1. Who are we and what do we do?
1.1 developing the tourism sector by building partnerships with relevant stakeholders and coordinating with destinations and attractions all over the world to maximize target visits. We are also responsible for various types of consumer-level engagement in the tourism sector, including via consumer-facing Digital Platforms.
1.2 Sphinx travel considers it important to protect your Personal Data and endeavors to process it in accordance with applicable data protection laws and regulations.
1.3. For the purpose of Applicable Data Protection Law, Sphinx travel is the Controller ( person responsible for deciding how your Personal Data is processed) and responsible for your Personal Data.
2. What is the purpose of this document?
2.1 Sphinx travel respects your privacy and is committed to protecting your Personal Data. Sphinx travel has adopted this Privacy Notice to notify (“you”, “your”) about the Personal Data collected, used, and processed relating to you, and how you can expect your Personal Data to be used and for what purpose. It is important that you read this Privacy Notice so that you are aware of how and why we are using such information and what your rights are under Applicable Data Protection Law.
2.2 This Notice:
(a) Applies to anyone visiting or using the Digital Platforms
(b) Sets out the types of Personal Data we collect about you.
(c) Explains how and why we collect and use your Personal Data.
(d) Explains how long we keep your Personal Data.
(e) Explains how we will share your Personal Data – when, why, and with whom.
(f) Explains your rights as the Data Subject.
(g) Sets out the legal bases we have for using your Personal Data.
(h) Explains the effect of refusing to provide the Personal Data requested.
(I) Explains the different rights and choices you have as a Data Subject when it comes to your Personal Data.
(j) Explains how we use automated decision-making and/or profiling – when and why.
2.3 The Digital Platforms are not intended for children under 18 and we do not knowingly collect Personal Data from children.
3. Compliance with Data Protection Principles
We will implement measures designed to comply with Applicable Data Protection Law, including measures designed to ensure that the Personal Data we hold about you is:
(a) Used lawfully, fairly, and in a transparent way.
(b) Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
(c) Relevant to the purposes we have told you about and limited only to those purposes.
(d) Accurate and kept up to date.
(e) Kept only as long as necessary for the purposes we have told you about;
(f) Kept securely.
(g) Kept using appropriate measures and records in a way that allows us to demonstrate compliance with Applicable Data Protection Law.
4. Changes to this Privacy Notice
We may change/update this Notice at any time in the future, at our sole discretion. Any changes will be effective immediately upon posting of the revised Notice. If the changes are material, we will provide you with additional notice, such as through a banner on our website or by sending you an updated version of this Notice in writing, including electronically where appropriate, unless you request a different delivery format. (You can request it in a different format by contacting us through this form.)
5. What Personal Data do we collect about you?
5.1 We collect your Personal Data for the purposes listed further below in the Schedules. (The specific purposes vary depending on the Digital Platform.)
5.2 “Personal Data” means any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.
5.3 For completeness, Personal Data does not include data where the identity has been completely removed (e.g. completely anonymous data or Aggregate Data), however, it may still include pseudonymous data. Under Applicable Data Protection Law, there may certain types of more sensitive Personal Data that require a higher level of protection (“Sensitive Data”). Sensitive Data may include details about your race or ethnicity, religious or philosophical beliefs, information about your health, and genetic and biometric data. Information about criminal convictions and offenses may also be considered sensitive and warrant this higher level of protection.
5.4 We do not normally collect or process Sensitive Data. Such categories of Personal Data would typically require more stringent security measures (technical and organizational measures) whilst processing under the Applicable Data Protection Law. In the exceptional case in which we may be required to collect and process such Personal Data, we would only collect it from you, and further obtain your explicit consent to process such data, when permitted by law, such as when one of the lawful conditions for processing Sensitive Data detailed in Schedule 2 applies. Where required under Applicable Data Protection Law we will collect a separate consent from you before processing your Sensitive Data.
5.5 We also may collect, use and share “Aggregated Data” (as that term is defined by Applicable Data Protection Law) for any purpose to the extent permitted by Applicable Data Protection Law. Aggregated Data could be derived from your Personal Data but is generally not considered Personal Data under Applicable Data Protection Law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data in accordance with Applicable Data Protection Law to calculate the percentage of users accessing a specific Digital Platform feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data, which will be used in accordance with this Privacy Notice.
6. What happens if you do not provide us with the Personal Data we request or ask that we stop processing your Personal Data?
If you do not provide us with the necessary Personal Data, or ask us not to process your Personal Data, we may not be able to perform the activities that you are expecting from us (for example, to provide you with information, or goods or services) or we may be prevented from complying with our legal obligations. In this case, we may have to reject your request or otherwise not fulfill your expectations – in which case we will seek to notify you.
7. Where do we collect Personal Data about you from?
The following are the different sources from which we may collect Personal Data about you:
7.1 Directly from you. This is Personal Data you provide to us, such as through visiting our Digital Platforms or through direct correspondence with us, or via other direct interactions with us such as completing a form on our Digital Platform, applying for our products or services, applying for a career with us on our Digital Platform, creating an account on our Digital Platform, subscribing to our service or publication, requesting marketing to be sent to you, entering a competition or prize draw, promotion or survey, giving feedback, contacting us by any means to submit an inquiry complaint, etc.
7.2 From an agent/third party acting on your behalf.
7.3 From publicly available sources. We may use the following public sources:
(a) Social media.
(b) Events (e.g. conferences).
7.4 From analytics providers, advertising networks, search information providers, or providers of technical, payment (i.e. third party payment gateways) and delivery services.
7.5 Through any marketing communication we may send you, or through email communications sent from or received by us. You can opt-out of receiving promotional emails from us at any time by following the instructions as provided in emails to click on the unsubscribe link or emailing us at the email address set out in Section 19 below with the word UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt-out of non-promotional emails, such as those about transactional relations.
8. How and why do we use your Personal Data (lawful basis for processing and purposes for collecting and processing Personal Data)?
8.1 We want to give you the best possible user/customer experience while fulfilling our role as the Tourism Authority. In order to do so, we need to paint an accurate picture of who you are, and what your preferences are, by combining different types of Personal Data we have collected relating to you.
8.2 We will only use your Personal Data when the law, including Applicable Data Protection Law, allows us to do so. Under Applicable Data Protection Law, it may be necessary to justify the use of Personal Data under one of a number of legal grounds (lawful basis for processing). This means that we will only collect Personal Data for specified, explicit, and legitimate purposes, and should not process the Personal Data in a matter incompatible with those purposes unless in limited circumstances. We will only use your Personal Data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
8.3 We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services, and offers may be relevant for you. You will receive such marketing communications from us if you have requested information from us or purchased/received goods or services from us and you have opted in to receiving that marketing. You can ask us or our affiliates to stop sending you marketing messages at any time – by logging into the Digital Platform and adjusting your marketing preferences, by following the opt-out links on any marketing message sent to you, or by contacting us at any time. (Opting out of receiving marketing messages will not affect any transactional or service messages that we need to send to you in the context of transactions or services.)
8.4 In summary, we use your Personal Data to allow us to perform our contract with you, offer you the best possible customer experience in line with our legitimate interests, and enable us to comply with all of our legal obligations. The specific purposes for which we will process your Personal Data and the corresponding lawful basis for processing are listed in the Schedules. Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
9. For how long do we keep your Personal Data?
9.1 We will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes we collected it for, including the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
9.2 We consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data, and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements – to determine the appropriate retention period for Personal Data.
9.3 In some circumstances we may anonymize your Personal Data so that it can no longer be associated with you, in which case we may retain and use such information without further notice to you. Once you are no longer (as applicable) a customer, user, or employee of us, then we will retain and securely destroy your Personal Data in accordance with Applicable Data Protection Law.
10. Who do we share your Personal Data with?
10.1 Our own personnel have access to your Personal Data for the performance of their duties. We may share your Personal Data with other related entities to perform our role in the Saudi tourism ecosystem, in the context of assessing or reporting on activities or our performance, in the context of the reorganization of Sphinx travel, for system maintenance support and hosting of data, and for other operational reasons of this nature.
10.2 We may also share your Personal Data with our service providers (known as “trusted third parties”) involved in the provision of the information or services you have requested from us via our Digital Platforms for lawful purposes in order to help us run our business. We rely on such trusted third parties for a range of our business operations and provision of services. We have agreements in place with these service providers to protect the confidentiality of your Personal Data. We do not share your Personal Data with third parties for their own marketing purposes, except with your specific consent.
10.3 If we share your Personal Data with trusted third parties, we:
(a) Only provide them with the information needed for their specific services/specific purpose.
(b) Enter into adequate contractual arrangements designed to ensure that they may only use your Personal Data for the exact purposes we specified in our contract with them.
(c) Collaborate closely with our trusted third parties to ensure that your privacy and Personal Data are protected.
(d) Where we stop using the services of our trusted third parties, we ensure any of the data held by them is securely deleted or put beyond further use.
10.4 In summary, our trusted third parties include:
(a) Third party providers of payment gateways.
(b) Suppliers/ service providers (e.g. delivery couriers, e-commerce service providers, technicians for handling complaints or fraud management, IT companies, and providers who support our Digital Platform).
(c) Professional advisors (e.g. bankers, auditors, and lawyers).
(d) Insurance (e.g. insurance brokers).
(e) Direct marketing companies that help us in our e-communications with our customers.
(f) Outsourcing certain business functions. For example, we may use service centers to whom we outsource functions such as document and information management, office support, technology, and IT services, word processing, photocopying, and translation services (we have agreements in place with these service providers to protect the confidentiality and security of information (including Personal Data) shared with them).
10.4.2 We also may share your Personal Data with vendors and other parties for analytics and advertising purposes. These parties may act as our service providers, or in certain contexts, independently decide how to process your Personal Data. These thirds parties may include:
(b) Data analytics/insight companies to help us ensure your details are maintained accurate and up to date.
10.5 We may, from time to time, be required to disclose your Personal Data to authorities, such as the police, law enforcement, regulatory and/or government agencies, in relation to legal investigations or proceedings conducted anywhere in the world, if required by applicable law or regulation, or if we reasonably believe it is necessary to protect STA, other customers, or the public. We will usually notify you before responding to such queries, except where the circumstances restrict us from doing so. We take your privacy into consideration and address such requests on a case-by-case basis.
11. What happens if there is a change of control?
If a change happens to the organization of Sphinx travel, or the government authorities responsible for tourism are restructured, then the new ‘successor’ entity may use your Personal Data in the same way as set out in this Privacy Notice and your Personal Data may be transferred to such new entity according to the terms of this Notice.