Privacy Policy - STAr Employee App

1. Introduction

The Saudi Tourism Authority (STA) is a government entity established to promote Saudi Arabia as a tourist destination. STA is committed to protecting the personal data of its employees and users in compliance with the Saudi Personal Data Protection Law (Royal Decree No. M/19, dated September 16, 2021).

The STAr Employee App is an internal mobile application used by STA employees for daily work operations including attendance tracking, meeting room booking, leave management, payslip access, HR services, and internal communications.

Contact: Data Governance Office | Phone: +966 920022554 | Email: DGO-DPO@sta.gov.sa

2. Personal Data Collected

STA collects the minimum necessary personal data directly and indirectly, including:

User-provided information: name, employee ID, email address, phone number, department, job title
Authentication data: login credentials managed through secure single sign-on (SSO)
Attendance records: clock-in/clock-out times and associated location data
Communication records: support requests, feedback, and issue reports submitted through the app
Technical data: device information, operating system version, app version, and crash/error logs

3. Location Data Collection and Usage

The STAr Employee App collects and uses location data for the following purposes:

Attendance Verification (Geofencing): The app uses background location access with geofencing technology to detect when an employee enters or exits STA office buildings. This enables automated clock-in and clock-out reminder notifications.
Clock-In/Clock-Out Verification: When an employee records attendance, the app verifies that the employee is physically present at an STA office location using GPS coordinates.
Office Map and Seat Finder: The app uses location data to help employees find colleagues, meeting rooms, and available seats within STA buildings.

Background Location Access

The app requests "Allow all the time" (background) location permission only after explicit employee opt-in. Background location is used solely for geofence-based attendance notifications. Employees can disable background location access at any time through the device's system settings, and the app will continue to function for all other features without background location.

Location Data Handling

Location data is transmitted only during clock-in/clock-out actions and is sent to STA servers over encrypted connections.
Location data is not shared with third parties.
Location data is not used for employee tracking or surveillance outside of attendance purposes.
Geofence regions are limited to STA office building locations only.

4. Purpose and Legal Basis

Personal data is processed based on the following legal grounds:

Employee consent (which may be withdrawn at any time)
Legitimate organizational interests for workforce management
Legal and regulatory obligations
Fulfillment of employment agreements

5. Data Retention

Personal data is retained for up to 120 months or as required for operational needs, including account maintenance, service enhancement, complaint handling, security, and legal compliance. Data is securely deleted when no longer required.

6. Data Storage and Security

Personal data is stored within Saudi Arabia on STA servers, protected using standards set by the National Cybersecurity Authority (NCA). Technical and organizational safeguards are implemented to prevent unauthorized access, disclosure, alteration, or destruction of personal data.

7. Data Sharing

STA does not sell or trade personal information. Data may be shared only with vetted third-party service providers under strict contractual data protection obligations, and only to the extent necessary to provide app services.

8. Third-Party Services

The app uses the following third-party services for operational purposes:

Firebase (Google): For crash reporting, performance monitoring, analytics, and push notifications. Firebase may collect device identifiers and usage data in accordance with Google's privacy policy.
Microsoft Azure AD: For single sign-on authentication.

9. Employee Rights

Employees have the following rights regarding their personal data:

Right to be informed about how their data is used
Right to access copies of their personal data
Right to correct inaccurate information
Right to request deletion of data (where legally permitted)
Right to withdraw consent for data processing
Right to disable background location access at any time

To exercise these rights, contact: DGO-DPO@sta.gov.sa

10. Children's Data

The STAr Employee App is intended for use by STA employees only. The app and its services are restricted to individuals 18 years of age and older.

11. Changes to This Policy

STA reserves the right to update this Privacy Policy at any time. Employees will be notified of significant changes through the app or via internal communication channels. Continued use of the app after changes constitutes acceptance of the updated policy.

12. Applicable Law

This Privacy Policy is governed by the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL), National Data Management Standards, and National Cybersecurity Authority controls.

13. Contact and Complaints

For questions, concerns, or complaints regarding this Privacy Policy or data handling practices:

Email: DGO-DPO@sta.gov.sa
Phone: +966 920022554

Unresolved complaints may be escalated to the Saudi Data and AI Authority (SDAIA) through the National Data Governance Platform.