PDPL aligned

Privacy & Data Protection.

How Wateer collects, uses, and protects your personal data under the Saudi Personal Data Protection Law (PDPL), Royal Decree M/148 (1444 AH).

Version: 2026-04-08

1. Who we are

Wateer is operated by Mesarat Wateer for Information Technology, a company registered in the Kingdom of Saudi Arabia. We process personal data as a Data Controller under the Personal Data Protection Law (PDPL) issued by Royal Decree M/148 dated 5/9/1444 AH (27/03/2023 AD) and its Implementing Regulations.

Our Data Protection Officer (DPO) is registered with SDAIA and is the primary contact for any privacy-related inquiry.

2. Data we collect

We collect only what we need to deliver the service:

  • Account data — name, email, organisation, role.
  • Identity verification data — when required by ZATCA or KYC obligations.
  • Receipt data — transaction records you push to us as part of the digital receipt service.
  • Technical data — IP address (hashed within 24 hours), browser type, device type. Used only for security and abuse prevention.
  • Analytics data — anonymous, cookieless page views via self-hosted Umami on the same Saudi VPS. No third-party trackers, no cross-site identifiers.

3. Lawful basis for processing

PDPL Article 6 sets out the lawful bases. We rely on:

  • Contract — to deliver the digital receipts service you signed up for.
  • Legal obligation — ZATCA e-invoicing, AML, and tax reporting requirements.
  • Legitimate interest — security, fraud prevention, service improvement (always balanced against your rights).
  • Consent — for any optional analytics, marketing, or functional cookies. You can withdraw consent at any time from the Privacy settings link in the footer.

4. Where your data lives

All Wateer data — including this website, the Payload CMS database, the analytics database, and uploaded media — is stored on infrastructure inside the Kingdom of Saudi Arabia. We do not transfer personal data outside the Kingdom without an explicit lawful basis under PDPL Articles 29-30 (cross-border transfer) and SDAIA approval where required.

Backups, logs, and operational telemetry remain inside the same jurisdictional boundary.

5. How long we keep it

We keep personal data only as long as we need it:

  • Account data — for the lifetime of the account, plus 90 days after closure.
  • Receipt data — as required by ZATCA (currently 6 years) and then deleted.
  • Hashed IPs — rotated daily. Same IP collapses to the same hash within a day, then is unrecoverable.
  • Consent audit log — kept for the lifetime of the active consent plus 3 years (PDPL evidentiary requirement).

6. Your rights

Under PDPL Articles 4 and 9-12, you have the right to:

  • Be informed of how your data is processed (this page).
  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion (the 'right to be forgotten') subject to legal retention requirements.
  • Withdraw consent at any time, as easily as it was granted (Privacy settings link in the footer).
  • Object to processing based on legitimate interest.
  • Lodge a complaint with the Saudi Data & AI Authority (SDAIA).

7. Cookies and tracking

Wateer uses only strictly necessary cookies by default — session, security, language preference. Anything beyond that requires your explicit, informed consent through the consent banner.

Analytics is provided by self-hosted Umami running on the same VPS as the site. Umami uses no cookies and no fingerprinting; it counts pageviews using a daily-rotating hash. Even so, we ask for your consent before loading the tracker.
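To make the "daily-rotating hash" idea in sections 5 and 7 concrete, here is an added illustration of how such a scheme behaves. It is not Wateer's or Umami's code; the function names, the 32-byte random salt and the in-memory salt table are assumptions for the example. The property it demonstrates is the one the policy relies on: within one day the same address always maps to the same pseudonym, a new day gives an unrelated pseudonym, and once a day's salt is discarded nobody holding the stored hashes can link them back to an address (a plain unsalted hash would not give that guarantee, because the IPv4 space is small enough to enumerate).

```python
import hashlib
import hmac
import secrets

# Per-day secret salts keyed by ISO date string (assumption: kept only in memory).
# Discarding a day's entry is what makes that day's hashes unrecoverable.
_daily_salts: dict[str, bytes] = {}


def salt_for_day(day: str) -> bytes:
    """Return the random 32-byte salt for `day` (e.g. "2026-04-08"), creating it on first use."""
    if day not in _daily_salts:
        _daily_salts[day] = secrets.token_bytes(32)
    return _daily_salts[day]


def hash_ip(ip: str, day: str) -> str:
    """Pseudonymise an IP address with an HMAC-SHA256 keyed by that day's secret salt."""
    return hmac.new(salt_for_day(day), ip.encode("ascii"), hashlib.sha256).hexdigest()


def forget_day(day: str) -> None:
    """Rotate past a day: delete its salt so stored hashes can no longer be linked to addresses."""
    _daily_salts.pop(day, None)


def can_link(ip: str, day: str, stored_hash: str) -> bool:
    """Could someone still holding the salt confirm that `stored_hash` belongs to `ip`?
    Returns False once the day's salt has been discarded."""
    if day not in _daily_salts:
        return False
    return hmac.compare_digest(hash_ip(ip, day), stored_hash)


def demo() -> dict:
    """Walk through one address across two days; returns the observations for checking."""
    ip = "203.0.113.7"          # constructed sample address from a documentation range
    other_ip = "203.0.113.8"    # constructed: a neighbouring address
    day1, day2 = "2026-04-08", "2026-04-09"

    h_day1 = hash_ip(ip, day1)
    result = {
        "stable_within_day": hash_ip(ip, day1) == h_day1,
        "changes_across_days": hash_ip(ip, day2) != h_day1,
        "distinct_ips_differ": hash_ip(other_ip, day1) != h_day1,
        "linkable_while_salt_held": can_link(ip, day1, h_day1),
    }
    forget_day(day1)
    result["linkable_after_rotation"] = can_link(ip, day1, h_day1)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The security-relevant detail is the rotation step: the retention promise ("then is unrecoverable") holds only if the old salt is actually deleted and never logged or backed up, so that is the control worth verifying in an audit rather than the hash function itself.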

We use no third-party advertising pixels, no Facebook/Google tracking, no session-replay tools. If we ever add any, the consent banner will re-prompt you with the new policy version.

8. Security

Wateer is built on encrypted-in-transit (TLS 1.3) and encrypted-at-rest infrastructure. The admin panel is protected by obscured routing, strong password requirements, and per-user access control. We follow the principle of least privilege across the engineering team.

Security incidents that may affect personal data are reported to SDAIA within 72 hours under PDPL Article 22, and to affected users without undue delay.

9. Changes to this policy

When we change what data we collect, who we share it with, or the lawful basis we rely on, we bump the policy version (shown above) and the consent banner re-prompts you on your next visit. Older versions of this policy are archived and available on request from the DPO.

Data Protection Officer

Questions, access requests, deletion requests, or complaints — write to our DPO. Under PDPL Articles 9-12, we'll respond within 30 days.

[email protected]