Privacy Policy

1. Definition

In this Privacy Policy, the following expressions have the following meanings:

1.1. “TG” or “the Company” means Tarabut Gateway Group, its affiliates, and subsidiaries.

1.2. “Client” or “End-User” in certain instances may be a visitor to the Company’s site, a customer that is an individual, or a corporate customer (Bank, Merchant, FinTech’s, etc.) or a user of the Company’s products and services.

1.3. “Staff or Applicant” means any individual who currently holds an employment contract with TG (either part-time or full-time) or an individual that applies for a job opportunity.

1.4. “Developer” means an entity or an individual person accessing or using TG’s Developer Portal under their sole discretion or on behalf of another entity.

1.5. “Developer Portal” means the development and sandbox environment that is provided by TG.

1.6. “Data Subject” means the Client, End-User, Staff or Applicant which owns the data.

1.7. “Data Provider” means the Data Subjects, collectively, which consensually provide their personal data to TG.

1.8. “Services” means account information services (AIS), payment initiation services (PIS), or developer portal services – open banking related services.

 

2. Introduction

2.1. TG as a Group of regulated and licensed entities in various jurisdictions aims to build a new world of financial services in the MENA region through its Open Banking services (AIS/PIS).

2.2. TG values transparency and strives to provide its data providers with a clear and concise description of how it treats their personal data and ensures its privacy and security. As such, the Company has developed this Privacy Policy which describes how TG, collects, uses, discloses, shares, and protects personal data.

 

3. Application and Acceptance

3.1. This Privacy Policy applies to all data providers. All data providers must read this Privacy Policy in its entirety and carefully.

3.2. By utilizing TG’s services, providing information through the website and when applying to a job through any of the social media channels / other portals, the data providers signify acceptance of the terms of this Privacy Policy and its updates/amendments from time-to-time.

 

4. Change to the Privacy Policy

4.1. To the extent legally permissible by the applicable laws and regulations, any content contained in this Privacy Policy shall be subject to change, modification, alteration, or otherwise, in the Company’ sole discretion.

4.2. Unless otherwise indicated, amendments/ updates will be effective immediately upon publishing. Any updates to this Privacy Policy will be available through TG’s website.

 

5. Personal Data

5.1. Data providers must refer to Appendix A for details on the type of personal data TG collects and the purpose for data processing.

5.2. TG undertakes that all information must be processed lawfully, fairly, and in a transparent manner in relation to the data providers. TG will only collect information needed to provide the services and process the data for the purpose defined in this Privacy Policy.

5.3. TG will collect and process information for legitimate purposes and:

    • not use the information in ways that have unjustified adverse effects on the data providers,
    • be transparent about how TG intends to use the information and provide notification of the same,
    • handle the information only in ways the data providers would reasonably expect; and
    • not commit any unlawful action with the collected information.

 

6. Collection of Data

6.1. TG collects Personal Data as stated in Appendix A in the following manner:

    • For AIS/PIS end-users, TG collects the Personal Data obtained from the Account Servicing Payment Services Providers “ASPSPs” (i.e., any payment service provider, such as a bank or a credit card issuer that maintain an online payment account on behalf of the End-User).
    • For Clients, TG collects the Personal Data from the Know Your Business “KYB” form and supporting documentation, email correspondences, information provided during project execution or through third-party sources.
    • For a visitor to TG’s website, the Personal Data is collected when subscribing to the newsletter or through the ‘contact us’ form.
    • For Staff, TG collects Personal Data during the recruitment process and performance reviews either from the Staff, third-party application/process or is created by TG in course of recruitment process after obtaining Staff explicit consent.
    • For an Applicant, TG collects Personal Data through social media platforms, other recruiting portals, email correspondence and TG’s website.
    • For a Developer, TG collects Personal Data during registration to the Developer Portal.

6.2. In addition to some of the specific uses of information this Privacy Policy covers, TG may use information that it receives in order to:

    • manage, develop, operate, improve, deliver, maintain, and protect its services
    • communicate by all means of communications, including by email (for example, to exchange information about its services and promotional offers that it thinks may interests data providers)
    • monitor, analyse trends and usage
    • enhance the safety and security of services
    • verify Client or End-User identity and prevent fraud or other unauthorized/illegal activity
    • verify accounts, records, and information
    • satisfy governmental agencies requirements
    • manage the data and data bank

 

7. Retention of Data

7.1. TG will not retain the Personal Data for longer than necessary.

7.2. TG defines the length of Personal Data retention period after considering the following factors:

    • TG’s contractual obligations and rights in relation to the Personal Data involved (including the Terms and Conditions provided when utilizing services)
    • Legal obligations and legal retention period as defined in the applicable Data Protection Laws
    • Whether TG has relied on the Client and End-User consent to use the Personal Data, but the consent has been later withdrawn
    • TG’s legitimate interests
    • Fraud and risk management
    • Potential dispute, and guidelines issued by relevant data protection authorities

7.3. Data Provider data will be held in country which they reside in.

 

8. Sharing of Data

8.1. By utilizing TG’s AIS/PIS services as an ‘End-User’, the Personal Data will be shared with the Client (as applicable).

8.2. If TG gets involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of its business to another company, TG may share the data providers information with that company before and after the transaction closes.

8.3. TG may also share the Personal Data during the occurrence of the following circumstances with due regard to the personal data protection rights of the data providers and post adequate clearance from legal:

    • If TG reasonably considers that it is under a duty to disclose or share the personal data to comply with any legal obligations.
    • To protect the rights, property or safety of the data providers, TG, TG’s affiliates, or subsidiaries.
    • To another company in the Group, if this is necessary to ensure continuity in the provision of services to the data providers or to reflect any business reorganization or expansion that TG may engage in from time to time.

8.4. TG shares Staff’s personal information with third parties (employment agencies, background check and online test providers, credit reference agencies and regulators and competent authorities) for the purposes of processing application. TG will also share personal data with its affiliates and subsidiaries for the purposes of administration, accounting, and reporting purposes.

 

9. Internal Transfer of Data

9.1. TG might transfer the Personal Data overseas (as needed) and will strive to ensure that the country the data is being transferred to, is a country or territory which has equivalent or higher personal data protection laws and if required the Data Protection Authority approval will be sought.

9.2. In cases where data may need to be transferred to countries with no equivalent or no personal data laws, TG’s Clients will be notified, and the appropriate safeguards will be deployed to ensure the security of the data being transferred.

 

10. Accuracy and Security of Data

10.1. TG’s contractual obligations on accuracy of data is limited to this Privacy Policy and to the Terms and Conditions which are accessible via TG’s AIS/PIS services.

 

11. Data Protection and Confidentiality

11.1. TG understands that the information collected and shared by data providers contains sensitive data. Therefore, TG undertakes its role to protect the information very seriously. TG also provides high-quality security programs on its services based on high industry standards and implements best practices and ensures its vendors (if applicable) provides the same. In addition, TG takes a strong defensive approach to countering cyber-attacks and securing information from unauthorized access or misuse.

11.2. Data providers acknowledge and accept, when utilizing TG’s services, that the provision of services may be susceptible to faults and technical difficulties. As such, TG cannot guarantee a fault free service. If any information subject to TG’s control is attacked by a cyber-attack as a result of a security breach, TG’s policy is to take reasonable steps to investigate the situation and to communicate with and compensate the affected data providers provided that the issue at hand is resolved by TG as soon as practical.

11.3. TG will maintain the confidentiality of the data providers information and assure secure processing of these information including without limitation how such information is accessed, stored, disseminated, and destroyed.

 

12. Notification of Breaches

12.1. TG undertakes that it will immediately notify its Clients of any breach, hack, leak, cyberattack, or otherwise to the information provided and will take the necessary measures and precautions to remedy such issue.

12.2. TG undertakes that it will process information in a manner that ensures data security using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

12.3. TG shall not request any sensitive or private information via text message or through any other form of social network communication. TG shall contact the data provider directly via the contact information provided in the event of suspected or actual fraud or security threats.

 

13. Data Subject Rights

The Data Subject rights, as permitted by law are as follows:

13.1. Right to access: the right to request TG to view the personal information and the purpose for which it is intended and disclosed. Also, the right to request the nature of personal information collected.

13.2. Right to object to processing: the right to request TG to cease processing of personal data for direct marketing purposes.

13.3. Right to erasure: the right to request TG to rectify, block or erase personal data when processing of such data is in breach of the law.

13.4. Right to opt out: the right to choose to opt out of TG’s communication and mailing services at any time.

13.5. Right to withdraw consent: the right to revoke consent for continuous personal data processing subject notifying TG through email mentioned in clause 17.

13.6. Right to complain: the right to inquire, complain and provide feedback.

13.7. Should the Data Subject wish to utilize its rights, you are requested to kindly do so by sending an email to TG Complaints Officer (refer to clause 17).

 

14. Communication and Mailing Services

14.1. By utilizing TG’s Services, subscribing to newsletter, or applying to a job through a social media channel / portal, the data providers hereby consent to receiving communication from TG, and its affiliates, in the form of, but not limited to, emails, newsletters, and advertisements.

14.2. Data providers may choose to opt out of such communication and mailing service at any time, subject to TG’s prior notification.

 

15. Trademark and Copyright

15.1. The contents of TG and any other related site thereof, are copyrighted. The data providers are not permitted to store or reproduce any content, such as but not limited to, pictures and charts, displayed or generated by TG.

15.2. All trademarks, brand marks and trade names shown on TG’s website, its Services or social media pages are protected by the applicable laws of their governing jurisdictions. Any unauthorized use of any trademark, logo or product name is strictly prohibited and shall only be permitted under license.

 

16. Third-Party Privacy Policies

16.1. Employee Background Screening: Zinc’s privacy policy can be found here: https://zinc.work/privacy.pdf

16.2. Employee On-boarding: Greenhouse’s privacy policy can be found here: https://www.greenhouse.io/privacy-policy

 

17. Regulatory Compliance

17.1. Any services provided by TG shall only be offered in jurisdictions where TG lawfully obtains regulated license to operate and are not intended for use in jurisdictions that restrict those services.

 

18. Jurisdiction

18.1. This Privacy Policy shall be governed by the laws of the Kingdom of Bahrain, Kingdom of Saudi Arabia, Dubai International Financial Centre, and the United Kingdom. In the event of a dispute arising in connection with the terms stated in this Privacy Policy and/or implementation of the services, such disputes shall be referred to the Courts of the applicable governing jurisdictions.

 

19. Complaints

19.1. To provide any compliment, lodge complaints or exercise your rights, please send an email to complaint@tarabutgateway.com or call the Complaints Officer on +973 17449999.

 

Appendix A – Personal data

Case

Type of personal data collected

Purpose of processing

If you are TG’s Client (Bank, Merchant, FinTech, etc.)

On-boarding information (KYB), incorporation documents, shareholders identities, contact details, financial statements, other supporting documents (as applicable).

To conduct due diligence that TG is legally required to undertake to ascertain Client fits regulatory requirements and passes background checks (criminal checks, etc.)

If you are an End-User of the AIS service

Account details: account balances, details, statements, transactions, beneficiary, standing order details, etc.

Other: personal data registered on the account such as name, contact details, phone number, email, and customer identifiers such as ID information (as applicable).

To successfully deliver the AIS Service.

If you are an End-User of our PIS service

Transaction details: (payee / payer bank name, bank account identifiers such as IBAN, transaction reference ID, payment amount, payment date and time) which will also be shared with the merchant / payee for transaction recording, enabling subsequent payments and initiating refunds (if required)

Customer experience data:  user journey details, location, device type, IP address, telecom carrier, OS version, etc.

Other: Name, contact details, email, phone number, customer identifiers such as ID.

To successfully deliver the PIS Service and monitor customer experience for analytical purposes.

If you are an End-User of our AIS/PIS service and have raised a complaint, query, or wish to exercise any of your legal rights etc.

Name, email address, supporting information/ documents (nature of the complaint, query, transaction record, etc.)

To conduct the investigation that is required to resolve any issues faced.

If you register to the Developer Portal

Registration phase: Name, email, username, phone number and jurisdiction.

Production phase: On-boarding information (KYB), organization incorporation documents, shareholders identities, contact details, financial statements, etc..

To conduct due diligence that TG is legally required to undertake before the Client is provided access to TG’s Services.

If you are visitor to TG’s official website

Name, email address, phone number, any other personal data supplied to the Company website such as comments or feedback.

To provide updates on TG’s activities, services, and products; to record the marketing preferences and any feedback or responses for the purposes of improving our services.

If you are a part of TG’s Staff

Information provided in curriculum vitae, application form, covering letter and during the interview process including: your name, date of birth, age, gender, home address, personal email address, education, qualification and work experience details, and references. Information collected or created by us during the recruitment process including interview notes, test scores and correspondence between us. Information about criminal convictions:  we carry out background checks as part of the recruitment process. Sensitive information like your racial and ethnic origin information and information relating to disabilities, religious beliefs or sexual orientation, marital status for visas, physical or mental health information and immigration/naturalization records (if this discloses racial/ethnic origin information

Necessary to enter an employment control; to comply with a legal or regulatory obligation; have a legitimate interest to ensure the effective administration and management of the recruitment process; ensure TG hires suitable individual for a role; deal with disputes and accidents and take legal or other professional advice; and ascertain Staff fitness to work. Special category data is processed to consider the need to provide appropriate adjustments during the recruitment process and to ascertain fitness to work for equal opportunity monitoring purposes. Criminal conviction information is processed to assess suitability for a regulated role; to protect interests, because it is necessary in relation to legal claims. TG is allowed to utilize Staff personal information where it is necessary to carry out employment rights and obligations.

If you are an applicant

Name, contact details, email address, cover letters, and information included in curriculum vitae.

To verify adequacy of applicant for a job opening.