Help
Help and Support
عربي
Sign Up
Branches Log in Sign Up
  • Privacy Notice
Privacy Notice

Introduction

Saudi Post | SPL is dedicated to safeguarding the privacy and security of the personal data processed during the provision of our postal, logistics, digital, and financial services. This Privacy Notice, prepared in compliance with the Personal Data Protection Law (PDPL) and its Implementing Regulations, outlines how we collect, use, store, destroy, disclose, and protect personal data. It also highlights your rights as a data subject under the law.

 

Data Processing & Purpose

We process only the personal data necessary to deliver and improve SPL services, including but not limited to:

  • Name, gender, date of birth, nationality → For account setup and verification.
  • ID/Iqama/passport number → For secure identification.
  • Address details → For shipment delivery and location-based services.
  • Email and phone numbers → For notifications, customer support, and account recovery.
  • Payment information → For billing and transaction processing.
  • Device and usage data → For analytics, fraud detection, and improving digital experiences.
  • Shipment data, geolocation, and call recordings → For service fulfilment, quality assurance, and dispute resolution.

This data is processed for the following purposes:

  • Account creation and/or identity verification via Nafath.
  • Address and shipment management.
  • Digital notifications and customer support.
  • Compliance with regulatory requirements.
  • Data analytics and marketing communications (with consent).

 

Methods of Collection

  • Data is collected directly through online forms, mobile applications, service counters, call centre interactions, and smart devices (such as parcel lockers).

We do not buy or harvest personal data from third party sources for selling or marketing purposes.

 

Use of Personal Data

Personal data is used exclusively for the purposes specified in Clause Two. We do not sell it or use it for advertisements unrelated to the services, nor for the benefit of entities not affiliated with SPL.
SPL is committed to ensuring that any third party (processor or sub-processor) handling the data on its behalf complies with the Personal Data Protection Law and its implementing regulations, through contracts and agreements that enforce such compliance and guarantee the protection of the data subject’s rights.
Appropriate protective measures are also applied to such data, including encryption, access control policies.
Compliance is regularly monitored through audits and internal reviews., including annual audits and compliance testing, to ensure all requirements of the Personal Data Protection Law are met.
In the event that personal data is processed for a purpose different from the purpose for which it was originally collected, the data subject will be notified in advance, and the legal basis and procedures followed to ensure compliance with applicable laws and regulations will be clearly explained.

 

Storage, Retention & Secure Destruction

SPL is committed to storing personal data within the geographical boundaries of the Kingdom of Saudi Arabia on secure servers managed by the organization or authorized service providers, ensuring full compliance with applicable laws and regulations. SPL applies strict technical and organizational controls, including encryption, access control measures, and risk management, in accordance with national cybersecurity policies, ISO/IEC 27001 standards, and international best practices.
Personal data is retained only for as long as necessary to fulfil the purposes outlined in this Privacy Notice, or as required by applicable laws and regulations. Once the purpose for which the data was collected is achieved or the legally required retention period has expired, the data will be securely destroyed to prevent unauthorized access.

 

Legal Bases for Processing

SPL processes personal data in accordance with Article 6 of the Saudi Personal Data Protection Law and Article 16 of its Implementing Regulations. Each processing activity is based on a specific legal basis:

  • We rely on your consent for optional services such as marketing communications. Consent is obtained separately for each specific purpose, and you have the right to withdraw it at any time through any legally available means.
  • We process data to perform a contract with you, such as when you register an account or request shipment and delivery services.
  • Certain processing is required to comply with legal obligations, for example, customs requirements or responding to law enforcement requests.
  • In some cases, we rely on SPL's legitimate interests, such as maintaining system security, preventing fraud, and improving services. These interests are carefully assessed to ensure they do not override your fundamental rights and freedoms, in line with a documented Legitimate Interest Assessment.
  • If sensitive personal data, such as health-related information for Pharma shipments, is processed, SPL ensures compliance with the PDPL by obtaining consent and applying robust security measures to protect such data.

 

Data Subject Rights under PDPL

  1. The right to be informed about the purposes of processing and its legal basis.
  2. The right to access the personal data held by SPL.
  3. The right to request and obtain the personal data held by SPL in a clear and readable format.
  4. The right to correct inaccurate, incomplete, or outdated data, in accordance with the legal requirements governing this right.
  5. The right to request the destruction of personal data if the purpose for which it was collected no longer exists, unless retention is required by law.
  6. The right to withdraw consent and object to the processing of data for direct marketing purposes.
  7. The right to restrict or suspend processing temporarily in certain cases.
  8. The right to file a complaint with the competent regulatory authority (Saudi Data and Artificial Intelligence Authority – SDAIA / National Data Management Office).

 

Sharing & Cross Border Disclosure

SPL does not sell or rent personal data under any circumstances.

Personal data may only be shared in the following cases:

  • With service providers and subsidiaries within Saudi Arabia, under formal, written agreements that include data protection clauses fully compliant with the Personal Data Protection Law (PDPL), its Implementing Regulations, and the Data Sharing Regulation.
  • With regulatory, judicial, or security authorities, when required by applicable Saudi laws or official orders.

Cross-Border Transfers

Cross-border transfers of personal data are carried out in accordance with Articles (29 to 32) of the Personal Data Protection Law and the Data Transfer Regulation. SPL is committed to the following:

  • Transfers occur only to jurisdictions that offer a level of protection equivalent to Saudi data protection law, as determined by the competent authority.
  • In the absence of an official classification for the receiving country, SPL relies on contractual safeguards or internal rules to ensure the protection of personal data, in accordance with the requirements of the law and its executive regulations.
  • All transfers undergo a Transfer Impact Assessment (TIA) to identify and mitigate legal and security risks.
  • Additional safeguards such as encryption, access controls, and purpose limitation are implemented to protect personal data during and after transfer.

No international transfer is executed without documented justification, legal review, and approval in line with applicable regulatory requirements.

 

Exercising Your Rights

Under the Personal Data Protection Law (PDPL), you have the right to access, correct, or request the destruction of your personal data. You may also submit privacy-related complaints or inquiries through one of the following methods:

To protect your data and prevent unauthorized access, we may require identity verification (e.g., national ID number or supporting documents) before processing your request.

We will acknowledge receipt of your request within five (5) business days, and respond within Ninety (90) calendar days, unless an extension is permitted under the PDPL.

If you are not satisfied with our response, you may escalate your complaint to the competent regulatory authorities:

 

Personal Data Protection Officer

For any inquiries, concerns, or complaints related to personal data protection, you may contact our Data Protection Officer (DPO) through the following:

Data Management Office – SPL
📧 Email: privacy@splonline.com.sa
📍 Address: SPLD2929  

 

Record of Processing Activities (RoPA)

In accordance with the Implementing Regulations of the Personal Data Protection Law, SPL maintains a Record of Processing Activities (RoPA), which includes:

  1. Processing purposes and legal bases:
    Clearly defining the objectives for processing personal data and the legal or regulatory bases supporting these activities.
  2. Categories of Data Subjects and data types:
    Describing the categories of individuals whose data is processed (e.g., customers, employees) and specifying the types of personal data collected.
  3. Recipients and processors:
    Identifying entities and processors with whom personal data is shared, including internal and external parties.
  4. Retention and deletion protocols:
    Outlining the policies for retaining personal data and the procedures for securely deleting it when no longer needed.
  5. Cross-border transfer safeguards:
    Detailing the measures and guarantees in place to protect personal data during transfers outside the Kingdom.
  6. Risk classification per activity:
    Conducting a risk analysis for each data processing activity, classifying risks, and describing measures to mitigate potential impacts.
  7. Contact details of the controller:
    Including the name and contact information of the entity responsible for personal data processing.
  8. Data Protection Officer (DPO) information:
    Providing the name and contact details of the designated officer responsible for overseeing data protection compliance.
  9. Security measures:
    Documenting the technical and organizational measures implemented to safeguard personal data and ensure its integrity.

 

Security Incidents & Data Breach Response

In the event of a personal data breach, SPL will notify the competent authority within seventy-two (72) hours of becoming aware of the incident and will inform affected individuals if the breach is likely to harm their personal data or rights.

 

Related Regulations and Policies

This Privacy Policy has been prepared in accordance with the following regulations, policies, and guidelines:

  1. The Personal Data Protection Law (PDPL)
  2. The Implementing Regulations of the Personal Data Protection Law
  3. Policies issued by the National Data Management Office (NDMO)
  4. Controls and guidelines issued by the National Data Management Office (NDMO)

These regulations, policies, and guidelines have been referenced to follow best practices in personal data protection and to ensure full compliance with regulatory and legal requirements within the Kingdom.

 

SPL Administration

SPL is responsible for implementing the Privacy Notice, overseeing its application, and ensuring compliance with it.

This notice may be updated as needed to comply with the applicable regulations in the Kingdom of Saudi Arabia, and any changes will be published on the official website.

SPL conducts internal assessments to ensure full compliance with the law, including conducting Privacy Impact Assessments when necessary, such as when using new technologies or processing sensitive data.

 

The last update to this Privacy Notice was made on 24 July 2025