1. Definition

In this Privacy Policy, the following expressions have the following meanings:

1.1. “TG” or “the Company” means Tarabut Gateway Group, its affiliates, and subsidiaries.

1.2. “Client” or “End-User” in certain instances may be a visitor to the Company’s site, a customer that is an individual, or a corporate customer (Bank, Merchant, FinTech, etc.) or a user of the Company’s products and services.

1.3. “Staff or Applicant” means any individual who currently holds an employment contract with TG (either part-time or full-time) or an individual that applies for a job opportunity.

1.4. “Developer” means an entity or an individual person accessing or using TG’s Developer Portal under their sole discretion or on behalf of another entity.

1.5. “Developer Portal” means the development and sandbox environment that is provided by TG.

1.6. “Data Subject” means the Client, End-User, Staff, or Applicant who owns the data.

1.7. “Data Provider” means the Data Subjects, collectively, which consensually provide their personal data to TG.

1.8. “Services” means account information services (AIS), payment initiation services (PIS), or developer portal services – open banking-related services.

  1. Introduction

2.1. TG as a Group of regulated and licensed entities in various jurisdictions aims to build a new world of financial services in the MENA region through its Open Banking services (AIS/PIS).

2.2. TG values transparency and strives to provide its data providers with a clear and concise description of how it treats their personal data and ensures its privacy and security. As such, the Company has developed this Privacy Policy which describes how TG, collects, uses, discloses, shares, and protects personal data.

  1. Application and acceptance

3.1. This Privacy Policy applies to all data providers. All data providers must read this Privacy Policy in its entirety and carefully.

3.2. By utilizing TG’s services, providing information through the website, and when applying for a job through any of the social media channels / other portals, the data providers signify acceptance of the terms of this Privacy Policy and its updates/amendments from time to time.

  1. Change to the Privacy Policy

4.1. To the extent legally permissible by the applicable laws and regulations, any content contained in this Privacy Policy shall be subject to change, modification, alteration, or otherwise, at the Company’s sole discretion.

4.2. Unless otherwise indicated, amendments/ updates will be effective immediately upon publishing. Any updates to this Privacy Policy will be available through TG’s website.

  1. Personal Data

5.1. Data providers must refer to Appendix A for details on the type of personal data TG collects and the purpose of data processing.

5.2. TG undertakes that all information must be processed lawfully, fairly, and in a transparent manner in relation to the data providers. TG will only collect information needed to provide the services and process the data for the purpose defined in this Privacy Policy.

5.3. TG will collect and process information for legitimate purposes and:

  • not use the information in ways that have unjustified adverse effects on the data providers,
  • be transparent about how TG intends to use the information and provide notification of the same,
  • handle the information only in ways the data providers would reasonably expect; and
  • not commit any unlawful act with the collected information. 
  1. Collection of Data

6.1. TG collects Personal Data as stated in Appendix A in the following manner:

  • For AIS/PIS end-users, TG collects the Personal Data obtained from the Account Servicing Payment Services Providers “ASPSPs” (i.e., any payment service provider, such as a bank or a credit card issuer that maintains an online payment account on behalf of the End-User).
  • For Clients, TG collects Personal Data from the Know Your Business “KYB” form and supporting documentation, email correspondences, and information provided during project execution or through third-party sources.
  • For a visitor to TG’s website, Personal Data is collected when subscribing to the newsletter or through the ‘contact us form.
  • For Staff, TG collects Personal Data during the recruitment process and performance reviews either from the Staff, third-party application/process, or is created by TG in course of the recruitment process after obtaining Staff explicit consent.
  • For an Applicant, TG collects Personal Data through social media platforms, other recruiting portals, email correspondence, information provided by the Data Subject via email and through TG career page in its website.
  • For a Developer, TG collects Personal Data during registration to the Developer Portal.

6.2. In addition to some of the specific uses of information this Privacy Policy covers, TG may use information that it receives in order to:

  • manage, develop, operate, improve, deliver, maintain, and protect its services
  • communicate by all means of communications, including by email (for example, to exchange information about its services and promotional offers that it thinks may interest data providers)
  • monitor, analyse trends and usage
  • enhance the safety and security of services
  • verify Client or End-User identity and prevent fraud or other unauthorized/illegal activity
  • verify accounts, records, and information
  • satisfy governmental agencies’ requirements
  • manage the data and data bank
  1. Retention of Data

7.1. TG will not retain the Personal Data for longer than necessary.

7.2. TG defines the length of the Personal Data retention period after considering the following factors:

  • TG’s contractual obligations and rights in relation to the Personal Data involved (including the Terms and Conditions provided when utilizing services)
  • Legal obligations and legal retention period as defined in the applicable Data Protection Laws
  • Whether TG has relied on the Client and End-User consent to use the Personal Data, but the consent has been later withdrawn
  • TG’s legitimate interests
  • Fraud and risk management
  • Potential disputes, and guidelines issued by relevant data protection authorities
  • Data Provider data will be held in the country in which they reside.
  • For Staff and Applicants data will be held in the country in which they reside in and / or shared with sub-processors for reasons mentioned in clause 8.
  1. Sharing of Data

8.1. By utilizing TG’s AIS/PIS services as an ‘End-User’, the Personal Data will be shared with the Client (as applicable).

8.2. If TG gets involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of its business to another company, TG may share the data provider’s information with that company before and after the transaction closes.

8.3. TG may also share the Personal Data during the occurrence of the following circumstances with due regard to the personal data protection rights of the data providers and post adequate clearance from legal:

  • If TG reasonably considers that it is under a duty to disclose or share personal data to comply with any legal obligations.
  • To protect the rights, property, or safety of the data providers, TG, TG’s affiliates, or subsidiaries.
  • To another company in the Group, if this is necessary to ensure continuity in the provision of services to the data providers or to reflect any business reorganization or expansion that TG may engage in from time to time.

8.4. TG is restricted to disclose the data provider’s personal data under certain circumstances as defined in the applicable Data Protection Law.

8.5.TG shares Staff’s personal information with third parties (employment agencies, background checks, online test providers, credit reference agencies, regulators, and competent authorities) for the purposes of processing applications. TG will also share personal data with its affiliates and subsidiaries for the purposes of administration, accounting, and reporting purposes.

  1. International Transfer of Data

9.1. TG might transfer the Personal Data overseas (as needed) and will strive to ensure that the country the data is being transferred to, is a country or territory which has equivalent or higher personal data protection laws and if required the Data Protection Authority approval will be sought.

9.2. In cases where data may need to be transferred to countries with no equivalent or no personal data laws, TG’s Clients will be notified, and the appropriate safeguards will be deployed to ensure the security of the data being transferred.

9.2. The Staff and Applicants hereby consents for its data to be transferred to sub-processors mentioned in clause 15 and in TG’s website privacy policy as and when its updated.

  1. Accuracy and Security of Data

10.1. TG’s contractual obligations on the accuracy of data are limited to this Privacy Policy and to the Terms and Conditions which are accessible via TG’s AIS/PIS services.

  1. Data Protection and Confidentiality

11.1. TG understands that the information collected and shared by data providers contains sensitive data. Therefore, TG undertakes its role to protect the information very seriously. TG also provides high-quality security programs on its services based on high industry standards and implements best practices and ensures its vendors (if applicable) provide the same. In addition, TG takes a strong defensive approach to countering cyber-attacks and securing information from unauthorized access or misuse.

11.2. Data providers acknowledge and accept, when utilizing TG’s services, that the provision of services may be susceptible to faults and technical difficulties. As such, TG cannot guarantee a fault-free service. If any information subject to TG’s control is attacked by a cyber-attack as a result of a security breach, TG’s policy is to take reasonable steps to investigate the situation and to communicate with and compensate the affected data providers provided that the issue at hand is resolved by TG as soon as practical.

11.3. TG will maintain the confidentiality of the data providers’ information and assure secure processing of this information including without limitation how such information is accessed, stored, disseminated, and destroyed.

  1. Notification of Breaches

12.1. TG undertakes that it will immediately notify its Clients of any breach, hack, leak, cyberattack, or otherwise to the information provided and will take the necessary measures and precautions to remedy the such issue.

12.2. TG undertakes that it will process information in a manner that ensures data security using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

12.3. TG shall not request any sensitive or private information via text message or through any other form of social network communication. TG shall contact the data provider directly via the contact information provided in the event of suspected or actual fraud or security threats.

 

  1. Data Subject Rights

The Data Subject rights, as permitted by law are as follows:

13.1. Right to be informed: the right to be informed and be privy to the legal or practical justification for collecting the personal data

13.2. Right to access: the right to request TG to view the personal information and the purpose for which it is intended and disclosed. Also, the right to request the nature of personal information collected.

13.3. Right to object to processing: the right to request TG to cease processing of personal data for direct marketing purposes and processing causing material or moral damage to the Data Subject or Others.

13.4. Right to rectification, blocking, erasure: the right to request TG to rectify, block or erase personal data when the processing of such data is in breach of the law.

13.5. Right to opt out: the right to choose to opt-out of TG’s communication and mailing services at any time.

13.6. Right to withdraw consent: the right to revoke consent for continuous personal data processing subject to notifying TG through email mentioned in clause 18.

13.7. Right to complain: the right to inquire, complain and provide feedback.

13.8 – Right to amendment, completion, or update: the right to request an amendment, completion or update to the personal data.

13.9. Should the Data Subject wish to utilize its rights, you are requested to kindly do so by sending an email to TG Complaints Officer (refer to clause 18). The rights of Data subjects will be exercised by TG free of charge and within a period not exceeding 15 working days of receiving such request.

13.10. TG may reject a request if the Data Subject misuses the right in obtaining information or restrictions to granting data access is necessary to protect the Data Subject and others from any harm in-accordance to the applicable laws

  1. Communication and Mailing Services

14.1. By utilizing TG’s Services, subscribing to the newsletter, or applying for a job through a social media channel/portal, the data providers hereby consent to receive communication from TG, and its affiliates, in the form of, but not limited to, emails, newsletters, and advertisements.

14.2. TG may engage with third-party providers during direct marketing. In such cases, TG will ensure third parties maintain confidentiality and security measures for Data Subject’s data.

14.3. Data providers may choose to opt-out of such communication and mailing service at any time, subject to TG’s prior notification.

 

  1. Third-Party Privacy Policies
    • TG shares Staff and Applicant data with the following third parties for further processing:

Provider :

Purpose of Processing:

 Privacy notice

ZINC

Employee’s background screening

https://zinc.work/privacy.pdf

GREENHOUSE

Managing employee interviews, hiring process.

https://www.greenhouse.io/privacy-policy

ENBOARDER

Managing employee’s onboarding

https://humaans.io/privacy

HUMAANS

Managing employee’s profile information

https://humaans.io/privacy

15.2. TG’s processors and sub-processors undergo a third-party due diligence process to ensure data integrity, data privacy and data security are in compliance with applicable laws,

  1. Regulatory Compliance

17.1. Any services provided by TG shall only be offered in jurisdictions where TG lawfully obtains a regulated license to operate and are not intended for use in jurisdictions that restrict those services.

 

  1. Jurisdiction

18.1. This Privacy Policy shall be governed by the laws of the Kingdom of Bahrain, Kingdom of Saudi Arabia, Dubai International Financial Centre, and the United Kingdom. In the event of a dispute arising in connection with the terms stated in this Privacy Policy and/or implementation of the services, such disputes shall be referred to the Courts of the applicable governing jurisdictions.

 

  1. Complaints

18.1. To provide any compliment, lodge complaints, or exercise your rights, please send an email to complaint@tarabutgateway.com or call the Complaints Officer at +973 17449999.

18.2. For any queries or requests raised by employees or job applicants, please send an email to tgpeople@tarabutgateway.com.

Appendix A – Personal data

Case

Type of personal data collected

Purpose of processing

If you are TG’s Client (Bank, Merchant, FinTech, etc.)

On-boarding information (KYB), incorporation documents, shareholders identities, contact details, financial statements, other supporting documents (as applicable).

To conduct due diligence that TG is legally required to undertake to ascertain Client fits regulatory requirements and passes background checks (criminal checks, etc.)

If you are an End-User of the AIS service

Account details: account balances, details, statements, transactions, beneficiary, standing order details, etc.

Other: personal data registered on the account such as name, contact details, phone number, email, and customer identifiers such as ID information (as applicable).

To successfully deliver the AIS Service.

If you are an End-User of our PIS service

Transaction details: (merchant ID, payee identity / payer bank, bank account number (IBAN), transaction reference ID, transaction amount, account names, various other IDs to uniquely identify a transaction, status of transaction) which will also be shared with the merchant / payee for transaction recording, enabling subsequent payments and initiating refunds (if required)

Customer experience data:  user journey details, location, device type, IP address, telecom carrier, OS version, etc.

Other: Name, contact details, email, phone number, customer identifiers such as ID.

To successfully deliver the PIS Service and monitor customer experience for analytical purposes.

If you are an End-User of our AIS/PIS service and have raised a complaint, query, or wish to exercise any of your legal rights etc.

Name, email address, supporting information/ documents (nature of the complaint, query, transaction record, etc.)

To conduct the investigation that is required to resolve any issues faced.

If you register to the Developer Portal

Sign up phase: Email id, first name, last name, company name, phone number (optional)

Registration phase: Customer company name, customer contact name, customer contract email, account email, sandbox clientid, merchant/client logo, beneficiary account (for PIS) beneficiary account holder name (for PIS), merchant category (for PIS) and maximin transaction limit (for PIS)..

 

To ensure a seamless user journey for utilizing TG products and services.

 

If you are visitor to TG’s official website

First name, last name, business email, job title, company name, company industry, country, phone number (optional), unique message

To provide updates on TG’s activities, services, and products;

To share details with sales team to get in-touch;

to record the marketing preferences and any feedback or responses for the purposes of improving our services.

If you are a part of TG’s Staff

Information provided in curriculum vitae, application form, covering letter and during the interview process including: your name, date of birth, age, gender, home address, personal email address, education, qualification and work experience details, and references. Information collected or created by us during the recruitment process including interview notes, test scores and correspondence between us. Information about criminal convictions:  we carry out background checks as part of the recruitment process. Sensitive information like your racial and ethnic origin information and information relating to disabilities, religious beliefs or sexual orientation, marital status for visas, physical or mental health information and immigration/naturalization records (if this discloses racial/ethnic origin information

Necessary to enter an employment control; to comply with a legal or regulatory obligation; have a legitimate interest to ensure the effective administration and management of the recruitment process; ensure TG hires suitable individual for a role; deal with disputes and accidents and take legal or other professional advice; and ascertain Staff fitness to work. Special category data is processed to consider the need to provide appropriate adjustments during the recruitment process and to ascertain fitness to work for equal opportunity monitoring purposes. Criminal conviction information is processed to assess suitability for a regulated role; to protect interests, because it is necessary in relation to legal claims. TG is allowed to utilize Staff personal information where it is necessary to carry out employment rights and obligations.

If you are an applicant

Name, contact details, email address, cover letters, and information included in curriculum vitae.

To verify adequacy of applicant for a job opening.