Privacy Policy

Last updated: 09 Feb 2026

Aman Debt Collection Company (“Aman”) operates the Aman Collect platform within the Kingdom of Saudi Arabia (KSA). Aman is committed to complying with the Saudi Personal Data Protection Law (PDPL) and related regulations. This policy explains how personal data is collected, processed, stored, and protected.

Data Controller: Aman Debt Collection Company (Aman) – Kingdom of Saudi Arabia.

Contact: info@amanasa.com

Data Protection Officer (if appointed): info@amanasa.com

1. Personal Data

Personal data includes any information that identifies an individual directly or indirectly, such as name, national ID / Iqama, account number, contact details, financial/credit information, and electronic records.

2. Lawful Basis for Processing

• Legal and regulatory obligations
• Contractual obligations and performance of services
• Legitimate interests (where applicable and not overriding data subject rights)
• Explicit consent where required (including for certain sensitive/credit data)

3. Purposes of Processing

• Debt collection case management and communications
• User authentication, access control, and permissions management
• Compliance with regulatory, audit, and legal requirements
• System security, monitoring, incident response, and fraud prevention
• Service continuity and quality improvement (within lawful limits)

4. Data Sharing & Disclosure

Access to personal data is restricted to authorized users only. We do not sell personal data. We may disclose personal data to the following categories, only as needed and on a lawful basis:

• Our client entities (e.g., schools, hospitals, factories, agricultural entities, banks, insurance companies, and other creditors) as needed to execute the contracted service
• Service providers (hosting, IT, security, email/SMS/telecom providers) under contractual confidentiality and data protection obligations
• Competent authorities and courts where required by law or judicial order
• Professional advisors (legal, audit) where necessary and subject to confidentiality

Where applicable, disclosures may be one-time or recurring depending on the operational need and contract scope.

5. Storage & Retention

Personal data is stored within the Kingdom of Saudi Arabia and retained only for the period required by regulations, contracts, and operational purposes. After the retention period ends, data is securely destroyed or anonymized where feasible.

6. Data Subject Rights

• Right to be informed
• Right to access personal data
• Right to request a readable copy (where technically feasible)
• Right to correct inaccurate or incomplete data
• Right to request deletion/destruction where legally permitted
• Right to withdraw consent (where processing is based on consent)
• Right to file a complaint with the competent authority

How to exercise rights: Submit a request using the channels in Section 16. We may verify identity before processing requests.

Withdrawal of consent: Where processing is based on consent, you may withdraw consent using the same channels. Withdrawal will not affect processing already carried out before withdrawal and may not apply where we have another lawful basis.

7. Security Measures

We apply administrative, technical, and organizational controls to protect personal data, including access controls (need-to-know), audit logging, encryption where appropriate, security monitoring, and secure backups.

8. Our Role (Controller / Processor)

Depending on the engagement:

• We may act as a Controller for personal data processed to meet our legal obligations and internal compliance requirements.
• We may act as a Processor when processing personal data on behalf of a client (creditor) under a written contract and documented instructions.

For client-provided cases, we process data for the purposes of case execution, reporting, and lawful compliance.

9. Sources of Personal Data

• Data provided by clients/creditors under contract
• Data provided directly by the data subject during communications
• Data obtained from publicly available sources where legally permitted
• Data generated within the platform (case notes, communication logs, audit trails)

10. Sensitive Data & Special Categories

Some engagements may involve sensitive data (e.g., health data related to hospitals, or minors’ data related to schools), and/or credit/financial information. We process such data only when necessary, using a valid lawful basis, and applying stricter access controls and security measures. Where explicit consent is required by law, we ensure it is obtained through the appropriate channel.

Where a data subject is a minor or lacks legal capacity, requests may be submitted by a parent/legal guardian or authorized representative, subject to verification of authority and identity.

11. Official Documents (IDs) & Minimization

We limit collection to the minimum necessary for the stated purposes. We do not copy or store official documents (e.g., national ID) unless required by law or requested by a competent authority, and we destroy such copies once the purpose ends, in accordance with applicable requirements.

12. No Transfer Outside KSA

The Aman Collect platform is hosted and operated within the Kingdom of Saudi Arabia. We do not transfer, disclose, or allow processing of personal data outside the Kingdom. If this practice ever changes, we will update this policy and apply the required legal and security safeguards before any transfer.

13. Service Providers & Sub-Processors

We may use vetted service providers operating within KSA (e.g., hosting, cloud, email/SMS, IT/security) to operate the platform. Such providers are subject to contractual confidentiality, data protection obligations, and security requirements. They are prohibited from using our data for secondary purposes.

For engagements involving SAMA-regulated clients, additional vendor/cloud controls may apply (e.g., data location, audit rights, approvals).

14. Incidents & Breach Notification

We maintain incident response procedures. In case of a personal data breach, we assess impact and take immediate containment measures. Where required, we notify the competent authority within the legally prescribed timeframe and notify affected data subjects without undue delay.

Where notification is required, the competent authority will be notified within 72 hours of becoming aware of the breach, and affected data subjects will be notified without undue delay when required.

15. Handling Requests

Requests to exercise data subject rights can be submitted through the channels below. We may refuse requests that are repetitive or unfounded where permitted, and will provide the reason for refusal when applicable.

We aim to respond to eligible requests within 30 business days. If additional time is required due to complexity or volume, we may extend the timeframe where permitted and will inform you of the reasons.

16. Contact & Complaints

For privacy requests or inquiries:

Email: info@amanasa.com

Address:Dammam Kingdom of Saudi Arabia

Accepted channels: Email and in-platform submission (where available). Identity verification may be required.

If you are not satisfied with our response, you may file a complaint with the competent authority in Saudi Arabia.

17. Policy Updates

We may update this policy from time to time to reflect changes in laws, regulations, or operational practices. The updated version will be made available within the platform.

18. Automated Processing

The platform may use automated workflows (e.g., reminders, assignment, prioritization) to support operations. We do not rely solely on automated processing to make decisions that produce legal or similarly significant effects without appropriate safeguards, including human review where applicable.