01 — Introduction
Who we are and what this covers
Jawla Sports Co. ("Jawla", "we", "us", or "our") operates the Jawla mobile applications and the Jawla venue management portal (collectively, the "Service"). Jawla Sports Co. is registered in the Kingdom of Saudi Arabia.
This Privacy Policy applies whenever you use the Service — whether you're a player searching for a court, a venue operator managing bookings, or a visitor browsing our marketing site. It explains what we collect, why we collect it, and the controls you have over your information.
Jawla operates as a data controller for the personal data of players and visitors who interact directly with our consumer products. When we process information on behalf of venue operators using our portal, we may act as a data processor — in those cases, the venue is responsible for its own data handling practices.
02 — What we collect
Information we collect
We collect personal data in three ways: information you provide directly, information generated as you use the Service, and information from third parties where you've authorized it.
Information you give us
- Account details — first name, last name, gender, date of birth, nationality, phone number, and email address.
- Profile information — username (auto-assigned, editable), profile photo, skill level, preferred sports, city.
- Booking information — courts booked, dates, times, party size, partners invited.
- Payment information — handled by certified payment providers (mada, Apple Pay, STC Pay, Visa, Mastercard). We store transaction metadata but never full card numbers or CVV codes.
- Communications — messages you send to support, content you post in matches and crews, reviews you leave for venues.
Information we generate
- Usage data — pages and screens viewed, features used, search queries, taps and clicks.
- Device information — device type, operating system, app version, language, time zone, mobile network, and a randomized device identifier.
- Approximate location — derived from IP address, used to surface nearby venues. Precise location is only collected when you explicitly enable it in app settings.
- Match and rating data — outcomes of matches you play through the platform, and the resulting changes to your skill rating.
Information from third parties
- SSO providers — if you sign in with Apple or Google, we receive the basic profile fields you authorize.
- Venue operators — if a venue books you in directly through their portal, they may share your contact details with us to confirm the booking.
We do not collect biometric data, government identification numbers, health records, or financial account credentials beyond what's required to process a payment.
03 — How we use it
How we use your information
We use the information described above only for the purposes set out below. We don't repurpose your data for unrelated reasons without telling you first.
| Purpose | What we use | Legal basis |
| --- | --- | --- |
| Run your account, bookings and matches | Account, profile, booking data | Contract performance |
| Process payments and refunds | Payment metadata | Contract performance |
| Match you with players of similar skill | Match history, rating, sport prefs | Legitimate interest |
| Improve the Service and fix bugs | Usage data, device info | Legitimate interest |
| Send transactional notifications | Contact details | Contract performance |
| Send marketing (you can opt out) | Email, app push | Consent |
| Prevent fraud, abuse and harm | All of the above | Legal obligation / legitimate interest |
We never use your personal data for automated decisions that produce legal effects on you. Our skill-rating system is the only automated process that meaningfully affects your experience, and you can request manual review at any time.
04 — Sharing
Sharing & disclosure
Jawla does not sell your personal data, full stop. We share specific information with specific parties only when it's necessary to operate the Service, comply with the law, or protect users.
- Venue operators — when you book a court, the venue receives your name, contact number, booking time, party size, and any notes you've added. They need this to host you.
- Players you invite — your name, profile photo, and skill rating are visible to players you invite to a match or who join your open match.
- Service providers — cloud hosting (we use providers with regional data residency where available), analytics, error monitoring, push notification delivery, customer support tools. All are bound by data processing agreements.
- Payment providers — to authorize and settle transactions.
- Legal and safety — if required by valid legal process, or to investigate and prevent fraud, abuse, or threats to users.
- Corporate transactions — in the event of a merger, acquisition, or asset sale, your information may be transferred to the successor entity, with continued protection under terms no less protective than this policy.
05 — Retention
How long we keep your data
We hold personal data only for as long as we have a clear, lawful reason to. When that reason ends, we delete or fully anonymize it.
- Active accounts — for the lifetime of your account.
- Closed accounts — most data is deleted within 30 days of account closure. Some records (transaction history, fraud signals) are retained for up to 7 years to meet Saudi tax, accounting, and anti-money-laundering obligations.
- Support communications — 24 months from the close of the conversation.
- Marketing preferences and unsubscribes — kept indefinitely so we honor your choices.
- Anonymized analytics — may be retained indefinitely once it can no longer identify you.
06 — Your rights
Your rights under PDPL and GDPR
If you're a resident of Saudi Arabia, you have the rights set out in the Personal Data Protection Law (PDPL) issued by the Saudi Data and AI Authority (SDAIA). If you're a resident of the EU/EEA or UK, you have rights under the GDPR. We extend these rights to all users of Jawla regardless of residence, as a baseline standard.
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct any inaccurate or incomplete information.
- Right to erasure — request deletion of your account and associated data, subject to retention obligations above.
- Right to restrict processing — pause certain uses of your data while a query is investigated.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest, including profiling for marketing.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
- Right to lodge a complaint — with SDAIA in Saudi Arabia, or your local supervisory authority in the EU/EEA/UK.
You can exercise most of these rights directly inside the app — Settings → Privacy & data. For anything that isn't self-serve, email privacy@jawla.app and we will respond within 30 days.
07 — Cookies
Cookies and tracking technologies
On our website (jawla.app and subdomains), we use a small number of cookies and similar technologies. The mobile apps don't use cookies in the traditional sense, but they use comparable local storage and identifiers.
- Strictly necessary — needed for the site to work, e.g. session management. Always on.
- Functional — remember your language and preferences. On by default; you can disable.
- Analytics — help us understand how the site is used in aggregate. You can decline.
- Marketing — measure the performance of campaigns. Off by default; only used with consent.
You can change your cookie preferences at any time via the cookie banner or in your browser settings. We honor "Do Not Track" and Global Privacy Control signals where supported.
08 — Children
Children's data
Jawla is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact privacy@jawla.app and we will delete it promptly.
Where venues offer family programs or junior coaching that involve minors, the venue is responsible for obtaining appropriate parental consent. Jawla provides booking tooling for these programs but does not collect or process information about the participating minors directly.
09 — Transfers
International data transfers
We host the Service primarily on cloud infrastructure located in the Kingdom of Saudi Arabia and the wider GCC region. In limited cases — for example, certain analytics or error-monitoring providers — your data may be processed in other jurisdictions.
When personal data is transferred outside the Kingdom, we rely on safeguards permitted under PDPL: transfers to jurisdictions deemed adequate, contractual safeguards equivalent to Standard Contractual Clauses, and explicit consent where required. A list of our material sub-processors and their locations is available on request.
10 — Security
How we protect your data
We treat security as a product requirement, not a checkbox. Our practices include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls, with the principle of least privilege.
- Multi-factor authentication for all employee access to production systems.
- Regular third-party penetration testing and vulnerability scanning.
- Logging, monitoring, and incident response procedures with defined escalation paths.
- Tokenized payment handling — your full card details never touch our servers.
⚡ In the event of a breach
If a personal data breach occurs that is likely to result in risk to your rights, we will notify you and the relevant authority (SDAIA in Saudi Arabia) within 72 hours of becoming aware, in line with PDPL requirements.
11 — Changes
Changes to this policy
We may update this Privacy Policy as our Service evolves or as the law changes. The "Last updated" date at the top of this page reflects the most recent version. For material changes, we'll notify you in advance through the app and by email, and where required by law we'll seek your renewed consent.
Older versions of this policy are kept on file and available on request, so you can compare what changed.