Privacy Policy

Last Updated: December 17, 2025

Introductory Disclaimer

This Privacy Policy outlines how YAL, a Kuwait-based travel and social connection platform operated under EHTIKAM Group, collects, uses, and safeguards personal information in compliance with the laws of the State of Kuwait (Law No. 20 of 2014 on Electronic Transactions, Law No. 63 of 2015 on Cybercrime, and CITRA data-protection regulations). It also reflects the principles of the GCC Unified Data Protection Framework (2024) and international best practices aligned with the EU GDPR. By using YAL, you agree to this Policy and consent to lawful processing of your data in accordance with Kuwaiti and regional standards.

1. Introduction

YAL is a digital travel platform connecting travelers, hosts, and adventure enthusiasts across Kuwait and beyond. We maintain transparency and privacy in every data-handling activity. This Policy explains how we collect and use personal information throughout your interaction with YAL. It applies to all users browsing, booking, or organizing trips via our website and mobile application. Our aim is to process data securely, responsibly, and in full compliance with Kuwaiti law.

2. Legal Foundations

YAL processes personal data in accordance with Law No. 20 of 2014 (E-Transactions Law), Law No. 63 of 2015 (Cybercrime Law), and CITRA Cybersecurity Guidelines. We apply GCC Data Protection Principles (2024) to ensure data is collected for legitimate purposes and safeguarded from misuse. International best practices like GDPR are integrated to guarantee high protection standards. All processing is lawful, transparent, and limited to the minimum necessary scope.

3. Scope

This Policy applies to everyone interacting with YAL, including users, hosts, and partners. It governs all data collected through our digital channels within and outside Kuwait. It also covers emails, forms, and in-app messages. By accessing YAL from other jurisdictions, you agree that processing is subject to Kuwaiti law and this Policy. Third-party processors working on our behalf are equally bound by these rules.

4. Categories of Data Collected

YAL collects identification and contact data (name, email, phone, nationality, date of birth), Persona ID verification data (ID image, facial recognition), technical data (IP, device, browser), usage data (searches, trip history, messages), and financial data (payments and transactions). All data is lawfully collected to provide services and improve platform performance. Collection is limited to what is relevant and necessary for legitimate operations.

5. Purpose of Processing

Data is processed only for legitimate business and operational purposes such as account management, booking facilitation, identity verification, and platform security. It also supports customer service, personalization, and legal compliance. We do not sell personal data; every processing activity has a lawful basis under Kuwaiti and GCC frameworks. Our goal is to maintain trust and transparency in data handling.

6. Persona ID Verification

To verify user identity, YAL uses Persona, a CITRA-compliant verification provider. Persona validates government IDs and facial biometrics through encrypted systems to prevent fraud and duplicate accounts. All biometric data is retained for no longer than 90 days before secure deletion. Both Persona and YAL comply with Kuwaiti, GCC, and international laws on biometric data protection.

7. Data Accuracy

Users must ensure that the information they provide is accurate and current. Updated data enables smooth transactions and effective communication. YAL may suspend accounts containing false or outdated details. Accurate records support regulatory compliance and platform integrity. We periodically verify stored data to maintain reliability.

8. Payment and Financial Security

Payments are processed via PCI-DSS-certified gateways such as UPayments and Stripe. We comply with Central Bank of Kuwait and CITRA e-payment standards and encrypt sensitive financial data. Full card numbers are never stored; only transaction references and billing details are kept for audit purposes. Regular security audits protect users against fraud and unauthorized access.

9. Data Retention

YAL retains personal data only as long as necessary to fulfil legal and operational purposes. Booking records are kept up to seven years for tax and audit compliance. Persona verification data is deleted after 90 days. Customer support records are stored for two years, while anonymized analytics may be kept indefinitely. Expired data is securely deleted or anonymized.

10. Data Security

We apply comprehensive security controls including encryption, firewalls, and access management to protect data confidentiality and integrity. Employees handling data receive training and sign confidentiality agreements. Systems undergo periodic audits under CITRA and ISO 27001 standards. While no system is risk-free, YAL continuously improves security to safeguard user trust.

11. Cloud Infrastructure and Sub-Processors

YAL's data is hosted securely in CITRA-approved data centers located in Kuwait and selected GCC regions, including AWS and Google Cloud facilities that meet ISO/IEC 27001 and 27701 certification requirements. We engage specialized sub-processors for analytics, messaging, and cloud backup. Each provider operates under a Data Processing Agreement with strict confidentiality and security terms. All vendors are vetted for compliance with Kuwaiti and GCC privacy regulations. Oversight and audits ensure that personal data remains protected and lawfully processed.

12. Cross-Border Data Transfers

If data must be transferred outside Kuwait, YAL ensures equal protection under the CITRA Cross-Border Transfer Framework and GCC Data Protection Principles (2024). Transfers are encrypted and governed by Standard Contractual Clauses (SCCs) or equivalent safeguards. We never transfer data to jurisdictions without adequate privacy laws unless additional legal protections are in place. Users will be informed of non-GCC transfers when required. Our goal is to ensure data sovereignty while maintaining global service reliability.

13. Sharing of Data

YAL shares data only with authorized service providers such as payment processors, cloud hosts, and identity-verification partners. All recipients are contractually obligated to handle information securely and confidentially. YAL does not sell or rent personal data to any third party. Data may be disclosed to regulators or courts only upon lawful request under Kuwaiti jurisdiction. All sharing is limited to the minimum information necessary to perform essential functions.

14. Automated Processing and Artificial Intelligence Systems

YAL employs AI-based tools to improve recommendations, detect fraud, and analyze trends. These systems assist human moderators but do not make binding or legally significant decisions autonomously. Users may request explanations or human review of any automated decision. Our AI operations comply with CITRA's Responsible Data Use Charter and ethical AI standards. Automation is designed to enhance user experience while ensuring fairness and accountability.

Important Note: For more details about our complete privacy policy, please contact us at legal@yalapp.co