AANI Solutions LLC for Information Technology (operating under the registered trademark razza®, hereinafter "razza", "we", "us", or "our") is committed to protecting the personal data of all individuals who interact with our Platform, services, and marketplace.
This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how long we retain it, and what rights you have over your own data. It applies to all users of the razza Platform, including business subscribers and end users of the razza marketplace.
This Policy is published in Arabic and English. The Arabic version is the governing and controlling version in all respects. In the event of any conflict or inconsistency between the two versions, the Arabic version prevails.
1. Data Controller
Data Controller: AANI Solutions LLC for Information Technology
Operating as: razza® — Registered trademark, SAIP No. TM-01-00-51379-25
CR Number: 7051934136
Address: AlMuhammadiyah District, Jeddah, Kingdom of Saudi Arabia
Contact: support@razza.sa | www.razza.sa
razza acts as the Data Controller for all personal data collected through the Platform, website, and marketplace. razza processes personal data in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA).
2. Scope & Who This Policy Applies To
This Policy applies to:
- Business Subscribers — business entities and individuals (including Freelance Work Document holders) who subscribe to the razza Platform to manage their salon, barbershop, spa, beauty clinic, or wellness business;
- End Users — consumers who access the razza marketplace, website, or mobile application to discover, browse, or book beauty and wellness services;
- Visitors — any person who visits the razza website or application without registering.
This Policy does not apply to third-party websites or services that may be linked to or integrated within the razza Platform. Those third parties operate under their own privacy policies, for which razza bears no responsibility.
3. What Personal Data We Collect
3.1 Business Subscribers
We collect the following categories of personal data from Business Subscribers:
- Identity data: full name, national ID number or Iqama number, commercial registration number or Freelance Work Document number;
- Contact data: email address, mobile number, national address;
- Business data: business name, type of business activity, VAT registration number (if applicable), bank account details (IBAN and beneficiary name) for invoicing and refund purposes;
- Staff data: names, contact details, and scheduling information of staff members added to the Platform by the Subscriber;
- Account data: login credentials, access logs, account activity, and subscription history;
- Financial data: payment records, invoice history, and transaction data processed through the Platform;
- Communications: messages and support requests submitted to razza;
- Visual content: photographs, images, and videos of the business premises, service offerings, and staff professionals uploaded by the Subscriber to populate their business profile and service listings on the razza marketplace. Where visual content includes identifiable individuals, the Subscriber is responsible for ensuring that the relevant persons have consented to their image being uploaded and displayed on the Platform.
3.2 End Users & Marketplace Visitors
We collect the following categories of personal data from end users:
- Identity data: full name;
- Contact data: mobile number, email address;
- Booking data: appointment history, selected services, preferred providers, booking notes, and cancellation records;
- Payment data: payment method details processed through razza's payment infrastructure or integrated third-party payment processors;
- Health and sensitivity data: any health, allergy, or special needs information voluntarily provided by the user or required by the service provider prior to a booking — this category is treated as sensitive data and is subject to heightened protection under PDPL;
- Device and usage data: IP address, device type, browser type, operating system, pages visited, and time spent on the Platform;
- Location data: approximate location when used for service discovery, with the user's consent.
4. How We Collect Your Data
razza collects personal data through the following means:
- Directly from you: when you register an account, subscribe to the Platform, complete an onboarding form, make a booking, submit a support request, or communicate with us;
- Automatically: through the use of cookies, web beacons, and similar tracking technologies when you interact with the Platform, website, or marketplace;
- From third parties: from payment processors, identity verification services, or other integrated service providers, where necessary to provide the Services;
- From Business Subscribers: when a Subscriber uploads or enters data about their customers or staff into the Platform.
Where personal data of third parties (such as a Subscriber's customers or staff) is uploaded to the Platform, the Subscriber is responsible for ensuring that such data has been collected lawfully and that the relevant individuals have been informed of its use.
5. Legal Basis for Processing
Under the Saudi PDPL, razza processes personal data on the following lawful bases:
- Contractual necessity: processing required to perform the subscription agreement and provide the Services, including account management, billing, onboarding, and technical support;
- Consent: processing based on your explicit consent, including the use of non-essential cookies, location data, and health or sensitivity data. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal;
- Legal obligation: processing required to comply with applicable Saudi laws and regulations, including ZATCA e-invoicing requirements, PDPL obligations, and Anti-Cybercrime Law requirements;
- Legitimate interest: processing for purposes such as Platform security, fraud prevention, service improvement, and the generation of aggregated anonymous market insights — provided such processing does not override your rights and interests.
6. How We Use Your Data
6.1 Business Subscribers
We use Business Subscriber data to:
- Create, manage, and maintain your razza account and subscription;
- Process payments, issue ZATCA-compliant invoices, and manage refunds;
- Provide onboarding, technical support, and platform updates;
- Verify your identity and business credentials during onboarding;
- Communicate with you about your account, subscription, and service updates;
- Comply with applicable Saudi legal and regulatory requirements;
- Investigate and resolve complaints or disputes;
- Produce aggregated anonymous market insights and benchmarks using data pooled across multiple subscribers, in which no individual subscriber is identifiable.
6.2 End Users
We use end user data to:
- Create and manage your user account on the razza marketplace;
- Process and confirm bookings and appointments;
- Facilitate payment transactions between you and the service provider;
- Send booking confirmations, reminders, and service-related notifications;
- Share relevant booking and health information with the relevant business subscriber to enable service delivery — with your consent where sensitive data is involved;
- Resolve disputes or complaints relating to bookings or payments;
- Improve the Platform and personalize your experience through aggregate usage analysis;
- Comply with applicable Saudi legal and regulatory requirements.
7. Data Sharing & Disclosure
razza does not sell personal data to third parties. We may share personal data only in the following circumstances:
- With Business Subscribers: end user booking data, including name, contact details, appointment details, and health or sensitivity information provided for the purpose of a booking, is shared with the relevant business subscriber solely to enable service delivery;
- With service providers and processors: we engage third-party service providers who process personal data on our behalf, including payment processors, cloud hosting providers, communications providers (email, SMS, messaging platforms), and analytics providers. All such processors are bound by data processing obligations consistent with PDPL;
- For legal compliance: we may disclose personal data where required by applicable Saudi law, a court order, or a competent regulatory authority;
- In connection with a business transfer: in the event of a merger, acquisition, or sale of substantially all of razza's assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections;
- With your consent: in any other circumstance, only with your explicit prior consent.
Cross-border transfers: razza stores and processes data primarily within the Kingdom of Saudi Arabia. Where any transfer of personal data outside the Kingdom is necessary, razza will ensure that adequate protection measures are in place in compliance with PDPL cross-border transfer requirements, or will obtain your explicit consent where required.
8. Data Retention
razza retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable Saudi law. The following retention periods apply:
- Account and subscription data: retained for the duration of the active subscription and for five (5) years following termination, to satisfy contractual, financial, and regulatory obligations;
- Financial and invoicing data: retained for a minimum of ten (10) years in compliance with ZATCA record-keeping requirements;
- Booking and transaction data: retained for three (3) years from the date of the transaction;
- Health and sensitive data: retained only for the duration necessary to fulfill the specific booking or purpose for which it was provided, and deleted promptly thereafter unless a longer period is required by law;
- Marketing and communications data: retained until you withdraw consent or opt out;
- Device and usage data (logs): retained for twelve (12) months.
Upon expiry of the applicable retention period, personal data will be securely deleted or permanently anonymized.
9. Data Security
razza implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. These measures include, without limitation: encrypted data transmission (TLS/HTTPS), access controls and authentication mechanisms, regular security assessments, and data minimization practices.
No method of electronic transmission or storage is completely secure. razza cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to individuals' rights, razza will notify the relevant individuals and, where required, the Saudi Data and Artificial Intelligence Authority (SDAIA), in accordance with the timelines and procedures prescribed by PDPL.
Users are responsible for maintaining the confidentiality of their own account credentials. razza will not be liable for any unauthorized access resulting from the user's failure to protect their login information.
10. Your Rights Under PDPL
Under the Saudi Personal Data Protection Law, you have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your data where there is no lawful basis for continued retention.
- Objection: Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw consent at any time where processing is consent-based.
- Portability: Receive your data in a structured, commonly used format.
- Restrict Processing: Request restriction of processing in certain circumstances.
To exercise any of these rights, please submit a written request to support@razza.sa. razza will respond within the timeframe prescribed by PDPL. razza reserves the right to verify your identity before processing any request. Some requests may be subject to limitations where processing is required by law or for the performance of a contract.
You also have the right to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) if you believe your data protection rights have been violated.
11. Cookies & Tracking Technologies
razza uses cookies and similar tracking technologies on its website, Platform, and marketplace. Cookies are small text files placed on your device that help us operate and improve our services.
- Essential cookies: Required for the Platform to function correctly. These cannot be disabled as they are necessary for core functionality such as authentication, session management, and security.
- Functional cookies: Used to remember your preferences and settings to enhance your experience.
- Analytics cookies: Used to understand how users interact with the Platform in order to improve performance and usability. Data collected is aggregated and anonymous.
- Marketing and targeting cookies: Used to deliver relevant content and, where applicable, targeted advertising. These are only activated with your explicit consent.
You may manage your cookie preferences through your browser settings or through the cookie consent tool on the razza website. Please note that disabling certain cookies may affect the functionality of the Platform.
12. Updates to This Policy & Contact
12.1 Policy Updates
razza reserves the right to update this Privacy Policy at any time to reflect changes in our practices, services, or applicable law. Material changes will be communicated to registered users via email or by a prominent notice on the Platform at least thirty (30) days before they take effect. The current version of this Policy is always available at www.razza.sa. Continued use of the Platform following any update constitutes acceptance of the revised Policy.
12.2 Contact
For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us:
Email: support@razza.sa
Website: www.razza.sa
Address: AlMuhammadiyah District, Jeddah, Kingdom of Saudi Arabia
Legal Entity: AANI Solutions LLC for Information Technology
CR: 7051934136
razza is committed to responding to all data-related requests within the timeframes prescribed by the Saudi Personal Data Protection Law.
This Privacy Policy is governed by the laws of the Kingdom of Saudi Arabia and is subject to the Saudi Personal Data Protection Law (PDPL) and its implementing regulations.