Data Privacy Notice
Vision Bank (hereinafter referred to as “the Bank,” “we,” or “us”) is committed to protecting the privacy and security of your personal data. This Privacy Notice sets forth the manner in which the Bank collects, processes, discloses, and safeguards the personal data of data subjects (hereinafter referred to as “you” or “your”) in connection with the Bank’s products and services, in compliance with all applicable data protection laws and regulations.
This Privacy Notice is intended to provide clear and transparent information regarding the Bank’s handling of personal data, ensuring that such data is processed lawfully, fairly, and in a transparent manner. This Notice applies to all customers, visitors, users of the Bank’s services, and any third parties who interact with the Bank in relation to the processing of personal data.
This privacy notice is provided in both Arabic and English. In the event of any discrepancy, the Arabic version shall prevail.
About us
- Company Name: Vision Bank Closed Joint Stock Company.
- Commercial Registration No.: 1010850478
- Registered Address: 6537 King Abdulaziz Rd., King Salman Dist. 12432 Riyadh, Saudi Arabia.
Definitions
- Personal Data: Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.
- Sensitive Personal Data: Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown.
- The Law: The personal data protection law (PDPL) in the Kingdom of Saudi Arabia issued pursuant to Royal Decree No. (M/19) dated 09/02/1443 AH corresponding to 16/09/2021 G and any amendments to the law.
- Personal Data Protection Officer (PDPO): The person responsible for overseeing our compliance with data protection laws and regulations.
- Know Your Customer (KYC) Requirements: Regulations that require financial institutions to verify the identity of their customers and assess the risks associated with money laundering and terrorism financing.
- Anti Money Laundering (AML) Law: A law that aims to prevent and combat money laundering and terrorism financing in the Kingdom of Saudi Arabia. It includes measures such as reporting suspicious transactions.
- SAMA: Saudi Central Bank.
Personal Data We Collect
The personal data we collect includes, but is not limited to, the following:
- Data collected through the bank's official mobile application and website, such as ID number, mobile number, email address, place of work, sources of income, and sensitive information such as if the customer is a politically exposed person.
- Data collected from government services such as Nafath and Saudi Post, which includes name, date of birth, and national address, and children's names and dates of birth (if the account is opened by a legal guardian).
- Data collected through the use of the bank's services, website, or official mobile app (such as cookies, IP address, GPS location, call center and chatbot interactions).
- Personal data related to banking services such as account numbers, credit cards, and financial transactions.
Purpose of Processing Personal Data
We collect and use your personal data for the following purposes:
- Opening and managing accounts: We need your personal data to verify your identity, assess your financial information, and open and manage your accounts, such as current, saving, credit card, and loan accounts.
- Providing banking services: We use your personal data to process transactions, issue payments, receive deposits, assess eligibility, provide online banking access and loyalty programs, and answer your inquiries about our products and services.
- Detecting and preventing fraud: We use your personal data to monitor suspicious activity and prevent fraud, money laundering, and other financial crimes.
- Complying with legal and regulatory requirements: We are required to collect and use your personal data to comply with laws and regulations, such as know-your-customer (KYC) requirements and anti-money laundering (AML) law.
- Customer service and support: Personal data is used to provide customer support, respond to inquiries, resolve issues, and communicate essential account and service information.
- Marketing and promotional activities: We use your personal data to provide you with personalized offers and marketing messages, and you can request to stop this at any time through the mobile app.
- Analytics: We use your personal data to conduct market research and analysis to improve the products and services offered to you.
Without collecting your personal data, we may not be able to provide you with the highest level of our services and products, or we may be unable to provide them to you at all.
Lawful Basis of Processing
We process your personal data based on the following lawful grounds:
- Contract: We process your personal data to fulfill our contractual obligations to you, such as managing your accounts and providing you with the banking services you have requested.
- Legal obligation: We are required to process your personal data by law, to fulfill KYC requirements, AML law, and SAMA regulations.
- Legitimate interest: We may process your personal data for our legitimate business interests, such as preventing fraud, conducting market research, enrolling you in loyalty programs, and improving our products and services. In these cases, we will always balance our legitimate interests against your data protection rights.
- Consent: We rely on your consent to process your personal data for specific purposes, such as sending you marketing messages or sharing your data with a third party for the purpose of providing banking services, while maintaining confidentiality and ensuring that the sharing is limited to the scope of the required service. You can withdraw your consent at any time.
Disclosure and Sharing of Personal Data
As part of our banking services and the legitimate processing of your data, we may share your personal data with certain third parties, both inside and outside the Kingdom of Saudi Arabia, for specific purposes as outlined in this privacy notice. When we share your data, we are committed to ensuring the highest level of security and protection of your privacy through the following safeguards:
- Compliance with SAMA Requirements: We will only share personal data with third parties that meet the requirements and after obtaining the necessary approvals from SAMA.
- Data Processing Agreements: We enter into strict data processing agreements with third parties. These agreements require them to process your data only for the purposes we specify, maintain confidentiality, and implement appropriate security measures.
- Robust Security Measures: We implement and require our third-party partners to implement robust technical and organizational security measures, including encryption, access controls, and regular security assessments, to protect your personal data during transfer and processing.
We may disclose your personal data to the following categories of recipients for the purposes outlined earlier:
- Regulatory bodies like SAMA and the National Data Management Office (NDMO)
- Law enforcement authorities
- Third-party service providers who support our operations
- Saudi Credit Bureau (SIMAH)
Personal Data Storage
The bank has the right to retain personal data in accordance with the relevant laws and regulations. We are committed to the following with regards to the storage and retention of personal data:
- We will implement the highest standards of protection to ensure the security of data and guarantee safe and efficient access to it. We use advanced encryption techniques and access control management to ensure the integrity, confidentiality, and availability of data.
- Personal data collection by the Bank will be limited to that which is strictly necessary for the fulfillment of its contractual commitments.
- Personal data will be used solely for the purpose it was collected for, and it won’t be used for any other purpose without your explicit consent.
- We will observe all the rights of the data subjects as stipulated in the law.
- In the unlikely event of a data breach incident, we will notify you and the relevant authorities as required by law.
Personal information of minors and legally incapacitated individuals
The Bank processes data of minors and legally incapacitated individuals only after obtaining explicit consent from the legal guardian. Guardians have the right to access, correct, or request deletion of the personal data of the minors or legally incapacitated individuals under their care.
The Bank verifies the minor’s age and the legal capacity of the guardian before processing the data. A strict verification procedure is implemented to ensure that consent is valid and that data is processed securely and only for legitimate purposes.
Usage of Artificial Intelligence (AI) and Automated Decision-Making
In our commitment to providing efficient and secure services, we may utilize Artificial Intelligence (AI) and automated decision-making processes in certain aspects of our operations.
This may include the use of AI-powered features such as chatbots to assist with customer inquiries and provide information. These chatbots are designed to enhance your experience and facilitate some of the common tasks.
Furthermore, we may employ automated decision-making processes for specific purposes, for example in areas related to customer protection and fraud prevention. These automated systems analyze various data points to identify potentially fraudulent activities or assess risks, helping us to safeguard your accounts and maintain the security of our services.
It is important to note that while these processes are automated, they are designed and monitored by our teams to ensure fairness and accuracy.
As outlined in the “Your Data Subject Rights” section of this Privacy Notice, you have the right to object to certain types of processing, including automated decision-making. Please refer to that section for details on how to exercise these rights.
Biometric Data for Customer Identification
To support secure and seamless access to our digital services, we may allow the use of biometric authentication methods (such as fingerprint or facial recognition) available on your personal device.
The Bank explicitly disclaims any involvement in the collection, storage, or processing of your biometric data. By design, your biometric information remains exclusively on your device and is managed solely by the device’s operating system. The Bank receives only confirmation of successful authentication from your device, without having access to or control over your biometric information.
Personal Data Protection Officer
Our Data Protection Officer is responsible for overseeing our compliance with data protection laws and regulations. You can contact the bank at data-pri.contact-info.[email protected] with any questions about our privacy notice or how we handle your personal data.
To exercise your rights related to your personal data, refer to the following section.
Data Subject Rights
You have the following rights under the Law:
- Right to know: You have the right to know the purpose and the lawful basis for processing your personal data.
- Right to access: You have the right to access your personal data that we hold.
- Right to rectification: You have the right to correct any inaccurate or incomplete personal data we hold about you, without prejudice to official government records.
- Right to erasure: You have the right to request that we erase your personal data in certain circumstances, without prejudice to the regulations issued by the central bank in this regard.
- Right to data portability: You have the right to request a copy of your personal data in a readable and portable format.
- Right to object: You have the right to object or withdraw your previous consent to certain types of processing, such as direct marketing.
- Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
Exercising Your Data Subject Rights at Vision Bank
The Bank respects your right to control your personal data under the Law. You can exercise your data subject rights by any of the following means:
- Calling our customer care center at 800 .contact-info. 100 0010 .
- Sending an email to data-pri.contact-info.[email protected] from the email registered with the bank.
- Through the mobile app's email functionality.
- The preferred method for updating your personal data is through the personal data update feature in our mobile app, specifically the profile section. However, if the information you wish to update is not yet supported by the app’s automated feature, please contact us using one of the three methods described above.
How to submit a request using the mobile app:
- Open Vision Bank mobile app.
- Navigate to the "More" menu by tapping on the 3 dots at the bottom of the screen.
- Select "Customer Care".
- Choose "Email" to launch your preferred email application.
- Compose your email, clearly stating:
  - The specific data subject right you wish to exercise (e.g., access, rectification, erasure)
  - The personal data to which your request applies
  - Any relevant details or supporting information
- Send your email from the email registered with the bank.
Processing Your Request:
The Bank will process all Data Subject Requests within 30 days of their receipt. This period may be extended by an additional 30 days if the implementation requires disproportionate effort or if the Bank receives multiple requests from the data subject. You will be notified in advance of the extension with the reasons for the delay.
The following steps will be followed by the Bank to process your request:
- Upon receipt of your request, you will receive a confirmation message with a reference number.
- Your request will then be forwarded to our personal data protection officer for validation and processing in accordance with data protection regulations.
- The personal data protection officer will assign your request to the appropriate team for fulfillment.
- We will keep you informed of the progress and notify you at your verified email address once it is completed.
Changes to Privacy Notice
We reserve the right to amend this Privacy Notice from time to time in accordance with changes to the Bank's internal procedures, regulations and related laws.
Privacy Notice updated on 21st July 2025