Panda Logo

Privacy Policy

Panda Retail Company (“Panda”, “we”, “us”, or “our”) is committed to protecting the personal data and privacy of users (“you”, “your”) of our mobile application (the “Panda App”) and website. Please read this Privacy Policy carefully to understand how we collect, use, and protect your personal data when you use our services across our products (including our website and app).

By using our app/website, you agree that we may collect, use, store, transfer, and process your personal data in accordance with this Privacy Policy.

Who We Are and What We Do

Panda Retail Company is a company incorporated in the Kingdom of Saudi Arabia (“Kingdom”), bearing Commercial Registration No. 4030223594 and registered at Savola Group Tower, Taha Khusaifan Street, Ash Shati Dist, 7333 Jeddah 23511, KSA.
Phone: +966 12 239 4000 • WhatsApp: 9200 27707 • Email: customercare@panda.com.sa

Panda is one of the main retail chain businesses in the Middle East and one of the biggest grocery retailers in the Kingdom. This Privacy Policy is intended for Panda’s customers and others who access Panda’s services through online or offline channels.
For the purposes of applicable data protection laws and regulations, Panda’s head office and its branches in the Kingdom are controllers of your personal data. Panda, along with its subsidiaries, affiliates, and related entities, is committed to protecting your personal data in accordance with applicable laws and regulations.

What Is Personal Data & What We Collect

As per applicable data protection laws in the Kingdom, “personal data” means any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual (e.g., name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos, videos, etc.).

The personal data we collect varies by purpose. Examples include:

  • Identity Data: title, full name, gender, nationality, signature sample, National ID/Iqama number, passport details, related documentation, date/place of birth.
  • Contact Data: email address (work/personal), national or business address, job title, phone numbers, marketing preferences.
  • Transaction Data: information about your transactions and products you use, account activity, in-store and online purchases, points earned and redemption (loyalty program), coupons, and vouchers.
  • Payment Data: bank card number, payment amounts, and related details.
  • Third-Party Data: data obtained from other parties.
  • Cookies Data: data collected by website logs, cookies, or similar technologies (including account login details such as username and chosen password).
  • Account Data: information collected from use of our services, websites, or mobile apps (e.g., login info, IP address, mobile number).
  • Usage Data: information about how you use our website, app, and platforms (including date/time, referral, and related analytics).
  • Interaction Data: records of phone calls between you and us, customer support requests, and feedback received via websites, mobile apps, and social media channels.

How We Collect Your Personal Data

We collect personal data directly from you and from other lawful sources. This includes:

  • Onboarding & Product/Service Use: when you become a customer and use our products/services.
  • Direct Interactions: when you use our online services, visit stores, or interact via our various channels.
  • Communication Exchanges: forms uploaded via website/app, email, social posts, call center interactions, and promotional campaigns.
  • Social Media Interactions: posts and interactions you have directly with us on our social media channels.
  • Browsing Patterns: how you explore our website (visit timing, browser type, referrals). See Use of Cookies.
  • Surveys: online surveys about your experience that help us improve our website/app.
  • Third Parties & Public Sources: legal representatives, corporate contacts, service providers, regulators, corporate and business customers, legitimately acquired public sources, and combined external information.

Purpose & Scope of This Privacy Notice

We explain how we collect, use, store, make available, disclose, update, safeguard, destroy, or otherwise process your personal data—and your related rights. Key purposes include:

  • Delivering products and services and processing transactions
  • Assessing and providing products/services
  • Operating our business
  • Improving our products and services

Why We Process Your Personal Information

To provide our products and services and for the reasons set out below. Except where permitted by law, we won’t process your personal data in a way that’s inconsistent with the defined purpose for which it was collected.

Legal Bases & Purposes

We only collect and use personal data as required by our business to provide products and services. Our legal bases and purposes include (but are not limited to):

1) Performance of a Contract

We may need to process your data to:

  • Create your Panda account
  • Provide products/services
  • Enhance products/services and your experience; inform you about key updates/changes (including this Privacy Notice and other terms/policies)
  • Manage identity when you sign in to your Panda account

2) Compliance with Legal Obligations

As a regulated entity, we must meet statutory and regulatory obligations that may require processing your data (e.g., AML/KYC). We also process data to comply with obligations/requirements issued by governmental, legal, and regulatory authorities within the Kingdom.

3) Legitimate Interests

Where necessary to manage our business and protect Panda’s interests, our customers, shareholders, employees, and other third parties. Examples include:

  • Understanding your needs/eligibility for products/services and how you use/interact with them
  • Contacting you for opinions (surveys/market research)
  • Responding to enquiries and recording interactions for analysis/improvement
  • Designing/developing/testing products, services, and solutions (including combining sources/types of data across legal entities and countries, in compliance with laws)
  • Delivering and improving products/services; processing transactions
  • Operating our business; ensuring safety of you and our staff
  • Detecting, investigating, and preventing financial crimes
  • Conducting risk management; ensuring security and business continuity
  • Performing customer targeting analytics
  • Protecting our legal rights

4) Consent

Where required by law, for defined purposes, such as:

  • Sending marketing/advertising communications via telephone, SMS, Email, WhatsApp, in-app notifications, pop-ups (you can opt out at any time—see Direct Marketing).
  • Promoting products/services that may be of interest.

If we rely on consent, you may withdraw it at any time. Withdrawal won’t affect prior lawful processing or other legitimate reasons for processing.

How & Why We Retain Your Personal Data

We keep data in an identifiable form only for as long as needed to:

  • Fulfill the purposes in this Notice
  • Meet business/operational needs
  • Comply with legal and regulatory obligations

We may retain data after its purpose ends if:

  • A legal/regulatory requirement mandates a specific retention period (we then destroy the data upon expiry or when the purpose is satisfied—whichever is longer), or
  • The data is closely related to a case before a judicial authority (we destroy once judicial procedures conclude).

Upon your request, we will delete your account (name, email, phone). A unique, non-identifying customer ID may be retained as per our general T&Cs.

Your Rights

Subject to law, you may have the right to:

  • Be informed about legal basis and purpose of collection
  • Request access to your personal data we hold
  • Request a readable and clear copy of your data
  • Request correction, completion, or updates; restrict processing of incorrect data
  • Request destruction (deletion) of your personal data
  • Withdraw consent you previously gave (where processing is based on consent)
  • Lodge a complaint with the data protection authority regarding our processing
  • Claim compensation for material/moral damage as defined by law

Direct Marketing

We won’t send direct-marketing communications without your prior explicit consent. If you consent and later change your mind, you may opt out at any time by emailing dataprotection@panda.com.sa or following the instructions in the message.

Cross-Border Transfers

We may share your data with affiliates or engage service providers inside or outside the Kingdom (e.g., to deliver services, process transactions/payments, or provide support). We fulfill all requirements related to international transfers of personal data under applicable laws.

Where We Store Your Personal Data

We store data inside and outside the Kingdom (including cloud storage), whether on our servers or those of external providers. We store data for up to three years or as permitted by applicable law/regulation. When destroying data after its intended purpose is fulfilled, we use appropriate technical measures to ensure it cannot be viewed or recovered. Depending on the data type, we use appropriate administrative, technical, and organizational measures to protect against leakage, damage, or illegal access.

How We Protect Your Personal Data

We use physical, technical, administrative, and procedural security measures to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal. Measures include protection against unauthorized access/alteration/disclosure/destruction, considering processing risk and the nature of data processed. Access is restricted to authorized persons with a legitimate need-to-know.

When, How, & With Whom We Share Personal Data

Service Providers
Trusted third parties who help deliver services/run operations, including:

  • Delivery logistics providers
  • Technology providers (analytics, app functionality, marketing/personalization)
  • IT solution providers (hosting, storage, infrastructure, security)

Legal & Regulatory Requirements
We may disclose data to governmental/legal authorities if required by law or in response to valid legal processes.

Payment Processing
Card details and payment information are shared only with authorized payment processors to facilitate transactions. We do not sell, share, rent, or lease your payment information to others.

Business Transfers
In the event of restructuring, sale, merger, or asset transfer, your data may be transferred as part of the transaction.

Employees
Shared on a need-to-know basis for providing services.

Other Third Parties
In limited cases, to fulfill contractual obligations or provide requested services/information, strictly for lawful purposes within the scope of our relationship.

Withdrawing Your Consent

Where we rely on your consent (and no alternate legal basis), you may withdraw it at any time. This does not affect the lawfulness of prior processing.
To withdraw consent, contact our Data Protection Officer (DPO): customercare@panda.com.sa.

If You Don’t Provide Personal Data

The data requested by Panda is necessary to provide products/services. If not provided, we may be unable to comply with legal/regulatory obligations or provide products/services.

Changes to This Privacy Notice

We may amend this Notice at any time. The Effective Date below indicates the latest revision. Check it periodically for updates to ensure you review the most current version.

Use of Social Plugins

We use social plugins (e.g., Facebook, Google) for optional authentication. When you log in, a direct connection to the relevant provider’s servers may be established (which may be overseas), and your plugin content may be transferred to your browser. The provider may receive information about your access even if you don’t have an account or aren’t logged in. If you are logged in and interact with the plugin (e.g., “Like”, comments), the information may be transmitted to the provider and published on your account page per your privacy settings. You can block plugins with browser add-ons (e.g., “Facebook Blocker”). Please read each provider’s privacy policy.

Use of Cookies

To improve your experience, our websites/apps use “cookies” and similar technologies to collect usage information. Some cookies are essential to site/app operation. We limit cookie use to:

  • Providing requested products/services
  • Delivering advertising via marketing communications
  • Enhancing the online experience and tracking performance
  • Helping make our website more relevant to you

Where cookie types aren’t required for basic functionality, we will obtain your consent first.

Limited Employee Access

Access to your personal information is limited to employees with a business need. We educate employees about confidentiality and customer privacy. Approved personnel use individual usernames/passwords to access data, providing audit trails to further safeguard privacy.

Location Services (Mobile)

Our mobile apps may use device location to display the nearest eligible branch for delivery and campaigns/promotions assigned to that store.

Apple Pay

We support Apple Pay for secure checkout. We do not store or process payment information directly. All payment-related data is managed by Apple Pay under its own privacy and security policies. Please review Apple’s Privacy Policy for more details.

Communicating With Us

If you are unhappy with how we process your data or have further questions, contact dataprotection@panda.com.sa.

Complaint or Objection Filing

“Customer Engagement” channels:

  • Contact Center: 9200-27707
  • WhatsApp: 9200-27707
  • Email: customercare@panda.com.sa
  • Social Media: Facebook, Instagram, X, TikTok, Google Reviews
  • App Stores: iOS & Android

Effective Date

Effective Date: May 2025

Disclaimer: This Privacy Notice is not intended to, nor does it, create any contractual rights whatsoever or any other legal rights, nor does it create any obligations on us in respect of any other party or on behalf of any party. When you log in to third parties’ websites, you will not be subject to or under this Privacy Notice. Moreover, we are not responsible for their websites’ content and we do not represent third parties. Therefore, When you leave our website, we recommend you to review the privacy and security policy of each website you visit.