Privacy & Data Protection Policy

Last updated: 19 / 05 / 2026.

Aurages Company (“Aurages”, “we”, “us”) places the highest priority on user privacy and protects personal data in accordance with Saudi Arabia’s Personal Data Protection Law (PDPL) and its executive regulations, alongside international cybersecurity best practices. This policy applies to our website aurages.sa and to the Aurages mobile application available on Google Play and the Apple App Store, and to all associated services.

1. Data we access and collect

1.1 Account & contact data

• Full name and business/trade name.
• Mobile number and email address.
• City, region, and business address.
• Password, stored as a one-way hash that cannot be reversed.

1.2 Device & usage data

• Device model, operating system and version, and advertising identifier.
• IP address, session identifier, crash logs, and performance metrics.
• Screens visited, usage timings, and in-app interaction patterns.

1.3 Location data

The Aurages app accesses, collects, and processes your location data in the three forms described below. We never do so without your explicit permission granted through the operating system’s permission system (Android or iOS). The exact purpose of each form is:

• Approximate (Coarse) Location: derived from cell-tower and nearby Wi-Fi networks, with accuracy ranging from several hundred metres to a few kilometres. Used to localise content by region, show nearby results, apply city-specific service fees, and produce aggregated, anonymised statistics.
• Precise (Fine) Location: derived from the device’s GPS sensor with accuracy down to a few metres. Used when you actively request a feature that depends on your physical position — pickup or drop-off points, dispatching the nearest technician or agent, on-site check-in, route tracing and visit verification, and distance calculation for delivery or field-service work.
• Background Location: we access your location even when the app is not on screen, but only while you are running a feature that requires moment-to-moment tracking — an active delivery run, an open field-service task, or an in-progress field shift. When this is happening:
  • A persistent notification is shown in the status bar to inform you that location is being recorded.
  • Collection stops automatically the moment the task is closed, the shift ends, or you leave the relevant feature.
  • Background location is never used for marketing, advertising, or any purpose you have not explicitly authorised.

1.4 Payment data

Payments are processed directly by Network International (N-Genius). We do not store card numbers or CVV codes on our servers; only the transaction reference and the last four digits are retained for billing and reconciliation purposes.

1.5 Camera & photo library

The app only accesses the camera or photo library when you take an explicit action — capturing a proof-of-delivery photo, or attaching a document to a support ticket. We do not browse, scan, or index the rest of your gallery.

2. Why we collect location data — purposes in detail

We collect location only for specific, legitimate purposes, and never reuse it for other purposes without your consent:

• Operating location-dependent features: delivery, field service, attendance check-in, route tracing, distance calculation.
• Routing the nearest provider or the closest branch to a customer when fulfilling an order.
• Proof of service for the business owner and to protect both parties in case of a dispute.
• Fraud prevention and detection of anomalous behaviour (e.g. an implausibly distant login).
• Safety: the “last known location” capability in emergencies for field staff.
• Aggregated analytics in anonymised form to improve coverage and geographic service distribution.

3. Legal basis for processing

• Your explicit consent granted when you enable the location or any other sensitive permission.
• Performance of a contract for the subscription or service you have requested.
• Compliance with legal obligations such as VAT invoicing and regulatory requirements.
• Legitimate interests in securing the service and preventing fraud, balanced against your fundamental rights.

4. Sharing with third parties

We never sell your data. We share it only with vetted service providers under Data Processing Agreements (DPAs), and only to the minimum extent necessary:

• Network International — N-Genius: payment processing.
• Cloud infrastructure providers (e.g. Google Cloud, Amazon Web Services): server and database hosting in compliant regions.
• Google Maps Platform: map rendering and routing — subject to Google’s own privacy policy.
• Firebase / Google Analytics for Firebase: usage analytics and crash reporting, anonymised where possible.
• SMS & push-notification providers: delivery of operational notifications and verification codes.
• Government and judicial authorities: only when legally compelled by a court order or formal written request.

5. Cross-border data transfers

Operating some services may require transferring data to data centres whose providers maintain infrastructure outside Saudi Arabia. Such transfers are conducted in accordance with the controls issued by the Saudi Data & AI Authority (SDAIA), with adequate contractual safeguards and end-to-end encryption in transit.

6. Retention periods

• Account data: for the lifetime of the account, and then no longer than two years after closure, or as required by applicable law.
• Precise and background location logs: 90 days from collection, after which they are permanently deleted or transformed into aggregated, anonymised form.
• Billing and financial records: 10 years, in accordance with VAT law.
• Support tickets: two years, for follow-up and product improvement.

7. Security

• Encryption in transit via TLS 1.2 and above.
• Encryption at rest at the disk and sensitive-database level.
• Strict least-privilege access controls and continuous audit logging.
• Periodic security reviews and annual penetration tests.
• Notification within 72 hours of any confirmed data breach affecting you, as required by the PDPL.

8. Your rights under the PDPL

As a data subject you have the following rights, exercisable free of charge at any time:

• Right to be informed of how your data is processed and with whom it is shared.
• Right of access and to obtain a copy of your data.
• Right to rectification of inaccurate or outdated data.
• Right to erasure, unless a legal obligation requires retention.
• Right to object to processing and to withdraw consent at any time.
• Right to data portability in a machine-readable format.

To exercise any of these rights, contact us at info@aurages.com. We commit to responding within 30 days at most. You also have the right to lodge a complaint with the Saudi Data & AI Authority (SDAIA).

9. Controlling location permissions & withdrawing consent

You can stop the app from accessing your location at any time without losing your account:

• Android: Settings > Apps > Aurages > Permissions > Location, then choose “Allow all the time”, “Allow only while using the app”, or “Don’t allow”.
• iOS: Settings > Privacy & Security > Location Services > Aurages, then choose “Never”, “Ask Next Time”, “While Using the App”, or “Always”.

Disabling the location permission may disable the features that depend on it, but will not close your account or delete your other data.

10. Account & data deletion

You can request deletion of your account and all associated data from within the app via Settings > Account > Delete account, or by emailing info@aurages.com. We will complete the request within 30 days, except for data we are legally required to retain (such as VAT invoicing records).

11. Children’s privacy

Our services are intended for adults and are not directed at children under 18. We do not knowingly collect data from minors; if we become aware of such data we will delete it immediately. Parents and guardians are responsible for reporting any such cases to us.

12. Cookies & identifiers

Our website uses essential cookies (language preference, session state) and anonymised analytics cookies. The app uses device identifiers (Android Advertising ID and iOS IDFV) for operational and security purposes only, and we do not link them to your personal identity for any advertising purpose.

13. Updates to this policy

We may update this policy from time to time. The updated version is published on this page with a revised “last updated” date, and we will notify you of any material changes by email or in-app notice before they take effect.

14. Contact us

For any privacy question, complaint, or to exercise your rights:

• Email: info@aurages.com
• Phone: 011 506 2594
• Address: Riyadh, King Salman Dist., King Abdulaziz Sub-Road, 12434

Data Controller: Aurages Company — Commercial Registration No. 7053564642, VAT No. 314608646300003.