Privacy Policy Statement

Effective Date: August 14, 2020

SIRC Digital Waste Management Platform

INTRODUCTION

Construction and Demolition Services for Waste Recycling Company LLC (“SIRC”) and Base Alpha Limited (“BA”) committed to protecting your personal data and privacy.

This Privacy Policy sets out important information in relation to who we are, which of your personal data we collect and process, how we process such personal data, for what purpose we process such personal data and your rights in relation to the processing of your personal data in the context of the SIRC Digital Waste Management Platform (“Platform”).

In this privacy policy references to “we” or “us” or “our” are references to SIRC and/or BA as the context may require and references to “Authorised Users” or “you” or “your” are references to independent contractors and their employees who provide services to SIRC including but not limited to the collection, transport and delivery of industrial waste.

We trust that you will find this policy helpful and informative. For further information, please contact:

Construction and Demolition Services for Waste Recycling Company LLC

1. Data Protection Contact: Data Protection Officer
2. Email address: sirconomy@sirc.sa
3. Postal address: 7160 King Khalid Road, Unit 18-19, Riyadh 13714, Kingdom Saudi Arabia

Base Alpha Limited

1. Data Protection Contact: Data Protection Officer
2. Email address: dpo@basealpha.io
3. Postal address: DD 14-124-050, 14th Floor, Wework X Hub71, Al Khatem Tower, ADGM Square, Al Maryah Island, Abu Dhabi, United Arab Emirates

We keep our privacy policy under regular review. This version was last updated on 14 August 2020. Our business changes constantly, and our Privacy Policy may therefore also need to change. We will post the current version of this Privacy Policy on the Platform and each such change will be effective upon posting on the Platform or upon the date designated by us as the “effective date”. We may e-mail periodic reminders of our notices and conditions, but you should check our Platform frequently to see recent changes. It is your obligation to regularly check the Privacy Policy. Your continued use of the Platform following any such change constitutes your agreement to this Privacy Policy as so modified.

It is important that the personal data that you store on the PDA (as described below) and make available to and which we hold in the Platform about you is accurate and current. Please update the information on your PDA and keep us informed if your personal data changes during your relationship with us.

If you use our Platform, you consent to the collection, use and sharing of your personal data under this Privacy Policy (which includes all other documents referenced in this Privacy Policy) and agree to the Terms of Use for the Platform. We created this Privacy Policy to give you confidence as you use the Platform and Services and to demonstrate our commitment to the protection of privacy.

Background

BA and SIRC have entered into an agreement pursuant to which BA has developed, hosts and maintains an online waste management platform (“Platform”) which is designed to enable SIRC through a management portal to capture and analyse data and information related to industrial waste generation, accumulation, collection, transport and processing across the Kingdom of Saudi Arabia.

Platform components developed by BA include, but are not limited to the following: Platform file structures and encumbrances; data architecture and databases; identity Management System; Application Programming Interfaces (APIs) to manage certifications, to manage and transfer assets and to expose Platform functionality to its web and mobile apps; frontend interface integrations; AI and machine learning algorithms and integrations. Platform components are owned or controlled by BA or licensed to BA.

The Platform’s end-user facing interfaces (the “Product”) consists of various we and mobile applications, including the mobile Driver application and Vendor web application, to which this Privacy Policy applies. Product components include but are not limited to the source code, interface and graphical design for these web and mobile applications as well as any designs, audio, video, text, photographs, and graphics, and the trademarks, service marks, and logos contained therein (the “Marks”). The Product and Marks are owned by SIRC.

BA has granted to SIRC an Exclusive Master Licence to use the Platform and to purchase subscriptions which enable Authorised Users to access and use the Platform through web and mobile applications.

SIRC requires its independent contractors to use the Platform including inputting their personal data and data relating to waste collection, transport and delivery into the Platform as part of their services to SIRC.

SIRC requires the personal and other data collected through the Platform to be processed for the purposes of its business. BA is hosting the Platform on behalf of SIRC and as such is processing personal data on behalf of SIRC.

SIRC is responsible for the collection and controls the processing of your personal data and as such is solely responsible and liable to you for the collection and processing of your personal data. BA’s sole liability and responsibility is to SIRC in relation to the processing by BA of your personal data under the instructions of SIRC and as such BA has no responsibility or liability to you in relation to such processing of your personal data pursuant to its agreement with SIRC.

Personal data accounts

The Platform requires Authorised Users to establish a Personal Data Account (“PDA”) which contains personal data of Authorised Users including:

1. identity data (being the name, data of birth, nationality, Iqama ID details and driving licence details including the personal details contained in such documents); and
2. contact details (being mobile number and other contact details),

(the “PDA Data”)

PDAs use a new technology called a "HAT Microserver" that enables Authorised Users to own and control their data in the cloud. PDAs are issued by Dataswift Ltd and governed by the HAT Community Foundation to ensure the ethical use of data on behalf of the PDA owners.

Please note that the PDA is subject to a separate privacy policy provided by Dataswift Ltd, a company incorporated in England (company number 09821157), whose registered office is at The Cottages, 8 Comberton Road, Barton, Cambridge, CB23 7BA, UK (“Dataswift”) which is the operator of the PDAs. We do not accept any liability for this privacy policy or for your PDA Data (as defined below) which is put on to your PDA by you or your employer.

The PDA enables each Authorised User to legally own and control their personal data and any other digital data should they so wish. PDAs give Authorised Users full control over their data. PDA Data which relates to the Platform shall be stored in a dedicated part of the PDA called the “SIRC Namespace”.

Neither SIRC, nor any of its data processors (including BA where BA agrees to process personal data on behalf of SIRC), can access any data in your PDA including the SIRC Namespace, without your explicit permission. Accordingly, each Authorised User shall on registering on the Platform provide explicit permission to SIRC and its data processors, to access, extract from and process the PDA Data in the SIRC Namespace section of its PDA for the purposes of the Platform. The provision of such consent is a condition to the engagement by SIRC of an Authorised User to provide services to SIRC.

An Authorised User may only withdraw its permission for SIRC and its data processors to access and process the PDA Data in the SIRC Namespace with the consent of SIRC in writing. SIRC will not provide such permission for the withdrawal of permission for the period during which an Authorised User is providing waste collection, transport and delivery and/or other related services to SIRC.

Furthermore, an Authorised Person will not be entitled to delete any PDA Data in the SIRC Namespace of its PDA without the permission of SIRC in writing. SIRC will not provide such permission for deletion of such data the period during which an Authorised User is providing waste collection, transport and delivery and/or other related services to SIRC

For this Privacy Policy we define the following terms:

1. Personal data that we collect about you that is placed in your Personal Data Account (PDA) is called your PDA Data
2. Personal data that we collect about you that may be PDA data, but may also have a copy in our servers, is called Platform Personal Data.

All other types of data collected or generated by the Platform, including Platform Content Data, may be stored in either your PDA or on Platform servers.

For more information on PDAs, see https://dataswift.io

Types of Personal Data and other data processed by us

As a result of the use of the Platform, we may collect, use, store and transfer the following types of Personal Data of Authorised Users on behalf of SIRC:

1. Platform Personal Data: PDA Data in your PDA may also be kept on our platform. This includes but may not be limited to: (a) identity data (being the name, data of birth, nationality, Iqama ID details and driving licence details including the personal details contained in such documents); and (b) contact details (being mobile number and other contact details).
2. Metadata: Metadata may include information such as information about an Authorised User’s device, the device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Platform that visited, the time and date of any visit, the time spent on those pages, unique device identifiers and other diagnostic data. We may also collect information that a browser sends whenever the Platform is used by or through a mobile device.
3. Platform Content Data: This includes data required to be collected by the Platform including in relation to the collection, transport, delivery and processing of waste including waste load and location details as disclosed by GPS, WiFi or other location tracking technology.
4. Cryptographic Keys: The Platform will create and store cryptographic keys used to encrypt and protect data and in respect of which such keys will be stored inside the relevant PDAs.

Aggregated Data

We also collect, use and share aggregated data such as statistical data for any purpose. Aggregated data may be derived from personal data but is not considered personal data in law as this data does not directly or indirectly reveal an individual’s identity. For example, we may aggregate your Metadata and Platform Content Data to calculate the percentage of users accessing a specific Platform feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

We do not collect other Special Categories of Personal Data

We do not collect any other Special Categories of Personal Data about you (this includes details about your political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about past criminal convictions and offences.

Minors

By accessing, using and/or submitting information to or through the Platform and the Services, you represent that you are not a child (minor). If we learn that we have received any information directly from a child without his/her parent’s written consent, we will use that information only to respond directly to that child (or his/her parent or legal guardian) to inform the child that he/she cannot use the Services, and we will subsequently delete that information.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to terminate your use of the Platform or reject your registration which may adversely impact on your ability to comply with your obligations to SIRC.

Passwords and Confidentiality

If you generate or are provided with a password or any other piece of information as part of our security procedures for our Platform, you are responsible for maintaining the confidentiality of your password and user name for the Platform and you are responsible for all activities that are carried out under them. We do not have the means to check the identities of people using the Platform and we will not be liable where your password or user name is used by someone else. You agree to inform SIRC immediately of any unauthorised use of your password or user name of which you become aware. We have the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if in our opinion, you have failed to comply with any of the provisions of these terms.

How is your Personal Data collected

1. Account Registration: You and your employer directly establish a PDA, if you have not already established a PDA, for you and input your PDA Data into the SIRC Namespace on your PDA through the Platform.
2. Platform Operation: The Platform automatically collects such Personal Data from the SIRC Namespace on your PDA when you register and when you are active on the Platform.
3. Automated technologies or interactions: As you interact with our Platform, we may automatically collect Metadata about your equipment, browsing actions and patterns and your location. We collect this personal data by using cookies, server logs and other similar technologies.
4. Direct input: As you provide your services to SIRC, Platform Personal Data and Platform Content Data will either be automatically or manually entered into the Platform.

How we use your Personal Data

We only use your PDA Data pursuant to the permissions as stated in your HAT Microserver Instruction Contract as set up by Dataswift (HMIC).

We will only use your Platform Personal Data where we are permitted to do so by law. This will most commonly include using data for the following purposes which describe the lawful basis we rely on for the processing of your personal data.

1. to fulfil the terms of a contract with you, or any of your affiliates or entities with whom you have a contractual relationship;
2. where use of the data is necessary for our legitimate interests and your interests and fundamental rights do not override those interests; and
3. where we are required to comply with a legal obligation.

Marketing

We will not use your Platform Personal Data for the purposes of our own or third party marketing.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Platform may become inaccessible or not function properly.

Purposes for which we will use your personal data

We only use your PDA Data according to the permissions stated in your HMIC.

We may use your Platform Personal Data, in combination with Metadata, Platform Content Data and Aggregated Data for the following purposes:

1. to administer your account: to manage your registration as a user of the Platform. The Personal Data you provide can give you access to different functionalities of the Platform that are available to you as a registered user;
2. for the performance of the functions and objectives of the Platform: including but not limited to the generation, recording and analysis of records related to the collection, transfer, processing and analysis of waste on behalf of SIRC; and
3. to contact you: to contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to SIRC business or the functioning or usage of the Platform, including security updates, when necessary or reasonable for their implementation.

Metadata, Platform Content Data, Platform Personal Data, Cryptographic keys and Aggregated Data may be used to improve the Platform in the following ways:

1. to provide maintenance and technical support;
2. to understand the way you use the Platform so that we can improve your experience and the Platform’s features and functionalities;
3. to protect the security of our network and prevent abusive behaviour;
4. to better understand the Platform’s users, which may include behavioural analytics and/or carrying out profiling based on your interactions with the Platform; and
5. to comply with our obligations under applicable law and to prevent fraud and other prohibited or illegal activities.

We may use Platform Personal Data for a purpose other than the originally stated purposes where the new purpose is required by law or where we have obtained consent in writing for each new purpose.

Disclosure of Platform Personal Data

We cannot share your PDA Data unless the permissions have been set up by Dataswift.

We may share your Platform Personal Data only in the following situations

1. With SIRC and other Platform Users: BA host and maintain the Platform on behalf of SIRC. SIRC employees or contractors will have access the Platform and its full range of features and data. Consequently, your Platform Personal Data may be disclosed for purposes pertaining to your professional activities in association with SIRC, including but not limited to the administration of employee and contractor hiring, performance reviews, compliance monitoring and for the purposes of complying with all applicable legislation. We will require SIRC, and its employees and contractors who access the Platform to honour this Privacy Policy.
2. With Service Providers or Business Partners: Some of our activities to host, maintain and improve the Platform may be carried out by third party service providers or business partners. These include cloud, IT and analytical services. In all cases, the activity is conducted for specific purposes, in accordance with our guidance and required to be taken with appropriate security measures.
3. For business transfers: We may share or transfer your Platform Personal Data in connection with, or during negotiations of, any merger, sale of BA or SIRC assets, financing, or acquisition of all or a portion of our business to another company.
4. With affiliates: We may share your information with our affiliates, in which case we will require those affiliates to honour this Privacy Policy. Affiliates include subsidiaries, joint venture partners or other companies that we control or that are under common control with us.

We require all third parties to respect the security of your Platform Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

International transfers

The Platform Personal Data that we collect from you may be transferred to, and stored at, a destination outside of the jurisdictions in which the persons to whom such Personal Data relates being United Arab Emirates, Saudi Arabia, Bahrain and United Kingdom. It may also be processed by staff operating outside such jurisdictions who work for us or for one of our suppliers. Your Platform Personal Data may be transferred, stored, processed and used by our affiliated companies and/or non-affiliated service providers in one or more countries outside your originating country.

We ensure your Platform Personal Data is protected by requiring all our group companies to follow the same rules when processing your Platform Personal Data. Whenever we transfer your platform personal data out of such jurisdictions or to third parties, we aim ensure a similar degree of protection is afforded to it by the use of contractual obligations.

Data security

Your PDA data security is maintained by Dataswift.

We maintain commercially reasonable technical, administrative, and physical safeguards to ensure your Platform Personal Data is treated securely and in accordance with this Privacy Policy, and to protect against unauthorized access or alteration to, disclosure, or destruction of your Platform Personal Data. We may, for example, use encryption technology to secure your Platform Personal Data during transmission to our Platform as well as external firewall and on-host firewall technology to prevent network level attacks. Only those authorized employees, contractors, and agents who need to know your Platform Personal Data in connection with the performance of their services are allowed to access this Platform Personal Data.

It is important for you to protect yourself against unauthorised access to your password and to your devices used to access the Platform. You are responsible for keeping your password confidential. For example, ensure that you sign off when you have finished using a shared device.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Platform Personal Data, we cannot guarantee the security of your Platform Personal Data transmitted to our Platform and any transmission is at your own risk.

Data Retention

The data retention policy for your PDA data is set by Dataswift and subject to their terms and conditions when you signed up to a PDA.

We will only retain your Platform Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your platform personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the Platform Personal Data, the potential risk of harm from unauthorised use or disclosure of your Platform Personal Data, the purposes for which we process your platform personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Generally, the retention periods for different aspects of your platform personal data will be six years.

In some circumstances you can ask us to delete your data: see your legal rights below for further information.

In some circumstances we will anonymise your platform personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your legal rights

You have full legal rights to your PDA data.

Under certain circumstances, you have rights under data protection laws in relation to your Platform Personal Data. Subject to the terms of this Privacy Policy, in particular, you have the right to:

1. Request access to your platform personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
2. Request correction of the platform personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
3. Request erasure of your personal data. This enables you to ask us to delete or remove Platform Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Platform Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
4. Object to processing of your Platform Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
5. Request restriction of processing of your Platform Personal Data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
   1. If you want us to establish the data's accuracy.
   2. Where our use of the data is unlawful, but you do not want us to erase it.
   3. Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
   4. You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
6. Request the transfer of your Platform Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Platform Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
7. Withdraw consent at any time where we are relying on consent to process your Platform Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact SIRC by email at sirconomy@sirc.sa

You will not have to pay a fee to access your Platform Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Platform Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Platform Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.