notifications.
• Usage and logs: IP addresses, screens visited, session timestamps, crash reports — for security and performance.

3. Legal Basis for Processing

We process your personal data on one or more of the following lawful bases under the PDPL:

• Explicit consent — for location access and marketing notifications.
• Performance of a contract — to provide adoption, fostering, vet booking, and payment services.
• Legal obligation — to comply with the Zakat, Tax and Customs Authority (ZATCA), anti-money-laundering rules, and lawful governmental requests.
• Legitimate interest — to protect the platform from fraud and abuse, and to improve our services.

4. How We Use Your Data

• Create your account and verify your mobile number via OTP.
• Show nearby adoption listings, foster homes, clinics, and offers.
• Manage adoption and fostering requests, vet bookings, and rescue reports.
• Process payments, fees, and your wallet balance.
• Send account, transaction, and reminder notifications (e.g., booking time).
• Respond to your inquiries and provide support.
• Detect fraud and abuse and suspend non-compliant accounts.
• Improve the app and develop new features using aggregated, de-identified data.
• Comply with Saudi laws and respond to lawful governmental requests.

5. Data Sharing & Disclosure

We do not sell your personal data. We may share specific data only in these cases:

• Payment processor (Moyasar): to process payments and wallet transactions, within Saudi Arabia and in accordance with SAMA regulations.
• Veterinary clinics, foster homes, and adoption listers: we share your name, mobile number, and request/booking details only as necessary to fulfill the service.
• Infrastructure providers: cloud hosting, Firebase (Google) for push notifications and crash analytics, and an SMS provider for sending OTP codes.
• Government and judicial authorities: when a lawful request is received from a competent Saudi authority (SDAIA, Public Prosecution, security agencies, courts).
• Professional advisors: lawyers and auditors when necessary, under confidentiality obligations.
• Corporate transactions: in case of merger or acquisition, with prior notice to you.

6. International Data Transfers

Your core data is stored on servers located in the Kingdom of Saudi Arabia or in approved cloud regions. Limited operational data (such as push tokens and crash reports) may be transferred to trusted international service providers, in accordance with the safeguards required by the PDPL and its Implementing Regulations issued by SDAIA.

7. Data Security

We apply appropriate technical and organizational measures, including:

• TLS/HTTPS encryption for data in transit.
• Hashed (not plaintext) password storage.
• Payment authorization via a PCI-DSS-compliant provider.
• Access controls based on the principle of least privilege.
• Monitoring, intrusion detection, and routine backups.

No system is 100% secure — please choose a strong password and never share your OTP code with anyone.

8. Data Retention

• Account data: for as long as your account is active, until deletion.
• Financial records and invoices: at least 10 years, to comply with the Zakat, Tax and Customs Authority (ZATCA).
• Security and audit logs: up to 24 months.
• Content tied to legal disputes: until the dispute is resolved and statutory periods expire.
• Aggregated, de-identified data: may be retained for statistics and service development.

You may request deletion at any time — see the Data Deletion page.

9. Your Rights Under the PDPL

The Saudi PDPL grants you the following rights:

• Right to be informed about how your data is processed and the legal basis.
• Right of access to a copy of your personal data.
• Right to rectification of inaccurate or incomplete information.
• Right to destruction when the purpose has ended or you withdraw consent.
• Right to data portability in a structured, machine-readable format.
• Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
• Right to lodge a complaint with the Saudi Data and AI Authority (SDAIA).

To exercise any of these rights, contact us at privacy@rafeqi.sa. We will respond within 30 days of receiving your request and verifying your identity.

10. Minors' Privacy

The app is intended for users 18 years of age or older. We do not knowingly collect personal data from minors below this age. If we become aware that a minor has provided data without parental consent, we will delete it promptly. Parents who believe their child has provided us data may contact privacy@rafeqi.sa.

11. Cookies and Tracking

On our administrative web interfaces, we use essential cookies to manage sessions and protect forms (CSRF). Within the mobile app, we use limited analytics tools (such as Firebase) for performance measurement and crash detection — these can be disabled in your device settings at any time.

12. Marketing Communications

We may send you marketing notifications about offers and new features after obtaining your consent. You can opt out at any time from the app settings or by contacting us.

13. Changes to This Policy

We may update this policy from time to time to reflect changes in our services or applicable regulations. We will notify you of material changes via the app or email a reasonable time before they take effect. Continued use of the app after an update constitutes acceptance of the revised policy.

14. Complaints and Contact

If you have any privacy-related question or complaint, please contact us first — we will work to resolve it promptly:

You also have the right to lodge a formal complaint with the Saudi Data and AI Authority (SDAIA) through its official channels if you are not satisfied with our response.