Privacy policy

Last Updated: 08/01/2026

Clause One: Introduction

This Privacy Policy reflects THEMAR’s commitment to protecting the privacy of personal data of our clients, employees, and other stakeholders, in accordance with the Personal Data Protection Law in the Kingdom of Saudi Arabia. THEMAR recognizes the importance of handling personal information responsibly and transparently. This Policy explains how personal data is collected, used, stored, disclosed, and protected, as well as the rights of individuals regarding their personal data.

THEMAR is committed to ensuring that personal data is processed lawfully, fairly, and securely, in line with individuals’ rights and the principles of the Personal Data Protection Law, including data minimization, clarity of purpose, accuracy, and confidentiality. This Policy applies to all personal information we collect from clients, employees, collaborators, and any relevant third parties while providing our services. THEMAR is committed to providing a secure environment that respects individuals’ privacy and protects their personal data from unauthorized access or unlawful use.

Clause Two: Policy Objectives

This Policy aims to inform data subjects—such as customers, employees, and third parties associated with THEMAR—about how THEMAR collects, processes, and stores the personal data it obtains. All individuals associated with THEMAR, whether employees, customers, or beneficiaries, should review this Privacy Policy regularly for updates.

Clause Three: Definitions

  1. “Personal Data Protection Law”: The Personal Data Protection Law issued on 09/02/1443 AH (corresponding to 16/09/2021 AD) by Royal Decree No. (M/19) dated 09/02/1443 AH, including its subsequent amendments and Executive Regulations.
  2. “Personal Data” or “Data”: Any statement—regardless of its source or form—that may lead to identifying an individual specifically, or make it possible to identify them directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, still or moving images of the individual, and other data of a personal nature.
  3. “Personal Data Subject” or “User”: The individual to whom the personal data relates, their representative, or the person who has legal guardianship over them.
  4. “Processing”: Any operation performed on personal data by any means, whether manual or automated, including: collection, recording, archiving, indexing, arranging, organizing, storing, modifying, updating, merging, retrieving, using, disclosing, transferring, publishing, sharing, interconnection, blocking, erasure, and destruction.
  5. “Collection”: The Controller obtaining personal data in accordance with the Personal Data Protection Law, whether directly from the data subject, their representative, the person who has legal guardianship over them, or from another party.
  6. “Destruction”: Any action that removes personal data and makes it impossible to access or retrieve it again.
  7. “Disclosure”: Enabling any person—other than the Controller—to obtain, use, or access personal data by any means and for any purpose.
  8. “Transfer”: The transfer of personal data from one place to another for processing.
  9. “Publishing”: Broadcasting any personal data via a readable, audio, or visual means of publication, or making it available.
  10. “Credit Data”: Any personal statement related to an individual’s request to obtain financing, or their obtaining of financing—whether for a personal or family purpose—from an entity that practices financing, including any statement related to their ability to obtain credit, their ability to meet obligations, or their credit history.
  11. “Controller”: THEMAR, as the owner of the Platform, and the party that determines the purpose and manner of processing personal data.
  12. “Processor”: THEMAR or any other entity designated by THEMAR to process data on its behalf.
  13. “Platform”: The debt crowdfunding platform owned by THEMAR and licensed to establish and manage it in accordance with the license issued by the Saudi Central Bank to THEMAR under No. 75/Ash/202307. The Platform can be accessed via: www.themar.sa.
  14. “THEMAR”: THEMAR Crowdfunding Company (a Saudi closed joint stock company), Commercial Registration No. 4030489679 (Jeddah Commercial Registry Office), headquartered in Jeddah, and licensed by the Saudi Central Bank to practice debt crowdfunding under License No. 75/Ash/202307. THEMAR was established in accordance with the Companies Law 1437 AH issued by Royal Decree No. (M/3) dated 28/01/1437 AH and Council of Ministers Resolution No. (30) dated 27/01/1437 AH. THEMAR is the Controller under this Policy.
  15. “Debt Crowdfunding”: Collecting funds from participants through a digital platform to extend credit through contracts to beneficiary establishments.
  16. “Rules for Practicing Crowdfunding Activity”: The rules for practicing debt crowdfunding activity issued by the Saudi Central Bank in Jumada Al-Ula 1443 AH / December 2021 AD, pursuant to the powers granted under the Finance Companies Control Law issued by Royal Decree No. (M/51) dated 13/08/1433 AH, including subsequent amendments.
  17. “Visitor”: A user who visits the Platform without logging in.

Clause Four: Scope of the Agreement

THEMAR is committed to providing a safe and fruitful investment experience for all Platform users, ensuring the confidentiality of Users’ personal data, and complying with the applicable laws and regulations in the Kingdom of Saudi Arabia to support a healthy investment environment. Since THEMAR conducts debt crowdfunding activity through its Platform accessible via www.themar.sa, and since practicing debt crowdfunding requires collecting, processing, and disclosing personal data of Platform users in accordance with this Policy and applicable laws, the User’s use of the Platform constitutes acceptance of this Privacy Policy in accordance with its provisions.

Clause Five: Data Collected by the Platform

Data collected from the Visitor (User without login)

  1. The name of the User’s internet service provider (Service Provider).
  2. Internet Protocol (IP) address.
  3. Information about the browser used.
  4. Cookies.
  5. Information about how you interact with the THEMAR website, which may include clicks and actions. This information is not linked to any personally identifiable information.
  6. The User’s previous and next location.

Data collected from the User (during first login and thereafter)

In addition to the data collected from the Visitor, the following data is collected from the User during first login and thereafter:

  1. Username.
  2. Identity data and personal identification number or residency number.
  3. Personal data such as nationality, date of birth, and gender.
  4. Credit data determined by THEMAR from time to time, including but not limited to: IBAN or banking information.
  5. Contact information such as email, phone number, and address.
  6. Any other data that THEMAR may request to enable it to practice its commercial activity of debt crowdfunding.

In all cases, THEMAR may request all data necessary to comply with the governing rules issued by the Saudi Central Bank or to comply with laws and regulations in force in the Kingdom of Saudi Arabia from time to time.

THEMAR, a Saudi closed joint stock company, Commercial Registration No. 4030489679 (Jeddah Commercial Registry Office), headquartered in Jeddah, is the entity entrusted with collecting the data subject to this Policy, taking into account the Personal Data Protection Law, its subsequent amendments, and its Executive Regulations.

The User acknowledges and consents that THEMAR may store data—especially credit data—in the User’s profile linked to their account registered with the Platform, and authorizes the Platform to use such data and make it available to relevant parties participating in the crowdfunding process (the beneficiary establishment or the financing applicant) or to credit assessment and risk assessment entities.

Clause Six: Purpose of Data Collection

  1. Data is collected to enable login to the Platform and access debt crowdfunding services in accordance with the license issued by the Saudi Central Bank to the Platform; accordingly, collecting the above data (as an example) is required.
  2. To track User preferences through cookies to improve the User experience and make the Platform easier and better to use.
  3. To respond to your inquiries and resolve potential issues you may encounter with the requested service.
  4. To maintain the security of our services, including fraud monitoring and prevention.
  5. To analyze User data and collect statistics to enhance the Platform and provide necessary technical support based on usage needs.
  6. The User acknowledges consent to provide certain credit data that the Platform may request from time to time, since the Platform’s core activity is connecting investors with beneficiaries requesting financing through debt crowdfunding, which requires certain credit data to execute the crowdfunding process.
  7. To obtain User feedback, the Platform may display surveys or opinion questionnaires from time to time related to Platform services.
  8. To comply with legal obligations, respond to legal requests, and exercise or defend legal rights.
  9. The Platform has the right to verify the User’s personal data entered on the website and share it with relevant verification authorities for the purpose of conducting required credit evaluation processes, including verifying commercial records and financial transactions with suppliers and other due diligence procedures required to obtain financing and evaluate the User’s creditworthiness, through verification via government systems or other systems, such as the Ministry of Commerce, Absher, ELM, SIMAH, Bayan (as examples), and other governmental or non-governmental platforms.

Clause Seven: How We Collect Personal Data and How We Store It

Direct collection

We collect certain information automatically without requiring you to log in, as described in Clause Five. This information is collected automatically when a User visits the website to improve User experience, understand how the website is used, and for analytics and security purposes.

When registering on the website, we ask the User to provide certain necessary personal information, as described in Clause Five. This information is necessary to facilitate our services, such as creating and managing accounts, providing technical support, and ensuring compliance with legal requirements.

We also collect information when the User completes the contact form or surveys provided by the Platform from time to time, either on the Platform or through any communication channels the User has shared with THEMAR.

Indirect collection

We collect and process your personal data received from third parties such as: SIMAH, ELM, Wathiq, Yaqeen, Bayan.

Data storage methods

Customer data is stored on secure cloud servers within the Kingdom of Saudi Arabia. We are committed to taking all necessary security measures to protect personal data and ensure the confidentiality and integrity of stored information. These measures include:

  1. Using encryption techniques to protect data during transmission and storage.
  2. Restricting access to personal data to employees who need such data to perform their duties.
  3. Regularly monitoring security systems to prevent and respond to security breaches.

We are committed to applying legal and regulatory standards related to personal data protection and strive to ensure the highest levels of protection and privacy for our Users’ data.

Clause Eight: Legal Basis for Processing Personal Data

We may process personal data under the following legal bases:

  1. Consent: You have provided consent to the processing of personal data for one or more specified purposes.
  2. Performance of a Contract: Providing personal data is necessary for the performance of an agreement with you and/or any relevant pre-contractual obligations.
  3. Legal Obligations: Processing personal data is necessary for compliance with a legal obligation to which THEMAR is subject.
  4. Public Interest: Processing personal data is related to a task carried out in the public interest or in the exercise of official authority vested in THEMAR.
  5. Legitimate Interests: Processing personal data is necessary for the purposes of legitimate interests pursued by THEMAR.

Clause Nine: Cookie Policy

Types of cookies

  1. Necessary cookies: These cookies are necessary to store your preferences on the website. Without these cookies, you will be treated as a new user each time you visit the Site.
  2. Session cookies: Essential for maintaining your session while navigating our website, ensuring a seamless and consistent browsing experience.
  3. Cookie preference cookies: Store your preferences regarding cookie usage on our website and remember your choices for future visits.
  4. Tracking cookies: We use these cookies to collect information about how you use our Site, which helps us improve Site performance and deliver content more relevant to your needs.
  5. Google Ads Conversion Tracking
  6. Google Analytics
  7. Hotjar
  8. Snap Pixel
  9. LinkedIn Insights
  10. Facebook Pixel
  11. TikTok Pixel
  12. Twitter Pixel

You can manage cookies through your browser settings or account settings on the Platform. You can choose to accept or reject cookies; however, rejecting necessary cookies may affect your experience on the Site. To learn more about cookies and how to manage them, you may visit: www.allaboutcookies.org.

Clause Ten: Entities With Whom We May Share Your Personal Data

To provide our services and fulfill our regulatory obligations, your personal data may be disclosed to the following entities, either on a regular basis and/or on a one-time basis, depending on the nature of the services, including but not limited to, and in accordance with the legal basis described above:

  1. Credit assessment and risk assessment entities.
  2. Service providers: carefully selected companies that provide services to us or on our behalf, such as companies that provide service delivery applications and others. These providers are also committed to protecting your information, including:
  3. Background check service providers.
  4. IT service providers, including cloud hosting, application development and support, IT infrastructure services, email services, and others.
  5. Public or regulatory bodies, where we may be legally obligated to share your information in response to legal proceedings or court orders, or as required by applicable laws and regulations, or at their request.
  6. Legal authorities, government agencies, courts, dispute resolution bodies, regulatory bodies, auditors, and any entity appointed by regulators to conduct investigations or audits of THEMAR’s activities.
  7. Parties involved in corporate transactions: in the event of a merger, transfer, acquisition, or sale, your information may be disclosed to the relevant third party.
  8. Other parties with your consent or as required by applicable law: in addition to the disclosures in this Privacy Policy, we may share your information with third parties when you expressly provide consent or request it.
  9. Data analytics providers: to improve THEMAR’s website and applications by measuring digital campaign performance and analyzing visitor activity (such as device/browser information, user engagement metrics, and website/application usage patterns).
  10. Legal and professional advisors.
  11. Fraud prevention agencies: to detect and prevent fraud and other financial crimes.
  12. Social media agencies: to show you messages about THEMAR’s products and services or to ensure you are not shown irrelevant messages.

Clause Eleven: Credit Information

THEMAR complies with the Personal Data Protection Law and applicable regulations governing the processing of credit data in a manner that preserves data subjects’ privacy and protects their rights under the Personal Data Protection Law and the Credit Information Law, in particular notifying the data subject when a request is received to disclose their credit data from any entity.

Clause Twelve: User Rights Related to Personal Data, How It Is Destroyed, and How to Exercise These Rights

THEMAR makes every effort to ensure your rights as outlined below, in accordance with applicable laws and regulations. We will process your request within a maximum of 30 days.

If, due to the nature of your request, we anticipate the need for additional time, you will be notified immediately with an explanation of the reason for the delay. Such extension will not exceed an additional 30 days.

  1. Right to be informed: Informing the User of the legal or practical basis for collecting their personal data and the purpose of collection, and ensuring that the data is not subsequently processed in a manner inconsistent with that purpose.
  2. Right of access: The User’s right to access personal data held by the Controller, including viewing the data and obtaining a copy in a clear format consistent with the records, free of charge, after submitting a request to the Platform. The Platform shall provide the data within a reasonable period determined by THEMAR.
  3. Right to rectification: The User’s right to request correction, completion, or updating of their personal data.
  4. Right to destruction: The User’s right to request destruction of their personal data held by the Controller, taking into account any contracts concluded with the Platform. The User is obligated to retain personal data to the extent necessary to perform contractual obligations until fully completed, and subject to the Rules for Practicing Debt Crowdfunding Activity, which require the Platform to retain User data for a period after contract termination.
  5. Right to reject the Privacy Policy and Terms and Conditions at any time: The User may reject the Privacy Policy and Terms and Conditions at any time. However, THEMAR may be required to suspend the User’s account for legal reasons if the User rejects the Policy and Terms, to ensure compliance with applicable laws and regulations.
  6. Right to opt out of marketing and advertising: The User has the right to refuse to receive marketing or advertising messages from THEMAR at any time.
  7. Right to refuse cookies: The User has the right to refuse the use of cookies on the website. However, some Site features may not function properly as a result.

These rights may not conflict with or exceed regulatory requirements issued by the Saudi Central Bank.

Clause Thirteen: Platform Obligations and Powers

  1. THEMAR takes the necessary organizational, administrative, and technical measures to preserve personal data, including during transfer, in accordance with the provisions and controls specified by the applicable regulations.
  2. The Controller may not process personal data without taking sufficient steps to verify its accuracy, completeness, timeliness, and relevance to the purpose for which it was collected.
  3. The Platform may disclose personal data from time to time according to data processing requirements. However, THEMAR will disclose personal data only where there is a legitimate reason, ensuring that the disclosure request is closely tied to a specific purpose and contains the minimum personal data necessary to achieve that purpose. THEMAR will also undertake due diligence to protect the privacy of the data subject and any other individual.
  4. Disclosure may be made to credit assessment and risk assessment entities.
  5. If an error is corrected, a deficiency is completed, or an update is made to personal data, THEMAR may notify any party to whom the data has been transferred of any modification and enable such modification.
  6. THEMAR may retain Users’ personal data for a period of not less than ten (10) years, taking into account the retention periods stated in the Rules for Practicing Debt Crowdfunding Activity issued by the Saudi Central Bank.
  7. The Controller shall notify the User immediately upon becoming aware of a leak, damage to personal data, or unauthorized access to it.
  8. The Controller must respond to the data subject’s requests regarding their rights within a specified period and through appropriate means.
  9. The Controller must conduct an assessment of the effects of processing personal data for any product or service offered to the public, depending on the nature of the activity carried out by the Controller, and the applicable regulations shall specify the necessary provisions.
  10. When appointing a Processor, the Controller must select a party that provides adequate guarantees to implement applicable laws and regulations, and must continuously verify the Processor’s compliance with instructions related to personal data protection. THEMAR shall not be responsible for the Processor’s breach of any obligations imposed by the Personal Data Protection Law or related applicable laws in the Kingdom of Saudi Arabia.
  11. THEMAR may use the data subject’s personal means of communication—including postal and electronic addresses—to send promotional or awareness materials after obtaining consent, and the User may request to unsubscribe from this service.
  12. THEMAR may amend this Privacy Policy from time to time and periodically, provided that the User is notified.

Clause Fourteen: Security Measures

THEMAR applies appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. THEMAR regularly reviews its data security practices and updates them as needed to address emerging threats. THEMAR ensures that external service providers adhere to comparable security standards.

  1. Data at Rest: Databases, backups, and system snapshots are encrypted using industry-standard encryption mechanisms to protect stored personal data from unauthorized access.
  2. Data in Transit: Data transmitted between Users, applications, and backend systems is protected using Transport Layer Security (TLS) to ensure confidentiality and integrity during transmission.
  3. Third-Party Data Protection: Service Level Agreements (SLAs) and contractual commitments are in place with all third-party service providers (including APIs and payment gateways) to ensure confidentiality, integrity, and lawful processing of personal data.
  4. Network and Application Security: Web Application Firewalls (WAF) and network firewalls are implemented to protect systems from unauthorized access, malicious traffic, and web-based attacks.
  5. Employee and Endpoint Data Protection: Customer data accessed or processed by employees is protected through Data Loss Prevention (DLP) controls, Mobile Device Management (MDM) solutions, Network Access Control (NAC), and Privileged Access Management (PAM). These controls ensure that only authorized and compliant devices and users can access systems, enforce the principle of least privilege, and prevent unauthorized disclosure, use, or privilege escalation.

Clause Fifteen: User Responsibilities

  1. Users are responsible for maintaining the confidentiality of their account credentials and any activities that occur under their accounts.
  2. Users must immediately notify THEMAR of any unauthorized use of their accounts or any other security breach.
  3. Users agree to provide accurate and up-to-date personal data and to update such data as needed to ensure its accuracy.

Clause Sixteen: Governing Law and Dispute Resolution

This Privacy Policy is governed by the laws of the Kingdom of Saudi Arabia.

Any disputes arising from or related to this Privacy Policy shall be resolved through arbitration in accordance with the applicable regulations in the Kingdom of Saudi Arabia.

How to Contact Us and Your Right to Lodge a Complaint with the Supervisory Authority

Users can contact THEMAR for any questions or concerns regarding this Privacy Policy through the contact details provided on the Platform (link).

If you wish to exercise any of your rights, or if you have any questions about this Policy or our use of your personal data, please contact our Data Protection Officer (DPO).

You can contact THEMAR’s DPO via email at: Privacy@themar.sa


logo-white

THEMAR is a platform for financing small and medium enterprises under the supervision of the Saudi Central Bank to practice crowdfunding with debt under license number 75/AC/2023

Official working hours start from Sunday to Thursday, from 9 am to 5 pm

Contact Us

Follow us

THEMAR studies and evaluates the investment projects and risks nominated offered on the platform and the suitability of the establishments benefiting from the financing, as Thamar does what is necessary to ensure the accuracy of the information provided by the parties requesting financing for their Businesses to be compatible with the requirements of the Central Bank to start a financial contractual relationship. We would like to note that our presentation of projects on the Thamar platform is not considered advice to provide financing and participate in the project, as this type of project, whatever it is, is classified as high-risk and may expose the investor to losing capital with profits. Therefore, the selection of projects and participation in them is the responsibility of the participating investor.

© Copyright 2026 - All rights reserved by THEMAR Company
cookies
THEMAR platform uses cookies to improve your experience while browsing the platform. By clicking “Accept All“, you consent to our use of cookies. Read more at Privacy Policy
Accept All
Reject Non-essential