Last updated · 2026-05-21

Privacy Policy

This Privacy Policy explains how Sathtak (the "Company", "we", "us") collects, uses, discloses, and protects personal data when you use our platform, mobile applications, and related services in the Kingdom of Saudi Arabia. This Policy is written in line with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations.

1. Who we are

Sathtak is a technology platform that matches customers with independent tow truck drivers across Saudi Arabia. For the purposes of the PDPL we are the controller of the personal data we collect from customers and drivers through our apps and website.

2. Personal data we collect

Account data: phone number, display name, preferred language, and the role you register under (customer or driver).

Driver verification data: national ID number, driving licence, vehicle registration, vehicle photos, optional authorization letter, and the truck type you operate. We rely on this data to meet our lawful obligation to verify operators on the Platform.

Trip and location data: pickup and destination coordinates, addresses, route information, and live GPS position while a trip is active. Live position is collected only while you are actively taking part in the relevant trip.

Photo evidence: photos captured at pickup, loading, delivery, and completion, which are used to document the service.

Payment data: the agreed trip price, payment identifiers, authorization and capture status. Card numbers and CVV are collected and processed directly by our payment service provider (Tap Payments) and are not stored by Sathtak.

Device and diagnostics: IP address, device model, operating system, approximate location from network signals, crash reports, and basic analytics.

Communications: messages sent to support, notifications delivered via SMS or WhatsApp, and records of in-app actions.

3. Why we use your data

To operate the Platform: create and authenticate accounts, match customers with nearby drivers, show offers, compute trip progress, deliver notifications, and display ratings.

To process payments: authorize the agreed amount, capture on trip completion, void authorizations on cancellation, and handle refunds where applicable.

To protect safety and prevent fraud: verify driver documents, detect suspicious patterns, investigate incidents, and enforce these Terms and our internal safety policies.

To comply with legal obligations, including requests from competent authorities and tax, consumer protection, and transport regulations.

To improve the service: aggregated and de-identified analysis of usage patterns and service performance.

5. Who we share data with

The other party to your trip: customers see the driver's name, truck type, plate, rating, and live location while the trip is active; drivers see the customer's pickup and destination and the agreed price. We do not share your phone number with the other party by default.

Tap Payments: payment service provider that processes card data and authorizations.

Cloud storage: we use Cloudflare R2 (S3-compatible object storage) to host uploaded photos and documents under secure URLs.

Messaging providers: SMS and WhatsApp providers used to deliver OTPs and trip notifications.

Law enforcement and regulators, where we are required by law or compelled by a valid order to disclose data.

Professional advisors (legal, accounting, auditors) bound by duties of confidentiality.

We do not sell personal data. We do not use your personal data for third-party advertising.

6. Retention

Account data: retained while your account is active and for a reasonable period after closure to support dispute resolution, legal obligations, and anti-fraud analysis.

Driver KYC documents: retained for the period required by Saudi law and internal risk policy, and for the duration of the driver's relationship with Sathtak.

Trip records and location traces: retained to support customer support, audits, and legal claims. Raw high-frequency location points may be aggregated or deleted after a shorter period.

Payment records: retained for the period required by tax and accounting law.

We delete or anonymize personal data when the retention period ends and there is no other lawful ground to keep it.

7. Cross-border transfers

Our primary infrastructure is hosted in the Kingdom of Saudi Arabia or in regions permitted under the PDPL. Where a service provider processes data outside the Kingdom, we rely on the PDPL's conditions for cross-border transfers and require the provider to apply safeguards equivalent to those we apply ourselves.

8. Your rights

Subject to the PDPL you have the right to: be informed of how your data is processed; access your data; request correction of inaccurate data; request deletion where processing is no longer necessary and no other lawful ground applies; and object to processing for specific purposes.

To exercise a right, write to Support@sathtek.app from the phone number or email linked to your account. We may ask you to verify your identity. We respond within the period required by the PDPL.

You also have the right to file a complaint with the competent Saudi authority supervising personal data protection.

9. Security

We use industry-standard technical and organizational measures to protect personal data, including encryption in transit (HTTPS/TLS), authenticated object-storage URLs, JWT-based access control, role separation, and logging. No system is entirely secure; we continually improve our controls and promptly notify affected users of any breach that poses material risk, as required by law.

10. Children

The Platform is not directed to persons under the age of 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will remove the account.

11. Cookies and similar technologies

Our websites and apps use strictly necessary cookies and local storage to keep you signed in, remember your language preference, and secure sessions. We do not use third-party advertising cookies. You can clear cookies from your device at any time, but doing so may log you out.

12. Changes to this Policy

We may update this Policy to reflect changes in law, technology, or our operations. We will notify you of material changes through the Platform or by email at least seven (7) days before they take effect.

Contact the Data Controller

For questions about your personal data or to exercise your rights, email Support@sathtek.app. We reply within the statutory period set by the PDPL.
