Privacy Policy

Last Updated: February 2026

This Privacy Policy explains how Sarab.tech ("we", "us", or "our") collects, uses, discloses, and protects personal data across all of its products, platforms, applications, APIs, websites, and services (collectively, the "Services").

By accessing or using any Sarab.tech Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

1. Scope of This Policy

This Policy applies to all Sarab.tech offerings, including but not limited to:

SmartBank (mobile, web, and backend platforms)
SmartBot (WhatsApp and messaging-based banking and service bots)
SmartPay (QR, SMS, and merchant payment services)
SmartATM (cardless and OTP-based ATM services)
SmartAdmin, SmartAnalytics, SmartDesk, SmartStore, SmartOnboarding
APIs, SDKs, dashboards, and administrative tools
Corporate websites, landing pages, and marketing platforms

Where a specific service requires additional or different privacy terms (e.g., bank-mandated disclosures), those terms will supplement this Policy.

2. Data We Collect

2.1 Personal Data You Provide

Depending on the Service, we may collect:

Full name (Arabic and/or English)
National ID or passport number (where required by law)
Date and place of birth
Phone number(s)
Email address
Residential and mailing address
Bank account identifiers (e.g., account number, IBAN)
Business information (company name, registration number, tax ID)
Authentication data (PINs, OTPs, device binding tokens)

2.2 Automatically Collected Data

When you use our Services, we may automatically collect:

Device information (model, OS, app version)
IP address and approximate location
Log data (timestamps, access logs, error logs)
Usage data (features used, transaction counts, interaction flow)
Cookies and similar tracking technologies (for web services)

2.3 Financial and Transactional Data

Subject to banking and regulatory requirements, we may process:

Transaction metadata (amount, currency, timestamp, channel)
Payment references and merchant identifiers
Wallet or virtual account activity
Messaging interaction metadata (not message content unless required)

2.4 Data from Third Parties

We may receive data from:

Partner banks and financial institutions
Payment processors and card networks
Messaging platforms (e.g., WhatsApp Cloud API)
Identity verification and compliance providers
Regulators and lawful authorities

3. How We Use Data

We use personal data strictly for legitimate business and regulatory purposes, including:

Providing, operating, and maintaining our Services
Identity verification (KYC), AML, PEP, and fraud prevention
Processing transactions and service requests
Enabling secure authentication and authorization
Regulatory reporting and audit requirements
Customer support and service communications
System monitoring, analytics, and performance optimization
Product improvement and feature development

We do not sell personal data.

4. Legal Bases for Processing

We process personal data under one or more of the following legal bases:

Performance of a contract
Compliance with legal or regulatory obligations
Legitimate interests (security, fraud prevention, service improvement)
User consent (where explicitly required)

5. Data Sharing and Disclosure

We may share data only with:

Partner banks and licensed financial institutions
Infrastructure and cloud service providers
Messaging and communication platforms
Compliance, audit, and risk management partners
Regulators, courts, or law enforcement when legally required

All third parties are contractually bound to confidentiality, data protection, and security obligations.

6. Data Localization and Cross-Border Transfers

Data may be processed or stored in jurisdictions outside the user’s country, subject to:

Bank and regulator approvals
Adequate data protection safeguards
Encryption and access control standards

Where required, data is hosted locally or within approved geographic boundaries.

7. Data Retention

We retain personal data only for as long as necessary to:

Fulfill contractual and service obligations
Meet legal, regulatory, and audit requirements
Resolve disputes and enforce agreements

Retention periods are defined by applicable banking laws and regulatory directives.

8. Security Measures

Sarab.tech implements industry-grade security controls, including:

End-to-end encryption (data in transit and at rest)
Role-based access control (RBAC)
Network firewalls and WAF protection
Audit logs and continuous monitoring
Secure key management and credential rotation
Regular security testing and reviews

Despite our efforts, no system can be guaranteed 100% secure.

9. User Rights

Subject to applicable law, users may have the right to:

Access their personal data
Request correction or updates
Request deletion (where legally permissible)
Object to or restrict processing
Withdraw consent (where applicable)

Requests are subject to identity verification and regulatory constraints.

10. Children’s Data

Our Services are not intended for individuals under the age of 18 unless explicitly authorized by a licensed bank and permitted by law.

11. Cookies and Tracking (Web Services)

We use cookies and similar technologies to:

Enable core website functionality
Improve performance and user experience
Analyze traffic and usage patterns

Users may manage cookie preferences through their browser settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be effective upon publication, with the updated date reflected at the top of this document.

Continued use of the Services constitutes acceptance of the updated Policy.

13. Contact Information

For privacy-related inquiries, requests, or complaints, contact:

Sarab.tech – Privacy & Compliance Office
Email: [email protected]
Website: https://sarab.tech

14. Governing Law

This Privacy Policy is governed by applicable laws and regulations in the jurisdictions in which Sarab.tech operates, including relevant banking, data protection, and regulatory frameworks.