
Data Protection Statement

  1. Purpose Statement & Legal Basis

This Privacy Notice aims to inform users about how their personal data is collected, processed, stored, and protected when interacting with our website and mobile application. It is designed in accordance with the Saudi Personal Data Protection Law (PDPL) and other applicable international privacy regulations, where relevant.

This Privacy Notice is aligned with applicable data protection laws, including the Saudi Personal Data Protection Law (PDPL - نظام حماية البيانات الشخصية) issued under Royal Decree No. M/19 dated 9/2/1443H.

Legal Basis for Processing
We process personal data based on:

  • The necessity for performing a contract (e.g., for online orders or service delivery)
  • Compliance with legal obligations
  • Your explicit consent (where required)
  • Our legitimate interest in enhancing customer experience and improving our services

  1. Objective and Responsibility

This Data Privacy Statement informs you about the nature, scope and purpose of the processing of personal data by JAH Arabia International Duty Free (“JAH”, “we”, “us”) in the JAH Webshop and the JAH APP.

The data controller for the processing is JAH Arabia International Duty Free
National Address: 3108, Al-Ahsa, Al-Zahraa, 6340, Riyadh, KSA, short REZA6340

Office Address: Floor 2, PMDC Building 7648, Prince Sultan – Az Zahra Dist. Zip Code 23425, Jeddah,

You can contact our data privacy officer at the following e-mail address M.Saraireh@jah-dutyfree.com

  1. Processing of your personal data through our online services

    1. Processing of Logfiles

When visiting our website, personal data is automatically transmitted by the user's terminal device; this includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Legal basis
The processing of this information is based on our legitimate interest according to Art. 6 (1) (f) GDPR in ensuring the smooth set-up of the connection and in ensuring the security of the processing (e.g. for the prevention and investigation of cyber attacks) pursuant to Art. 5 (1) (f) GDPR.

Recipients
To provide this service, we use IT service providers.

Retention period
The log files are automatically anonymized at the end of the session.

  1. Cookie Consent Management

We use cookies, pixels and similar other technologies (collectively referred to as “cookies”), including those from third parties, which we need to operate the website and to monitor performance (“essential cookies”) and to display personalized advertising (“marketing cookies”). For the purpose of recording and documenting your consent to the use of cookies, we use the Usercentrics Consent Management Platform (CMP).

Usercentrics stores opt-in/opt-out and timestamp, device and browser information and anonymized IP address in the local storage of your browser so that your individual settings are saved for further visits to our website and the consent field is not displayed again each time.

For more information about the cookies used and to manage your preferences, visit our CMP at the following link: Cookie Settings

Legal basis
The legal basis for our processing of your personal data is, according to Art. 6 (1) (c) GDPR, our obligation to comply with the Telecommunications Digital Services Data Protection Act (TDDDG) and our legitimate interest pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest lies in the efficient management of consent data and optimizing user experience.

Recipients
To provide this service, we use IT service providers.

Retention period
The consent data (consent given and withdrawal of consent) will be stored for one year, provided that there are no legal obligations to retain data.

  1. “One for all” Customer Account

You need a personal account to be identified and to access certain JAH services such as the Jeddah loyalty program or the Jeddah mobile app. An account also provides a convenient way to use our Click & Collect service, but Click & Collect orders are also possible as a guest without an account. In order to open a Click & Collect account, you must join the loyalty program. For the above purposes, we process first and last name, salutation, country, e-mail address and the password you have chosen. Providing your date of birth and telephone number during registration is optional.

You may review and change the information we have stored about you in your account or delete your account at any time.

Legal basis
The legal basis for processing is Article 6 (1) (f) GDPR. Our legitimate interest lies in providing a better user experience, fraud prevention and IT security.

Recipients
To provide this service, we use IT service providers.

Retention period
Your personal data will be stored as long as your account is active.

  1. Pre-Order processing

You must be in possession of a valid flight ticket in order to pre-order from us. Therefore, you will be asked to provide your flight number, flight date, departure airport and arrival airport at checkout to verify your eligibility to order. After submitting your cart, you will receive a pickup ticket with your order ID and your name. For this purpose we process your account data or, when you proceed as a guest, the information you provided (such as your flight information).

Legal basis
The legal basis for our processing of your personal data is the initiation of a sales contract (Article 6 (1) (b)).

Recipients
To provide this service, we use IT service providers.

Retention period
Your order history will be kept as long as your account is active. If you have ordered as a guest, we will delete your personal data when the purpose for which it was collected no longer applies.

The provision of the data is a requirement to enter and fulfill the contract. There are no negative consequences if you don’t provide the data; however, if you don’t provide or fail to provide the data, we can’t offer our services and goods.

  1. Pre-Order history

If you have created an account, we store your webshop pre-order history to provide you with an excellent customer experience. Pre-order history offers you a convenient way to reorder your favorite products and enables us to recommend similar products and related promotions (e.g. tastings) to our customers based on previous orders. Your pre-order history can be viewed in your account (webshop and APP).

Legal basis
The legal basis for storing your pre-order history is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest is to create customer satisfaction in order to boost our business.

Recommendations will only be generated and used for our newsletter if marketing consent has been provided. You may revoke your marketing consent at any time with future effect.

Recipients
To provide this service, we use IT service providers.

Retention period
Your pre-order history will be kept as long as your account is active. If you have ordered as a guest, we will delete your personal data when the purpose for which it was collected no longer applies.

  1. Abandoned Cart

If you have created an account and have not completed your pre-order, you may receive a reminder email from us, provided you have given us marketing consent.

Legal basis
The legal basis for our processing of your personal data is according to Art. 6 (1) (a) GDPR the marketing consent you have given us. You may revoke your marketing consent at any time with future effect.

Recipients
To provide this service, we use IT service providers.

Retention period
As long as your account is active and you have not completed your pre-order or removed your products, your abandoned cart will be retained.

  1. Preference List (only APP)

If you have an account, you will have the opportunity to select your preferred product categories during the APP installation process. Your choice will affect the product recommendations on the webshop home page.

Legal basis
The legal basis for storing your preferences is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest is to boost our business by giving value recommendations. You can review or change your choice and stop sharing your preferences in your account at any time.

Recipients
To provide this service, we use IT service providers.

Retention period
Your preference list will be kept as long as your account is active and you did not stop sharing this information and/or withdraw your explicit consent.

  1. Sharing personal data with third parties

Besides what is described above, disclosure of personal data to third parties only occurs within the framework of legal requirements. We only disclose personal data of users to third parties if this is required, e.g. for billing purposes or other purposes, if the disclosure is necessary to ensure the fulfilment of contractual obligations towards the users (in accordance with Article 6 (1) (b) of the GDPR). We may also disclose personal data to accountants, lawyers and other external advisors based on our legitimate interests in professional consulting services (in accordance with Article 6 (1) (f) of the GDPR and Article 5 (2) (f)).

If we engage subcontractors for our online service, we have made appropriate contractual arrangements as well as adequate technical and organizational measures with these companies.

If we transfer your personal data to recipients whose registered offices are located in a third country, this will be based on adequacy decisions or standard contractual clauses. You can obtain a copy of these clauses by contacting us as stated above.

  1. Data Subject Rights

You have the following rights with regard to the processing of your personal data:

  1. Your Rights Under PDPL
    You have the following rights under the Saudi PDPL:
    1. Right to be informed about the collection and processing of your data
    2. Right to access your personal data
    3. Right to correct or update inaccurate data
    4. Right to delete your data (where applicable)
    5. Right to withdraw consent
    6. Right to file a complaint with the competent data protection authority
    7. You may exercise these rights by contacting us at: M.Saraireh@jah-dutyfree.com
  2. Your Rights Under GDPR
    1. Right of access to your personal data
    2. Right to rectification of your personal data
    3. Right to erasure (‘right to be forgotten’)
    4. Right to restriction of processing of your personal data
    5. Right to not be subject to an automated decision, including profiling
    6. The right to lodge a complaint with a competent data protection supervisory authority.
    7. Right to withdraw consent at any time where processing is based on Article 6 (1) GDPR, Article 9 (1) GDPR or Article 5 (1) of the PDPL without affecting the lawfulness of processing based on consent before its withdrawal.
  1. Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. In case of objection, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

  1. Automated Decision-Making including profiling

Automated decision-making, including profiling, as referred to in Article 22 (1) and (4) GDPR does not exist within our processing activities of your personal data.

  1. Security Measures

We have implemented robust technical, administrative, and organizational safeguards to protect your personal data from unauthorized access, loss, misuse, or alteration. This includes but is not limited to:

  • Access control measures
  • Encryption of sensitive data
  • Regular security assessments and penetration testing
  • Secure storage and restricted physical access to data centers
  • Data Breach Notification

In the event of a data breach that may affect your rights or privacy, we will notify the relevant authorities and affected data subjects within 72 hours, as per PDPL requirements.

  1. Cross-Border Data Transfers

Where your personal data is transferred outside the Kingdom of Saudi Arabia, we ensure such transfers comply with PDPL requirements. Transfers will only be made to jurisdictions offering adequate data protection, or appropriate safeguards such as Standard Contractual Clauses will be implemented. We do not transfer data outside the Kingdom without valid justification and appropriate safeguards.

Status: September 2025