This Privacy Policy describes how PartsBid ("Company", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you access or use the PartsBid platform ("Platform"), including the website at partsbid.com and all associated services.
We are committed to protecting your privacy in compliance with applicable data protection laws across the GCC and MENA region, including:
- Saudi Arabia — Personal Data Protection Law (PDPL), Royal Decree No. M/19 of 2021
- UAE — Federal Decree-Law No. 45 of 2021 on Personal Data Protection
- Qatar — Law No. 13 of 2016 on Personal Data Privacy Protection
- Bahrain — Personal Data Protection Law (PDPL) No. 30 of 2018
- Kuwait — Electronic Transactions Law No. 20 of 2014
- Oman — Royal Decree No. 69/2008 on Information Technology Crime Law
1. Information We Collect
1.1 Information You Provide
When you register, use our services, or communicate with us, we collect:
| Data Category | Examples |
|---|---|
| Identity Data | Full name, job title, authorised representative details |
| Contact Data | Email address, phone number, business address |
| Company Data | Company name, CR number, VAT number, trade licence, country, city |
| Transaction Data | RFQs, bids, quotations, purchase orders, awarded contracts |
| Catalogue Data | Product listings, part numbers, pricing, specifications, images |
| Credential Data | Hashed passwords, OTP verification records (passwords are never stored in plain text) |
| Communication Data | Messages, comments, support inquiries |
1.2 Information Collected Automatically
When you access the Platform, we automatically collect:
- Device Information: IP address, browser type and version, operating system, device identifiers
- Usage Data: Pages visited, features used, click patterns, session duration, referral source
- Cookies & Similar Technologies: Session cookies for authentication, preference cookies. See Section 8 for details.
- Log Data: Server logs including access times, error logs, and security audit trails
2. How We Use Your Data
We process your personal data for the following lawful purposes:
| Purpose | Legal Basis |
|---|---|
| Account registration & verification | Contract performance |
| Facilitating RFQs, bids, and transactions | Contract performance |
| Matching suppliers to relevant RFQs | Legitimate interest |
| Sending email notifications & digests | Legitimate interest / Consent |
| Platform security & fraud prevention | Legitimate interest / Legal obligation |
| Analytics & platform improvement | Legitimate interest |
| Compliance with legal obligations | Legal obligation |
| Invoice generation & VAT compliance | Legal obligation |
3. Data Sharing & Disclosure
We do not sell your personal data. We may share your data in the following limited circumstances:
3.1 With Other Users
When you participate in transactions, certain information (company name, contact details, product listings) is shared with counterparties (e.g., suppliers see buyer RFQ details, buyers see supplier bid details). This sharing is essential for Platform functionality.
3.2 Service Providers
We engage trusted third-party providers who process data on our behalf, including:
- Cloud hosting and infrastructure (data stored in secure, region-appropriate data centres)
- Email delivery services
- Analytics services
- Payment processing partners
All service providers are contractually bound to maintain data confidentiality and security.
3.3 Legal & Regulatory Requirements
We may disclose your data when required by law, regulation, court order, or government request, including requests from authorities in the Kingdom of Saudi Arabia, UAE, or other GCC member states.
3.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.
4. Data Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encryption: All data in transit is encrypted using TLS 1.2+. Passwords are hashed using bcrypt with 12 salt rounds.
- Authentication: Two-factor authentication (2FA) via email OTP is enforced for all logins.
- Access Controls: Role-based access control (RBAC) ensures users only access data relevant to their role.
- Rate Limiting: Brute-force protection on login and registration endpoints.
- Audit Logging: Security-relevant actions are logged for monitoring and incident response.
- Input Sanitisation: All user inputs are sanitised to prevent injection attacks (XSS, SQL injection).
While we take reasonable precautions, no system is completely secure. We cannot guarantee absolute security of your data.
5. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this Policy, subject to the following guidelines:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after deletion |
| Transaction records | 7 years (legal/tax compliance in KSA & GCC) |
| Communication logs | 3 years |
| Security logs | 1 year |
| Marketing preferences | Until consent is withdrawn |
We may retain anonymised or aggregated data indefinitely for analytics and business intelligence purposes.
6. Your Rights
Under applicable GCC data protection laws, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right of Rectification: Request correction of inaccurate or incomplete data.
- Right of Erasure: Request deletion of your data, subject to legal retention requirements.
- Right to Restrict Processing: Request limitation of how we process your data.
- Right to Data Portability: Request your data in a structured, machine-readable format.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
- Right to Object: Object to processing based on legitimate interest.
To exercise any of these rights, contact us at privacy@partsbid.com. We will respond within 30 days of receiving your request.
Note: Certain requests may be refused if they conflict with legal obligations or legitimate business needs.
7. International Data Transfers
Your data may be processed and stored on servers located in the Kingdom of Saudi Arabia, the United Arab Emirates, or other jurisdictions where our service providers maintain infrastructure.
When data is transferred outside the GCC, we ensure adequate safeguards are in place, including:
- Standard contractual clauses
- Data processing agreements with sub-processors
- Compliance with local cross-border transfer requirements
8. Cookies & Tracking Technologies
We use the following types of cookies:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, session management, security | Session / 30 days |
| Functional | User preferences, language settings | 1 year |
| Analytics | Usage patterns, performance monitoring | 1 year |
Essential cookies are necessary for the Platform to function and cannot be disabled. You may disable non-essential cookies through your browser settings.
9. Email Communications
We send the following types of emails:
- Transactional emails: Account verification, OTP codes, bid notifications, order updates. These are essential and cannot be opted out of.
- Service emails: Weekly RFQ digests, supplier match notifications. You may unsubscribe via the link in each email or through your account settings.
- Marketing emails: Platform updates, new features, promotions. Sent only with your consent. You may unsubscribe at any time.
10. Children's Privacy
The Platform is intended solely for business use and is not directed at individuals under the age of 18 (or the legal age of majority in your jurisdiction). We do not knowingly collect data from children. If we become aware that we have inadvertently collected such data, we will promptly delete it.
11. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL). Any disputes related to this Policy shall be resolved in accordance with the dispute resolution mechanisms set forth in our Terms of Service.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights, we will:
- Notify the relevant data protection authority as required by applicable law.
- Notify affected users without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Describe the nature of the breach, the data affected, and the measures taken to address it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on the Platform and updating the "Last Updated" date. Your continued use of the Platform after such changes constitutes acceptance.
We encourage you to review this Policy periodically.
14. Contact Us
For questions, concerns, or data subject access requests, contact our Data Protection team:
- Email: privacy@partsbid.com
- General Inquiries: support@partsbid.com
- Platform: partsbid.com