Privacy Policy
1. Introduction
Alinma Capital, licensed by the Capital Market Authority (CMA) under licence number (37-09134), is committed to protecting the personal data of its clients and all related parties. The Company places significant importance on transparency in how personal data is collected, used, processed, and safeguarded in the course of its investment and financial activities.
This Privacy Policy sets out the Company's approach to the processing of personal data, including the rights of data subjects and the means by which those rights may be exercised, in accordance with applicable laws and regulatory requirements. For the purposes of this Policy, a "Data Subject" refers to any natural person who is directly or indirectly identifiable through the personal data processed by the Company.
The Company processes personal data in accordance with the Personal Data Protection Law of the Kingdom of Saudi Arabia, issued by Royal Decree No. (M/19) dated 9/2/1443H (the "Law"), its Implementing Regulations, and the instructions and controls issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), the Capital Market Authority (CMA), and other competent regulatory authorities.
This Policy applies to all clients, counterparties, and related parties with whom the Company engages in connection with its investment and financial services — including domestic and international securities brokerage, asset management, investment funds, investment banking, wealth management, custody services, and alternative investments — as well as to job applicants through the Company's recruitment channels.
2. Definitions and Terminology
The following terms, as used in this Privacy Policy, shall have the meanings set out below, unless the context otherwise requires:
- Personal Data: Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of a personal nature.
- Processing: Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.
- Data Controller / the Company: The entity that determines the purposes and means of processing personal data, whether such processing is carried out by the Controller itself or by a processor acting on its behalf. For the purposes of this policy, the Data Controller is Alinma Capital.
- Data Processor: Any public entity, natural person, or private legal person that processes personal data for the benefit of and on behalf of the Data Controller.
- Data Subject: The natural person to whom the personal data relates, and who is directly or indirectly identifiable through such data.
- Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- The Law: The Personal Data Protection Law of the Kingdom of Saudi Arabia, issued by Royal Decree No. (M/19) dated 9/2/1443H.
- SDAIA: The Saudi Data and Artificial Intelligence Authority, the competent authority responsible for overseeing the implementation of the Law.
- Data Protection Officer (DPO): One or more natural persons appointed by the Controller to be responsible for monitoring the implementation of the provisions of the Law and its Implementing Regulations, overseeing the procedures applied by the Controller, and receiving requests related to Personal Data in accordance with the provisions of the Law and its Implementing Regulations.
- Cookies: Small data files or similar digital technologies stored on the user's device when browsing the Company's website or using its application, which enable the website or application to recognize the device, retain user preferences, analyze usage patterns, and support marketing activities, in accordance with the Company's Cookie Policy and applicable regulations.
3. Categories of Data Subjects
The Company processes the personal data of various categories of data subjects in connection with its investment and financial services and activities, including the following:
3.1 Contracting Party
A natural person who has, or is seeking to establish, a contractual relationship with the Company, including but not limited to:
- Subscribers or prospective subscribers to investment funds, including public, private, family, real estate, endowment, and private equity funds.
- Holders of local or international brokerage portfolios, or applicants to open such portfolios.
- Recipients of investment advisory services, or persons seeking to obtain such services.
- Recipients of wealth management and investment portfolio management services.
- Participants in Initial Public Offerings (IPOs) and capital markets offerings in their personal capacity.
- Strategic partners or business owners acting in their individual natural capacity.
- Recipients of custody services for local or international securities.
3.2 Related Party
A natural person associated with a Contracting Party or prospective Contracting Party, including but not limited to:
- Board members or authorized signatories of legal entities.
- Direct or indirect shareholders, beneficial owners, and controlling persons of legal entities.
- Beneficiaries of investment funds, private family funds, or endowment funds.
- Founders, board members, or supervisors of endowments (Waqf).
- Authorized signatories on investment portfolios or brokerage accounts.
- Authorized representatives, staff of external asset managers, institutional clients, and fund distributors.
- Shari'a advisors or Zakat advisors appointed by the Contracting Party.
- Family members or persons authorized to communicate with or receive correspondence on behalf of the data subject in emergency situations.
3.3 Other Data Subject
Natural persons who do not hold a direct contractual relationship with the Company, but who communicate with it or interact with its services or activities, including but not limited to:
- Visitors to the Company's offices and premises.
- Attendees of investment events, seminars, and fund launch sessions.
- Social media users who engage with the Company's digital content.
- Journalists and media representatives.
- Any person who contacts the Company for any lawful purpose.
3.4 Digital and Electronic Channel Users
Natural persons who use the digital channels and platforms made available by the Company, including but not limited to:
- Users of the Alinma Capital electronic trading platform for local or international markets, including Alinma International services.
- Users of the Alinma Capital mobile application.
- Users of telephone trading services or interactive voice response systems.
- Users of technical analysis or financial purification (Tatheer) services via the Company's digital platforms.
- Users of the "Nasih" digital financial advisory service provided through the Company's digital channels.
4. Categories of Personal Data Collected by the Company
The Company may collect and process various categories of personal data depending on the nature of the relationship and the services provided, including but not limited to the following:
- Basic Identification Data: Full name, residential address, phone number, email address, date and place of birth, nationality, and handwritten or electronic signature.
- Official Identification Numbers: National ID number, residency number, passport number, and tax identification number for international clients where applicable.
- Professional and Occupational Data: Nature of professional activity, job title, employer, salary, employment history, and classification as a Politically Exposed Person (PEP) where applicable.
- Family Data: Marital status, number of dependents, and data relevant to wealth management services or family and endowment fund arrangements.
- Financial and Economic Data: Asset size, sources of funds and wealth, annual income, and outstanding financial liabilities.
- Contract and Authorization Data: Portfolio management agreements, fund subscription contracts, powers of attorney, and delegation authorities.
- Account and Investment Portfolio Data: Local and international brokerage portfolio numbers, fund account numbers, and custody account references.
- Due Diligence and Compliance Data: Results of anti-money laundering and counter-terrorism financing (AML/CTF) checks, Politically Exposed Persons (PEPs) screening, sanctions list checks, and beneficial ownership verification.
- Investment Data: Investment profile, risk tolerance level, suitability and appropriateness assessment results, and investor classification.
- Transaction Data: Buy and sell orders in local and international markets, fund subscription and redemption requests, transfer instructions, and related financial transactions.
- Behavioral and Digital Data: Trading patterns and investment behavior, and usage patterns across digital platforms and electronic channels.
- Identifiers and Electronic Data: IP address, session data, browsing behavior, marketing communication tracking data, device type, and operating system.
- Identification and Electronic Authentication Data: Login credentials, biometric verification data where applicable (such as fingerprint or facial recognition), and verification data obtained via the Nafath platform or related services.
- Physical and Security Data: CCTV recordings at the Company's premises, and personal photographs where required.
- Telephone Call Recordings: Recordings of telephone trading and customer service interactions, retained for regulatory, quality assurance, and compliance purposes.
- Shari'a Compliance Requirements Data: Financial purification (Tatheer) data, Zakat calculations on portfolios and investments, and verification of compliance with approved Shari'a standards.
- Endowment and Waqf Fund Data: Data relating to the endowment founder (Waqif), endowment supervisors, and beneficiaries, together with any data required to administer the endowment or Waqf fund in accordance with applicable regulations and instructions.
- Real Estate Fund and Alternative Investments Data: Unit ownership data, distribution records, acquisition and exit documentation, and any data associated with the management of alternative investments.
5. Sources of Personal Data Collection
The Company may collect personal data from a variety of sources, whether before, during, or after the commencement of a contractual relationship, including but not limited to the following:
5.1 Direct Interaction with the Data Subject
- Visits to Alinma Capital's offices and premises.
- Relationship managers and wealth management staff during meetings or in-person communications.
- Forms, documents, and contracts submitted by the client or prospective party.
- Electronic, telephone, or written correspondence with the Company.
5.2 Digital Channels and Automated Technologies
- The Alinma Capital electronic trading platform for local and international markets.
- The Alinma Capital mobile application.
- Telephone trading services or interactive voice response (IVR) systems.
- Cookies and similar technologies, in accordance with the Company's Cookie Policy.
- The Nasih digital financial advisory service.
- Social media platforms, when the data subject interacts with the Company's digital content or services.
5.3 Third Parties and Publicly Available Sources
- Government and regulatory authorities, including the Capital Market Authority (CMA), the Ministry of Interior, the Nafath platform, and Elm Company for identity verification purposes.
- The Securities Depository Center ("Edaa") and the Saudi Exchange ("Tadawul").
- The Aamal platform, commercial registries, and other relevant official sources for the verification of legal entity data.
- The Saudi Financial Intelligence Unit (SAFIU) and specialized compliance databases for anti-money laundering and counter-terrorism financing purposes.
- Banks and other financial institutions, within the scope of operational or regulatory relationships connected to the services provided.
- Alinma Bank, as the parent company, within the limits of shared services or joint operations permitted under applicable law.
- Publicly available sources, including websites, media outlets, and social media platforms.
5.4 Counterparties and Transaction-Related Parties
- International brokerage firms or execution partners for trading orders in local or international markets.
- Counterparties in acquisitions, initial public offerings (IPOs), and capital markets transactions.
- External asset managers or entities to which the Company provides custody or related investment services.
- Securities issuers and regulatory or supervisory authorities in jurisdictions where the Company conducts international brokerage or investment operations.
6. Purposes of Personal Data Processing and Legal Bases
The Company processes personal data in accordance with the provisions of the Personal Data Protection Law (PDPL) and its Implementing Regulations. The table below sets out the purposes of processing and the applicable legal basis for each.
| Legal basis | Scope of application |
|---|---|
| Contractual Necessity | Performing contracts entered into with the data subject, or taking steps at the data subject's request prior to entering into a contract, including: local and international securities brokerage services, asset management and investment funds, wealth management, investment banking, custody services, and digital services through the Nasih platform, the trading platform, and the electronic application. |
| Legal Obligation | Compliance with legal and regulatory obligations, including: CMA requirements, suitability and appropriateness assessments, AML/CTF requirements, Securities Depository Center (Edaa) requirements, international tax reporting obligations (CRS/FATCA), SDAIA requirements, and call recording obligations under applicable regulations. |
| Legal Obligation / Explicit Consent | Fulfilling obligations arising from the provisions of Islamic Shari'a or related regulatory requirements, including: financial purification (Tatheer) services for shares and investment funds, Zakat calculation on investment portfolios, and verification of compliance with the standards of the Shari'a Committee for Financial Development. |
| Legitimate Interest | Pursuing the legitimate interests of the Company or its clients, including: the security of technical networks and systems, operation of CCTV and access control at Company premises, credit and liquidity risk management, analysis of clients' investment needs, development of financial products and services, market research and sectoral studies, and targeted marketing activities (subject to the data subject's right to object). |
| Explicit Consent | Marketing communications relating to investment products and services; automated processing in connection with suitability and appropriateness assessments through the Nasih platform and wealth management services; and data sharing with Alinma International or international partners for the execution of transactions in international securities, where no other legal basis is applicable. The data subject may withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal. |
| Vital Interest | Protecting the vital interests of the data subject or of third parties in emergency situations where consent cannot be obtained, such as death, incapacity, or sudden health crises requiring communication with heirs or legal guardians in order to safeguard investment assets. |
7. Retention of Personal Data
The Company shall retain personal data for the period necessary to fulfil the purposes for which it was collected, or for such period as required by applicable regulations and instructions, whichever is longer, as set out in the table below.
| Data Category | Retention Period |
|---|---|
| Anti-money laundering data, Know Your Customer (KYC) documentation, and client data in accordance with CMA requirements | Ten (10) years from the date of termination of the relationship or completion of the transaction |
| Contract and investment portfolio data | Duration of the contractual relationship, plus ten (10) years |
| Telephone call recordings (trading services and customer service) | Ten (10) years in accordance with Capital Market Authority requirements |
| International tax reporting data (CRS/FATCA) | In accordance with the requirements of applicable tax regulations and international agreements |
| CCTV recordings | In accordance with approved internal policy and applicable regulatory requirements |
| Cookies and session data | In accordance with the Company's Cookie Policy |
| Data subject to dispute or legal proceedings | Until conclusion of the proceedings or issuance of a final judgment or decision |
The Company may retain personal data beyond the periods set out above where required by applicable regulations, instructions, or orders issued by competent judicial or supervisory authorities, or for the duration of any judicial, regulatory, or supervisory proceedings to which the Company is a party.
8. Recipients of Personal Data
The Company may disclose or share personal data in accordance with the provisions of the Law and applicable regulations and instructions, for legitimate purposes connected to the services provided, with the following categories of recipients:
8.1 Company Employees
Access to personal data is restricted to authorized employees of the Company whose job responsibilities require such access in order to fulfil contractual or regulatory obligations, in accordance with the need-to-know principle, and subject to the professional confidentiality obligations stipulated in applicable regulations and instructions, including the requirements of the Capital Market Authority (CMA).
8.2 Subcontractors and Data Processors
The Company may disclose personal data to entities acting as data processors on its behalf, including but not limited to the following:
- IT service providers, electronic systems operators, and cloud service providers.
- Domestic and international electronic trading platform providers.
- Identity verification and due diligence service providers, including the Nafath platform and Elm Company.
- Communication service providers, email service providers, and customer relationship management (CRM) system operators.
- Alinma Bank, as the parent company, within the framework of shared services or joint operations permitted under applicable law.
The Company is committed to entering into appropriate data processing agreements with these entities to ensure the protection of personal data and to require them to implement appropriate technical and organizational measures in accordance with applicable laws and instructions. The Company does not sell personal data or share it for commercial purposes with any party not authorized under the Law.
8.3 Competent Authorities and Other Recipients
Personal data may be disclosed to the following entities where necessary or required under applicable regulatory obligations:
- Judicial, administrative, and supervisory authorities, including the Capital Market Authority (CMA), the Saudi Data and Artificial Intelligence Authority (SDAIA), the Saudi Financial Intelligence Unit (SAFIU), and the competent courts.
- Brokerage firms operating in local or international financial markets.
- The Securities Depository Center ("Edaa") and the Saudi Exchange ("Tadawul").
- Issuers of securities and investment funds, and their appointed agents.
- Counterparties in financial or investment transactions.
- External auditors, professional advisors, and legal counsel.
- Shari'a supervisory bodies or committees, and valuation bodies connected to the services provided.
- Local or international custodian entities within the framework of custody and investment services.
9. Transfer of Personal Data Outside the Kingdom of Saudi Arabia
The Company may transfer personal data to recipients outside the Kingdom of Saudi Arabia in accordance with the provisions of the Law and its Implementing Regulations, in the following circumstances:
- Fulfilment of contractual obligations through the execution of transaction orders in international securities via Alinma International.
- Compliance with legal obligations relating to international tax reporting requirements (CRS/FATCA).
- Where the data subject has provided consent for the transfer in cases where the Law requires it.
- Where the transfer is necessary to fulfil regulatory, supervisory, or operational obligations connected to the investment services provided.
Where personal data is transferred to a country that does not ensure an adequate level of data protection, the Company shall ensure that such transfers are subject to appropriate safeguards, including standard contractual clauses and other legally recognised transfer mechanisms as approved by SDAIA, and that any necessary technical measures are applied.
10. Automated Decision-Making and Profiling
10.1 Automated Decision-Making
The Company does not make decisions based solely on fully automated processing, without human intervention, where such decisions produce legal effects or otherwise significantly affect the interests of the data subject.
Any results or indicators generated by technical systems or analytical tools are used exclusively to support human decision-making, and are always subject to review and assessment by competent personnel, in accordance with applicable regulations and instructions.
10.2 Profiling
The Company may process personal data using technical or automated means for legitimate purposes and in accordance with the provisions of the Law, including but not limited to the following:
- Assessing the suitability and appropriateness of investment products and services in accordance with CMA requirements.
- Classifying risk levels and monitoring unusual patterns for the purposes of fraud detection and anti-money laundering and counter-terrorism financing (AML/CTF) compliance.
- Tailoring services to align with clients' investment objectives and preferences.
- Analyzing data for the purposes of service improvement, systems development, and the enhancement of oversight and risk management frameworks.
The Company does not rely on profiling or automated processing as the sole basis for any decision that produces legal effects or otherwise materially affects the data subject. All relevant outputs are subject to appropriate human review in accordance with applicable regulations and instructions.
11. Security and Protection of Personal Data
The Company implements appropriate technical and organizational measures to protect personal data against loss, unauthorized access, unlawful alteration, unlawful disclosure, or destruction, including the following:
- Encryption: Protection of personal data in transit and at rest using approved encryption protocols.
- Access Controls: Restriction of access to personal data to authorized personnel only, on the basis of the need-to-know principle.
- Security Monitoring: Continuous monitoring of systems and networks to detect and respond to security threats.
- Penetration Testing: Periodic security assessments of systems and infrastructure to identify and address vulnerabilities.
- Training and Awareness: Regular programmes to build the data protection and cybersecurity awareness of Company employees.
- Incident Management: Approved procedures for the detection, reporting, and handling of personal data security incidents.
In the event of a personal data breach that is likely to pose a risk to the rights and freedoms of data subjects, the Company shall notify the competent authorities in accordance with the requirements of the Law, its Implementing Regulations, and the directives of SDAIA.
Note: While the Company takes all reasonable measures to protect your personal data, the security of data transmitted over the internet cannot be fully guaranteed. You are advised to keep your login credentials confidential and not to disclose them to any third party.
12. Cookies and Similar Technologies
The Company uses cookies and similar technologies across its website and applications for the purposes of enhancing user experience, analyzing usage patterns, strengthening system security, and managing marketing and user preferences where applicable.
For further details on the types of cookies used, their purposes, and how they may be managed, please refer to the Company's Cookie Policy, published on the Company's website and applications.
13. Data Subject Obligations and Consequences of Non-Disclosure
13.1 Obligation to Provide Data
The provision of certain personal data may be a statutory or contractual requirement for establishing a contractual relationship with the Company and for the provision of certain financial and investment products and services.
In accordance with applicable regulations and instructions, including AML/CTF requirements, the Company is required to verify the identity of clients and related parties as appropriate.
The data subject is also required to provide the Company with accurate and up-to-date personal data, and to notify the Company of any material changes to their data in connection with the services provided, including identification, suitability, and appropriateness data, where required.
The Company shall take reasonable steps to verify the accuracy, completeness, and currency of personal data in accordance with the purpose of processing and the nature of the services provided.
The data subject is responsible for maintaining the confidentiality of their login credentials and for refraining from sharing them with any third party. The data subject must notify the Company immediately upon suspecting any unauthorized use of their account or credentials.
13.2 Consequences of Non-Disclosure
Failure to provide the Company with required personal data, or failure to keep such data up to date, may result in the Company's inability to provide certain services or to maintain the contractual relationship, in accordance with applicable legal and regulatory requirements. The Company may also be required to restrict or suspend certain services, or to terminate the contractual relationship, in circumstances where the relevant regulations so require.
14. Data Subject's Rights
Every data subject whose personal data is processed by the Company has the right to exercise the rights stipulated in the Personal Data Protection Law, to the extent permitted by the relevant regulations and instructions.
The Company is committed to acknowledging and responding to requests within a period not exceeding thirty (30) days from the date of receipt of a complete request. This period may be extended by a further thirty (30) days where required, as permitted under the applicable regulations, provided that the data subject is notified of such extension.
| Right | Content |
|---|---|
| Right to be Informed | Access information about the personal data being processed, the purposes of processing, the legal basis, and the applicable retention period. |
| Right of Access | Obtain a copy of the personal data held by the Company, in accordance with applicable legal requirements. |
| Right to Rectification | Request the correction of inaccurate data, or the completion or updating of incomplete data. |
| Right to Erasure | Request the erasure of personal data in cases permitted under the Law, taking into account applicable legal and regulatory obligations. |
| Right to Restriction of Processing | Request the restriction of the processing of personal data in cases permitted under the Law. |
| Right to Object | Object to processing based on legitimate interest, or to processing connected to direct marketing. |
| Withdrawal of Consent | Withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal. |
| Right to Lodge a Complaint | Submit a complaint to the Saudi Data and Artificial Intelligence Authority (SDAIA) in the event of an alleged violation of the provisions of the Law. |
Requests may be rejected in whole or in part in cases excluded under the Law, with reasons provided to the data subject where possible.
The exercise of certain rights is subject to statutory limitations or exceptions, including circumstances relating to national or public security, legal and regulatory obligations, the protection of trade secrets and confidential information, or the rights and privacy of third parties.
Requests to exercise the above rights should be submitted through the communication channels set out in Section 17 of this Policy. The Company reserves the right to verify the identity of the applicant prior to processing any request.
15. Job Applicants
The Company processes the personal data of job applicants received through its careers page or other recruitment channels, for the purposes of managing recruitment processes and evaluating employment applications, in accordance with the provisions of the PDPL and applicable regulations and instructions.
15.1 Categories of Data Processed
The personal data that the Company may process in connection with job applicants includes the following:
- Personal Identification Data: Full name, national ID number or residency number where applicable, date of birth, nationality, address, and contact details.
- Professional and Educational Data: Curriculum vitae (CV), academic qualifications, work experience, professional certifications, and letters of recommendation.
- Recruitment and Assessment Data: Results of interviews, tests, and evaluations conducted as part of the recruitment process.
- Compliance Data (where applicable): Background screening results or any regulatory requirements associated with the relevant position.
15.2 Purposes of Processing and Legal Bases
The Company processes the personal data of job applicants for the following purposes:
- Reviewing employment applications, conducting interviews and assessments, and taking all necessary steps in connection with the recruitment process, based on the need to take steps at the request of the data subject prior to entering into the contract, or with explicit consent where appropriate.
- Compliance with applicable regulations, instructions, and regulatory requirements on the basis of legal obligation.
- Protecting the interests of the Company and ensuring the security of its systems and operations, on the basis of legitimate interest.
15.3 Retention of Applicant Data
The Company shall retain the personal data of job applicants for a period not exceeding two (2) years from the date of the last communication or action related to the employment application, unless a longer retention period is required by applicable regulations or regulatory requirements, or unless the data subject requests erasure of their data prior to that period where legally permissible.
15.4 Applicants' Rights
Job applicants are entitled to exercise all rights set out in the Data Subject's Rights section of this Policy, and may do so by contacting the Data Privacy Team through the communication channels described in the Contact Details section. Certain rights may be subject to legal limitations or exceptions in accordance with applicable laws and instructions.
16. Privacy of Minors and Persons with Limited or No Legal Capacity
16.1 Minors (Under the Age of Eighteen)
The Company's services are not directly targeted at minors under the age of eighteen (18), and the Company does not knowingly collect their personal data except where required by applicable regulations or the nature of the service necessitates it. The Company encourages parents, guardians, and trustees to monitor their children's and wards' use of digital platforms and to refrain from providing the Company with any personal data relating to minors without their supervision.
Exceptionally, the Company may process the data of minors in the following cases:
- Where the minor is a beneficiary of a family or endowment investment fund, on the basis of consent granted by their guardian or legal trustee.
- Where the minor is an heir in inheritance proceedings or ownership transfer procedures, in accordance with approved documentation or judicial decisions.
- Where the minor is a beneficiary of accounts or arrangements subject to legal guardianship, with the approval of the competent authority or legal guardian.
Should the Company determine that the personal data of a minor has been collected without a lawful basis, or without the consent of their guardian or legal trustee where required, it will take appropriate remedial measures, including the erasure of such data where legally permissible.
16.2 Persons with Limited Legal Capacity
A person with limited legal capacity is a natural person who possesses partial legal capacity under the provisions of the Personal Status Law, such as a minor approaching the age of majority or a person subject to a judicial ruling limiting their legal capacity. The Company processes the personal data of such persons in accordance with the following:
- Consent provided by their guardian, trustee, or legal representative, accompanied by the relevant legal documentation establishing the guardianship or representation.
- Approved legal bases — including contractual necessity or legal obligation — where a court order or fiduciary obligation requires the Company to engage with such person.
- The scope of authority granted under applicable law, which the Company shall not exceed.
16.3 Persons with No Legal Capacity
A person with no legal capacity is a natural person against whom a judicial ruling of full interdiction has been issued, or who lacks the legal capacity to conduct legal acts under applicable law. The Company shall only engage with such persons through their guardian, trustee, or court-appointed curator acting under valid legal documents or statutory provisions, including:
- Judicial rulings or decisions relating to guardianship, trusteeship, or curatorship.
- Any delegations of authority or statutory documents specifying the scope of powers to act on behalf of the data subject.
The Company is committed to periodically verifying the currency and authenticity of relevant legal documentation, and to taking appropriate measures upon its expiry, revocation, or cancellation.
16.4 Responsibilities of Guardians, Trustees, and Court-Appointed Curators
The guardian, trustee, or court-appointed curator shall be responsible for the following:
- Providing the Company with the legal documentation establishing their status and authority, and any additional documentation the Company may require to verify this in accordance with the instructions of the competent authorities.
- Providing the Company with accurate and up-to-date personal data relating to the data subject they represent.
- Notifying the Company of any change in the data subject's legal capacity status, or in the scope of the guardianship, trusteeship, or delegated authority.
- Exercising the data subject's rights on their behalf to the extent permitted by applicable regulations and instructions.
17. Contact Details & Personal Data Protection Officer
The Company has appointed a Data Protection Officer and a dedicated data privacy team to oversee compliance with the Personal Data Protection Law (PDPL) and its Implementing Regulations, and to receive data subjects' requests, inquiries, and complaints relating to personal data.
| Entity | Alinma Capital |
|---|---|
| Personal Data Protection Officer Email | dataprivacy.AIC@alinmacapital.com |
| Customer Service Phone | 8004413333 (Free within the Kingdom) |
| Address | Olaya, Riyadh, Saudi Arabia |
| Website | www.alinmacapital.com |
Data subjects may contact the Company through the channels set out above to submit requests to exercise their rights under this Policy, or for any inquiries or complaints relating to personal data.
Should a data subject be dissatisfied with the manner in which their request was handled, or should they not receive a response within the statutory period, they have the right to submit a complaint directly to the Saudi Data and Artificial Intelligence Authority (SDAIA) through its official channels, available at the following link:
https://dgp.sdaia.gov.sa/wps/portal/pdp/services/reportscomplaints
Privacy Policy Updates
The Company reserves the right to amend or update this Policy at any time to reflect changes in its activities or in applicable legal and regulatory requirements.
In the event of material amendments, the Company will notify data subjects by appropriate means, including notification by email or publication of a prominent notice on the Company's website and applications. Amendments shall take effect from the date of their publication or notification to data subjects, as required by applicable regulations and instructions.
This Policy was last updated on: May 2026 - Second Version