Privacy Policy
Tarabut Holding Limited, its subsidiaries and affiliates ("Tarabut") respects your right to data privacy. In this Notice, “You” or “Your” refers to data subjects [customers (individual or corporate), employees, website visitors, or contingent workers] whose personal data is being processed by Tarabut.
Our company is committed to safeguarding your personal data and ensuring its confidentiality, integrity, and security. We implement stringent security measures to protect your information from unauthorised access, disclosure, or misuse. As part of our ongoing efforts, all employees receive regular training on data privacy, best practices for data protection, and how to securely handle and manage personal information in compliance with the applicable data protection laws and regulations.
This privacy notice explains who we are, how we collect, share, and use personal data about you, and how you can exercise your data privacy rights. The details on what personal data will be processed and which method will be used depend significantly on the services applied for or agreed upon.
If you have any questions or concerns about our processing of your personal data, then please contact us at: support@tarabut.com.
This Data Privacy Notice is governed by the following applicable Data Protection Laws:
Region |
Law |
Abbreviation |
Dubai International Financial Center |
Data Protection Law DIFC Law No. 5 of 2020 |
DIFC |
Abu Dhabi Global Market |
ADGM Data Protection Regulations of 2021 |
ADGM |
United Arab Emirates |
Personal Data Protection Law (Federal Decree by Law No. 45 of 2021) |
UAE’s PDPL |
Kingdom of Bahrain |
Personal Data Protection Law No. 30 of 2018 |
Bahrain’s PDPL |
Kingdom of Saudi Arabia |
The Personal Data Protection Law 2021 |
KSA’s PDPL |
United Kingdom |
General Data Protection Regulation ((EU) 2016/679)] and United Kingdom Data Protection Act 2018 |
GDPR and UKDPA respectively |
In addition to the laws mentioned above, Tarabut is also governed by data protection requirements imposed by Central Bank of the UAE (CBUAE) such as:
- Article 6.1 of the Consumer Protection Regulation
- Article 6.1 of the Consumer Protection Standards
- Article 22 of the Open Finance Regulation
In the event of a dispute arising in connection with the terms stated in this Privacy Policy and/or implementation of the services, such disputes shall be referred to the Courts of the applicable governing jurisdictions.
1. Definitions
1.1. Authority
The personal Data Protection Authority (“DPA”) is the public body that oversees compliance with provisions of privacy laws.
- In the UAE, the DPA has not been established yet.
- In Bahrain, the Ministry of Justice, Islamic Affairs, and Waqf has been assigned as the DPA.
- In the KSA, the Saudi Authority for Data and AI has been assigned as the DPA.
- In United Kingdom, the Information Commissioner has been assigned as the DPA.
1.2. Client, Costumer or End-User
It refers to a customer that is an individual, or a corporate customer (Bank, Merchant, FinTech, etc.) or a user of the Tarabut’s Services and includes users to the customer who has provided consent to Tarabut for Processing of their Personal Data.
1.3. Consent
Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
1.4. Cookies
Cookies means small files store on Data Subject’s device (computer system or mobile device).
1.5. Data Breach
Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored, or otherwise processed.
1.6. Data Controller
A natural or a legal person who decides, solely or in association with others, the purposes and means of the Processing of certain Personal Data. In the events where such purposes and means are prescribed by Law, the data controller shall be the person who is responsible for the processing.
1.7. Data Governance Committee
Tarabut’s Data Governance Committee undertakes the tasks of ascertaining the extent to which the organisation complies with the controls, requirements, and procedures stipulated by the relevant privacy laws.
1.8. Data Processor
A natural or a legal person who processes Personal Data for and on behalf of Tarabut. The Processing is undertaken under Tarabut’s supervision and in accordance with its instructions.
1.9. Data Receiver or Recipient
Any person to whom personal data are disclosed, whether a third party or other, without including the person to whom data are revealed in order to exercise a specific legal jurisdiction or perform a specific public duty.
1.10. Data Subject
The individual or organisation that Tarabut is holding information about, which includes an employee, a client, a customer (directly or indirectly using Tarabut’s Services), a contractor, a supplier, an agent, or any individual who has visited Tarabut’s website or has applied to Tarabut for job.
1.11. Developer
An entity or an individual person accessing or using Tarabut’s Developer Portal under their sole discretion or on behalf of another entity.
1.12. Developer Portal
The development and sandbox environment that is provided by Tarabut.
1.13. Direct Marketing
Any communication, by any means, through which marketing or advertising material is directed to a specific person.
1.14. Joint Controller
Where two or more controllers jointly determine the purposes and means of processing, they shall be labelled as joint controller(s).
1.15. Personal Data
Any information as defined under then Data Protection Laws that can be used to identify an individual or legal person, whether directly or indirectly, and may include, but is not limited to name, email address, postal address, mobile phone number, location information, an online identifier such as login information, or to one or more factors specific to your physical, physiological, biometric, economic, cultural or social information..
1.16. Processing
Any operation or set of operations carried out on personal or Sensitive Personal Data by automated or non-automated means, such as collecting, recording, organising, classifying, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.
1.17. Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, in particular, to analyse or predict aspects concerning that data subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
1.18. Security Incident
An event or occurrence that affects or tends to affect data protection or may compromise the availability, integrity, and confidentiality of personal data.
1.19. Sensitive Personal Data
Any Personal Data that reveals, directly or indirectly, a ‘Data Subject’’s race, ethnicity, philosophical or political views, religious beliefs, union affiliation, criminal record, or any related data to his/her health, genetic, biometric, or sexual status. Sensitive Personal Data also includes data that indicates that one or both of an individual’s parents are unknown.
1.20. Services
Services means account information services (AIS), payment initiation services (PIS), or developer portal services, open banking related services and any other services provided by Tarabut Group.
1.21. Tarabut Staff
Tarabut staff refers to all individuals employed by Tarabut, including employees, contractors, and third-party personnel, who have access to or handle personal data as part of their responsibilities. They are expected to adhere to the data protection policy to safeguard the privacy and confidentiality of personal information in their possession.
1.22. Tarabut Group
It includes Tarabut Holding Limited, Tarabut Gateway W.L.L., Tarabut Gateway Limited, Tarabut Gateway (DIFC) Limited, Tarabut Gateway for Information Technology (LLC), Tarabut Gateway UK Limited, Bawabat Altarabut Information Technology L.L.C. and Vyne Technologies Limited
1.23. Third party
Any person other than:
- Data Subject;
- Data Controller;
- Data Processor;
- Data Governance Committee; or
Any person working under the supervision of the Data Controller or Data Processor and authorised to process data on behalf of the Data Controller or Data Processor.
1.24. Transfer
The transfer of Personal Data from one country or territory to another.
2. Application and acceptance
2.1. This Privacy Policy applies to following:
· Data Subjects,
· everybody who accesses Tarabut’s website (www.tarabut.com),
· people who use Tarabut’s services; and
· businesses who contact the Company to receive its products or services including payment services, access other merchant services, potential business customers including payment gateways or integrator partners (“Merchants”).
2.2.
Everyone mentioned above must read this Privacy Policy in its entirety and carefully.
2.3.
By utilising Tarabut’s Services, providing information through the website or any other channel related to Tarabut, or when applying for a job through any of the social media channels/ other portals, the Data Subjects signify acceptance of the terms of this Privacy Policy. Tarabut reserves the right to amend/ update this Privacy Policy. In case of any updates/ amendments in the privacy policy, the Data Subjects shall be notified about the same. The Date Provider may withdraw the consent if they do not consent with the amendment/update in this Privacy Policy.
3. When do we Collect Your Personal Data?
3.1. We primarily collect personal data directly from you for the purposes specified at the time of collection or in Appendix-A in the following manner:
-
For AIS/PIS end-users, Tarabut collects the Personal Data obtained from the Account Servicing Payment Services Providers [i.e., any payment service provider, such as a bank or a credit card issuer that maintains an online payment account on behalf of the End-User].
-
For Clients, Tarabut collects Personal Data from the Know Your Business (“KYB”) form and supporting documentation, email correspondences, and information provided during project execution or through third-party sources.
-
For a visitor to Tarabut’s website, Personal Data is collected when subscribing to the newsletter or through the contact us form.
-
For Staff, Tarabut collects Personal Data during the recruitment process and performance reviews either from the Staff, third-party application/process, or is created by Tarabut in course of the recruitment process after obtaining Staff explicit consent.
-
For an Applicant, Tarabut collects Personal Data through social media platforms, other recruiting portals, email correspondence, information provided by the Data Subject via email and through Tarabut career page in its website.
-
For a Developer, Tarabut collects Personal Data during registration to the Developer Portal.
3.2.
In some instances, Tarabut may collect non-personal (aggregate or demographic) data through cookies, weblogs, and web beacons. This information may include, but is not limited to, information such as computer’s internet protocol address (e.g. IP address), browser type, browser version, the pages of website which Data Subject visit, the time spent on those pages, unique device identifiers and other diagnostic data. When Data Subject access Tarabut’s website with a device, the information may also include information such as the type of device they use, device unique ID, the IP address, operating system, the type of internet browser. This information allows Tarabut to better understand and improve the usability, performance, and effectiveness of its website and to correct any problems that may occur. Please read the ”Cookies” section below for more information. Tarabut may also collect and store Data Subject’s location data when they access its website via a mobile device or computer system. Data Subject can enable or disable location services when they use Tarabut’s website at any time through their device settings.
3.3. In certain situations, we may collect personal data from other sources or for different purposes, including:
- With your explicit consent.
- When the data is publicly available or obtained from a publicly accessible source.
- If required for public interest or security purposes, or to comply with legal or judicial obligations.
- If necessary to protect your vital interests or prevent harm.
- For public health and safety, or to protect the life or health of individuals.
- When the data is processed in a way that does not identify you.
- When it is necessary to protect our legitimate interests, provided that your rights and interests are not compromised, and no sensitive personal data is processed.
Direct Interactions
You may give us your identity, contact, resume, or KYC-related information by filling in forms or by corresponding with us by phone, SMS, email, or otherwise:
- Records of your interactions with us like emails and other correspondence and your instructions to us.
- Providing your feedback.
- By filling in forms, for example, to download white papers and / or gather insights on case studies.
- By sharing your personal data such as your resume for recruitment purposes.
- By interacting with us on social media platforms such as Facebook, Instagram, LinkedIn, etc.
- Ordering information regarding our products or services.
- Subscribing to our services, publications, or newsletters.
- Requesting marketing material notifications to be sent to you.
- By sending us emails and text messages
- By adding posts, reviews, and other comments to our website; and
- By liking or disliking our offers and promotions.
Automated Technologies or Interactions
Direct log files
Log information is data about your use of the service, such as IP (Internet Protocol) address, browser type, referring / exit pages, operating system, date / time stamps, and related data, which is stored in log files.
Cookies
- Tarabut uses technologies such as Cookies and web beacons, which allow it to make Data Subject visit to its website easier, more efficient, and more valuable by providing with customised experience and recognition when they return.
- A Cookie cannot read Personal Information off Data Subject’s hard disk or read Cookie files created by other websites. The only Personal Information a Cookie can contain is information that Data Subject has supply themselves. Accepting the Cookies used on Tarabut’s website or portal may give them access to usage information about Data Subject’s browsing behaviour, which Tarabut may use to personalise Data Subject’s experience.
- In addition, Tarabut uses web beacons in conjunction with Cookies to understand user behaviour. Web beacons are simply a convenient way of gathering basic statistics and managing Cookies and do not give away any extra information from Data Subject’s computer. Turning off browser’s Cookies will prevent web beacons from tracking Data Subject’s specific activity.
- If Data Subject prefer not to receive Cookies while browsing Tarabut’s website or portal, they can set their browser to warn them before it accepts Cookies or refuse the Cookie when their browser alerts them to its presence. They may browse most of website or portal without accepting Cookies, however some functionality may be lost by disabling Cookies on their device. Certain features of the website or portal, particularly those which require a login and password, require Cookies, and cannot be used when Data Subject have disabled Cookies in their browser.
Third Parties or Publicly Available Sources
We may receive aggregated personal data about you from various third parties, via public domains such as:
- Technical data from the following parties:
- Analytics providers such as Google, Facebook, etc.
- Social media platforms such as Facebook, X, Instagram, LinkedIn, etc.
- Personal data gathered from publicly available directories / registers are processed fairly, and lawfully with an adequate level of security and are not excessive concerning the purpose for which they are collected.
4. Data Collection from Minors?
If you are under 18, or if you reside elsewhere and are not yet of legal age in your jurisdiction, we are not permitted to contract with you directly. If required by local legislation, your guardian must acknowledge and consent to the terms of this Data Privacy Notice on your behalf. Should we need to obtain your consent for processing your personal data for specific purposes, such consent must be provided by your guardian.
5.What Personal Data do we Collect?
We may collect, store, and use the following categories of personal data about you (for details please refer to the Appendix A):
Identity Data
- First name
- Last name
- Username
- National ID
- Date of birth
- Home address
- Phone numbers
- Passport number
- Gender
- Iqama ID details
- Driving license
- Photographs
- Occupation details
Financial Data
- Bank account number (IBAN #)
- Name as per bank account
- Credit card numbers
- Account balances, statements, transactions, and beneficiary
- Standing Order Derayls
Contact Data
- Email addresses
- Telephone numbers / contact numbers
- Billing addresses
- Shipping / delivery addresses
Transaction Data
Details about payments to and from you and other details of products and services you have purchased from us. These include any relevant billing and delivery addresses. This includes the banking or financial institutions you make payments from via our services, dates, amounts, and beneficiary (merchant) details.
Technical Data
- Internet protocol (IP) address
- We also track how often you visit and use our website. We do this via email and website cookies and similar tracking technology built into our website.
- Please see our Cookie Notice for further details.
Profile Data
- Your interests, preferences, feedback, and survey responses.
- Profile image; and
- About you (mentioned in resume including qualifications).
- Usernames and passwords to access the insurance portal.
Usage Data
- Information about how you use our website, products, and services; and
- For information on what you view, click on, or access by way of our emails and text messages, website and mobile.
Marketing and Communications Data
We may ask you to leave a review or take a survey to provide you better services. We may also collect your personal data for responding to your queries and comments, social media posts, and questions / queries. If you would like to opt-out / unsubscribe from marketing or promotional communications from Tarabut, you can do so by reaching out to support@tarabut.com or fill out form here.
Aggregated Data (sometimes referred to as anonymised data)
Tarabut also collects, uses, and shares aggregated data (sometimes referred to as anonymised data) such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in the applicable law(s) as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this data privacy notice.
Login Data
It may include the username or other customer identifier you use to log in to your online banking, your online banking password, and any security or authentication codes sent to you by your bank when you set up a payment with us.
Sensitive Personal Data
Tarabut does not collect, store, and use the following sensitive personal data:
- Information about your race or ethnicity, religious beliefs, and sexual orientation.
- Any criminal records in relation to you, and
- Biometric information about you, for example, fingerprints, and retina scans.
Our intent is not to collect or process any sensitive personal data about you unless required by applicable laws. And it is only collected after obtaining explicit consent from you. However, in certain circumstances, we may need to collect or request your sensitive personal data for employment-related purposes via resume shared for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws and for government reporting obligations.
6. How and why do we use Your Personal Data?
We will only use your personal data when the law allows us to. We will use your personal data in the following circumstances:
- For provision of Services;
- The processing is necessary for reasons of substantial public interest, or for official purposes or requested for or by the police or governmental authorities on a lawful basis.
- It is necessary for the establishment, exercise, or defence of legal claims, for the purposes of carrying out the obligations and exercising your rights in the field of employment, social security, and social protection law; or
- Based on your explicit consent.
- Where we need to perform the contract, we have entered with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where processing is necessary in order to protect your vital interests or those of another natural person.
Legitimate Interest
- Means the interest of our business in conducting and managing our business to enable us to give you the best service / product and the best and most secure experience.
- We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
- We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by-laws); and
- We may also use your personal data in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest or for official purposes.
Purpose / Activity, Type of Data, and Lawful Basis for Processing
Tarabut has set out below a description of all the ways we plan to use your personal data, and which of the legal base(s) we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
Note that Tarabut may process your personal data for more than one lawful basis depending on the specific purpose for which Tarabut is using your data.
However, Tarabut normally collects personal data from you only where Tarabut has your consent to do so, where Tarabut needs the personal data to perform a contract with you, or where the processing is in the legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In certain cases, Tarabut may also have legal obligations to collect personal data from you or may otherwise need the personal data to protect your vital interests or those of another data subject.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
If Tarabut requests any personal data not mentioned in this notice, we will clearly explain the type of data being requested and the purpose for collecting it at the time of collection.
However, Tarabut may also use your personal data for other purposes such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where they are permitted by applicable laws.
In addition to some of the specific uses of information this Privacy Policy covers, Tarabut may use information that it receives in order to:
- manage, develop, operate, improve, deliver, maintain, and protect its services;
- develop and test new products/services which Tarabut is developing [severally or in collaboration with other business(es)];
- communicate by all means of communications, including by email (for example, to exchange information about its services and promotional offers that it thinks may interest data subjects);
- monitor, analyse trends and usage;
- enhance the safety and security of services;
- verify Client or End-User identity and prevent fraud or other unauthorised/illegal activity;
- verify accounts, records, and information
- satisfy governmental agencies' requirements.
- manage the data and data bank
Tarabut may analyse and evaluate Data Subject information in an automated manner so as to identify significant characteristics or to predict insights and to create profiles which may be used for business related checks, product development and management.
Promotional Offers from Tarabut
If you have explicitly consented to receive marketing information from Tarabut, Tarabut may use your identity, contact, technical, usage, and profile data to form a view on what Tarabut thinks you may want or need, or what may be of interest to you. This is how Tarabut decides which products, services, and offers may be relevant for you.
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us or if you provided us with your details when you entered a competition or registered for an event / promotion and, have not withdrawn your consent to receiving such information.
Third-Party Marketing
Tarabut shall get your explicit consent for sharing your personal data for any marketing activities carried out by our third-party service providers. In such cases, we shall provide you with an option to withdraw your consent from receiving such marketing promotions from our third-party service providers.
Request to Withdraw Consent
At any point, if you wish to withdraw your consent to receive marketing / promotional information from Tarabut, you can write an email to support@tarabut.com or fill out form here.
Kindly note that this does not apply to personal data provided to us due to a product/ service subscription/ purchase or other transactions.
Change of Purpose
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to process your personal data for a purpose other than the one for which it was originally collected, we will first obtain your consent, unless an exception under the law applies. You have the right to withdraw your consent at any time, as governed by the applicable regulations.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the contact details provided.
Processing Without Consent
In certain circumstances, we may process your personal data without your explicit consent:
- If processing serves your actual interests but communicating with you is impractical or impossible.
- If processing is required by law or to fulfil an agreement to which you are a party.
- If processing is necessary for security purposes or to meet judicial requirements.
- If processing is necessary for our legitimate interests, provided it does not infringe on your rights and interests and does not involve sensitive personal data.
Disclosure of Personal Data
We will not disclose your personal data except in the following situations:
- If you have consented to the disclosure in accordance with the applicable laws.
- If the data has been collected from a publicly available source.
- If the disclosure is requested by a public entity for public interest or security purposes, or to comply with another law or judicial requirements.
- If the disclosure is necessary to protect public health, safety, or the lives or health of specific individuals.
- If the disclosure involves subsequent processing in a manner that makes it impossible to identify you directly or indirectly.
- If the disclosure is essential for achieving our legitimate interests, provided it does not infringe on your rights and interests and does not involve sensitive data.
However, we will not disclose your personal data if such disclosure:
- Threatens security or harms the reputation of the countries in which Tarabut operates.
- Impedes crime detection, affects the rights of an accused to a fair trial, or impacts the integrity of criminal procedures.
- Compromises individual safety.
- Violates the privacy of individuals other than you, as set out in applicable regulations.
- Conflicts with the interests of individuals who lack legal capacity.
- Breaches professional obligations or judicial decisions.
- Exposes confidential sources in a manner harmful to the public interest.
7. Who do we Share Your Personal Data With?
On occasion, we may have to share your personal data with the parties below for the purposes set out.
Group Entities / Subsidiaries
Tarabut shall share your personal data with its parent/ group entity / entities for reporting purposes, having similar arrangements, to be able to provide you with the same value for money and high-quality experience for the services provided to you by us. It is also the only way we can provide you with the best benefits.
External Third Parties
- Regulators and other authorities based in the Kingdom of Saudi Arabia, the United Arab Emirates, the Kingdom of Bahrain, or the United Kingdom who request reporting of processing operations in certain circumstances.
- With social media companies such as Facebook, Twitter, LinkedIn, and others: they run promotions for us on their platforms.
- Any new business partners: we may have over time, for example, in the event of a joint venture, reorganisation, business merger, or sale that affects us.
- We may share your personal data with the police, local authorities, courts, or other government authorities if legally required. Additionally, we may share your data with government electronic systems and software, such as the NPHIES platform, which provides a unified health record system to ensure compliance with privacy and confidentiality regulations.
- Other people who make a ‘data subject access request’: where we are required to do so by law.
- We may use your personal data to investigate fraudulent claims or applications made by insurance policy holders, including cases of large-scale or organised fraud, medical malpractice, and to conduct Anti-Money Laundering (AML) checks.
- We may also share the information we collect where we are legally obliged to do so, e.g., to comply with a court order.
- Any social media posts or comments you send to us: (on Tarabut’s Facebook page, for instance) will be shared under the terms of the relevant social media platform (e.g., Facebook, X, LinkedIn, or other) on which they are written, and could be made public. Other people, not Tarabut, control these platforms. Tarabut is not responsible for this kind of sharing. Before you make any remarks or observations about anything, you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you will understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you are unsatisfied about it. It is worth remembering that any blog, review, or other posts or comments you make about us and/or our products and services on any of our blogs, reviews, or user community services will be shared with all other members of that service and the public at large. You should take extra care to ensure that any comments you make on these services, and on social media in general are fit to be read by the public, and are not offensive, insulting, or defamatory. Ultimately, you are responsible for ensuring that any comments you make comply with any relevant policy on acceptable use of those services.
- Third parties / data processors: to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change occurs in our business, we will notify you, and the new owners may use your personal data in accordance with the terms outlined in this privacy notice. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers / data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions / third-party agreements. We share Tarabut Staff’s Personal Data with third parties (like employment agencies, background checks, online test providers, credit reference agencies, regulators, and competent authorities) for the purposes of processing applications. We will also share Personal Data with its affiliates and subsidiaries for the purposes of administration, accounting, and reporting purposes.
- Client/ Customer: by utilising Tarabut’s AIS/PIS services as an ‘End User,’ the Personal data will be shared with the Client as per the contractual arrangement.
International Transfers
Tarabut may share your personal data within the parent / group entity on a need-to-know basis with the confidential obligation mentioned herein. We shall affect the transfer as per the applicable Data Protection Laws and shall ensure compliance with the same while transferring the Personal Data.
Some of our external third parties are based outside the countries in which Tarabut operates in, so their processing of your personal data will involve a transfer of data. Whenever we transfer your personal data, including cloud hosting, backup systems, or data recovery sites, the country the data is being transferred to, is a country or territory which has equivalent or higher Personal Data protection laws and if required the Data Protection Authority approval will be sought.
In cases where data may need to be transferred to countries with no adequate data protection laws in place, we will notify the Data Subjects, and the appropriate safeguards will be deployed to ensure the security of the Personal Data being transferred.
Data Subjects hereby consents to transfer if their Personal Data to processor/ sub-processors mentioned below:
Processor/ Sub-processor: |
Purpose of Processing: |
Privacy notice |
ZINC |
Employee’s background screening |
|
|
|
|
ENBOARDER |
Managing employee’s onboarding |
|
HUMAANS |
Managing employee’s profile information |
|
AWS |
Cloud storage of customer data in Kingdom of Bahrain. |
https://aws.amazon.com/privacy/?nc1=f_pr |
OCI |
Cloud storage of in Kingdom of Saudi Arabia. |
https://www.oracle.com/legal/privacy/ |
Tarabut’s processors and sub-processors undergo a third-party due diligence process to ensure data integrity, data privacy and data security are in compliance with applicable laws.
Please contact us if you want further information on how we transfer your personal data.
8. How do we Protect Your Personal Data?
Tarabut uses appropriate technical and organisational measures to protect the personal data that it collects and processes. The measures Tarabut uses are designed to provide a level of security appropriate to the risk of processing your Personal Data.
A lot of the information we receive reaches us electronically, originating from your devices, and is then transmitted by your relevant telecoms network provider. Where it is within our control, we put measures in place to ensure this ‘in flight’ data is as secure as it possibly can be. However, we cannot guarantee the safety of the in-transit Personal Data during transmission.
Sensitive data like passwords are protected for data in transit by data encryption. In addition to encryption, we have implemented robust network security controls to help protect data in transit.
We do not permit the copying of official documents that identify data subjects, except where required by law or if a competent public authority requests such copying in accordance with applicable regulations.
Tarabut uses secure means to communicate with you where appropriate, such as ‘https’ and other security and encryption protocols.
9. How Long will we Keep Your Personal Data?
We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, and such retention is in accordance with the applicable data protection laws. Once the purposes are met, we will securely destroy the data without undue delay, unless there is a legal requirement to retain it for a specific period. In such cases, we will retain the data until the legal retention period expires or the original purpose is fulfilled, whichever is longer. Additionally, if the data is needed for an ongoing judicial matter, we will retain it until the legal process is concluded. Tarabut defines the length of the Personal Data retention period after considering the following factors:
- Tarabut’s contractual obligations and rights in relation to the Personal Data involved (including the Terms and Conditions provided when utilising services);
- Legal obligations and legal retention period as defined in the applicable Data Protection Laws;
- Whether Tarabut has relied on the Client or End-User consent to use the Personal Data, but the consent has been later withdrawn;
- Tarabut’s legitimate interests;
- Fraud and risk management;
- Potential disputes, and guidelines issued by relevant data protection authorities.
Data Subjects data will be held in the cloud service provider.
10. What are Your Rights as a Data Subject?
Your rights in connection with personal data:
Under certain circumstances, by law, you have the right to:
- Be informed of all details regarding the processing of your personal data;
- Access a copy of all personal data belonging to you;
- Transfer your personal data to another data controller;
- Rectify and block inaccurate, incomplete, or outdated personal data;
- Erase your personal data;
- Object to processing of your personal data where solely automated profiling tools are used and where the processing causes moral or material damages to you;
- Opt-out of direct marketing;
- Withdraw your consent at any given time;
- Complain to the relevant data protection authorities;
- Amend, complete, or update your Personal Data.
Please kindly send mail to the email Id support@tarabut.com or fill out form here for exercising any of the above rights. The rights of Data Subjects can be exercised free of charge.
Responding to Your Requests
Depending on the request raised, Tarabut will respond to all legitimate requests in accordance with the timelines mandated by the applicable data protection laws. Occasionally, it may take us longer than usual to respond if your request is particularly complex or if you have made a number of requests simultaneously. In this case, we will notify you and keep you updated.
11. What May Tarabut need From you?
Tarabut may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We may also contact you to ask for further information in relation to your request to speed up our response. If you wish to exercise any of the rights set out above, please contact us at support@tarabut.com or fill out form here.
Your duty is to inform us of changes.It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes by keeping your details up to date on our website and by sharing your updated details at support@tarabut.com.
12. Indemnity and Limitation of Liability
By using this site, you agree to defend, indemnify, and hold harmless Tarabut, its officers, directors, and employees from any claims, liabilities, damages, losses, or expenses, including reasonable legal fees and settlement costs, that arise from or are related to your access to or use of the site.
Although Tarabut shall make every attempt to keep the Website free from viruses, it cannot guarantee that it is virus / malware-free. For your own protection, you should take the necessary steps to implement appropriate security measures and utilise a virus scanner before downloading any information from the website.
Tarabut, its directors, and its employees shall not be liable in any manner whatsoever for any direct, indirect, incidental, consequential, or punitive damage resulting from the use of, access to, or inability to use the information available on the Website or the services provided by us. Tarabut, its directors, and employees shall not be liable in any way for possible errors or omissions in the contents of the Website.
13. Intellectual Property Rights
All information on this Website is protected by copyright and other intellectual property rights. No images, text, or other content from this website may be distributed or reproduced without prior written approval from Tarabut.
14. Changes to This Data Privacy Notice
We may update this Data Privacy Notice from time to time in response to emerging legal, technical, contractual, regulatory, or business developments. When we update our Data Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any changes if and when this is required by applicable laws.
You can see when this Data Privacy Notice was last updated by checking the “last updated” date displayed at the top of this document. If you have any questions or concerns, please do not hesitate to contact us at support@tarabut.com.
Appendix A – Personal Data Collection
Case |
Type of Personal Data collected |
Purpose of processing |
If you are Tarabut’s customer (Bank, Merchant, FinTech, etc.) |
On-boarding information (KYB), incorporation documents, shareholders identities, contact details, financial statements, other supporting documents (as applicable). |
To conduct due diligence that Tarabut is legally required to undertake to ascertain Client fits regulatory requirements and passes background checks (criminal checks, etc.) |
If you are an End-User of the AIS service |
Account details: account balances, details, statements, transactions, beneficiary, standing order details, etc. Other: Personal Data registered on the account such as name, contact details, phone number, email, and customer identifiers such as ID information (as applicable). |
To successfully deliver the AIS Service. |
If you are an End User of our PIS service |
Transaction Data: includes the banking or financial institutions you make payments from via our services, dates, amounts, and beneficiary (merchant) details. Technical Data, which may include your internet protocol (IP) address, and other data necessary to direct you to your bank or financial institution to initiate a transaction; Contact Data, which may include your email address, in cases where a merchant supplies this in order to deliver Company’s “request to pay” email to you, where we are delivering a receipt or payment status update to you as part of a “request to pay” process, or where a Merchant includes this or other contact information in a payment description. We may also link Contact Data to any feedback you provide us on a payment; Usage Data, which includes anonymous analytical data about how you use our products and services; Financial Data, which may include your bank account details (including sort code and account number and/or IBAN), your billing address, and your full name; Login Data, which may include the username or other customer identifier you use to log in to your online banking, your online banking password, and any security or authentication codes sent to you by your bank when you set up a payment with us. (Note that we only collect this data in limited circumstances when you initiate a payment from a bank in the EEA which requires this, and we never store this data, as described below) |
To successfully deliver the PIS service and monitor customer experience for analytical purposes. |
If you a Merchant |
Contact Data, which includes the full names and contact details of key individuals within your organisation relevant to the service we provide; Identity and Screening Data, which includes information required to verify the identity of your organisation’s representatives and beneficial owners and any other personal data which may be necessary for us to comply with our obligations under Anti Money Laundering (AML) legislation or other regulations; Financial Data, which includes the account details (account name, account number and sort code) of trading accounts you wish to receive payments into; Profile Data, which includes any username or passwords you use to log in to our services or administer your account(s) with us, interests, preferences, feedback, and survey responses; Technical Data, which may include internet protocol (IP) addresses, and other data, which is necessary to facilitate payments, administer your account, manage risk, and comply with our legal and regulatory obligations; Usage Data, which includes analytical data about how you use our products and services. |
To provide services to Merchant as per the contractual arrangement. |
If you are an End-User of our AIS/PIS service and have raised a complaint, query, or wish to exercise any of your legal rights etc. |
Name, email address, supporting information/ documents (nature of the complaint, query, transaction record, etc.) |
To conduct the investigation that is required to resolve any issues faced. |
If you register to the Developer Portal |
Sign up phase: Email id, first name, last name, company name, phone number (optional) Registration phase: Customer company name, customer contact name, customer contract email, account email, sandbox client ID, merchant/client logo, beneficiary account (for PIS) beneficiary account holder name (for PIS), merchant category (for PIS) and maximin transaction limit (for PIS). |
To ensure a seamless user journey for utilising Tarabut products and services.
|
If you are visitor to Tarabut’s official website |
First name, last name, business email, job title, company name, company industry, country, phone number (optional), unique message |
To provide updates on Tarabut’s activities, services, and products. To share details with sales team to get in-touch; to record the marketing preferences and any feedback or responses for the purposes of improving our services. |
If you are a part of Tarabut’s Staff |
Information provided in curriculum vitae, application form, covering letter and during the interview process including: your name, date of birth, age, gender, home address, personal email address, education, qualification and work experience details, and references. Information collected or created by us during the recruitment process including interview notes, test scores and correspondence between us. Information about criminal convictions: Tarabut carry out background checks as part of the recruitment process. Sensitive information like your racial and ethnic origin information and information relating to, religious beliefs, physical or mental health information and immigration/naturalisation records (if this discloses racial/ethnic origin information). Personal Data like marital status will be collected for visa purposes. |
Necessary to enter an employment contract; to comply with a legal or regulatory obligation; have a legitimate interest to ensure the effective administration and management of the recruitment process; ensure Tarabut hires suitable individual for a role; deal with disputes and accidents and take legal or other professional advice; and ascertain Staff fitness to work. Special category data is processed to consider the need to provide appropriate adjustments during the recruitment process and to ascertain fitness to work for equal opportunity monitoring purposes. Criminal conviction information is processed to assess suitability for regulation purposes; to protect interests, because it is necessary in relation to legal claims. Tarabut is allowed to utilise Staff personal information where it is necessary to carry out employment rights and obligations. |
If you are an applicant |
Name, contact details, email address, cover letters, and information included in curriculum vitae. |
To verify adequacy of applicant for a job opening. |