Compliant with Saudi Personal Data Protection Law (PDPL)

Privacy Policy

Learn how we collect, use, and protect your personal data on the EEINA platform. This policy is written in clear language and organized to help you easily find what matters to you.

Last Updated: · Version: v2.0 · Reading Time: ~15 minutes

Introduction & Scope

We are EEINA Development for Information Technology (Commercial Registration No. 4031086289), with our main headquarters in Makkah, Kingdom of Saudi Arabia. This policy explains how we process your personal data when you use:

  • Our website eeina.com and application site app.eeina.com
  • EEINA applications on iOS and Android
  • Communication channels via WhatsApp and email lists
  • Integrations with grocery delivery and licensed merchant partners

This policy applies to all personal data we collect or process about you in the context of using our services, whether you are an individual consumer or a business representative.

Why PDPL Matters to You

The Saudi Personal Data Protection Law grants you clear rights: access, correction, deletion, objection, and withdrawal of consent. All of these are outlined in the "Your Rights" section.

Data We Collect

We collect only the data necessary to provide and improve the service, in accordance with the principle of data minimization. The main categories include:

1. Basic Personal Data

  • Full name, phone number, email address
  • Content of communications and inquiries

2. Authentication Data

  • Username and password (password stored hashed, not in plain text)
  • Authentication Tokens
  • Logins through third-party services (Google, Apple, Facebook) · only with your explicit consent

3. Health & Food Preference Data (Sensitive)

Includes diets, avoided foods, allergies, height, weight, activity levels, and BMI. We process this data only with your prior explicit consent, in accordance with Article (28) of the Executive Regulations of the Saudi PDPL.

4. Usage & Location Data

  • Shopping lists, recipes you interact with, visit durations
  • IP address, browser type, operating system
  • Approximate or precise location (requires your direct consent)

5. Financial Data

We do not store your credit card information. All payment transactions are executed through licensed service providers (HyperPay for Mada and Visa, Tabby and Tamara for splitting payments, Apple Pay, and STC Pay). We only save: order number, payment status, and the last 4 digits of the card (if any) for accounting purposes.

How We Collect Your Data

  • Directly from you: during registration, completing the quiz, or contacting support
  • Automatically: via cookies (see the Cookies section) and server logs
  • From grocery and delivery partners: when integrating your shopping list with them (with your consent)
  • From other users: during comments, reviews, or referrals

How We Use Your Data

We use your data for the following legitimate purposes:

  1. Providing the service (account creation, verification, displaying recipes and plans)
  2. Personalizing content and improving recommendations based on your preferences
  3. Sending service notifications (order confirmation, medicine reminders, plan updates)
  4. Aggregated analytics (without identifying you) to understand user behavior
  5. Sending marketing newsletters · only with your separate consent, and you can unsubscribe at any time
  6. Complying with legal and regulatory obligations in the Kingdom

AI & Predictive Processing

We use machine learning techniques to improve our nutritional recommendations · such as suggesting recipes that suit your dietary pattern or predicting a potential nutrient deficiency. This processing:

  • Is subject to human supervision and does not make automated decisions affecting your rights without review
  • Uses aggregated and anonymous data where possible
  • Adheres to the ethical principles approved by the Saudi Data and AI Authority (SDAIA)

Details of the scientific methodology are available on the Methodology page.

Parties We Share With

We do not sell your data. We share it only in the following cases:

  • Technical service providers (hosting, analytics, support) committed to PDPL regulations
  • Grocery and delivery partners · only data necessary to fulfill your order
  • Government entities · when required by a legal obligation (judicial, tax, regulatory)
  • In case of merger or acquisition · ensuring the transfer of protection obligations

Data Transfer Outside KSA

We may need to transfer your data outside the Kingdom for hosting or analytical purposes. We comply with Article (29) of the Executive Regulations of the Personal Data Protection Law, which requires:

  1. That the transfer is necessary for a legitimate interest of the data subject
  2. That the country transferred to applies a level of protection not less than that in the Kingdom
  3. Obtaining approval from SDAIA when necessary

Currently, Saudi customer data is hosted in the AWS Bahrain region (within the GCC) to minimize the need for transferring data outside the regulatory scope.

Data Retention Period

  • Account Data: Until you choose to delete your account (with an additional 90-day period for disputes)
  • Billing and Transaction Data: 10 years (accounting obligation by ZATCA)
  • Logs and Security: 12 months
  • Temporary Cookies: Minutes · Long-term cookies: Up to 2 years
  • Sensitive Health Data: Deleted immediately upon deleting your account (no additional retention period)

Securing Your Data

We implement multi-layered technical and organizational measures:

  • Encryption: TLS 1.3 in transit · AES-256 at rest
  • Two-Factor Authentication (2FA) is available for all accounts
  • Passwords: not stored in plain text · we use the bcrypt algorithm for hashing
  • Access reviews and permissions (least privilege principle)
  • Continuous monitoring of systems in accordance with Saudi cybersecurity standards

Nonetheless, no system is 100% secure. We commit to notifying you within 72 hours of discovering any breach affecting your data, in accordance with SDAIA requirements.

Your Rights Under PDPL

The Saudi PDPL grants you the following rights, which you can exercise by emailing our Data Protection Officer:

  1. Right to be informed of the purposes of processing and its legal basis
  2. Right of access to your data stored with us
  3. Right to rectification or update of inaccurate data
  4. Right to destruction (deletion) when the purpose for its collection ceases to exist
  5. Right to restrict processing in cases of objection or dispute
  6. Right to data portability to another service provider (to the extent technically possible)
  7. Right to object to processing for unlawful purposes
  8. Right to withdraw consent at any time, without affecting the lawfulness of previous processing

We commit to responding to your request within 30 business days. If you are not satisfied with our response, you have the right to lodge a complaint with SDAIA via the National Personal Data Protection Platform.

Cookies Policy

We use three categories:

  • Necessary cookies (consent not required): for login, cart, language
  • Analytics cookies (opt-in consent): to measure performance and improve the site
  • Marketing cookies (opt-in consent): for retargeting via Meta and Google

You can manage your preferences from the consent banner at the bottom of the page, or from the Privacy Settings in your account.

Protection of Minors

Our services are directed at adults over 18 years old. We do not knowingly collect data from minors. If we discover an account belongs to a minor, we delete it immediately and contact the guardian. Family accounts (Family Plan) are managed entirely by the guardian.

Policy Updates

We may update this policy from time to time. For any material change (such as expanding processing purposes or changing shared entities), we will notify you via:

  • Email for active accounts
  • In-app notification upon opening
  • A prominent notice on the home page for 30 days

Amendments take effect immediately upon publication, unless otherwise stated.

Contact Our Data Protection Officer

For any inquiry or request regarding your personal data, contact us directly:

  • Email Address (DPO): privacy@eeina.com
  • General Inquiries: info@eeina.com
  • Address: Makkah, Kingdom of Saudi Arabia · CR 4031086289
  • Supervisory Authority: Saudi Data and AI Authority (SDAIA) · sdaia.gov.sa