1. Introduction
ExMuseum ("we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how Exclusive Museum Experiences LTD, headquartered at King Abdullah Financial District (KAFD), Area 4, Riyadh 11564, Saudi Arabia, collects, uses, stores, and protects your personal information when you visit our website dubaitick.digital, purchase our digital audio guides, or interact with our services.
This policy complies with the European Union's General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL, Royal Decree M/19 dated 09/02/1443H), and other applicable international data protection frameworks.
By using our website and services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our services immediately.
2. Data Controller
The data controller responsible for processing your personal data is:
- Entity: Exclusive Museum Experiences LTD (trading as ExMuseum)
- Registered Address: King Abdullah Financial District (KAFD), Area 4, Riyadh 11564, Saudi Arabia
- Email: [email protected]
- Phone: +966 11 555 0888
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Information You Provide Directly
- Identity Data: Full name, email address, phone number, and country of residence provided when you create an account, make a purchase, or contact our support team.
- Transaction Data: Purchase history, payment method details (processed securely through third-party payment processors — we do not store full card numbers), billing address, and order preferences.
- Communication Data: Messages, feedback, and support requests sent through our contact forms, email, or other communication channels.
- Preference Data: Language preferences, museum interest areas, and marketing communication preferences.
3.2 Information Collected Automatically
- Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and referring website URLs.
- Usage Data: Pages visited, time spent on each page, click-stream data, search queries on our website, and download activity.
- Cookie Data: Information collected through cookies and similar tracking technologies (see Section 8 — Cookie Policy).
- Location Data: Approximate geographic location derived from your IP address. We do not collect precise GPS location data without your explicit consent.
4. Legal Bases for Processing
Under GDPR and KSA PDPL, we process your personal data based on the following legal grounds:
- Contractual Necessity (GDPR Art. 6(1)(b)): Processing necessary to perform our contract with you, including delivering digital audio guides, processing payments, and providing customer support.
- Consent (GDPR Art. 6(1)(a) / PDPL Art. 6): Where you have given explicit consent for specific processing activities, such as receiving marketing communications or analytics tracking.
- Legitimate Interest (GDPR Art. 6(1)(f)): Processing necessary for our legitimate business interests, such as improving our services, detecting fraud, and ensuring website security, where these interests are not overridden by your rights.
- Legal Obligation (GDPR Art. 6(1)(c) / PDPL Art. 5): Processing required to comply with applicable laws, regulations, or court orders in the Kingdom of Saudi Arabia, the European Union, or other jurisdictions.
5. How We Use Your Data
We use your personal data for the following purposes:
- To process and deliver your digital audio guide purchases and provide download access.
- To manage your account and provide personalized recommendations.
- To respond to your inquiries, support requests, and feedback.
- To send transactional communications (order confirmations, download links, refund notifications).
- To send marketing communications about new guides, promotions, and cultural travel content (only with your explicit consent).
- To improve our website, products, and services through aggregated analytics.
- To detect, prevent, and address technical issues, fraud, and security threats.
- To comply with legal and regulatory obligations in the Kingdom of Saudi Arabia and internationally.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients:
- Payment Processors: Secure payment gateways (e.g., Stripe, PayPal) to process transactions. These processors operate under their own privacy policies and PCI-DSS compliance standards.
- Hosting Providers: Cloud infrastructure providers located in the EU/EEA and Saudi Arabia to host our website and store data securely.
- Analytics Services: Google Analytics (with IP anonymization enabled) to understand website usage patterns. You may opt out of analytics via cookie settings.
- Legal Authorities: Government or regulatory bodies when required by law, such as the Saudi Data & Artificial Intelligence Authority (SDAIA) or EU data protection authorities.
7. International Data Transfers
Your data may be transferred to and processed in countries outside the Kingdom of Saudi Arabia and the European Economic Area (EEA). When such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions recognized by the Saudi Data & Artificial Intelligence Authority (SDAIA).
- Binding Corporate Rules for intra-group transfers.
8. Cookie Policy
Our website uses cookies and similar technologies to enhance your browsing experience. Categories include:
- Strictly Necessary Cookies: Essential for website functionality (e.g., shopping cart, session management). These cannot be disabled.
- Analytics Cookies: Help us understand how visitors use our site (e.g., Google Analytics with IP anonymization).
- Functionality Cookies: Remember your preferences (e.g., language, region filters).
- Marketing Cookies: Used for targeted advertising (only activated with explicit consent).
You can manage cookie preferences through your browser settings or, upon your first visit, through our cookie consent tool.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Account Data: Retained for the duration of your account relationship plus 3 years after account closure.
- Transaction Data: Retained for 7 years to comply with Saudi commercial law and international tax regulations.
- Communication Data: Retained for 2 years after the last interaction.
- Analytics Data: Aggregated and anonymized after 26 months.
10. Your Rights
Under GDPR and KSA PDPL, you have the following rights regarding your personal data:
- Right of Access (GDPR Art. 15 / PDPL Art. 4): Request a copy of the personal data we hold about you.
- Right to Rectification (GDPR Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (GDPR Art. 17 / PDPL Art. 4): Request deletion of your personal data ("right to be forgotten").
- Right to Restrict Processing (GDPR Art. 18): Request limitation of how we process your data.
- Right to Data Portability (GDPR Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (GDPR Art. 21): Object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR, or 10 business days as required by KSA PDPL.
11. Data Security
We implement industry-standard technical and organizational measures to protect your personal data, including:
- SSL/TLS encryption (256-bit) for all data transmissions.
- Encrypted storage of personal data at rest using AES-256 encryption.
- Regular security audits and vulnerability assessments.
- Access controls and role-based permissions for internal data handling.
- Employee data protection training conducted annually.
12. Children's Privacy
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take immediate steps to delete such information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through a prominent notice on our website and, where applicable, via email to registered users. We encourage you to review this policy periodically.
14. Contact & Complaints
For any privacy-related questions, concerns, or to exercise your data subject rights, please contact:
- Data Protection Officer: [email protected]
- Address: ExMuseum, KAFD, Area 4, Riyadh 11564, Saudi Arabia
- Phone: +966 11 555 0888
You also have the right to lodge a complaint with a supervisory authority. For KSA residents, this is the Saudi Data & Artificial Intelligence Authority (SDAIA). For EU residents, this is your local Data Protection Authority.