Privacy

Privacy Spotny Technologies

Effective Date: May 1, 2025

Compliant with Saudi Personal Data Protection Law (PDPL) — نظام حماية البيانات الشخصية

1. Who We Are

Spotny Technologies (“Spotny”, “we”, “us”, or “our”) is a Saudi AdTech company operating in the Kingdom of Saudi Arabia. We operate an IoT-powered proximity marketing platform that connects shoppers, brands, and venues through smart beacon technology.

This Privacy Policy applies to all users of the Spotny mobile application, our website at spotny.app, and any related services. It governs how we collect, use, store, and protect your personal data in compliance with:

The Saudi Personal Data Protection Law (PDPL) — نظام حماية البيانات الشخصية — issued by Royal Decree No. م/19 dated 9/2/1443H The implementing regulations and guidelines issued by the Saudi Data & AI Authority (SDAIA) By using Spotny, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.

2. Data We Collect

We only collect the minimum data required to deliver our service. Our core platform is built on anonymous IoT beacon signals — no facial recognition and no biometric data. The only time your device camera is used is when you choose to scan a QR code or use our AR feature (described in Section 3 below), and in both cases, no images are ever captured, stored, or sent to our servers.

We collect the following categories of personal data:

• Account Information: Name, email address, and phone number — collected when you register.
• Location Data: When you grant background location permission on Android, we use your device’s location solely to detect the proximity of Bluetooth beacons installed at partner store locations. We do not collect, store, or transmit your GPS coordinates or location history to our servers. Location is processed on-device only to determine whether you are near a beacon, and is discarded immediately after that determination is made. See Section 4 for full details.
• Proximity Data: Bluetooth Low Energy (BLE) beacon signals indicating your proximity to a venue or aisle — used to deliver nearby offers and promotions.
• Preferences: Categories of interest you select (e.g., fashion, electronics) — used to personalize your experience.
• Device Information: Device model, OS version, app version, and push notification token — used to send notifications and ensure compatibility.
• Usage Data: Offers viewed, offers redeemed, and time spent in-app — used to improve the platform and measure campaign performance for brands.
• Shopping Behavior: Deals browsed or saved, aggregated and anonymized — shared with brands as anonymous reach and engagement metrics only.

We never collect: facial images, photos from your camera or camera roll, biometric data, financial or payment data, national ID numbers, or any other sensitive personal data as defined under Article 23 of the PDPL, without your explicit prior consent.

3. Camera Usage — QR Scanning & Augmented Reality

Spotny may request access to your device camera for two specific, user-initiated purposes only. In both cases, your camera is a tool you control — we never access it in the background, and we never capture, store, or transmit any images or video.

3.1 QR Code Scanning

When a brand or venue displays a QR code on a screen (for example, on a digital display in a mall), you may choose to open your camera through the Spotny app to scan it and unlock a discount or offer.

• Your camera opens only when you tap “Scan” — never automatically or in the background.
• The camera reads the QR code pattern only — no photo is taken, saved, or transmitted.
• No image data is sent to Spotny’s servers.
• You can deny or revoke camera permission at any time in your phone’s system settings.

3.2 Augmented Reality (AR) Experience — Coming Soon

We are developing an AR feature that will allow you to point your camera around a mall or store to see live offers, product information, and interactive experiences overlaid on your screen.

• AR mode activates only when you explicitly enter it within the app — never automatically.
• The camera feed is processed entirely on your device — no video stream or frames are sent to our servers.
• No images or video clips are stored on your device or in the cloud by Spotny.
• Before this feature launches, we will request your explicit camera permission in compliance with PDPL Article 5.
• You may revoke camera permission at any time from your device settings.

3.3 Camera Roll & Photo Library

Spotny does not request, access, or have permission to read your camera roll or photo library — at any time, for any reason. We have no ability to browse, view, or upload any photos stored on your device.

---

4. Location Access — Beacon Detection

To enable automatic beacon detection at partner stores, the Spotny app requests access to your device’s location, including while the app is running in the background (background location). This section explains exactly what we access, why, and how it is used.

4.1 What We Access

On Android devices (API level 29 and above), we request the ACCESS_BACKGROUND_LOCATION permission. This allows the app to detect Bluetooth beacons even when you are not actively using the app. Before requesting this permission, we display an in-app disclosure explaining its purpose and give you the choice to allow or decline.

On iOS devices, Bluetooth proximity detection does not require background location permission. Apple’s native system handles the necessary permission through its standard Bluetooth authorization prompt.

4.2 Why We Need It

Spotny’s core feature is automatic loyalty point crediting and personalized offer delivery when you walk into or near a partner store. Without background location, the app can only detect beacons while it is open on your screen. With it, detection happens seamlessly — so you never miss a reward simply because you forgot to open the app.

4.3 How Location Data Is Used

• Location is used exclusively to determine proximity to registered Bluetooth beacons at partner store locations.
• Your GPS coordinates are never collected, recorded, or transmitted to our servers.
• Location processing happens on your device only — the app checks whether a beacon is nearby and immediately discards the location signal.
• We do not build a location history, track your movements, or store any geolocation data.
• Location data is never sold, shared, or disclosed to third parties, including brand partners. Brands receive only anonymized engagement signals (e.g., a beacon was triggered), never your location.

4.4 Your Control

• You are shown an in-app explanation before background location is requested for the first time.
• You may choose “Not Now” to decline background location — the app will still function, and beacons will be detected while the app is open in the foreground.
• You can revoke location permission at any time from your device’s system settings under Spotny → Location → change to “While Using” or “Never”.

---

5. How We Use Your Data

We process your data only for the following specific, lawful purposes:

• Delivering personalized offers and promotions when you are near a participating venue.
• Sending push notifications for deals matching your interests (you can opt out at any time).
• Providing brands and retailers with anonymized, aggregated analytics — individual identities are never shared.
• Improving the Spotny platform through usage analytics.
• Responding to your support requests.
• Complying with legal obligations under Saudi law.

We process your data on the legal bases of contractual necessity, legitimate interest, and — where required — your explicit consent, in accordance with Articles 4 to 6 of the PDPL.

6. Data Storage & Security

Your data security is our highest priority. We have implemented multiple layers of protection to ensure your data is safe, private, and inaccessible to unauthorized parties.

• Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
• Access Controls: Strict role-based access — only authorized personnel can access personal data, and only to the extent required for their role.
• KSA Data Residency: Your data is stored on servers located within the Kingdom of Saudi Arabia.
• Regular Security Audits: Security assessments and penetration testing are performed on a regular basis.
• Breach Notification: In the event of a security incident, we notify SDAIA and affected users within 72 hours, as required by the PDPL.
• Data Minimization: We collect only what is strictly necessary and delete it when it is no longer needed.

We guarantee that your personal data is stored in a secure, protected environment. No unauthorized person — inside or outside Spotny — can access, read, or extract your data. We take full responsibility for its protection under Saudi law.

Data Retention

• Active accounts: Data is retained for the duration of your use of Spotny.
• Deleted accounts: Personal data is permanently deleted within 30 days of your deletion request.
• Anonymized analytics: May be retained indefinitely, as they cannot be linked back to any individual.
• Legal holds: Certain data may be retained longer if required by Saudi law or a competent authority.

7. Sharing Your Data

We do not sell, rent, or trade your personal data. We only share data in the following limited circumstances:

• With participating brands and retailers: Only aggregated, anonymized campaign analytics. For example: 500 shoppers saw this offer in the electronics aisle. Individual identities are never shared.
• With service providers: Trusted third parties such as cloud infrastructure and push notification services who process data strictly on our behalf under signed data processing agreements.
• With regulatory authorities: When required by Saudi law, a court order, or a lawful request from SDAIA or other government authorities.
• In a business transaction: If Spotny merges with or is acquired by another entity, your data will only be transferred under equivalent privacy protections.

Any third party that receives data from Spotny is contractually bound to protect it to at least the same standard as this policy, and in full compliance with the Saudi PDPL.

8. Your Rights Under the Saudi PDPL

As a data subject under the Saudi Personal Data Protection Law, you have the following rights, which we are committed to honoring:

• Right to Access: Request a copy of all personal data we hold about you.
• Right to Correction: Request correction of any inaccurate or incomplete data.
• Right to Deletion: Request deletion of your data when it is no longer needed or when you withdraw consent.
• Right to Object: Object to processing for direct marketing purposes at any time.
• Right to Portability: Receive your data in a structured, machine-readable format.
• Right to Withdraw Consent: Withdraw consent for any processing based on consent, at any time, without affecting the lawfulness of prior processing.
• Opt Out of Notifications: Turn off push notifications at any time from within the app or your device settings.
• Right to Lodge a Complaint: File a complaint with SDAIA if you believe your rights under the PDPL have been violated.

To exercise any of these rights, please contact us at privacy@spotny.app. We will respond within 15 business days, as required by the PDPL.

9. Cookies & Tracking Technologies

Our website (spotny.app) uses minimal cookies strictly necessary for the site to function. We do not use third-party advertising or tracking cookies without your consent.

• Essential cookies: Required for login sessions and security. These cannot be disabled.
• Analytics cookies: Anonymous usage statistics to help us improve our website. You may opt out.
• Marketing cookies: Only placed with your explicit consent — never enabled by default.

You can manage cookie preferences in your browser settings at any time. Disabling essential cookies may affect site functionality.

10. Children’s Privacy

Spotny is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we discover that a minor has registered, we will immediately delete their data and terminate the account.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@spotny.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:

• We will update the Effective Date at the top of this document.
• We will send a push notification or in-app alert to all active users.
• For significant changes, we may request your renewed consent.

We encourage you to review this policy periodically. Continued use of Spotny after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact our Data Protection Officer:

• Email: privacy@spotny.app
• General inquiries: hello@spotny.app
• Website: spotny.app

You also have the right to file a complaint with the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa if you believe your rights under the PDPL have been violated.

---

ملخص سياسة الخصوصية — باللغة العربية

من نحن؟

شركة سبوتني للتقنية شركة سعودية ناشئة في مجال التقنية الإعلانية، تعمل وفق أحكام نظام حماية البيانات الشخصية الصادر بالمرسوم الملكي رقم م/19 بتاريخ 9/2/1443هـ واللوائح التنفيذية لهيئة سدايا.

ما الذي نجمعه؟

نجمع فقط: معلومات الحساب (الاسم والبريد الإلكتروني ورقم الجوال)، وبيانات الموقع الجغرافي لأغراض الكشف عن الإشارات اللاسلكية فقط (انظر أدناه)، وإشارات التقنية اللاسلكية القريبة للكشف عن قربك من المنافذ التجارية، وتفضيلاتك وبيانات الاستخدام. لا نجمع صوراً ولا بيانات بيومترية ولا معلومات مالية حساسة.

الوصول إلى الموقع الجغرافي — الكشف عن الإشارات اللاسلكية

على أجهزة Android، يطلب التطبيق إذن الوصول إلى الموقع الجغرافي في الخلفية بهدف وحيد: الكشف عن إشارات البلوتوث في المتاجر الشريكة تلقائياً حتى عند عدم استخدام التطبيق. يتم معالجة بيانات الموقع على جهازك فقط ولا تُرسَل إلى خوادمنا ولا تُخزَّن ولا تُشارَك مع أي طرف ثالث. إحداثيات GPS لا تُجمَع إطلاقاً. قبل طلب هذا الإذن، يعرض التطبيق شاشة توضيحية تشرح الغرض منه وتمنحك خيار القبول أو الرفض. يمكنك إلغاء هذا الإذن في أي وقت من إعدادات هاتفك.

استخدام الكاميرا

لا تصل سبوتني إلى كاميرا هاتفك أو ألبوم الصور في أي وقت تلقائياً. الكاميرا تُستخدم فقط في حالتين بمبادرة منك: (1) مسح رمز QR للحصول على عرض، حيث لا تُلتقط أي صورة ولا تُرسَل أي بيانات مرئية لخوادمنا؛ (2) تجربة الواقع المعزز (AR) القادمة قريباً، حيث تتم المعالجة على جهازك فقط ولا تُخزَّن أي صور. كما أننا لا نملك أذونات للوصول إلى ألبوم صورك إطلاقاً.

كيف نحمي بياناتك؟

تُخزَّن بياناتك على خوادم آمنة داخل المملكة العربية السعودية، محمية بتشفير قوي من الدرجة الأولى. لا يمكن لأي شخص غير مصرَّح له الوصول إلى بياناتك أو اختراقها. نُجري اختبارات أمنية دورية ونلتزم بإخطار هيئة سدايا والمستخدمين المتأثرين في غضون 72 ساعة من أي حادثة أمنية.

لا نبيع بياناتك

لا تُباع بياناتك الشخصية أو تُؤجَّر أو تُشارَك مع أطراف ثالثة لأغراض تجارية. يحصل الشركاء فقط على إحصاءات مجمَّعة ومجهولة الهوية.

حقوقك بموجب النظام

يحق لك الاطلاع على بياناتك وتصحيحها وطلب حذفها والاعتراض على معالجتها وسحب موافقتك في أي وقت. للتواصل: privacy@spotny.app — وللشكاوى: هيئة سدايا على sdaia.gov.sa