Privacy Policy

This Data Protection Notice (“Notice”) sets out the basis on which Koyikodan Restaurant (“we”, “us”, or “our”) may collect, use, disclose or otherwise process personal data of our customers in accordance with the Personal Data Protection Law (PDPL) issued by Royal Decree No. M/19 dated 9/2/1443 AH (corresponding to 16 September 2021) and its Implementing Regulations. This Notice applies to personal data in our possession or under our control, including personal data in the possession of organizations which we have engaged to collect, use, disclose or process personal data for our purposes.

PERSONAL DATA

As used in this Notice:

- “customer” means an individual who (a) has contacted us through any means to find out more about any goods or services we provide, or (b) may, or has, entered into a contract with us for the supply of any goods or services by us; and

- “personal data” means any information, in any form, that relates to an identified or identifiable natural person, whether directly or indirectly.

Depending on the nature of your interaction with us, some examples of personal data which we may collect from you include name, national ID/Iqama number, residential address, email address, telephone number, IP address, user-agent and financial information.

Other terms used in this Notice shall have the meanings given to them in the PDPL and its Implementing Regulations (where the context so permits).

COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

4. We generally do not collect your personal data unless (a) it is provided to us voluntarily by you directly or via a third party who has been duly authorized by you to disclose your personal data to us (your “authorized representative”) after (i) you (or your authorized representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorized representative) have provided explicit consent to the collection and usage of your personal data for those purposes, or (b) collection and use of personal data without consent is permitted or required by the PDPL, its Implementing Regulations or other applicable laws. We shall seek your explicit consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorized by law).

5. We may collect and use your personal data for any or all of the following purposes:

(a) performing obligations in the course of or in connection with our provision of the goods and/or services requested by you;

(b) verifying your identity;

(c) responding to, handling, and processing queries, requests, applications, complaints, and feedback from you;

(d) managing your relationship with us;

(e) processing payment or credit transactions;

(f) complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority, including the Saudi Data and Artificial Intelligence Authority (SDAIA);

(g) any other purposes for which you have provided the information;

(h) transmitting to any unaffiliated third parties including our third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in the Kingdom of Saudi Arabia or abroad, for the aforementioned purposes, subject to compliance with cross-border transfer requirements under the PDPL; and

(i) any other incidental business purposes related to or in connection with the above.

6. We may disclose your personal data:

(a) where such disclosure is required for performing obligations in the course of or in connection with our provision of the goods and services requested by you; or

(b) to third party service providers, agents and other organizations we have engaged to perform any of the functions with reference to the above mentioned purposes, provided that such parties are bound by appropriate data protection obligations.

7. The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under a contract with you).

## RELIANCE ON LEGITIMATE INTERESTS

8. In compliance with the PDPL, we may collect, use or disclose your personal data without your consent where it is necessary for the legitimate interests of Koyikodan Restaurant or another person, provided that such interests do not override your fundamental rights and freedoms. In relying on this exception, Koyikodan Restaurant will conduct a legitimate interests assessment to ensure that any adverse impact on you is minimized and outweighed by our legitimate interests.

9. In line with the legitimate interests exception, we will collect, use or disclose your personal data for the following purposes:

a. Fraud detection and prevention;

b. Detection and prevention of misuse of services; and

c. Network analysis to prevent fraud and financial crime, and perform credit analysis.

The purposes listed in the above clause may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter.

WITHDRAWING YOUR CONSENT

10. The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is withdrawn by you in writing. You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.

11. Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within fifteen (15) business days of receiving it.

12. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described in clause 10 above.

13. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted or required under the PDPL, its Implementing Regulations or other applicable laws.

ACCESS TO AND CORRECTION OF PERSONAL DATA

14. If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.

15. Access and correction requests will be processed free of charge unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged. If so, we will inform you of the fee before processing your request.

16. We will respond to your request as soon as reasonably possible. In general, our response will be within fifteen (15) business days. Should we not be able to respond within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the extended timeline. If we are unable to provide you with any personal data or to make a correction requested by you, we shall inform you of the reasons (except where we are not required to do so under the PDPL).

PROTECTION OF PERSONAL DATA

17. To safeguard your personal data from unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks, we have implemented appropriate administrative, physical and technical measures in accordance with the PDPL and its Implementing Regulations, including but not limited to: minimized data collection, role-based access controls, encryption of data in transit and at rest, regular security audits, and employee training.

18. You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures in line with SDAIA guidelines.

ACCURACY OF PERSONAL DATA

19. We generally rely on personal data provided by you (or your authorized representative). In order to ensure that your personal data is current, complete and accurate, please update us promptly if there are changes to your personal data by informing our Data Protection Officer in writing or via email at the contact details provided below.

RETENTION OF PERSONAL DATA

20. We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by the PDPL, its Implementing Regulations or other applicable laws.

21. We will cease to retain your personal data, or anonymize it so that it can no longer be associated with you, as soon as it is reasonable to assume that such retention no longer serves the original purpose and is no longer necessary for legal or business purposes.

DATA PROTECTION OFFICER

22. You may contact our Data Protection Officer if you have any enquiries, complaints or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:

Contact No. : +966 50 783 8858

Email Address : koyikodanjed@gmail.com

DATA SUBJECT RIGHTS

23. In addition to access and correction, you have the right under the PDPL to:

- Request restriction of processing;

- Object to processing;

- Request data portability (where applicable); and

- Lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA).

CROSS-BORDER DATA TRANSFERS

24. Where personal data is transferred outside the Kingdom of Saudi Arabia, we ensure that such transfers comply with the PDPL and Implementing Regulations, including the use of approved standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms.

EFFECT OF NOTICE AND CHANGES TO NOTICE

25. This Notice applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

26. We may revise this Notice from time to time without prior notice. You may determine if any revision has taken place by referring to the “Last updated” date below. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.

Effective date: 04/11/2025

Last updated: 04/11/2025