MIS Connect

11.09.2023

Introduction

Welcome to the MIS Connect privacy policy.

MIS Connect as a regulated and licensed entity in the Kingdom of Saudi Arabia aims to offer their Clients access to Open Banking services, especially Account Information Services and Payment Initiation Service (AIS/PIS). MIS Connect empowers financial and non-financial players to provide tailor-made solutions to customers by leveraging the power of transactional and personal data. We help to transform an entire industry to unlock potentials for continuous growth based on ensuring the highest standards of handling personal data.

MIS Connect respects your privacy and is committed to protecting your data. This privacy policy will inform you as to how we look after data when you visit our website or access our services and tell you about your privacy rights and how the law protects you.

This Privacy Policy describes MIS confect's and any of ours affiliates' (collectively, 'MIS Connect,' 'we', 'us', or 'our') practices and the privacy rights of users of MIS Connect Services ('you') regarding our collection, use, storage, sharing and protection of your personal information. It applies to the MIS Connect website, and all related sites, applications, services, and tools.

You accept this Privacy Policy when you sign up for or access, or use our products, services, content, features, technologies, or functions offered on our website and all related sites, applications, and services (collectively 'MIS Connect Services'). We may amend this Privacy Policy at any time by posting a revised version on our website. The revised version will be effective as of the published effective date, indicated at the top of this Privacy Policy, in which case you will be deemed to have accepted the updated Privacy Policy if you continue to use the Services after the new Privacy Policy takes effect.

This website is not intended for children and we do not knowingly collect data relating to children.It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

1. Definition

In this Privacy Policy, the following expressions have the following meanings:

1.1. “MISCo” or “the Company” means MIS Connect, its affiliates, and subsidiaries.

1.2. “Client” or “End-User” in certain instances may be a visitor to the Company's site, a customer that is an individual, or a corporate customer (Bank, Merchant, FinTech, etc.) or a user of the Company's products and services.

1.3. “Staff or Applicant” means any individual who currently holds an employment contract with MIS Connect (either part-time or full-time) or an individual that applies for a job opportunity.

1.4. “Developer” means an entity or an individual person accessing or using MIS Connect's Developer Portal under their sole discretion or on behalf of another entity.

1.5. “Developer Portal” means the development and sandbox environment that is provided by MIS Connect.

1.6. “Data Subject” means the Client, End-User, Staff, or Applicant who owns the data.

1.7. “Data Provider” means the Data Subjects, collectively, which consensually provide their personal data to MIS Connect.

1.8. “Services” means account information services (AIS), payment initiation services (PIS), or developer portal services.

2. Application and acceptance

2.1. This Privacy Policy applies to all data providers. All data Client must read this Privacy Policy i carefully.

2.2. By utilizing MIS Connects' s services, providing information through the website, and when applying for a job through any of the social media channels / other portals, the data providers signify acceptance of the terms of this Privacy Policy and its updates/ amendments from time to time.

3. Change to the Privacy Policy

3.1. To the extent legally permissible by the applicable laws and regulations, any content contained in this Privacy Policy shall be subject to change, modification, alteration, or otherwise, at the Company's sole discretion.

3.2. Unless otherwise indicated, amendments/ updates will be effective immediately upon publishing. Any updates to this Privacy Policy will be available through MIS Connect's website.

4. Personal Data

4.1. MIS Connect undertakes that all information must be processed lawfully, fairly, and in a transparent manner in relation to any data providers. MIS Connect will only collect information needed to provide the services and process the data for the purpose defined in this Privacy Policy.

4.2. MIS Connect will collect and process information for legitimate purposes and:

- not use the information in ways that have unjustified adverse effects on any data providers,

- be transparent about how MIS Connect intends to use the information and provide notification of the same,

- handle the information only in ways any data providers would reasonably expect; and

- not commit any unlawful act with the collected information.

5. Collection of Data

5.1. MISCo collects Personal Data in the following manner:

- For AIS / PIS Clients, MISCo collects the Personal Data obtained from the Account Servicing Payment Services Providers “ASPSPs” (i.e., any payment service provider, such as a bank or a credit card issuer that maintains an online payment account on behalf of the End-User).

- For Clients, MISCo collects Personal Data from the Know Your Business “KYB” form and supporting documentation, email correspondences, and information provided during project execution or through third-party sources.

- For a visitor to MISCo's website, Personal Data is collected when subscribing to the newsletter or through the 'contact us form.

- For employees, MISCo collects Personal Data during the recruitment process and performance reviews either from the employee, third-party application/process, or is created by MISCo in course of the recruitment process after obtaining Staff explicit consent.

- For an Applicant, MISCo collects Personal Data through social media platforms, other recruiting portals, email correspondence, information provided by the Data Subject via email and through MISCo career page in its website.

- For a Developer, MISCo collects Personal Data during registration to the Developer Portal.

5.2. In addition to some of the specific uses of information this Privacy Policy covers, MISCo may use information that it receives in order to:

- manage, develop, operate, improve, deliver, maintain, and protect its service

- communicate by all means of communications, including by email

- monitor, analyse trends and usage of the provided products and services

- enhance the safety and security of services

- verify Client or End-User identity and prevent fraud or other unauthorised / illegal activity

- verify accounts, records, and information

- satisfy governmental agencies' requirements

- manage the data and data bank

6. Retention of Data

6.1. MISCo will not retain the Personal Data for longer than necessary.

6.2. MISCo defines the length of the Personal Data retention period after considering the following factors:

- MISCo's contractual obligations and rights in relation to the Personal Data involved

- Legal obligations and legal retention period as defined in the applicable Data Protection Laws

- Whether MISCo has relied on the Client and End-User consent to use the Personal Data, but the consent has been later withdraw

- MISCo's legitimate interests

- Fraud and risk management

- Potential disputes, and guidelines issued by relevant data protection authorities.

- Data Provider data will be held in the country in which they reside

- For employees and applicants data will be stored in the Kingdom of Saudi Arabia

6.3. By utilising MISCo's AIS/PIS services as an 'End-User', the Personal Data will be shared with the Client (as applicable).

6.4. If MISCo gets involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of its business to another company, MISCo may share the data provider's information with that company before and after the transaction closes.

6.5. MISCo may also share the Personal Data during the occurrence of the following circumstances with due regard to the personal data protection rights of the data providers and post adequate clearance from legal:

- If MISCo reasonably considers that it is under a duty to disclose or share personal data to comply with any legal obligations.

- To protect the rights, property, or safety of the data providers, MISCo's affiliates, or subsidiaries.

6.7. MISCo is restricted to disclose the data provider's personal data under certain circumstances as defined in the applicable Data Protection Law of the Kingdom of Saudi Arabia.

6.8. MISCo shares employees personal information with third parties (employment agencies, background checks, online test providers, credit reference agencies, regulators, and competent authorities) for the purposes of processing applications. MISCo will also share personal data with its affiliates and subsidiaries for the purposes of administration, accounting, and reporting purposes.

7. Accuracy and Security of Data

7.1. MISCo's contractual obligations on the accuracy of data are limited to this Privacy Policy and to the Terms and Conditions which are accessible via MISCo's AIS/PIS services.

8. Data Protection and Confidentiality

8.1. MISCo understands that the information collected and shared by data providers contains sensitive data. Therefore, MISCo undertakes its role to protect the information very seriously. MISCo also provides high-quality security programs on its services based on high industry standards and implements best practices and ensures its vendors (if applicable) provide the same. In addition, MISCo takes a strong defensive approach to countering cyber-attacks and securing information from unauthorised access or misuse.

8.2. Data providers acknowledge and accept, when utilizing MISCo's services, that the provision of services may be susceptible to faults and technical difficulties. As such, MISCo cannot guarantee a fault-free service. If any information subject to MISCo's control is attacked by a cyber-attack as a result of a security breach, MISCo's policy is to take reasonable steps to investigate the situation and to communicate with and compensate the affected data providers provided that the issue at hand is resolved by MISCo as soon as practical.

8.3. MISCo will maintain the confidentiality of the data providers' information and assure secure processing of this information including without limitation how such information is accessed, stored, disseminated, and destroyed.

9. Notification of Breaches

9.1. MISCo undertakes that it will immediately notify its Clients of any breach, hack, leak, cyberattack, or otherwise to the information provided and will take the necessary measures and precautions to remedy the such issue.

9.2. MISCo undertakes that it will process information in a manner that ensures data security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

9.3. MISCo shall not request any sensitive or private information via text message or through any other form of social network communication. MISCo shall contact the data provider directly via the contact information provided in the event of suspected or actual fraud or security threats.

10. Data Subject Rights

The Data Subject rights, as permitted by law are as follows:

10.1. Right to be informed: the right to be informed and be privy to the legal or practical justification for collecting the personal data

10.2. Right to access: the right to request MISCo to view the personal information and the purpose for which it is intended and disclosed. Also, the right to request the nature of personal information collected.

10.3. Right to object to processing: the right to request MISCo to cease processing of personal data for direct marketing purposes and processing causing material or moral damage to the Data Subject or Others.

10.4. Right to rectification, blocking, erasure: the right to request MISCo to rectify, block or erase personal data when the processing of such data is in breach of the law.

10.5. Right to opt out: the right to choose to opt-out of MISCo's communication and mailing services at any time.

10.7. Right to complain: the right to inquire, complain and provide feedback.

10.8. Right to amendment, completion, or update: the right to request an amendment, completion or update to personal data.

10.9. Should the Data Subject wish to utilise its rights, you are requested to kindly do so by raising a ticket to MIS Connect Ticketing system (www.misconnect-dwpext.onbmc.com/dwp/app). The rights of Data subjects will be exercised by MISCo free of charge and within a period not exceeding 30 working days of receiving such request.

10.10. MISCo may reject a request if the Data Subject misuses the right in obtaining information or restrictions to granting data access is necessary to protect the Data Subject and others from any harm in-accordance to the laws of Saudi Arabia.

11. Communication and Mailing Services

11.1. By utilizing MISCo's Services, subscribing to the newsletter, or applying for a job, the data providers hereby consent to receive communication from MISCo, and its affiliates, in the form of, but not limited to, emails, newsletters, and advertisements.

11.2. MISCo may engage with third-party providers during direct marketing. In such cases, MISCo will ensure third parties maintain confidentiality and security measures for Data Subject's data.

11.3. Data providers may choose to opt-out of such communication and mailing service at any time, subject to MISCo's prior notification.

12. Purposes for which we use data

Activity Type of data Purpose for processing including basis of legitimate interest If you are MISCo's Client (Bank, Merchant, FinTech, etc.) (On-boarding information (KYB), incorporation documents, shareholders identities, contact details, financial statements, other supporting documents (as applicable). To conduct due diligence that MISCo is legally required to undertake to ascertain Client fits regulatory requirements and passes background checks (criminal checks, etc.)

If you are an End-User of the AIS service Account details: account balances, details, statements, transactions, beneficiary, standing order details, etc.

Other: personal data registered on the account such as name, contact details, phone number, email, and customer identifiers such as ID information (as applicable). To successfully deliver the AIS Service.

If you are an End-User of our PIS service

Transaction details: (merchant ID, payee identity / payer bank, bank account number (IBAN), transaction reference ID, transaction amount, account names, various other IDs to uniquely identify a transaction, status of transaction) which will also be shared with the merchant / payee for transaction recording, enabling subsequent payments and initiating refunds (if required)

Customer experience data: user journey details, location, device type, IP address, telecom carrier, OS version, etc.

Other: Name, contact details, email, phone number, customer identifiers such as ID.

To successfully deliver the PIS Service and monitor customer experience for analytical purposes.

If you are an End-User of our AIS/PIS service and have raised a complaint, query, or wish to exercise any of your legal rights etc. Name, email address, supporting information/ documents (nature of the complaint, query, transaction record, etc.)

To conduct the investigation that is required to resolve any issues faced. If you register to the Developer Portal Sign up phase: Email id, first name, last name, company name, phone number (optional)

Registration phase: Customer company name, customer contact name, customer contract email, account email, sandbox client id, merchant/client logo, beneficiary account (for PIS) beneficiary account holder name (for PIS), merchant category (for PIS) and maximin transaction limit (for PIS)..

To ensure a seamless user journey for utilizing MISCo products and services.

If you are visitor to MISCo's official website

First name, last name, business email, job title, company name, company industry, country, phone number (optional), unique message

To provide updates on MISCo's activities, services, and products;

To share details with sales team to get in-touch;

to record the marketing preferences and any feedback or responses for the purposes of improving our services. If you are a part of MISCo's employee

Information provided in curriculum vitae, application form, covering letter and during the interview process including: your name, date of birth, age, gender, home address, personal email address, education, qualification and work experience details, and references. Information collected or created by us during the recruitment process including interview notes, test scores and correspondence between us. Information about criminal convictions: we carry out background checks as part of the recruitment process. Sensitive information like your racial and ethnic origin information and information relating to disabilities, religious beliefs or sexual orientation, marital status for visas, physical or mental health information and immigration/naturalization records (if this discloses racial/ethnic origin information Necessary to enter an employment control; to comply with a legal or regulatory obligation; have a legitimate interest to ensure the effective administration and management of the recruitment process; ensure MISCo hires suitable individual for a role; deal with disputes and accidents and take legal or other professional advice; and ascertain Staff fitness to work. Special category data is processed to consider the need to provide appropriate adjustments during the recruitment process and to ascertain fitness to work for equal opportunity monitoring purposes. Criminal conviction information is processed to assess suitability for a regulated role; to protect interests, because it is necessary in relation to legal claims. MISCo is allowed to utilize Staff personal information where it is necessary to carry out employment rights and obligations.

13. Jurisdiction

13.1. This Privacy Policy shall be governed by the laws of the Kingdom of Saudi Arabia. In the event of a dispute arising in connection with the terms stated in this Privacy Policy and/or implementation of the services, such disputes shall be referred to the Courts of the applicable governing jurisdictions.

14. Complaints

14.1. To provide any compliment, lodge complaints, or exercise your rights, please submit a ticket to www.misconnect-dwpext.onbmc.com/dwp/app

14.2. For any queries or requests raised by employees or job applicants, please send an email to hr@misconnect.sa.