Taolefah Privacy Policy

Privacy Policy at Taolefah


Taolefah Tea Trading Company is committed to protecting your privacy and ensuring that you have a positive experience on our website. Our Privacy Policy outlines all practices related to the collection and processing of personal data.

By using any of the online services available on this website, you agree to this policy; therefore, you should read the Privacy Policy to ensure that you understand and accept all personal data collection and processing practices carried out by Taolefah Tea Trading Company (Taolefah).

This Privacy Policy (the "Policy") has been prepared as one of the important steps that help us maintain the privacy of our valued customers, which is one of our top priorities. It has also been ensured that this policy complies with all regulatory requirements set out in the relevant laws, foremost of which is the Personal Data Protection Law issued by Royal Decree No. M/19 dated 09/02/1443 AH, as amended by Royal Decree No. M/148 dated 05/09/1444 AH, referred to hereinafter as the "Law" and its implementing regulations.


1- Introduction:

Taolefah Tea Trading Company (Taolefah) is a Saudi company registered in the Kingdom of Saudi Arabia, and was registered on 04/07/1439 AH under Commercial Registration No. 2055123054. The company offers a wide and diverse range of tea products, herbs, and related tools.

It is hereinafter referred to as the "Company" or the "we/us" pronoun.

You can contact us using the communication methods below.


Contact Information:

If you have any request, complaint, or objection related to the processing of your personal data, you can contact us via:

  • Data Management Office
  • Address: Jubail 35811 – 3403, CR: 2055123054 - Al-Masjid Street 7561 – Al-Fayhaa
  • Contact Number: 0533905888
  • Technical Support Number: 0133448889
  • Email: [email protected]


2- Personal Data to Be Collected:

  • Personal Data: This refers to any data that is essential for providing the service and may include: name, age, ID number or ID image (depending on the circumstances), gender, employment status, address, and phone numbers. This data is classified as mandatory. The purpose of collecting it is to enable us to provide the requested services, ensure the rights of all parties, comply with regulatory requirements, and communicate with you for direct marketing purposes. It is collected directly from you via electronic channels or during a visit to the company.
  • Financial Data: This includes data required to process payments and ensure their integrity, such as transaction numbers, times, dates, associated account numbers, and credit reports. This data is classified as mandatory. The purpose of collecting it is to ensure that the payment process is completed successfully by or to the data owner and to verify the financial and credit status of the data owner. It is collected through banks and financial companies that process the transaction, and it may be requested directly from you if necessary.
  • Device-Related Data: This includes your IP address, technical characteristics, unique identification data, login information, language settings, website customization options, visited pages, time spent on the site, and the number of clicks. Some of this data is classified as mandatory, as it is necessary for the electronic services to function. Other parts are optional. The purpose of collecting this data is to ensure the effective operation of electronic service channels and to provide services that meet your needs. It is collected through technical means, including cookies.
  • Data Collected to Provide Services to You: This includes traffic data, log data, and any data necessary to receive the service. It is classified as mandatory according to regulatory requirements to ensure the quality of the service provided. The purpose of collecting this data is to provide services that require this type of data. It is collected through official entities or directly from you as required.


3- How Do We Disclose Your Personal Data?

We may disclose your personal data to other entities as needed, ensuring that any disclosure is in compliance with the law. The disclosure will be limited to the minimum necessary personal data to achieve the purpose of the disclosure. Below are examples of the types of entities that may receive your personal data, but not limited to:

  • Government and Judicial Entities: We may be required to disclose your personal data to government, semi-government, and judicial entities in compliance with legal obligations or in response to a judicial request.
  • Business Partners: These are entities that the company may contract with to provide operational services and improve services, such as operators of the company’s electronic channels and data analytics entities.
  • Service Providers: These are companies that provide services for us or on our behalf, such as providers of technical infrastructure and cloud services, and providers of marketing and logistics services.
  • Agencies: These may include agencies that help us detect and prevent fraud and financial crimes, legal, consulting, and accounting agencies, and debt collection agencies.
  • Competent Authorities and Regulatory/Supervisory Bodies.


4- Legal Basis for Collecting and Processing Your Personal Data:

According to the Personal Data Protection Law, the legal basis on which we rely for collecting and processing this data includes:

  • Your Explicit Consent: This is obtained when you agree to this policy. You can withdraw your consent at any time, provided that this does not affect processing operations that were carried out based on other legal grounds. To do so, you can contact the company’s Data Management Office, whose details are provided in this policy.
  • Contractual Obligation: We process your personal data to fulfill service obligations to you.
  • Legal or Judicial Obligation: This includes any legal provision or judicial order issued by the competent authorities that authorizes the company to collect and process personal data.
  • Protection of Vital Interests: If the processing of your personal data is necessary to protect your vital interests.


5- How Do We Store Your Personal Data?

Your data is stored securely in the Kingdom of Saudi Arabia according to regulations issued by regulatory and supervisory bodies. We retain your personal data throughout the period during which we provide services to you and for the duration required by regulatory bodies.

After the retention period ends, we securely dispose of this data in a manner that prevents it from being accessed or retrieved again, as follows:

  • Digital Data: This data is deleted using secure deletion techniques (Secure Deletion/Overwriting), which overwrite the data several times before deleting it to ensure that it cannot be recovered. Alternatively, other deletion methods such as (Degaussing/Crushing/Shredding) of data stored on digital media may be used.
  • Paper Data: Paper containing data will be shredded using shredders to ensure that it cannot be reassembled or read.
  • If you decline to receive direct marketing materials, we may retain some of your data to maintain your preferences and ensure that we do not contact you again.


6- Your Rights Regarding the Processing of Your Personal Data:

  • Right to Information: You have the right to know how we collect your personal data, the legal basis for collecting and processing it, how it is processed, stored, and destroyed, and to whom it is disclosed. You can view all the details through this Privacy Policy or contact us directly.
  • Right to Access Your Personal Data: You have the right to request access to your personal data that is still stored with the company.
  • Right to Request Your Personal Data: You have the right to request your personal data from the company in a readable and clear format, where technically feasible.
  • Right to Correct Your Personal Data: You have the right to request that we correct any inaccurate, incorrect, or incomplete personal data by sending a request via the email provided in this policy to the Data Management Office. It will be reviewed and updated within a maximum of 30 working days, and you will be notified through the preferred communication method specified by you in your correction request.
  • Right to Destroy Your Personal Data: You have the right to request that we destroy your personal data under certain circumstances, provided that this destruction does not affect the company's rights or obligations towards you or other parties.
  • Right to Withdraw Your Consent for Processing Personal Data: You have the right to withdraw your consent for processing personal data at any time unless there are legal reasons that require otherwise.
  • It is important to note that you will not be required to pay any fees to exercise these rights, except as prescribed by law. If a request is submitted to exercise any of these rights, we will respond within a maximum of 30 working days from the date of receipt of the complete request. The response period may be extended by an additional 30 days if the request involves additional effort or is unusually complex or if multiple requests are submitted by the same person.
  • For more details about how we process your personal data and how you can exercise your rights, you can contact the Data Protection Office at the company using the contact information provided in this policy.


7- Collection of Data from Minors and Individuals Without Legal Capacity:

If the data owner is under the age of 18 or lacks legal capacity, one of the parents or the legal guardian must provide consent on their behalf to the collection and processing of personal data.


8- How to Submit a Complaint or Objection?

If you have concerns or believe that we have not complied with the Personal Data Protection Law, you can submit a complaint to the Data Protection Office at the company using the contact details provided above.

If you are not satisfied with how we handle the complaint, or if we do not respond within 30 working days from the date of receipt of the complaint, you can submit a complaint to the competent authority, which is the Saudi Authority for Data and Artificial Intelligence (SDAIA):

  • Address: Kingdom of Saudi Arabia, Riyadh.
  • Website: SDAIA official website sdaia.gov.sa - National Data Governance Platform dgp.sdaia.gov.sa


9- Changes to the Policy:

If we decide to change our Privacy Policy in whole or in part, we may do so without notifying you, and we will post the changes on the website. These changes will become effective on the date of publication in the notice and at the end of the revised Privacy Policy. The new policy will apply to all current and former users of the platforms and websites, replacing any previous policies that are inconsistent with the updated policies. Your continued use of the platforms and websites constitutes acceptance of the updated terms of the Privacy Policy. If you do not agree to the Privacy Policy, either before or after it is updated, you may not continue to use the company's platforms and websites.


10- Date of Update:

This policy was updated in September 2024 to comply with the Personal Data Protection Law issued by Royal Decree No. M/19 dated 09/02/1443 AH, as amended by Royal Decree No. M/148 dated 05/09/1444 AH.