Privacy Policy

Effective Date: January 1, 2025

At Toroos, we are committed to protecting your privacy and handling your personal data with the utmost care and compliance with applicable laws. As a headless payment platform operating globally with a primary focus on the Arab world (including the Kingdom of Saudi Arabia, United Arab Emirates, and other member states of the Gulf Cooperation Council), we adhere to the highest standards of data protection, including but not limited to the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia (Royal Decree No. M/19 dated 16/2/1443H), the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data in the UAE, and relevant regulations in other jurisdictions where we operate, such as the General Data Protection Regulation (GDPR) for European users. This Privacy Policy explains how Toroos collects, uses, discloses, and safeguards your personal information when you use our services, website (www.toroos.com), and related applications.

By using Toroos services, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use our services. We may update this Policy from time to time; changes will be posted here with the updated effective date. Your continued use constitutes acceptance of such changes.

1. Information We Collect

We collect personal data to provide, improve, and secure our payment platform services, including KYC/KYB onboarding, wallet management, transaction processing, and compliance features. The types of data we collect include:

a. Personal Information You Provide

  • Identity and Contact Data: Name, email address, phone number, date of birth, address, and government-issued ID details (e.g., national ID, passport number) for verification purposes.
  • Financial Data: Bank account details, payment card information (processed via secure third-party gateways compliant with PCI DSS), transaction history, and wallet balances.
  • Business Data (for KYB): Company name, registration number, beneficial ownership details, and tax identification for business users.
  • Account Data: Username, password, and security questions if you create an account.
  • Communications Data: Information you provide when contacting us via email (hello@toroos.com), forms, or support channels.

b. Automatically Collected Information

  • Usage Data: IP address, browser type, device information, pages visited, time and date of access, and transaction logs.
  • Cookies and Tracking Data: See our Cookie Policy for details on cookies and similar technologies.
  • Location Data: Approximate location based on IP address for compliance with regional regulations (e.g., cross-border payments).

c. Data from Third Parties

  • Verification data from KYC/KYB providers (e.g., identity document scans, biometric data where permitted).
  • Fraud detection data from analytics partners.
  • Publicly available data for sanctions screening under anti-money laundering (AML) regulations.

We do not collect sensitive personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data) unless strictly necessary for compliance (e.g., enhanced due diligence under AML/CTF laws) and only with your explicit consent.

2. How We Use Your Information

We use your personal data for legitimate business purposes, ensuring compliance with data minimization principles:

  • Service Delivery: To process payments, manage wallets, execute transactions, and provide features like multi-currency support and a rules engine.
  • Verification and Compliance: For KYC/KYB, risk assessment, sanctions screening, and regulatory reporting under PDPL, UAE PDP Law, GDPR, and AML/CTF frameworks.
  • Improvement and Analytics: To analyze usage patterns, enhance platform performance (e.g., 99.9% uptime), and develop new features using aggregated, anonymized data.
  • Security and Fraud Prevention: To detect and prevent unauthorized access, fraud, or abuse, including real-time monitoring.
  • Communications: To send service updates, transaction confirmations, and marketing (with opt-out options).
  • Legal Obligations: To respond to lawful requests from authorities in the Arab world or globally.

We process data based on: (i) your consent; (ii) contractual necessity; (iii) legal obligations; (iv) legitimate interests (e.g., fraud prevention); or (v) vital interests where applicable.

3. Sharing Your Information

We do not sell your personal data. We share it only as necessary and with safeguards:

  • Service Providers: Third-party vendors (e.g., cloud hosts in the UAE or KSA, payment processors) bound by data processing agreements compliant with PDPL and GDPR.
  • Regulatory Authorities: To comply with laws in Saudi Arabia, UAE, or other jurisdictions (e.g., Saudi Central Bank or UAE Central Bank requirements).
  • Business Transfers: In case of merger, acquisition, or asset sale, with notice to you.
  • Legal Requirements: If required by court order or to protect rights, safety, or property.

For cross-border transfers (e.g., to non-Arab world processors), we use mechanisms like Standard Contractual Clauses or adequacy decisions under GDPR/PDPL to ensure equivalent protection.

4. Data Security

We implement enterprise-grade security measures, including end-to-end encryption, tokenization, role-based access controls (RBAC), and regular audits to protect against unauthorized access, loss, or breach. Our platform supports PCI DSS compliance for payment data. In the event of a data breach, we will notify affected users and authorities as required by law (e.g., within 72 hours under GDPR or as per PDPL timelines).

5. Your Rights and Choices

Under applicable laws (PDPL, UAE PDP Law, GDPR), you have rights regarding your data:

  • Access: Request confirmation of processing and a copy of your data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion (subject to legal retention periods, e.g., 5-10 years for financial records under AML laws).
  • Restriction/Objection: Limit processing or object to certain uses.
  • Portability: Receive data in a structured format.
  • Withdraw Consent: At any time, though this may affect service provision.
  • Cookie Management: Opt-out via browser settings (see Cookie Policy).

To exercise your rights, contact us at hello@toroos.com or via our contact form. We respond within one month (extendable under law). Saudi users may also contact the Saudi Data & AI Authority (SDAIA), and UAE users may also contact the UAE Data Office.

6. Data Retention

We retain data only as long as necessary: e.g., transaction data for 7-10 years per regulatory requirements, inactive accounts for 2 years before deletion. Upon request or account closure, data is securely deleted or anonymized.

7. Children's Privacy

Our services are not directed at children under 18. We do not knowingly collect data from minors without parental consent. If we discover such data, we will delete it promptly.

8. International Users

For users outside the Arab world, we comply with local laws (e.g., GDPR for EU residents). By using our services, you consent to data processing in the KSA or UAE.

9. Contact Us

For questions about this Privacy Policy, contact:

Toroos

Riyadh, Kingdom of Saudi Arabia

Email: hello@toroos.com

This Policy is governed by the laws of the Kingdom of Saudi Arabia.