07 · PRIVACY
Privacy Policy
This policy explains what personal data NovaKeys Store (the data controller — KSA sole proprietorship, CR 7053130576) collects, why, on what legal basis, with whom we share it (including with our parent NeoTechnology Solutions LLC of Wyoming, USA, acting as a data processor for engineering and infrastructure), and the rights you have under the KSA Personal Data Protection Law (PDPL, Royal Decree M/19, in full effect from September 2024).
01 · CONTROLLER
Who controls your data.
Data controller: FAHAD SAAD FAHAD ALMANSOUR Office For electronic services (CR 7053130576).
Contact: support@novakeys.store · +966 57 013 1122.
02 · DATA WE COLLECT
Categories of personal data.
Identity — name, billing/shipping address, phone, date of birth (only when legally required for purchase verification).
Contact — email address, phone number, optional WhatsApp handle.
Order data — products purchased, prices, payment method (we never store full card numbers; the gateway tokenises), redemption-region selection.
Encrypted gift-card codes — codes you have purchased, stored at-rest with AES-256-GCM encryption; only readable by you when logged in.
Device & usage — IP address, browser user-agent, device type, referring page, pages viewed (cookies, see Section 08).
Customer-support correspondence — messages you send to support@novakeys.store and our replies.
03 · PURPOSES
Why we process it.
We process your personal data to:
Fulfil your order — supply the gift-card code to your account and issue the tax invoice.
Provide customer support — answer questions, resolve warranty claims, troubleshoot redemption errors.
Comply with our regulatory obligations — Commercial Registration record-keeping, ZATCA tax invoicing, Anti-Money-Laundering checks where applicable.
Detect and prevent fraud — flag suspicious purchase patterns, throttle abusive endpoint calls, block known fraud actors.
Improve the storefront — anonymous analytics on what products are viewed, what searches return no results, where customers drop out of checkout.
Communicate marketing — only when you have explicitly opted in, and only until you withdraw consent.
04 · LEGAL BASES
Lawful grounds under PDPL.
We rely on one or more of the following lawful grounds, per Article 6 of the PDPL:
| Purpose group | Lawful ground |
|---|---|
| Order fulfilment, account management | Performance of a contract |
| Tax invoicing, CR record-keeping, AML | Compliance with a legal obligation |
| Fraud detection, abuse rate-limiting | Legitimate interest |
| Marketing communications | Explicit consent |
05 · SHARING
Who we share with.
We share your personal data only with the parties strictly necessary to operate the service:
NeoTechnology Solutions LLC (US parent — data processor). Engineers, hosts, and maintains the novakeys.store platform on behalf of the KSA controller. NTS LLC accesses personal data only as necessary for platform operation, governed by an internal data-processing agreement that follows PDPL processor obligations.
Payment gateways — Mada / SAMA-licensed acquirers, Apple Pay, STC Pay, Tabby, and your card issuer. They receive only the data each needs to authorise the transaction.
Hosting and infrastructure — our website hosting provider and CDN. Data is processed inside their infrastructure to deliver the page you requested.
Customer-support tooling — the email service that handles support@novakeys.store correspondence.
Tax authority — ZATCA receives the tax invoice for every paid order in line with KSA e-invoicing requirements.
Regulators and courts — when required by law (Ministry of Commerce, the Saudi Data & AI Authority, competent courts).
We do not sell personal data and we do not share it with marketing partners outside your consented marketing communications.
06 · RETENTION
How long we keep data.
We retain personal data only for as long as we need it for the purpose it was collected for, or as required by law:
| Category | Retention period |
|---|---|
| Order records, tax invoices | Ten (10) years from the order date — minimum required by KSA tax/commercial-records law |
| Encrypted gift-card codes | Ten (10) years from the order date, alongside the order record |
| Customer-support correspondence | Five (5) years from the last reply |
| Marketing-consent record | Until consent is withdrawn, plus two (2) years for proof-of-consent |
| Server access logs | Ninety (90) days |
07 · YOUR RIGHTS
Data subject rights under PDPL.
Under the PDPL you have the right to:
Be informed of what we collect and why (this policy).
Access a copy of the personal data we hold about you.
Correct inaccurate personal data.
Delete your personal data subject to our retention obligations.
Restrict or object to processing for marketing or legitimate-interest grounds.
Withdraw consent at any time, where consent is the legal basis.
Data portability — receive your data in a machine-readable format.
Exercise any right by emailing the data-controller contact above. We respond within thirty (30) days. Where we cannot fulfil a request — for example because of an overriding legal-retention obligation — we explain why.
If you believe we have not handled your request properly, you may complain to the Saudi Data & AI Authority (SDAIA) — the PDPL supervisory authority.
08 · COOKIES
Cookies and tracking.
We use the following cookie categories:
| Category | Examples | Consent? |
|---|---|---|
| Strictly necessary | session, cart, security tokens | No — required for the site to work |
| Functional | recently-viewed list (ng_recent), referral attribution (nk_ref) | No (legitimate interest) |
| Analytics | aggregated, anonymised page-view counters | Yes |
| Marketing | retargeting pixels, conversion tags | Yes |
A consent banner is displayed on first visit to capture analytics and marketing consent. You can change your preferences at any time from the Cookies link in the footer.
09 · CROSS-BORDER
International data transfers.
Personal data flows from the KSA controller to NeoTechnology Solutions LLC in Wyoming, USA for platform engineering, hosting, and security operations. Some additional service providers (payment-gateway tokenisation, email service, CDN edge nodes) also host data in jurisdictions outside the Kingdom of Saudi Arabia. Under PDPL Article 29, cross-border transfers are restricted; we rely on:
(1) Adequacy. Transfers to jurisdictions recognised by SDAIA as offering adequate protection, where applicable.
(2) Binding contractual safeguards with the recipient (data-processing agreement) where adequacy is not established — this is the basis for the KSA → NTS LLC (Wyoming) flow until SDAIA publishes a US adequacy decision.
(3) Explicit consent where neither (1) nor (2) is available.