Controller
[[Company Legal Name]], CR [[Commercial Registration Number]], Address [[Registered Address]], Email [[Privacy/Support Email]], DPO: [[Data Protection Officer / Contact]].
Scope
This Privacy Policy applies to the Thabir mobile apps and websites offering: (a) a marketplace for bariatric, nutraceutical and cosmetic products (sold by Thabir and third‑party suppliers with store pages), (b) telehealth/paid advice by licensed clinicians and pharmacists, (c) e‑learning for clinicians with CME/CPD credit and paid lectures.
Data We Process
We process the following categories of data:
- Identity & Contact: Name, email, phone number, address
- Account Credentials: Username, password (encrypted)
- Orders & Transaction Tokens: We do not store full card data; only transaction tokens
- Device & Usage: Including cookies/SDKs for analytics and functionality
- Health Data (Sensitive): Related to teleconsultations, prescriptions, and clinical records
- Education Data: Enrollments, completions, CME hours for learners
Purposes & Legal Bases
- Contract Performance: Accounts, orders, bookings, e‑learning delivery
- Legal Obligations: Invoicing, health & pharmacy rules compliance
- Explicit Consent: Marketing, non‑essential cookies, certain sensitive processing
- Legitimate Interests: Security/fraud prevention and service improvement, balanced against your rights
Telehealth & RX
- Video‑preferred consults where applicable
- KSA‑licensed providers only
- ID verification required
- Electronic prescriptions through approved e‑prescription services (e.g., Wasfaty/Sehhaty) where available
- No session recording without mutual consent
- In emergency cases, you must call 997/999
Sharing
We may share data with:
- Processors: Hosting, payments, messaging services
- Healthcare Partners: Clinicians, pharmacies, labs
- Logistics/Couriers: For order fulfillment
- Regulators: When required by law
We execute data processing agreements and conduct risk assessments with all partners.
International Transfers
If data is transferred outside KSA, appropriate mechanisms (adequacy, SCCs/BCRs, or permitted exemptions) and transfer risk assessments apply.
Retention
Data is retained only for as long as the purpose or legal retention requirements demand (e.g., medical records, invoices), then securely deleted or anonymized.
Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data
- Portability: Receive your data in a structured format
- Restriction/Objection: Limit or object to certain processing
- Withdraw Consent: Revoke consent at any time
Submit requests via [[Privacy/Support Email]].
Security
- Encryption of data in transit and at rest
- Access control and logging
- Incident response procedures
- Payments handled by PCI DSS‑compliant gateways
- We do not store full PAN/CVV
Breach Notification
We will notify the competent authority and affected users when required by law.
Contact
[[Privacy/Support Email]] | [[Support Phone]]
KSA Legal References:
- PDPL & Implementing Regulations; Personal Data Transfer Regulation (SDAIA).
- E‑Commerce Law & Implementing Regulations (Ministry of Commerce).
- Electronic Transactions Law & Implementing Regulations (Digital Government Authority).
- Telehealth/Telemedicine Rules (MOH / Saudi Health Council).
- SAMA Cybersecurity Framework & PCI DSS payment security requirements.