AANI Solutions LLC for Information Technology (operating under the registered trademark Razza®, hereinafter "Razza", "we", "us", or "our") is committed to protecting the personal data of all individuals who interact with our Platform, services, and marketplace.
This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how long we retain it, and what rights you have over your own data. It applies to all users of the Razza Platform, including business subscribers and end users of the Razza marketplace.
Data Controller
Razza acts as the Data Controller for all personal data collected through the Platform, website, and marketplace. Razza processes personal data in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA).
- Legal entity: AANI Solutions LLC for Information Technology
- Operating as: Razza® — SAIP No. TM‑01‑00‑51379‑25
- CR Number: 7051934136
- Address: AlMuhammadiyah District, Jeddah, Kingdom of Saudi Arabia
- Contact: support@razza.sa · www.razza.sa
Scope & who this policy applies to
This Policy applies to:
- Business Subscribers — business entities and individuals (including Freelance Work Document holders) who subscribe to the Razza Platform to manage their salon, barbershop, spa, beauty clinic, or wellness business.
- End Users — consumers who access the Razza marketplace, website, or mobile application to discover, browse, or book beauty and wellness services.
- Visitors — any person who visits the Razza website or application without registering.
This Policy does not apply to third‑party websites or services that may be linked to or integrated within the Razza Platform. Those third parties operate under their own privacy policies, for which Razza bears no responsibility.
What personal data we collect
3.1 Business Subscribers
We collect the following categories of personal data from Business Subscribers:
- Identity data — full name, national ID or Iqama number, commercial registration number or Freelance Work Document number.
- Contact data — email address, mobile number, national address.
- Business data — business name, activity type, VAT registration (if applicable), bank details (IBAN, beneficiary name) for invoicing and refunds.
- Staff data — names, contact details, and scheduling information of staff added to the Platform by the Subscriber.
- Account data — login credentials, access logs, account activity, subscription history.
- Financial data — payment records, invoice history, and transactions processed through the Platform.
- Communications — messages and support requests submitted to Razza.
- Visual content — photographs, images, and videos of premises, services, and staff uploaded by the Subscriber. Where content includes identifiable individuals, the Subscriber is responsible for obtaining their consent.
3.2 End Users & Marketplace Visitors
- Identity data — full name.
- Contact data — mobile number, email address.
- Booking data — appointment history, selected services, preferred providers, booking notes, and cancellations.
- Payment data — payment method details processed through Razza's payment infrastructure or integrated third‑party processors.
- Health and sensitivity data — allergy or special‑needs information voluntarily provided prior to a booking. This category is treated as sensitive data and is subject to heightened protection under PDPL.
- Device and usage data — IP address, device type, browser, operating system, pages visited, and session duration.
- Location data — approximate location when used for service discovery, with your consent.
How we collect your data
- Directly from you — when you register, subscribe, complete onboarding, make a booking, submit a support request, or communicate with us.
- Automatically — through cookies, web beacons, and similar tracking technologies when you interact with the Platform.
- From third parties — payment processors, identity verification services, or other integrated service providers, where necessary to provide the Services.
- From Business Subscribers — when a Subscriber uploads or enters data about their customers or staff into the Platform.
Legal basis for processing
Under the Saudi PDPL, Razza processes personal data on the following lawful bases:
- Contractual necessity — to perform the subscription agreement and provide the Services (account management, billing, onboarding, technical support).
- Consent — including non‑essential cookies, location data, and health or sensitivity data. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation — to comply with applicable Saudi laws, including ZATCA e‑invoicing, PDPL obligations, and the Anti‑Cybercrime Law.
- Legitimate interest — Platform security, fraud prevention, service improvement, and aggregated anonymous market insights, provided such processing does not override your rights.
How we use your data
6.1 Business Subscribers
- Create, manage, and maintain your Razza account and subscription.
- Process payments, issue ZATCA‑compliant invoices, and manage refunds.
- Provide onboarding, technical support, and platform updates.
- Verify your identity and business credentials during onboarding.
- Communicate with you about your account, subscription, and service updates.
- Comply with applicable Saudi legal and regulatory requirements.
- Investigate and resolve complaints or disputes.
- Produce aggregated anonymous market insights pooled across subscribers, in which no individual subscriber is identifiable.
6.2 End Users
- Create and manage your marketplace account.
- Process and confirm bookings and appointments.
- Facilitate payment transactions between you and the service provider.
- Send booking confirmations, reminders, and service‑related notifications.
- Share relevant booking and health information with the business subscriber to enable service delivery — with your consent where sensitive data is involved.
- Resolve disputes or complaints relating to bookings or payments.
- Improve the Platform through aggregate usage analysis.
Data sharing & disclosure
Razza does not sell personal data to third parties. We may share personal data only in the following circumstances:
- With Business Subscribers — end user booking data (name, contact details, appointment details, and any health or sensitivity information provided for the purpose of a booking) is shared solely to enable service delivery.
- With service providers and processors — payment processors, cloud hosting, communications providers (email, SMS, messaging), and analytics providers. All processors are bound by obligations consistent with PDPL.
- For legal compliance — where required by Saudi law, a court order, or a competent regulatory authority.
- Business transfer — in the event of a merger, acquisition, or sale of substantially all Razza assets, subject to equivalent privacy protections.
- With your consent — in any other circumstance, only with your explicit prior consent.
Data retention
Razza retains personal data only for as long as necessary, or as required by applicable Saudi law:
- Account & subscription: Active subscription + 5 years after termination
- Financial / invoicing: Minimum 10 years (ZATCA record‑keeping)
- Bookings & transactions: 3 years from date of transaction
- Health & sensitive data: Duration of the specific booking, deleted promptly thereafter
- Marketing & comms: Until consent is withdrawn or opt‑out
- Device / usage logs: 12 months
Upon expiry of the applicable retention period, personal data is securely deleted or permanently anonymized.
Data security
Razza implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction — including encrypted transmission (TLS/HTTPS), access controls and authentication, regular security assessments, and data‑minimization practices.
No method of electronic transmission or storage is completely secure. In the event of a personal data breach likely to result in risk to individuals' rights, Razza will notify the affected individuals and, where required, SDAIA, within the timelines prescribed by PDPL.
Users are responsible for maintaining the confidentiality of their account credentials. Razza is not liable for unauthorized access resulting from the user's failure to protect login information.
Your rights under PDPL
Under the Saudi PDPL, you have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion where there is no lawful basis for continued retention.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time, where processing is consent‑based.
- Portability — receive your data in a structured, commonly used format.
- Restrict processing — in certain circumstances.
Cookies & tracking technologies
Razza uses cookies and similar tracking technologies on its website, Platform, and marketplace:
- Essential — required for core functionality (authentication, session management, security). Cannot be disabled.
- Functional — remember your preferences and settings.
- Analytics — understand how users interact with the Platform. Data collected is aggregated and anonymous.
- Marketing & targeting — deliver relevant content and targeted advertising. Activated only with explicit consent.
You may manage cookie preferences via your browser or the cookie consent tool on the Razza website. Disabling certain cookies may affect Platform functionality.
Updates to this policy & contact
Policy updates
Razza reserves the right to update this Privacy Policy to reflect changes in our practices, services, or applicable law. Material changes are communicated to registered users via email or a prominent notice on the Platform at least thirty (30) days before they take effect. The current version is always available at www.razza.sa. Continued use of the Platform following any update constitutes acceptance of the revised Policy.
Contact
- support@razza.sa
- Website: www.razza.sa
- Address: AlMuhammadiyah District, Jeddah, Kingdom of Saudi Arabia
- Legal entity: AANI Solutions LLC for Information Technology
- CR: 7051934136
This Privacy Policy is governed by the laws of the Kingdom of Saudi Arabia and is subject to the Saudi Personal Data Protection Law (PDPL) and its implementing regulations.