
Privacy Policy
PRIVACY POLICY – GO LOYALTY PROGRAM
LAST UPDATED: ENGLISH VERSION: SEPTEMBER 2022
The following are the Privacy Terms in Arabic. Last updated 2023/01/12. Arabic version in document format.
English Version:
This is the privacy notice (“Privacy Policy” or “Notice”) for STA’s Loyalty Program (“Go Loyalty Program”)
and the associated website and app (the “Digital Platforms”). This Notice is incorporated by reference
into the Member Terms & Conditions of the Go Loyalty Program.
1. Who are we and what do we do?
1.1 SAUDI TOURISM AUTHORITY (or “STA”, “Go Loyalty Program Operator”, “we”, “us” or
“our”) is the Saudi government entity responsible for promoting Saudi Arabia as a global
tourism destination, developing a leading tourism brand for the Kingdom, developing the
tourism sector by building partnerships with relevant stakeholders, and coordinating with
destinations and attractions in Saudi Arabia to maximize target visits. We are also responsible
for various types of consumer level engagement in the tourism sector. The Go Loyalty Program
is one such initiative.
1.2 Go Loyalty Program Operator considers it important to protect your Personal Data and
endeavors to process it in accordance with applicable data protection laws and regulations,
primarily Saudi Arabia’s National Data Management Office’s Interim Regulations on Personal
Data Protection (the “Interim Regulations”) and other applicable data protection laws and
regulations (the Interim Regulations and such other laws and regulations referred to generally
herein as “Applicable Data Protection Law”).
1.3 For the purpose of Applicable Data Protection Law, Go Loyalty Program Operator is the
Controller (i.e. person responsible for deciding how your Personal Data is processed) and
responsible for your Personal Data.
2. What is the purpose of this document?
2.1 Go Loyalty Program Operator respects your privacy and is committed to protecting your
Personal Data. Go Loyalty Program Operator has adopted this Privacy Notice to notify you (“you”,
“your”) about the Personal Data collected, used and processed relating to you, and how you
can expect your Personal Data to be used and for what purpose. It is important that you read
this Privacy Notice, so that you are aware of how and why we are using such information and
what your rights are under Applicable Data Protection Law.
2.2 This Notice:
(a) applies to anyone registering as a Member of the Go Loyalty Program;
(b) applies to anyone visiting or using the Digital Platforms;
(c) sets out the types of Personal Data we collect about you;
(d) explains how and why we collect and use your Personal Data;
(e) explains how long we keep your Personal Data;
(f) explains how we will share your Personal Data - when, why and with whom;
(g) explains your rights as the Data Subject;
(h) sets out the legal bases we have for using your Personal Data;
(i) explains the effect of refusing to provide the Personal Data requested;
(j) explains the different rights and choices you have as a Data Subject when it comes to
your Personal Data; and
(k) explains how we use automated decision making and/or profiling – when and why.
2.3 The Go Loyalty Program and the Digital Platforms are not intended for children under 18 and
we do not knowingly collect Personal Data from children.
3. Compliance with Data Protection Principles
We will implement measures designed to comply with Applicable Data Protection Law, including
measures designed to ensure that the Personal Data we hold about you is:
(a) used lawfully, fairly and in a transparent way;
(b) collected only for valid purposes that we have clearly explained to you and not used in
any way that is incompatible with those purposes;
(c) relevant to the purposes we have told you about and limited only to those purposes;
(d) accurate and kept up to date;
(e) kept only as long as necessary for the purposes we have told you about;
(f) kept securely; and
(g) kept using appropriate measures and records in a way which allows us to demonstrate
compliance with Applicable Data Protection Law.
4. Changes to this Privacy Notice
We may change/update this Notice at any time in the future, at our sole discretion. Any changes
identifiable will be effective immediately upon posting of the revised Notice. If the changes are
material, we will provide you with additional notice, such as through a banner on our website
and/or by sending you an updated version of this Notice in writing, including electronically where
appropriate, unless you request a different delivery format.
5. What Personal Data do we collect about you?
5.1 We collect your Personal Data for the purposes listed further below in the Schedules.
5.2 “Personal Data” means any information relating to an identified or identifiable natural person (‘Data
Subject’). An identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data,
an online identifier or to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person.
5.3 For completeness, Personal Data does not include data where the identity has been completely
removed (e.g. completely anonymous data or Aggregate Data), however, it may still include
pseudonymous data. Under Applicable Data Protection Law, there may be certain types of more
sensitive Personal Data that require a higher level of protection (“Special Categories of
Personal Data” and “Personal Data relating to criminal convictions”). Special Categories of
Personal Data may include: details about your race or ethnicity, religious or philosophical
beliefs, information about your health, and genetic and biometric data. Information about
criminal convictions and offences may also be considered sensitive and warrant this higher
level of protection.
5.4 We do not normally collect or process Special Categories of Personal Data or Personal Data
relating to criminal convictions. Such categories of Personal Data may be considered more
sensitive under Applicable Data Protection Law, and would typically require more stringent
security measures (technical and organisational measures) whilst processing. In the
exceptional case in which we may be required to collect and process such Personal Data, we
would only collect it from you, and further process it, when permitted by law, such as when one
of the lawful conditions for processing Special Categories of Personal Data detailed in Schedule
2 applies. Where required under Applicable Data Protection Law, we will collect a separate
consent from you before processing your Special Categories of Personal Data.
5.5 We also may collect, use and share “Aggregated Data” (as that term is defined by Applicable
Data Protection Law) for any purpose to the extent permitted by Applicable Data Protection
Law. Aggregated Data could be derived from your Personal Data but is generally not considered
Personal Data under Applicable Data Protection Law as this data will not directly or indirectly
reveal your identity. For example, we may aggregate your Usage Data in accordance with
Applicable Data Protection Law to calculate the percentage of users accessing a specific
feature of the Go Loyalty Program or the Digital Platforms. However, if we combine or connect
Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we
treat the combined data as Personal Data, which will be used in accordance with this Privacy
Notice.
6. What happens if you do not provide us with the Personal Data we request or ask that we
stop processing your Personal Data?
If you do not provide us with the necessary Personal Data, or ask us not to process your
Personal Data, we may not be able to perform the activities that you are expecting from us (for
example, to provide you with information, or goods or services) or we may be prevented from
complying with our legal obligations. In this case, we may have to review your request or
otherwise not fulfil your expectations – in which case we will seek to notify you.
7. Where do we collect Personal Data about you from?
The following are the different sources from which we may collect Personal Data about you:
7.1 Directly from you. This is Personal Data you provide to us, such as through participating in
the Go Loyalty Program, visiting our Digital Platforms or through direct correspondence with
us, or via other direct interactions with us such as completing a form on our Digital Platform,
applying for Go Points or Benefits, applying for a career with us, creating an account on our
Digital Platform / signing up as a Member of the Go Loyalty Program, subscribing to our service
or publication, requesting marketing to be sent to you, entering a competition or prize draw,
promotion or survey, giving feedback, contacting us by any means to submit an enquiry,
complaint, etc.
7.2 From an agent/third party acting on your behalf.
7.3 From publicly available sources. We may use the following public sources:
(a) social media;
(b) events (e.g. participation in promotional events; visits to tourism locations);
(c) directories.
7.4 From analytics providers, advertising networks, search information providers, or
providers of technical, payment (i.e. third party payment gateways) and delivery
services.
7.5 Through any marketing communication we may send you, or through email
communications sent from or received by us. You can opt-out of receiving promotional
emails from us at any time by following the instructions as provided in emails to click on the
unsubscribe link, or emailing us at the email address set out in Section 19 below with the word
UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt-out of non-promotional
emails, such as those about transactional relations.
7.6 Through automated technologies or interactions. As you interact with our Digital Platform
or download/install our app(s), we will automatically collect Technical Data about your
equipment, browsing actions and patterns. We collect this Personal Data by using cookies,
server logs, and other similar technologies. We may also receive Technical Data about you if
you visit other digital platforms employing tracking technologies, including cookies.
8. How and why do we use your Personal Data (lawful basis for processing and purposes
for collecting and processing Personal Data)?
8.1 We want to give you the best possible user/customer experience while fulfilling our role in
developing the tourism sector in Saudi Arabia. In order to do so, we need to paint an accurate
picture of who you are, and what your preferences are, by combining different types of Personal
Data we have collected relating to you.
8.2 We will only use your Personal Data when the law, including Applicable Data Protection Law,
allows us to do so. Under Applicable Data Protection Law, it may be necessary to justify the
use of Personal Data under one of a number of legal grounds (lawful basis for processing). This
means that we will only collect Personal Data for specified, explicit and legitimate purposes,
and should not process the Personal Data in a manner incompatible with those purposes unless
in limited circumstances. We will only use your Personal Data for the purposes for which we
collected it, unless we reasonably consider that we need to use it for another reason and that
reason is compatible with the original purpose. If we need to use your Personal Data for an
unrelated purpose, we will notify you and we will explain the legal basis which allows us to do
so.
8.3 We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what
we think you may want or need, or what may be of interest to you. This is how we decide which
products, services and offers may be relevant for you. You will receive such marketing
communications from us if you have requested information from us or purchased/received
goods or services from us and you have opted into receiving that marketing. You can ask us or
our affiliates to stop sending you marketing messages at any time - by logging into the Digital
Platform and adjusting your marketing preferences, by following the opt-out links on any
marketing message sent to you, or by contacting us at any time. (Opting out of receiving
marketing messages will not affect any transactional or service messages that we need to send
to you in the context of transactions or services.)
8.4 In summary, we use your Personal Data to allow us to perform our obligations to you, offer you
the best possible customer experience in line with our legitimate interests, and to enable us to
comply with all of our legal obligations. The specific purposes for which we will process your
Personal Data and the corresponding lawful basis for processing are listed in the Schedules.
Please note that we may process your Personal Data without your knowledge or consent, in
compliance with the above rules, where this is required or permitted by law.
9. For how long do we keep your Personal Data?
9.1 We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes
we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting
or reporting requirements. We may retain your Personal Data for a longer period in the event
of a complaint or if we reasonably believe there is a prospect of litigation in respect to our
relationship with you.
9.2 We consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm
from unauthorised use or disclosure of your Personal Data, the purposes for which we process
your Personal Data and whether we can achieve those purposes through other means, and the
applicable legal, regulatory, tax, accounting or other requirements - to determine the
appropriate retention period for Personal Data.
9.3 In some circumstances we may anonymise your Personal Data so that it can no longer be
associated with you, in which case we may retain and use such information without further
notice to you. Once you are no longer (as applicable) a customer, user, employee of us, then
we will retain and securely destroy your Personal Data in accordance with Applicable Data
Protection Law.
10. Who do we share your Personal Data with?
10.1 Our own personnel have access to your Personal Data for the performance of their duties. We
may share your Personal Data with other related entities to perform our role in the Saudi tourism
ecosystem, in the context of assessing or reporting on activities or our performance, in the
context of the reorganisation of STA, for system maintenance support and hosting of data, and
for other operational reasons of this nature.
10.2 We may also share your Personal Data with our service providers (known as “trusted third
parties”) involved in the provision of the information or services you have requested from us via
our Digital Platforms for lawful purposes in order to help us run our business. We rely on such
trusted third parties for a range of our business operations and provision of services. We have
agreements in place with these service providers to protect the confidentiality of your Personal
Data. We do not share your Personal Data with third parties for their own marketing purposes,
except with your specific consent.
10.3 If we share your Personal Data with trusted third parties, we:
(a) only provide them with the information needed for their specific services/specific
purpose;
(b) enter into adequate contractual arrangements designed to ensure that they may only
use your Personal Data for the exact purposes we specified in our contract with them;
(c) collaborate closely with our trusted third parties to ensure that your privacy and
Personal Data are protected; and
(d) where we stop using the services of our trusted third parties, we ensure any of the data
held by them is securely deleted or put beyond further use.
10.4 In summary, our trusted third parties include:
(a) third party providers of payment gateways;
(b) suppliers/ service providers (e.g. delivery couriers, e-commerce service providers,
technicians for handling complaints or fraud management, IT companies and providers
who support the Go Loyalty Program and the Digital Platforms);
(c) professional advisors (e.g. bankers, auditors and lawyers);
(d) insurance (e.g. insurance brokers);
(e) direct marketing companies that help us in our e-communications with our customers;
(f) outsourcing certain business functions. For example, we may use service centres to
whom we outsource functions such as document and information management, office
support, technology and IT services, word processing, photocopying and translation
services (we have agreements in place with these service providers to protect the
confidentiality and security of information (including Personal Data) shared with them).
10.4.2 We also may share your Personal Data with vendors and other parties for analytics and
advertising purposes. These parties may act as our service providers, or in certain contexts,
independently decide how to process your Personal Data. These third parties may include:
(a) social media channels (e.g. Instagram, Facebook) to show you interesting products
while you browse the internet, depending on your acceptance of cookies on our Digital
Platform (see Cookie Policy) or your consent to direct marketing;
(b) data analytics/insight companies to help us ensure your details are maintained
accurate and up to date; or
10.5 We may, from time to time, be required to disclose your Personal Data to authorities, such as
the police, law enforcement, regulatory and/or government agencies, in relation to legal
investigations or proceedings conducted anywhere in the world, if required by applicable law or
regulation, or if we reasonably believe it is necessary to protect STA, other customers, or the
public. We will usually notify you before responding to such queries, except where the
circumstances restrict us from doing so. We take your privacy into consideration and address
such requests on a case-by-case basis.
11. What happens if there is a change of control?
If a change happens to the organisation of STA, or the government authorities responsible for
tourism in Saudi Arabia are restructured, then the new ‘successor’ entity may use your Personal
Data in the same way as set out in this Privacy Notice and your Personal Data may be
transferred to such new entity according to the terms of this Notice.
12. Do we transfer your data outside Saudi Arabia?
12.1 We typically utilize data centres located in Saudi Arabia. Accordingly, if you are located outside
Saudi Arabia, we may transfer your Personal Data outside your country of residence. Where
required by Applicable Data Protection Law, you can expect a similar degree of protection in
respect of your Personal Data.
12.2 If you are subject to a jurisdiction that requires adequate levels of protection for Personal Data,
we may transfer your Personal Data to countries that have been deemed to provide an
adequate level of protection for Personal Data pursuant to Applicable Data Protection Law. In
the absence of an adequacy decision, whoever we transfer your Personal Data to outside your
jurisdiction will ensure a similar degree of protection is afforded to your Personal Data by
ensuring appropriate safeguards are in place. Appropriate safeguards may include:
(a) a legally binding and enforceable instrument between public authorities;
(b) Binding Corporate Rules (BCRs);
(c) standard contractual clauses adopted by the local regulatory authority;
(d) standard contractual clauses adopted by a supervisory authority and approved by the
local regulatory authority;
(e) an approved code of conduct; or
(f) an approved certification mechanism.
We will also obtain a separate consent where the Applicable Data Protection Law requires.
12.3 More information about how we safeguard your Personal Data as related to transfers and/or to
request a copy of the model clauses, can be obtained by contacting us.
13. Do we make automated decisions concerning you?
Go Loyalty Program Operator does not carry out processing based on automated decision-making,
including profiling; however, we will notify you in writing if this position changes.
14. Analytics and Advertising
14.1 We use analytics services to help us understand how users access and use the Digital
Platforms. In addition, we work with agencies, advertisers, ad networks, and other technology
services to place ads on other websites and services. For example, we place ads through social
media platforms that you may view on their platforms as well as on other websites and services.
14.2 As part of this process, we may incorporate cookies and tracking technologies into our Digital
Platforms (including our website and emails) as well as into our ads displayed on other websites
and services. Some of these tracking technologies may track your activities across time and
services for purposes of associating the different devices you use, and delivering relevant ads
and/or other content to you (“Interest-based Advertising”).
14.3 In addition, the companies we work with to provide you with targeted ads are required to give
you the choice to opt out of receiving targeted ads. To learn more about the targeted ads
provided by these companies, and how to opt out of receiving certain targeted ads from them,
please visit: (i) https://www.aboutads.info/choices; and (ii)
https://www.networkadvertising.org/choices. Opting out only means that the selected
participants should no longer deliver certain targeted ads to you, but does not mean you will no
longer receive any targeted content and/or ads (e.g. in connection with the participants’ other
customers or from other technology services).
14.4 Please note that if you opt out using any of these methods, the opt out will only apply to the
specific browser or device from which you opt out. We are not responsible for the effectiveness
of, or compliance with, any opt out options or programs, or the accuracy of any other entities’
statements regarding their opt out options or programs.
14.5 See our Cookie Policy for more details on cookies and tracking technologies.
15. How do we secure your Personal Data?
15.1 We are required, under the Applicable Data Protection Law, to implement appropriate technical
and organizational security measures to ensure your Personal Data is properly protected.
These measures are designed to prevent your Personal Data from being accidentally lost, used
or accessed in an unauthorised way, altered or disclosed.
15.2 This is done in a manner designed to be proportionate to the risks faced by you if your Personal
Data is compromised. We implement measures designed to protect Personal Data we hold and
limit access to your Personal Data by those employees, agents, contractors and other third
parties who have a business need to know. Some of these measures include putting access
controls in place, and restrictions based on function and role on who can access your Personal
Data, even within our organisation. These controls are designed to ensure that your Personal
Information is only processed on instructions and that they are subject to a duty of
confidentiality.
15.3 All of our online databases and filing systems are password protected, and restricted only to
authorised personnel. We also record access to Personal Data by having access logs in place.
We have a customer off-boarding process in place to ensure that once your data is no longer
necessary for the specified purpose (and/or the lawful basis in the Schedules) no longer
applies, all access within Go Loyalty Program is revoked.
15.4 When storing Personal Data electronically, we use encryption measures, as appropriate, to
help ensure this Personal Data is secure. Where appropriate, we may also use
pseudonymisation to help secure your Personal Data, especially when special categories of
Personal Data are involved. Additionally, we may anonymise Personal Data where appropriate
and especially in situations where we do not require the identity of the person who the data is
about and where the purposes for keeping Personal Data have elapsed but the data is of value
to our business.
15.5 We have put in place organisational measures and procedures designed to deal with data
security breaches and our staff is trained on the actions to take in the event of a security breach.
This involves who to contact immediately, who is in charge of the investigations that follow and
who escalates the incident to the relevant supervisory authority and to affected individuals,
where necessary. In any case, where required by Applicable Law, we will inform the supervisory
authority and the affected Data Subjects.
15.6 More details about such measures can be obtained by contacting us.
16. What rights do you have in relation to the Personal Data we hold on you?
16.1 Under Applicable Data Protection Law, and depending on your jurisdiction, you may have a
number of rights when it comes to your Personal Data. Further information and advice about
your rights can be obtained by contacting us.
16.2 We usually act on requests and provide Personal Data free of charge, but may charge a
reasonable fee to cover our administrative costs of providing the Personal Data for:
(a) baseless or excessive/repeated requests; or
(b) further copies of the same Personal Data.
Alternatively, we may be entitled to refuse to act on the request in such circumstances.
16.3 Please consider your request responsibly before submitting it. We will respond as soon as we
can. Generally, this will be within one month from when we receive your request but this could
vary depending on the nature of the request.
17. What we may need from you
17.1 We may need to request specific information from you to help us confirm your identity and
ensure your right to access your Personal Data (or to exercise any of your other rights). This is
a security measure to ensure that Personal Data is not disclosed to any person who has no
right to receive it. We may also contact you to ask you for further information in relation to your
request to speed up our response.
17.2 We may also need your contact details. We may contact you by email or social media. (If you
prefer a particular contact means, please let us know.)
18. Third-party links
Our Digital Platforms may include links to third-party websites, plug-ins and applications.
Clicking on those links or enabling those connections may allow third parties to collect or share
data about you. We do not control these third-party websites and are not responsible for their
privacy statements. When you leave any of our Digital Platforms, we encourage you to read
the privacy policy of every website you visit.
19. How can you contact us?
19.1 If you are unhappy with how we’ve handled your Personal Data, or have further questions on
the processing of your Personal Data, our privacy notice and privacy practices, please contact
us through this form.
19.2 You may have the right, under Applicable Data Protection Law, to make a complaint to the
relevant data protection authority. We would, however, appreciate the chance to deal with your
concerns before you make a complaint, so please contact us in the first instance.
SCHEDULE 1 CATEGORIES OF PERSONAL DATA
We may collect the following types of personal data about you pursuant to this Privacy Policy:
Type of Personal Data: Details
A. Identity Data: First name, last name, username or similar identifier, marital status and dependants, title, date of birth and gender, identification number (e.g. passport number or national ID number)
B. Contact Data: Billing address, delivery address, email address, telephone numbers, preferences regarding marketing and communications
C. Demographic and Profile Data: Such as your general location, origin, age, preferences, interests, feedback and survey responses
D. Transaction Data: Includes details about payments to and from you, payment card details, and other details of products and services you have purchased from us.
E. Technical Data: Includes [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, information collected through cookies, operating system and platform, and other technology on the devices you use to access the Digital Platform].
F. Usage Data: Includes information about how you use our Digital Platforms, products and services
G. Personal Data Concerning Health: Vaccine status; information on disabilities that may be relevant to the services you request from us; information on health insurance coverage that may be relevant to the services you request from us
H. Personal Data relating to criminal convictions or related security measures: Information on criminal convictions that may be relevant to the services you request from us
I. Personal Data revealing racial or ethnic origin (e.g. passports or visas): Information on national origin that may be relevant to the services you request from us