Privacy Policy
1. Diriyah Company ("DIRIYAH GCOMPANY") or (“DC”) Privacy Notice
We may collect, depending on your use of the site, information about your “Personal Data”. The entity responsible for your Personal Data is Diriyah Company.
Diriyah Company is a closed joint stock company with registration number 1010648801 incorporated under the laws of the Kingdom of Saudi Arabia.
Diriyah Company, our affiliates, (also collectively referred to as "we" and "us"), take your data protection and privacy responsibilities seriously.
This Privacy Notice describes how we collect, process, use, disclose and transfer your Personal Data as a "data controller". A "data controller" is an entity which determines why and how Personal Data is processed.
2. Privacy Notice Updates
This notice was updated in September 2024. We reserve the right to amend it occasionally in line with legal requirements and how we conduct our business. Please check this page regularly for the latest version of our Privacy Notice.
3. Third Party Websites
Diriyah Company Websites and Applications may link you to other websites, including those of our partners, advertisers, and affiliates. We are not responsible for the way in which third-party websites operate or the way in which they may process any Personal Data which you provide to them. It is important that you understand this and check their respective privacy policies and terms of use.
We may also, from time to time, partner with advertising networks and other online advertising providers in order to deliver advertisements on our behalf or on behalf of other non-affiliated parties on our websites and across the internet. These advertisements may be presented to you based on products and services the advertising providers think are relevant to your interests. These preferences may be inferred based on information collected about your browsing behavior on our websites and other non-affiliated sites and apps across time. We will always obtain your consent prior to engaging in such targeted advertising.
The information posted by you on public areas of Diriyah Company Websites or elsewhere on the internet may be seen and used by anyone including Diriyah Company. Please be cautious before posting such information.
4. What Personal Data We Collect and When and Why We Use it
What is Personal Data
Personal Data in this Privacy Notice means any statement, regardless of its source or form, that specifically identifies a user or makes it identifiable directly or indirectly, including but not limited to names, personal identification numbers, addresses, contact numbers, license numbers, records, personal property, bank account numbers, credit cards, still and moving user photos, and other data of a personal nature..
In this section, we describe what Personal Data we collect, and how we use that Personal Data and, where required under applicable laws and regulations the legal bases for each processing activity. We do not process your Personal Data in a manner that is inconsistent with the purposes set out below or in a manner that is inconsistent with applicable laws and regulation. A further description of the legal bases is set out at section 5 of this Privacy Notice.
If you choose not to provide us with all or some your Personal Data described below, our ability to provide you with our services and your ability to use the Diriyah Company Websites may be affected.
Purchasing tickets or other Diriyah Company Products
If you use the Diriyah Company Websites to purchase tickets, Diriyah Company merchandise etc., we will collect and use information about you as necessary to manage the purchase. This may include Personal Data such as your name, date of birth, address, contact information (such as phone number and e-mail address), billing information, as well as information collected about your navigation patterns on our websites, gender, nationality and city. We may also seek to collect from you sensitive Personal Data in order to enhance your purchase and visitor experience. These sensitive Personal Data such as biometric data , may include details such as whether you use a wheelchair and whether you have any food preferences or dietary requirements.
Legal basis: Contract Performance, Legitimate Interests (to enable us to operate our business and perform our obligations), Where this includes sensitive Personal Data , we rely on Explicit Consent.
Customer Support and Online Services
If you contact us by way of email, live chat, Whatsapp or any other facility made available by Diriyah Company with a query about any of our services or products, we will need to collect information about you (including your contact details) to help us respond to your query or request or provide our services to you. We may do this when you call our customer support center or interact with us through our online support tools. This information may include identification data (such as your name, date of birth, gender, city, nationality etc.), contact details (such as email address and telephone number).
We may also keep a record of any communications we have with you (including a recording of any calls you make). We do this to help monitor and improve the quality of our customer support services, and to comply with legal obligations to which we are subject. If you do not wish to have your calls recorded, please disconnect and contact us as follows: [email protected].
Legal basis: Contract Performance, Legitimate Interests (to enable us to provide our services and support), Legal Obligations (where applicable).
Creating registered accounts on Diriyah Company Websites. There are a number of sections of the Diriyah Company Websites which we require you to register for in order to be able to make full use of the services available under them.
If you register with us to create a Diriyah Company Websites, account, we may process your Personal Data to manage your access to certain parts of Diriyah Company Websites and, if applicable, allow you to make certain purchases (such as tickets and merchandise) or receive certain services.
If you register with us to create a Diriyah Company Websites account, the Personal Data we will collect from you may include identification data (such as your name, age, gender, and country of residence), contact details (such as your email address, phone number and address), and may also include professional information about you and your photo. If you choose to register an account with us by using a third party app (such as but not limited to Google and Apple), you will be presented with a dialogue box which will ask your permission to allow Diriyah Company to access your Personal Data from that third party app (e.g. your full name, date of birth, email address and any other information you have made publicly accessible). Please note that any information that is not required will not be retained by Diriyah Company.
If you create an account with us, we may use your Personal Data to verify your identity when using the Diriyah Company and provided we obtain your Consent Websites. We may also use your contact details to send you transactional and other non-marketing email messages pertaining to your account and provide certain other account maintenance services to facilitate your transactions with Diriyah Company and/or your use of the services we offer on Diriyah Company Websites.
Legal basis: Contract Performance, Legitimate Interests (to enable us to provide and manage your account and perform our obligations), Legal Obligations (where applicable).
To provide you with Marketing and Advertising Communications
Subject to your marketing preferences. and provided we obtain your Consent, we may use your Personal Data to market and promote our own and selected business partners’ products and services to you by post, email, SMS, social, media, phone including:
Where you would like us to keep you informed about latest news and developments at Diriyah Company through our newsletter or other means;
from time to time, we hold events and special promotions to introduce Diriyah Company to interested parties. If you come to one of these events, or take part in a promotion, we may ask for your personal details to help us run the promotion and keep in touch with you about our services and any special offers or competitions that we think may be of interest.
For more information about direct marketing, please see section 7 below.
Legal basis: Consent (for Direct Marketing), Legitimate Interest (for sending Advertising Material in case of a prior interaction between Diriyah Company and the targeted recipient).
Participation in Diriyah Company as a Volunteer
If you use Diriyah Company Websites to apply to become a volunteer, we will collect and use information about you as necessary to manage the application process and, if successful, your participation in the volunteering program. This may include communicating information with you which we deem to be of relevance to your participation in Diriyah Company. The Personal Data we collect from you may include your name, date of birth, address, nationality, next of kin details, identification information (such as your national or Iqama ID number), contact details (such as phone number and e-mail address), information about your health (such as whether or not you have a disability and dietary requirements), biometric information, employment and education history and third party data about you (to the extent permitted by law), for example, your Twitter, Facebook or other social media profiles.
Legal basis: Contract Performance, Legitimate Interests (to enable us to evaluate your volunteer application). Where this includes sensitive Personal Data , we rely on Explicit Consent.
Participation in Diriyah Company
If you contact us with a view to becoming a business partner of Diriyah Company or to attend Diriyah Company in a business capacity, we will need to collect information about your business, which may include Personal Data (for example, your contact details) to help us respond to your query or request. We may do this when you call us or interact with us through our online support channels The information we collect may include, for example, your name, date of birth, address, email, telephone number, photograph, passport details, nationality, visa details (if applicable), bank account details (such as your IBAN), executive management names and identification information (such as your Saudi or Iqama ID number).
Legal basis: Contract Performance.
In Connection with Legal or Regulatory Obligations
We may process your Personal Data to prevent fraud, protect Diriyah Company’s business, comply with our regulatory requirements or dialogue with regulators as applicable which may include disclosing your Personal Data to third parties (to the extent permitted by law), the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings, or investigations by such parties anywhere in the world or where compelled to do so.
Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
Legal basis: Legal Obligations. Where this includes sensitive Personal Data, we rely on ,Explicit Consent.
Additional Information
Sometimes we will require you to provide additional Personal Data. When we do this, we will provide further information about why we are collecting it and how we will use it. Where we provide personalized content, we may ask your permission (and we therefore rely on Consent as our legal basis) to review third-party data about you, for example, your social media information, to get to know you better and to provide more effective personalization.
Automatic Collection for the Purpose of Analytics, Research and Improvement
Diriyah Company may use cookies, pixel tags, local storage, and other technologies to automatically collect information through the services. These are collected for the purposes of:
· Developing the design and style of our products and services to make improvements.
· Carrying out statistical, technical, and logistical analysis and strategic development.
· Carrying out market research.
· Understanding more about you such as your location and demographic information.
· Providing you with personalized services, such as recommendations on our websites and apps and in direct marketing and tailored advertising.
· If you purchase a ticket from us, to help you to create personalized pathways through the Diriyah Company site on the basis of your preferences which we will have ascertained from your navigation of Diriyah Company Websites and, once you are on the Diriyah Company site, through location tracking carried out through our mobile application.
Diriyah Company Websites collect information about how you use our content online and the device(s) you use to access the site. This includes collecting unique online identifiers such as IP addresses, which are numbers that can uniquely identify a specific computer or another network device on the internet. See our Cookie Policy for more information.
Legal basis: Consent unless we can rely on Legitimate Interest (to keep you updated with news in relation to our products and services and to enable us to analyze how you interact with our communications).
5. Legal Basis for Using Your Personal Data
A description of the legal basis used to process Personal Data referred to in section 4 above are set out below:
Contract Performance: where we need to use your Personal Data to perform a contract or take steps to enter into a contract with you.
Legitimate Interests: where we use Personal Data to fulfil our legitimate interests as an organization (or those of any third party) without prejudices to your data protection rights.
Legal Obligations: where we need to use your Personal Data to comply with a relevant legal or regulatory obligation that we have.
Consent: where we have your consent to use your Personal Data for a particular activity. You are free to withdraw your consent by contacting us at any time using the details set out at section 14 of this Privacy Notice. If you do so, we may be unable to provide a benefit, good or service that requires the use of such Personal Data.
A description of the legal basis used to process Sensitive Data referred to in section 4 above is set out below:
Explicit Consent: Explicit Consent in this Privacy Notice means you giving your direct and explicit consent in any form that clearly indicates your acceptance of the processing of your Personal Data in a manner that cannot be interpreted otherwise and whose obtention can be proven and where you have given explicit consent to the processing of your Sensitive Data for one or more specified purposes or, if you are resident in the Kingdom of Saudi Arabia or your data is processed in the Kingdom of Saudi Arabia.
For the purpose of providing you with direct marketing. You are free to withdraw your consent at any time by contacting us using the details set out at section 14 of this Privacy Notice. If you do so, we may be unable to provide a benefit, good or service that requires the use of such Personal or Sensitive Data.
If you would like to find out more about the legal bases upon which we process Personal Data, please contact us using the details set out at section 14 of this Privacy Notice.
6. How We Share Information with Others
We work closely with a number of trusted partners with whom we may need to share your Personal Data for the purposes (and in strict accordance with applicable laws and regulations) set out at section 4 above, including:
Our affiliates and advisors.
Banks and payment providers, to authorize and complete payments.
third parties who help manage our business and deliver services.
Where permitted to do so and in accordance with applicable laws, we may share your Personal Data with our partners who may send you marketing and promotional information.
From time to time, we may share information about you with government organizations and agencies, including international organizations, to comply with applicable laws, regulations and rules, and legitimate requests from law enforcement, regulatory and other governmental or international agencies, or when to do so is in our legitimate interests, even if we are not compelled to share that information by applicable law.
In all cases when we share your Personal Data, we implement all necessary technical, organizational, administrative and security measures to safeguard your Personal Data. We only share your Personal Data to the minimum extent necessary to achieve the purposes of processing set out in this Privacy Notice and in accordance with applicable law.
7. More About Direct Marketing, Profiling and Automated Decision Making
Direct marketing
We are committed to keeping you informed about Diriyah Company and our products and services that are in line with your personal preferences.
We will usually send this by email, but, depending on your preferences, we may contact you in other ways, for example, by phone, post, SMS, social media, and/or other electronic means if that is more appropriate.
Managing your marketing preferences
To protect privacy rights and to ensure you have control over how we manage marketing with you:
We will only send you marketing communications if you have provided your consent, including direct marketing communications.
We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications that we believe may be of interest or relevance to you.
to stop receiving marketing material from us, you can click the "unsubscribe" link that you will find on any electronic communications that you receive from us, or, for other types of communications, by contacting us as per the details set out at section 14 below.
You can change the way your browser or device manages cookies, which may be used to deliver online advertising, by following the settings on your browser as explained in Diriyah Company’s Cookie Policy.
We recommend you routinely review the Privacy Notice and preference settings that are available to you on any social media platforms.
More about profiling and analytics
In order to assist us in conducting our processing purposes, we may apply profiles to you based on your Personal Data, including the Personal Data you have provided to us; behavioral information (such as pages on our website or app that you have interacted with); demographic data; and Personal Data that we have legitimately obtained from third parties or public sources. Such profiles may be used for processing purposes of enhancing and improving our services, tailoring content to you, personalizing your experience, and for our research and development purposes. Where we make decisions solely on the basis of automated processing of your Personal Data, we will only do so with your Explicit Consent
One of the methods we use is installing and using cookies on your browser or device. You can learn more about how to adjust settings relating to Cookies on your browser and device and about our Cookie Policy at diriyah.sa/en/cookie-policy
8. Transferring Personal Data Internationally
We store and process your Personal Data in the Kingdom of Saudi Arabia. Your Personal Data may also be shared with and processed by other entities outside the Kingdom of Saudi Arabia or the country from which your Personal Data was collected. in accordance with applicable laws.
We only share your Personal Data with entities that provide an adequate level of equivalent protection to your Personal Data with reference to adequacy decisions issued by the competent regulatory authority as we do or where we are otherwise permitted to do so by applicable law.
In the absence of an adequacy decision, we only transfer your Personal Data to jurisdictions that afford the same standard of protection to Personal Data as is provided in the Kingdom of Saudi Arabia or where we are otherwise permitted to do so by applicable law, if, for example, a special circumstance applies (e.g. the transfer is necessary for the performance of a contract with you, the transfer is necessary to comply with certain legal obligations or it is to protect your vital interest) and/or we have implemented certain additional appropriate safeguard security measures to protect it, including:
Ensuring that standard contractual clauses approved by the competent regulatory authority are in place between us and the entity receiving your Personal Data.
Ensuring that there are binding common rules approved by the competent regulatory authority in place between us and the entity receiving your Personal Data.
Ensuring that we have carried out an assessment in respect of the transfer we want to undertake.
In all cases, we implement necessary and appropriate measures to safeguard your Personal Data when we transfer it outside of the Kingdom of Saudi Arabia or to another jurisdiction from where we have collected it and only ever share the minimum amount needed for the transfer.
· You can contact us for more information about the safeguards we have put in place to ensure the adequate protection of your Personal Data when this is transferred, as mentioned above, using the contact details set out in section 14 of this Privacy Notice.
9. How We Protect and Store Your Information
· We take all necessary steps required by applicable laws and regulations to protect your Personal Data, including implementing all appropriate technical, organizational, and administrative security measures. This includes physical, electronic, and administrative procedures that ensure that your Personal Data is safeguarded from loss and misuse as well as unauthorized access, deletion, disclosure, alteration, and destruction.
· Where you disclose information to us using our mobile app, please ensure that your device remains safe. We cannot be held responsible for any data misuse arising from unauthorized access to your device.
· Where we have given you (or where you have chosen) a password that enables you to access certain parts of our websites/mobile apps, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.
· We will store your Personal Data for only as long as is necessary for the purposes for which it was collected, as explained in this Privacy Notice, and any permissible related purpose(s).
· In some circumstances, we may need to store your Personal Data for longer periods of time, for instance, where we are required to do so in accordance with legal, reporting, regulatory, and accounting obligations or in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Data or dealings. Should you require further information about how we retain your Personal Data you can contact us as per the details set out at section 14 below.
· Where your Personal Data is no longer required, we will ensure it is disposed of or anonymized in a safe manner.
10. Your Rights
You have certain rights available to you when it comes to your Personal Data that is processed under this Privacy Notice. Please note that these rights may vary depending on where you are located and the data protection laws that apply to you, and the exercise of such rights may be subject to certain exemptions. In all cases, we comply with and respect the data subject rights granted under applicable laws and regulations to which our processing activities are subject and have implemented all necessary technical, organizational, and administrative measures to guarantee those rights, including the right to access, deletion, portability, information and correction (in each instance, as applicable).
In order to exercise such rights or to obtain further information, you should contact us using the contact details set out at section 14 below. We will check your entitlement and respond in most cases within 30 days.
We will ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to the Personal Data that you have provided to us by contacting us using the contact details set out at section 14 below.
For residents in the Kingdom of Saudi Arabia, you have the following rights (subject to certain limitations)
o To be informed about the processing that affects your Personal Data, including the purpose and legal basis for such processing.
To access your Personal Data in a clear and readable format.
To request a copy of your Personal Data in a readable and clear format.
To withdraw your consent from processing that rely on consent as a legal basis.
To request the correction, completion, or updating of your Personal Data.
o To opt out of receiving marketing communications.
To request the destruction of your Personal Data which Diriyah Company no longer requires and does not need to be retained to comply with our legal obligations.
11. Information About your Dependent and Related Persons
If you provide Diriyah Company with Personal Data about your next of kin and/or related persons for emergency contact or any other purposes, it is your responsibility to inform such individuals about such activities, to direct them to this Privacy Notice, and to obtain their consent, where necessary and required under applicable laws and regulations, to the processing (including transfer) of their Personal Data as set out in this Privacy Notice.
12. Collection of Data from Minors
If you are resident in the Kingdom of Saudi Arabia and under the age of 18 or, alternatively, are resident elsewhere and are not yet the relevant age of majority in the jurisdiction in which you reside, we are not permitted to contract with you directly.
We do not knowingly collect or process Personal Data from individuals who are under the age of 18. If you are under 18, please speak to your parent(s) or legal guardian(s) before using the Diriyah Company Websites or our other services. We will verify that you have obtained your parent’s or legal guardian’s consent before collecting your Personal Data and providing you with our services, where we are required to do so by applicable law.
If you are a parent or guardian of someone under 18 who has provided us with Personal Data, please contact us using the details set out in section 14 of this Privacy Notice.
13. Limitation Of Liability
Under no circumstances shall Diriyah Company be liable for any direct or indirect, special, incidental, or consequential damages that may arise from a claim of breach of this privacy notice.
Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages. Our liability is limited to the greatest extent permitted by applicable law in such jurisdictions.
14. Contact Us
If you have any questions, concerns, or complaints regarding our compliance with this Privacy Notice and applicable laws and regulations, if you wish to withdraw your Explicit Consent, or if you want to exercise your rights, kindly send us an email at [email protected]
We will review and respond to your requests within a period not exceeding (30) days. This period may be extended if the implementation requires disproportionate effort or if Diriyah Company receives multiple requests from you. The extension will not exceed an additional (30) days, and you will be notified in advance of the extension with the reasons for such extension.
If you are dissatisfied with our handling of your personal data or our response to your rights, you may contact the Competent Authority, the Saudi Data and Artificial Intelligence Authority (SDAIA), at https://sdaia.gov.sa/en/Contact/Pages/ContactUs.aspx
We encourage you to resolve any issues with Diriyah Company first before contacting the regulator.