Privacy Policy for "RSA Auctions" Platform Last Updated: February 11, 2026 General Introduction RSA Platform (RSA Auctions), as a digital platform specialized in managing and organizing online vehicle auctions, affirms its full commitment to protecting the privacy of its users, safeguarding the confidentiality of their data, and processing it in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations, in addition to applying the best industry standards and practices in information security. This policy aims to provide a comprehensive and detailed statement on how personal data is processed within the platform, clarifying user rights, usage mechanisms, protection procedures, data-sharing practices, as well as the obligations of both the platform and the users with respect to personal data. Your use of the RSA Platform or registration therein constitutes your acknowledgment that you have read this policy and agree to all of its contents. Chapter One: General Framework for Personal Data Processing Article (1): Scope of the Policy This policy applies to all personal data collected, processed, stored, shared, or accessed by RSA Platform, including: • Data of registered users (sellers or buyers). • Data of visitors and browsers using the platform without registration. • Data of individuals interacting with support services or official communication channels. • Data generated from the use of the mobile applications, website, and APIs. • Data related to payment transactions, financial transfers, and auctions. This policy does not apply to any external sites, applications, or services linked through hyperlinks. Users must review the privacy policies of those external entities independently. Chapter Two: Data Collected by the Platform Article (2): Personal Data You Provide Directly The platform collects data provided by the user when creating an account or using services, including but not limited to: • Name, ID/Iqama number, and other identity verification data. • Contact information such as email address and phone number. • Login data and password (fully encrypted and inaccessible). • Uploaded documents for verification purposes, such as ID image, driving license, or vehicle ownership documents. • Financial data such as bank account numbers or any information required for settlement of financial dues. • Information provided through support forms, communication channels, or reports. Article (3): Data Collected Automatically The platform automatically collects technical and system-related data when the user accesses its services, including: • Device information (e.g., device type, operating system, app version). • IP address and approximate connection location. • Browser type, system version, and cookies. • Unique device identifiers. • Log data such as timestamps, duration of use, and navigation within the application. • Crash reports and system errors. • Performance analytics used to improve system efficiency. Article (4): Activity Data Within the Platform Data collected as a result of performing activities within the platform includes: • History of sales and purchases. • Bidding history and offer amounts. • User interactions within the system. • E-wallet data, deposit and withdrawal transactions. • Tracking data for suspicious login attempts or abnormal activities. • Audit logs related to security and compliance. Article (5): Payment Data Payment processing is performed through licensed and authorized providers inside or outside the Kingdom. RSA Platform does not store bank card numbers, CVV codes, or similarly sensitive data. Financial transfer data is stored solely for compensation and accounting settlement purposes. Chapter Three: Purposes of Data Use and Processing Article (6): Legitimate, Lawful, and System-Compliant Purposes Personal data is processed within RSA Platform for the following purposes: First: Core Service Purposes • User registration and identity verification. • Enabling participation in auctions and submitting bids. • Executing sales, purchases, and fund transfers. • Providing a complete record of the user’s activities. • Managing the e-wallet and processing payments. Second: Security and Compliance Purposes • Preventing fraudulent or unlawful activities. • Monitoring suspicious behavior. • Compliance with governmental and regulatory requirements. • Recording and storing security events. Third: Operational Purposes • Improving application and service performance. • Feature testing and reducing system failures. • Statistical analysis and product development. Fourth: Official Communication • Sending notifications related to auctions and financial operations. • Responding to inquiries and providing technical support. • Reporting results or policy updates. Chapter Four: Data Sharing and Transfer Article (7): Sharing Data with Third Parties The platform may share user data with the following parties only when necessary: • Electronic payment service providers. • SMS and email service providers. • Hosting and cloud service providers. • Government authorities upon official request. • Financial institutions (banks) for transfer and settlement purposes. • Cybersecurity partners for system protection. The platform pledges not to share any data for commercial, sales, or unauthorized marketing purposes. Article (8): Transfer of Data Outside the Kingdom Personal data may be transferred outside the Kingdom under the following conditions: • The destination country is approved by the competent authorities, or • The transfer complies with PDPL regulations ensuring adequate protection. The platform fully commits to protecting data during transmission, storage, and processing. Chapter Five: Data Protection Article (9): Technical and Organizational Measures RSA Platform applies a comprehensive set of cybersecurity measures, including: • Encryption of communications via HTTPS. • Encryption of passwords using advanced hashing algorithms. • Advanced protection systems (Firewall, IDS, IPS). • Continuous monitoring of security activities. • Access control policies using role-based authorization (RBAC). • Security auditing systems (Audit Logging). • Regular data backups. • Protection against DDoS attacks and intrusion attempts. • Fraud detection and abuse-prevention mechanisms. Chapter Six: User Rights Article (10): Rights Guaranteed Under PDPL Users have the right to: • Obtain a copy of their personal data. • Request correction of inaccurate data. • Request deletion of data where legally permitted. • Know how data is collected and the purpose of processing. • Restrict or limit data processing. • Withdraw consent at any time without affecting prior lawful processing. • File complaints with the competent authorities in case of violations. The platform commits to responding within the legally defined timeframe. Chapter Seven: Data Retention Article (11): Retention Period Data is retained as follows: • For the duration of the user’s use of the platform. • For the legally required period for accounting or legal purposes. Data is permanently deleted once the processing purpose ends or upon user request, unless prevented by legal obligations. Chapter Eight: User Obligations Article (12): User Responsibilities Regarding Data Protection Users must: • Provide accurate and updated information. • Not share login credentials with any party. • Maintain the confidentiality of their account and prevent unauthorized use. • Use the platform only for lawful and legitimate purposes. • Immediately report any suspicious activity. Chapter Nine: Amendments to the Privacy Policy Article (13): Policy Updates The platform has the right to update this policy periodically. Users will be notified of any material changes. Continued use of the platform constitutes implied acceptance of the updated policy. Chapter Ten: Contact Information Article (14): Contact Details For any inquiries or requests related to personal data, you may contact us through: 📧 Email: info@rsa-cars.com 🌐 Website: www.rsa-auctions.com Platform Name: RSA Auctions