Privacy Policy

Introduction

Saudi Post | SPL is dedicated to safeguarding the privacy and security of the personal data processed during the provision of our postal, logistics, digital, and financial services. This Privacy Notice, prepared in compliance with the Personal Data Protection Law (PDPL) and its Implementing Regulations, outlines how we collect, use, store, destroy, disclose, and protect personal data. It also highlights your rights as a data subject under the law.

 

Personal Data Processing & Purpose

Personal data refers to any information that can identify an individual directly or indirectly. We process only the personal data necessary to deliver and improve SPL services, including but not limited to:

  • Name, gender, date of birth, nationality → For account setup and verification.
  • ID/Iqama/passport number → For secure identification.
  • Address details → For shipment delivery and location-based services.
  • Email and phone numbers → For notifications, customer support, and account recovery.
  • Payment information → For billing and transaction processing.
  • Device and usage data → For analytics, fraud detection, and improving digital experiences.
  • Shipment data, geolocation, and call recordings → For service fulfilment, quality assurance, and dispute resolution.

This data is processed for the following purposes:

  • Account creation and/or identity verification via Nafath.
  • Address and shipment management.
  • Digital notifications and customer support.
  • Compliance with regulatory requirements.
  • Data analytics and marketing communications (with consent).

 

Methods of Collection

  • Personal Data is collected directly through online forms, mobile applications, service counters, call center interactions, and smart devices (such as parcel lockers).

We do not buy or harvest personal data from third-party sources for selling.

 

Use of Personal Data

Personal data is used exclusively for the purposes specified in Clause Two. We do not sell it or use it for advertisements unrelated to the services, nor for the benefit of entities not affiliated with SPL.

SPL is committed to ensuring that any third party (processor or sub-processor) handling the data on its behalf complies with the Personal Data Protection Law and its implementing regulations, through contracts and agreements that enforce such compliance and guarantee the protection of the data subject’s rights.

Appropriate protective measures are also applied to such data, including encryption and access control policies.

Compliance is regularly monitored through audits and internal reviews, including annual audits and compliance testing, to ensure all requirements of the Personal Data Protection Law are met.

In the event that personal data is processed for a purpose different from the purpose for which it was originally collected, the data subject will be notified in advance, and the legal basis and procedures followed to ensure compliance with applicable laws and regulations will be clearly explained.

 

Storage, Retention & Secure Destruction

"SPL" is committed to storing personal data in accordance with the regulations and laws of the Kingdom of Saudi Arabia, on secure servers managed by authorized service providers, ensuring full compliance with all relevant regulations and laws. "SPL" implements strict technical and organizational controls, including encryption, access control procedures, and risk management, in line with the National Cybersecurity Policies, ISO/IEC 27001 standards, and international best practices.

Personal data is retained only for the duration necessary to fulfill the purposes specified in the Privacy Notice or as required by applicable laws and regulations. Once the purpose for data collection is achieved or the statutory retention period has ended, the data is securely destroyed in a manner that ensures unauthorized access is prevented.

 

Legal Bases for Processing

"SPL" processes personal data in accordance with Article (6) of the Personal Data Protection Law and Article (16) of its Implementing Regulations. Each type of processing is based on a specific legal basis as follows:

  • Consent: We rely on your consent for optional services such as marketing messages, which you may withdraw at any time using any legally available means.
  • Contractual Obligations: We process your data to fulfill contractual obligations, such as creating an account or providing shipping and delivery services.
  • Legal Compliance: In some cases, we process data to comply with legal obligations, such as customs requirements or responding to requests from competent authorities.
  • Legitimate Interest: We may rely on SPL's legitimate interest in protecting systems, preventing fraud, and improving service quality. This interest is carefully evaluated through impact assessment models to ensure it does not conflict with your legally established rights.
  • Sensitive Personal Data: If sensitive personal data is processed, it is done in accordance with the Personal Data Protection Law by obtaining consent and applying strict security measures to protect such data.

 

Data Subject Rights under PDPL

  1. The right to be informed about the purposes of processing and its legal basis.
  2. The right to access the personal data held by SPL.
  3. The right to request and obtain the personal data held by SPL in a clear and readable format.
  4. The right to correct inaccurate, incomplete, or outdated data, in accordance with the legal requirements governing this right.
  5. The right to request the destruction of personal data if the purpose for which it was collected no longer exists, unless retention is required by law.
  6. The right to withdraw consent and object to the processing of data for direct marketing purposes.
  7. The right to restrict or suspend processing temporarily in certain cases.
  8. The right to file a complaint with the competent regulatory authority (Saudi Data and Artificial Intelligence Authority – SDAIA / National Data Management Office).

 

Sharing & Cross‑Border Disclosure

"SPL" does not sell or rent personal data under any circumstances. Personal data may only be shared in the following cases:

  • With service providers and affiliates within Saudi Arabia: This is done under written contracts that include terms and guarantees for data protection, in compliance with the Personal Data Protection Law (PDPL), its Implementing Regulations, and the Data Sharing Policy.
  • With regulatory, judicial, or security authorities: This occurs only when required by law or by an order issued by a competent authority in Saudi Arabia.

Transfer of Data Outside the Kingdom

The transfer of personal data outside Saudi Arabia is conducted in accordance with Articles (29 to 32) of the Personal Data Protection Law, the Personal Data Transfer Regulations, and SPL's commitments as follows:

  • Equivalent Protection: Data is transferred only to countries or entities that provide a level of protection equivalent to what is stipulated in the law, based on an official classification by the competent authority.
  • In the Absence of Official Classification: If there is no official classification for the receiving country, SPL relies on contractual guarantees or internal regulations to ensure data protection in compliance with the provisions of the law and its Implementing Regulations.
  • All transfers are subject to a Transfer Impact Assessment (TIA) to identify and address potential legal and security risks.
  • Additional Safeguards: Measures such as encryption, access restriction, and purpose limitation are applied to protect data during and after the transfer.
  • Documentation and Approvals: No international transfer is executed without documenting the justifications, conducting a legal review, and obtaining approval in accordance with applicable regulatory requirements.

 

Exercising Your Rights

Under the Personal Data Protection Law (PDPL), you have the right to access, correct, or request the destruction of your personal data. You may also submit privacy-related complaints or inquiries through one of the following methods:

To protect your data and prevent unauthorized access, we may require identity verification (e.g., national ID number or supporting documents) before processing your request.

We will acknowledge receipt of your request within five (5) business days and respond within ninety (90) calendar days, unless an extension is permitted under the PDPL.

If you are not satisfied with our response, you may escalate your complaint to the competent regulatory authorities:

 

Personal Data Protection Officer

For any inquiries, concerns, or complaints related to personal data protection, you may contact our Data Protection Officer (DPO) through the following:

Data Management Office – SPL
📧 Email: privacy@splonline.com.sa
📍 Address: SPLD2929  

 

Record of Processing Activities (RoPA)

In accordance with the Implementing Regulations of the Personal Data Protection Law, SPL maintains a Record of Processing Activities (RoPA), which includes:

  1. Processing purposes and legal bases:
    Clearly defining the objectives for processing personal data and the legal or regulatory bases supporting these activities.
  2. Categories of Data Subjects and data types:
    Describing the categories of individuals whose data is processed (e.g., customers, employees) and specifying the types of personal data collected.
  3. Recipients and processors:
    Identifying entities and processors with whom personal data is shared, including internal and external parties.
  4. Retention and deletion protocols:
    Outlining the policies for retaining personal data and the procedures for securely deleting it when no longer needed.
  5. Cross-border transfer safeguards:
    Detailing the measures and guarantees in place to protect personal data during transfers outside the Kingdom.
  6. Risk classification per activity:
    Conducting a risk analysis for each data processing activity, classifying risks, and describing measures to mitigate potential impacts.
  7. Contact details of the controller:
    Including the name and contact information of the entity responsible for personal data processing.
  8. Data Protection Officer (DPO) information:
    Providing the name and contact details of the designated officer responsible for overseeing data protection compliance.
  9. Security measures:
    Documenting the technical and organizational measures implemented to safeguard personal data and ensure its integrity.

 

Security Incidents & Data Breach Response

In the event of a personal data breach, SPL will notify the competent authority within seventy-two (72) hours of becoming aware of the incident and will inform affected individuals if the breach is likely to harm their personal data or rights.

 

Related Regulations and Policies

This Privacy Policy has been prepared in accordance with the following regulations, policies, and guidelines:

  1. The Personal Data Protection Law (PDPL)
  2. The Implementing Regulations of the Personal Data Protection Law
  3. Policies issued by the National Data Management Office (NDMO)
  4. Controls and guidelines issued by the National Data Management Office (NDMO)

These regulations, policies, and guidelines have been referenced to follow best practices in personal data protection and to ensure full compliance with regulatory and legal requirements within the Kingdom.

 

SPL Administration

SPL is responsible for implementing the Privacy Notice, overseeing its application, and ensuring compliance with it.

This notice may be updated as needed to comply with the applicable regulations in the Kingdom of Saudi Arabia, and any changes will be published on the official website.

SPL conducts internal assessments to ensure full compliance with the law, including conducting Privacy Impact Assessments when necessary, such as when using new technologies or processing sensitive data.

 

The last update to this Privacy Notice was made on 26 August 2025