Last updated: 01/01/2026
Effective date: 01/01/2026

Privacy Policy – Qitea Platform

  1. Who We Are
  2. Regulatory Framework
  3. Scope of the Policy
  4. Types of Data We Collect
  5. Sources of Data
  6. Mandatory and Optional Data
  7. Purposes of Processing and Legal Basis
  8. Cookies and Analytics
  9. Sharing Data with Third Parties
  10. Transfer of Data Outside the Kingdom
  11. Information Security
  12. Data Subject Rights
  13. Data Retention
  14. Children’s Data
  15. Updates to This Policy
  16. Contact and Complaints

Who We Are

This Privacy Policy explains how we collect, use, share, and protect personal data relating to users of the Qitea Platform. For the purposes of this Policy, the data controller is Lambda Co. Ltd., headquartered in Jeddah, Kingdom of Saudi Arabia, at Tariq Jami‘a, Jeddah 23793.

Contact Details:

  • General Email: info@qiteapp.com
  • Privacy and Data Subject Requests Email: privacy@qiteapp.com
  • Phone: +966129873657

Regulatory Framework

This Policy has been prepared in accordance with the Personal Data Protection Law of the Kingdom of Saudi Arabia and its Implementing Regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), together with any other relevant regulatory requirements depending on the nature of the service, including the E-Commerce Law and, where applicable, the regulations governing the provision of cloud computing services issued by the Communications, Space and Technology Commission (CST).

Scope of the Policy

This Policy applies to personal data that we process in relation to the following categories:

  • Visitors.
  • Customers, including individuals and workshops.
  • Merchants and their authorized representatives.
  • Drivers or delivery partners, where such services are enabled.
  • Any person who contacts us regarding orders, complaints, or support.

Types of Data We Collect

Visitor Data

We may collect technical data automatically, such as IP address, browser or device type, operating system, session identifiers or cookies, error and security logs, in addition to usage and analytics data where enabled.

Customer Data

We may collect the following:

  • Name, where requested.
  • Mobile number and one-time password (OTP).
  • Email address, if any.
  • Account data, language or regional preferences, and login history.
  • Orders, invoices, payment or refund status, and communication and complaint records.
  • Location data or address necessary for delivery or for identifying nearby stores.
  • Vehicle data, such as make, model, and year. We may request the Vehicle Identification Number (VIN) or additional information only where operationally necessary and to the minimum extent required.

Merchant Data

We may collect the following:

  • Establishment representative data, such as name, mobile number, email address, and position or capacity.
  • Establishment data, such as commercial registration, tax number, national address, IBAN, and relevant regulatory documents.
  • Operational store data, such as location, city, area, business hours, logo, and images.
  • Financial and operational data, such as order history, commissions, dues, settlements, and disputes.
  • Electronic signature data, such as the mobile number used for signature, time of signature, IP address, browser or device data, and a copy or reference of the contract.

Driver or Delivery Partner Data

We may collect the following:

  • Name, mobile number, and email address, if any.
  • Location data, trip tracking, and proof of delivery.
  • Licence, vehicle, or identity data where necessary for service operation or regulatory compliance.

Payment Data

Where electronic payment is enabled, we may process data relating to the transaction, its status, the amount, the transaction reference, and refunds. We do not undertake to retain raw card data where such data is processed directly through an approved payment gateway.

Sources of Data

We may collect personal data from the following sources:

  • Directly from the user upon registration, placement of an order, upload of documents, or contact with us.
  • From the user’s device, browser, or application, such as session data, cookies, and usage logs.
  • From the merchant or its authorized representative.
  • From the driver or delivery partner.
  • From service providers, such as messaging, maps, payment, or analytics providers.
  • From lawful public or regulatory sources, or related entities, where necessary for verification or compliance.

Mandatory and Optional Data

Certain personal data is necessary for the provision of the service, execution of an order, creation of an account, verification of the user, or compliance with regulatory requirements, such as the mobile number, OTP, order data, address or location data for delivery, and certain regulatory and operational data relating to merchants. Other data may be optional by nature, such as certain preference data, additional means of contact, or non-essential analytics tools. If mandatory data is not provided, we may be unable to create the account, fulfill the order, provide certain Platform functionalities, or respond to certain requests or regulatory obligations associated therewith.

Purposes of Processing and Legal Basis

We process personal data for the following purposes and on an appropriate legal basis depending on the circumstances:

Operating the Platform and Managing Accounts

This includes account creation, identity or mobile number verification through OTP, access management, and communications relating to use and service.

Legal Basis: Performance of a contract, or taking steps necessary to provide the requested service.

Order and Transaction Fulfillment

This includes receiving orders, verifying availability, processing payment or refunds, issuing records or invoices, and providing customer support and customer service.

Legal Basis: Performance of a contract, and legal obligation where financial or regulatory requirements apply.

Delivery and Location Services

This includes calculating delivery, identifying nearby stores or addresses, directing drivers or delivery partners, and proving receipt or delivery.

Legal Basis: Performance of a contract, and we may also rely on the user’s consent to enable precise location permissions on the user’s device.

Matching Parts with Vehicles

This includes using vehicle data to improve search results and reduce errors in part selection.

Legal Basis: Performance of a contract.

Security, Fraud Prevention, and Protection of Rights

This includes monitoring unlawful attempts, detecting fraudulent patterns, verifying transactions, and protecting the Platform and the rights of users and ourselves.

Legal Basis: Legitimate interest, or legal obligation, depending on the circumstances.

Analytics and Performance Improvement

This includes measuring Platform usage, understanding performance, and improving the user experience where relevant tools are enabled.

Legal Basis: Consent where tools or cookies are not functionally necessary, or legitimate interest within the limits permitted by applicable law.

Marketing

We may use contact data to send marketing messages or offers where this function is enabled.

Legal Basis: Consent, with an unsubscribe option available where applicable.

Cookies and Analytics

We may use cookies or similar technologies to operate the Platform, maintain sessions, remember preferences, and improve performance. Where we use cookies or tools that are not functionally necessary, we will apply the appropriate mechanism for obtaining consent or managing preferences in accordance with applicable law and the nature of the technology used.

Sharing Data with Third Parties

We may share personal data, only to the extent necessary, with the following categories:

  • Messaging service providers for sending OTPs and necessary notifications.
  • Maps and tracking service providers for displaying maps, determining locations, and supporting delivery.
  • Hosting, cloud, database, or storage providers.
  • Payment gateways or payment/refund processing providers where electronic payment is enabled.
  • Analytics tools, where enabled.
  • Delivery companies, drivers, or logistics partners when fulfilling orders.
  • Governmental, judicial, regulatory, or security authorities where there is a legal obligation or binding request.

We require service providers, depending on the circumstances and the nature of the contractual relationship, to process data in accordance with lawful instructions and to implement appropriate protective measures. Once the actual service providers become operationally stable, this Policy or any related operational annex may be updated to identify the approved providers more specifically.

Transfer of Data Outside the Kingdom

Certain elements of the technical infrastructure or certain service providers associated with the Platform may involve processing, storage, or remote access from outside the Kingdom of Saudi Arabia, depending on the technical configuration effectively adopted during operation. Where data is transferred, disclosed, or processed outside the Kingdom, we limit such transfer to the minimum necessary to achieve the legitimate purpose, verify the existence of an appropriate legal basis, apply suitable contractual, regulatory, and technical safeguards, and undertake any evaluations or regulatory procedures required in the circumstances.

Information Security

We implement appropriate organizational, administrative, and technical measures to protect personal data against unauthorized access, loss, misuse, alteration, or unlawful disclosure, in a manner proportionate to the nature of the data, the scale of processing, and the anticipated risks. However, no technical system can be guaranteed to be completely secure. Where a personal data incident occurs that requires notification under applicable laws, we shall take the appropriate measures, including notifying the competent authority and the data subject where legally required.

Data Subject Rights

Subject to applicable laws, regulations, and legal exceptions, the data subject may enjoy the rights granted under the Personal Data Protection Law, including:

  • The right to be informed of how their data is collected and the legal basis for its processing.
  • The right to access their personal data and request a copy thereof in accordance with the applicable legal mechanism.
  • The right to request correction, completion, or updating of their data.
  • The right to request destruction or deletion of the data where legally applicable and where no lawful grounds for retention exist.
  • The right to withdraw consent in processing activities based on consent, without prejudice to the lawfulness of processing carried out prior to such withdrawal.
  • The right to submit a request, objection, or complaint relating to their personal data.

To exercise your rights relating to personal data, or to submit any request, objection, or privacy-related inquiry, please contact us through the dedicated email address: privacy@qiteapp.com, or through any electronic means designated by us for that purpose. We may request any information necessary to verify the identity of the requester. We will review and respond to the request within no more than thirty (30) days from the date on which it is complete, and this period may be extended where permitted by law, provided that the requester is notified of the reason for the extension.

If a request or complaint is not handled appropriately, or if the data subject considers that their personal data has been processed in violation of applicable law, the data subject may lodge a grievance or complaint with the competent authority in the Kingdom of Saudi Arabia in accordance with the procedures made available by such authority.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer period is required by law, legitimate interests, or disputes. Under the Platform’s current operating model, the indicative retention periods are as follows:

  • Customer, merchant, or driver account data: for the duration of the account, and for 24 months after closure or inactivity.
  • Orders, invoices, and transactions: 10 years.
  • Merchant regulatory records and attachments: for the duration of the relationship, and for 10 years thereafter.
  • Delivery, tracking, and proof of delivery records: 12 months, extendable to 24 months where necessary for disputes or regulatory requirements.
  • The OTP itself: up to a maximum of 10 minutes.
  • OTP-related verification logs: 90 days.
  • Electronic signature records and the contract or its reference: for the duration of the relationship, and for 10 years thereafter.
  • Complaint, support, and correspondence records: 3 years after closure of the complaint.

After the purpose or the legally required retention period ends, we will take the appropriate action depending on the circumstances, such as secure destruction, masking, or removal of data that identifies the data subject, where possible and appropriate.

Children’s Data

The Platform is not primarily directed to children, and we do not knowingly seek to collect their personal data unless this is permitted by law and supported by an appropriate lawful mechanism. If certain services are used by persons lacking or having limited legal capacity, such use must, where applicable, occur through a guardian or lawful representative. If we become aware that a child’s data has been collected in a manner inconsistent with this Policy or with applicable legal requirements, we may take appropriate steps to restrict processing, rectify the situation, or delete the data where necessary.

Updates to This Policy

We may update this Policy from time to time for operational, legal, or technical reasons. The version published on the Platform shall be the governing version as of its effective date.

Contact and Complaints

For any inquiry or request relating to privacy or personal data, or to submit a complaint, please contact us through:

  • General Email: info@qiteapp.com
  • Privacy and Data Subject Requests Email: privacy@qiteapp.com
  • Phone: +966129873657
© Qitea 2026