1. Introduction

 

Saudi Tourism Authority , is a government entity in the Kingdom of Saudi Arabia (Riyadh), established to highlight the Kingdom as a global and local tourist destination, attract visitors, encourage tourism, and achieve integration and cooperation between the public and private sectors to ensure the improvement of the visitor experience, which benefits the national economy. STA is committed to respecting and protecting your personal data in accordance with the Saudi PDPL, issued pursuant to Royal Decree No. (M/19) dated 09/02/1443 AH corresponding to 16/09/2021 G, and other applicable data protection laws. You can contact us via various available channels, using the below contact details.

 

Contact Details

• Data Governance Office
       Phone Number: +966920022554
       E-mail: DGO-DPO@sta.gov.sa
• Saudi Tourism Authority

 

2. Date of Last Update

 

The Privacy Policy was last updated on [15-Sep-2024]. You can review the updated history at https://www.sta.gov.sa/en/privacy-policy-old.

 

3. What Personal Data is collected?

 

Saudi Tourism Authority collects various categories of personal data directly from you and indirectly. We process sensitive data only with your explicit consent, as required by applicable laws.

 

The Saudi Tourism Authority collects the minimum amount of personal data that achieves the purposes for which it was collected. Personal data includes, but not limited to:

 

Information Provided by You: Required information when using the services, when interacting with STA in person, or information you knowingly choose to disclose that is collected on an individual basis when registering on STA's platforms and applications or creating your user profile. This includes personal data such as your name, ID number, address, contact numbers, email, personal records, bank account numbers, credit card numbers, static or moving images, voice data, and other personal data.

 

Communications Data: Information exchanged through communication with STA, such as customer support requests, inquiries, feedback, and complaints.

Cookie Data: such as information collected via web logs, technologies, cookies, or similar technologies.

Your IP Address data includes your IP address details and details of the web browser version used.

User login information: (example but not limited to authentication credentials).

 

4. Purpose, Legal Basis, and Retention Period

 

The types of Basis:

We will only collect and use your personal data in accordance with applicable Data Protection Law. In most cases, our lawful reasons will include:

•  Processing is based on consent. You can withdraw your consent at any time without affecting processing operations carried out based on other legal bases. To this end, you can contact: DGO-DPO@STA.gov.sa.
•  Processing is carried out due to a legitimate interest of the data owner, and it is not feasible or practical to contact them.
• Processing is in compliance with another legal obligation or is part of an existing agreement to which the data owner is a party.
• If the data controller is a public entity, processing is necessary for security reasons or to fulfill legal requirements.

 

We will keep your personal data for as long as required by law, 120 months or for any period necessary to fulfill our operational responsibilities, including but not limited to:

• Maintaining accounts
• Purchase services from our partners
• Enhance your experience as a user of our platforms
• Deal with your enquiries and complaints,
• Ensure quality control of our services (including call center)
• Ensure security of our systems, premises, employees and visitors
• Manage customer relationships,
• Address legal claims and responding to regulatory requests.

The data will be disposed (post retention expiration) securely in accordance with the relevant laws and regulations.

 

5. How do we collect your personal information data?

 

Direct Methods:

Information and personal data that the user provides directly to STA through online forms, paper inquiry forms, email, or by telephone.

Indirect Methods:

• Data collected from other sources or services operated by STA.
• When interacting with our agents and trusted partners.
• Government agencies or any other entity that share information about you.
•  Other institutions deliver programs in partnership with us.
•  Data collected through cookies when you visit the site.
• From agents who complete forms on your behalf.
•  Collected from a public source.

Or collected in a way that Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.

 

6. How do we store your Personal Data?

 

Personal data is stored inside the Kingdom of Saudi Arabia in the servers of the Saudi Tourism Authority, and these servers are protected with the best technologies in accordance with the policies and controls of the National Cybersecurity Authority and relevant laws and regulations.

 

7. Is your personal data disclosed or shared?

 

We do not sell, trade, or otherwise disclose your personally identifiable information. Data may be shared with trusted third-party processors who assist us in our operations, subject to contractual obligations ensuring they protect your data.

 

8. Does this notice apply to your country if you are from outside Saudi Arabia?

 

We adhere to data privacy regulations in the Kingdom of Saudi.

 

9. How do we protect your personal data?

 

To ensure the security and confidentiality of your personal data, we put in place all necessary technical and organizational means in accordance with the requirements issued by the National Cybersecurity Authority.

 

10. What rights do you have in relation to the Personal Data we hold on to you?

 

You have several rights regarding your personal data, including but not limited to:

• Right to be informed: The data subject has the right to know how we will use his/her personal data as explained in this privacy policy.
• Right to access and obtain personal data: The data subject has the right to request a copy of his/her personal data.
• Right to rectify personal data: The data subject has the right to request the correction of his/her personal data that he/she deems inaccurate, incorrect or incomplete, and it will be reviewed and updated.
• Right to destroy personal data: The data subject has the right to request the destruction of his/her personal data in certain circumstances in accordance to the relevant regulations, unless there is a legal text specifying a specific period of retention or contractual requirements.
• Right to withdraw consent to the processing of personal data: The data subject can withdraw his/her consent to the processing of his/her personal data -at any time- unless there are legitimate purposes in accordance with the Saudi Regulations that require the contrary.

For more information, please contact us at This form or through the email address: DGO-DPO@STA.gov.sa.

 

11. How do we protect children’s Personal Data? 

 

All our websites and applications are intended for use only by individuals who are at least 18 years old.

 

12. Cookies Policy

 

 When you use our website, cookies are utilized to recognize you and improve your experience. You have the option to manage your cookie preferences, allowing you to opt-in or opt-out of non-essential cookies.

 

13. Liability Disclaimer

 

This website and the services provided by the Saudi Tourism Authority are available for your personal use, and your access and use of these services are subject to this privacy notice and Saudi laws. Accessing and using the service constitutes unconditional agreement to this notice from the date of first use. Your access and entry to this website is an unconditional or unrestricted acceptance to this privacy notice whether you were a registered user or not. This acceptance is in force as of the first date of your usage for this portal.

 

14. Relevant Legislation

 

For more information about the related policies and laws referred to in this policy, you may use any of the following links:

• National Data Management and Personal Data Protection Standards.
• Policies issued by the National Data Management Office
•  Personal Data Protection Law
•  Controls issued by National Cybersecurity Authority

 

Personal Data Protection Officer

• Address:
  Riyadh, Saudi Arabia
  E-mail: DGO-DPO@STA.gov.sa.

 

15. Complaint or Objection Filing Method for the Personal Data Protection

 

If you have any complaints or inquiries for visit Saudi please fill the contact form here

If you have any Personal Data Protection Law concerns, or if we do not comply with the Personal Data Protection Law, you can file a complaint to the Data Governance Office using one of the following channels:

• Email:
  DGO-DPO@STA.gov.sa.

If you are unsatisfied with how we process your complaint, you can file a complaint to the Competent Authority SDAIA.

• SDAIA Address
  Kingdom of Saudi Arabia
  Riyadh
  Website
  Saudi Data & AI Authority (sdaia.gov.sa)
  National Data Governance Platform “DGP” (dgp.sdaia.gov.sa).