Privacy Policy

Hiba Health (صحة هبة), a Saudi limited liability company registered in the Kingdom of Saudi Arabia ("we," "us," "our," or "the Company"), is committed to protecting your personal data. This Privacy Policy ("Policy") explains how we collect, use, share, and protect your information when you access or use our AI health coaching services, WhatsApp-based coaching assistant, website (hiba.health), mobile application, and any related services (collectively, the "Services").

This Policy is issued in compliance with:

• The Saudi Personal Data Protection Law (PDPL), issued by Royal Decree No. M/19 dated 9/2/1443H and its Implementing Regulations

• E-commerce trust standards issued by the Ministry of Commerce of the Kingdom of Saudi Arabia

Please read this Policy carefully. By using our Services, you confirm that you have read and understood it. If you do not agree, please discontinue use of our Services.

3.1  Data You Provide Directly

When you register for or use our Services, we may collect:

• Full name, date of birth, and contact information (email address, phone number, mailing address)

• Account credentials (username and password)

• Profile photograph (optional)

• Health information you choose to share, including: health goals, dietary preferences, physical activity data, body measurements, food intake records, health insurance information, diagnoses, and symptom history

• Communications you send through our Services, including WhatsApp messages to our AI health coaching assistant

• Payment information — processed securely by our third-party payment processor; we do not store full payment card details

3.2  Sensitive Personal Data (Health Data)

Health-related information constitutes sensitive personal data under Article 23 of the Saudi PDPL. We collect and process this data solely to provide you with personalised health coaching. We apply heightened security and access controls to all sensitive data and will not process it without your explicit consent, except where required or permitted by applicable Saudi law.

3.3  Data Collected Automatically

When you interact with our Services, we may automatically collect:

• Device information (device type, operating system, device identifier)

• Usage data (pages visited, features used, session duration, interaction logs with our AI coaching assistant)

• IP address and approximate geographic location

• Information collected via cookies and similar tracking technologies (see Section 9)

In accordance with the PDPL, we process your personal data on one or more of the following legal bases:

• Explicit consent — for health (sensitive) data and for marketing communications

• Performance of a contract — to provide the Services you have subscribed to

• Legitimate interests — for service improvement, security, fraud prevention, and analytics, where not overridden by your rights

• Legal obligation — where required by applicable Saudi law to process or retain your data

We use your personal data to:

• Provide, operate, maintain, and improve our AI health coaching Services

• Personalise your experience and health recommendations

• Communicate with you about your account, service updates, and support

• Send marketing and promotional communications — only with your prior consent, which you may withdraw at any time

• Conduct analytics to understand usage patterns and improve Service performance

• Comply with our legal and regulatory obligations under Saudi law

• Protect the safety, rights, and property of our users and the Company

• Conduct internal research and product development using aggregated, de-identified data only

We will never sell your personal data to third parties.

We may share your personal data only in the following limited circumstances:

• Service Providers: Third-party vendors supporting our operations (e.g., cloud hosting, payment processing, analytics), bound by data processing agreements and PDPL-equivalent obligations

• Business Partners: Employer sponsors or health plans, where you subscribe through such a programme, and only to the extent necessary to deliver the Services

• Legal Requirements: Where disclosure is required by Saudi law, a court order, or a competent regulatory authority

• Business Transactions: In the event of a merger, acquisition, restructuring, or asset sale, subject to equivalent data protection obligations for any acquiring party

• With Your Explicit Consent: Any other sharing described to you at the time of collection, or which you specifically authorise

We do not share your personal data for third-party advertising purposes without your explicit prior consent.

Under the Saudi Personal Data Protection Law, you have the following rights:

To exercise any of these rights, contact us at privacy@hiba.health. We will respond within 30 calendar days. Identity verification may be required.

We retain your personal data for as long as necessary to provide our Services, comply with legal and regulatory obligations, and resolve disputes. As a general rule:

• Account data is retained for the duration of your active account and for five (5) years after closure, unless a longer period is required by Saudi law

• Health and sensitive data may be subject to specific retention requirements under applicable healthcare regulations

• Upon expiry of the retention period, data will be securely deleted or irreversibly anonymised

We use the following types of cookies on our platform:

• Essential Cookies: Required for core Service functionality (e.g., login sessions, security)

• Analytics Cookies: Help us understand usage patterns and improve performance

• Marketing Cookies: Used to deliver relevant content — only with your prior consent

You may manage or disable cookies through your browser settings. Disabling certain cookies may limit some features. For more information, visit allaboutcookies.org.

You have the right to object to data processing at any time by contacting privacy@hiba.health.

We implement appropriate technical and organisational security measures to protect your personal data, including:

• SSL/TLS encryption for data in transit and at rest

• Access controls restricting data access to authorised personnel only

• A designated Data Protection Officer responsible for PDPL compliance

• Regular security reviews and assessments

While we take all reasonable precautions, no internet transmission is completely secure. We encourage you to protect your personal data when online.

Data Breach Notification: In the event of a personal data breach posing a risk to your rights, we will notify the Saudi Data and AI Authority (SDAIA) and affected individuals in accordance with PDPL requirements.

Your personal data may be stored and processed in the Kingdom of Saudi Arabia or in other countries where our service providers operate. Where data is transferred outside the Kingdom, we ensure appropriate safeguards are in place in accordance with the PDPL and its Implementing Regulations.

Our Services are not directed at individuals under the age of 18 years. We do not knowingly collect personal data from minors. If we become aware that personal data has been collected from a minor without verified parental or guardian consent, we will promptly delete such data. If you believe a minor has provided us with personal data, please contact us at privacy@hiba.health.

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies independently. No information you share within our Services or through Apple Health will be shared with third-party advertisers.

If you have concerns about how we handle your personal data, please contact us first at privacy@hiba.health. We are committed to resolving all complaints within 15 business days.

If you remain unsatisfied, you have the right to lodge a complaint with the Saudi Data and AI Authority (SDAIA) as the competent supervisory authority for personal data protection in the Kingdom of Saudi Arabia.

We may update this Policy from time to time. For material changes, we will notify you by email to the address associated with your account, or by prominent notice within our Services, at least 30 days before the change takes effect. The updated Policy will be published at hiba.health/privacy-policy.

Continued use of our Services after the effective date of a material change constitutes your acceptance of the updated Policy.