Tree Digital Insurance Agency

Privacy Policy


TREE, in its day-to-day operations, handles and transacts with a large amount of customer, employee and third-party personally identifiable information (PII). It is integral to the organization that this information, along with all customers' confidential data, is safeguarded and protected against all risks to the highest extent possible. The organization needs to keep certain information on its employees to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

2. Purpose

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights personal or individual data protection procedures within the organization.


This policy applies across the entire organization, including the entire infrastructure, processes and people responsible for processing personal information (including customer information) within the organization. It is intended to secure and safeguard the Personally Identifiable Information (PII) or data related to persons (Data Subjects) which may be collected during our service offers, interaction and processing.


The executive owner of this policy is the Information Security Manager. This policy must be reviewed once a year.


The organization shall protect all personal information which it is responsible for maintaining, including but not limited to data belonging to its customers, employees and third parties. Individuals’ data privacy shall be given the highest importance; personal data shall be strictly used only for its intended purpose and kept up to date as relevant. Such information shall be stored in a secure manner and protected with appropriate levels of security controls. The organization shall adhere to the applicable data privacy laws and regulations that govern it.


The following data privacy policy statements shall be implemented by TREE.

6.1 It shall be clearly defined which personnel have access to personal and customer data and under what circumstances.

6.2 Customer support representatives shall view or access only the customer data specific to the desired support, upon customer request or consent.

6.3 The procedures to collate, process and store/dispose of personal information shall be controlled and in adherence to applicable laws.

6.4 Cross border data transfer shall be restricted and controlled as required by applicable laws.

6.5 The organization shall identify cross border data transfer laws prior to starting business within a region to ensure compliance.

6.6 The organization shall process customer data within the defined data boundaries thereby adhering to cross border data transfer laws of the country.

6.7 Security incidents involving personal data shall follow the incident management process.

6.8 Data masking and obfuscation tools and methods shall be used when personal data is used in testing environments and, in some cases, even in production environments, depending on the merit of the data security permissions.

6.9 Role-based access to view and edit personal data shall be provided and followed in application and data processing.

6.10 The organization shall develop and regularly deliver training and awareness programs to make all users aware of the protection of customer data.


The Data (Privacy) Protection procedure addresses the following principles.


1. The management of the organization will ensure that:

a. Everyone managing and handling personal information is trained to do so.

b. Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do.

c. Any disclosure of personal data will be in line with the procedures of the organization.

d. Queries about handling personal information will be dealt with swiftly and politely.

2. To meet these responsibilities, the organization staff will:

a. Ensure any personal data is collected in a fair and lawful way.

b. Explain why it is needed at the start.

c. Ensure that only the minimum information needed is collected and used.

d. Ensure the information used is up to date and accurate.

e. Review the length of time information is held.

f. Ensure it is kept safely.

g. Ensure the rights people have in relation to their personal data can be exercised.

3. Training and awareness about data protection and how it is followed in the organization will be in the form of general training / awareness training once a year.


The organization provides notice about the policies and procedures in all contract agreements and individual quotations.

The organization shall publish a privacy policy on the website of Tree. The organization may collect the following personal details as applicable for providing customer services:

a. Name

b. Address, phone and email addresses for communication

c. Date of Birth

d. Physical characteristics

e. Personal insurance documentation

f. Bank account number

g. Copy of passport

h. Iqama No. or Social Security Number

i. Source IP Address

j. Geographical Location

1. Personal information will / may be kept in the following forms:

a. Physical form (In hard copy)

b. Digital form


The organization will obtain explicit consent with respect to the obtaining, using, holding, amending, disclosing, destroying and deleting of data as described in this notice. The options for giving consent shall be presented in online portals, mobile apps and physical application forms, as applicable. Explicit consent here means that the person will be clearly presented with an option to agree or disagree with the terms of the collection, use, processing or disclosure of personal information.


Before personal information is collected, the organization will consider what details are necessary for its purposes and how long it is likely to need this information. The organization will inform people whose information is gathered about why the information is being gathered. The organization will also send out reminders to all interested parties asking them to check their details to keep the information up to date. Sensitive personal information will not be used for anything other than the exact purpose for which permission was given.


1. The disposal of personal data will follow the Asset Disposal procedure.

2. The organization will ensure that personal data will:

a. Be obtained fairly and lawfully and shall not be processed unless certain conditions are met.

b. Be obtained for a specific and lawful purpose.

c. Be adequate, relevant but not excessive.

d. Be accurate and kept up to date.

e. Not be held longer than necessary.

f. Be processed in accordance with the rights of data subjects.

g. Be subject to appropriate security measures.


Anyone whose personal information is processed by the organization has the right to know what information is held and processed by the organization, how to gain access to this information, how to keep it up to date and what the organization is doing to comply with the Regulations.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong. Individuals have a right to access certain personal data being kept about them on computer and in certain files.

Any person or user wishing to exercise this right should apply in writing to the designated Data Protection Officer over The following information will be required before access is granted:

a. For active customers, a File number / Policy number

b. Cell#

c. Email

The organization may also require proof of identity before access is granted. The groups of people within the organization who will process personal information are staff and all office employees with access. Queries about handling personal information will be dealt with swiftly and politely.


The organization will take steps to ensure that personal data is always kept secure against unauthorized or unlawful loss or disclosure. Any disclosure of personal data will strictly be in line with our procedures. Any unauthorized disclosure of personal data to a third party by an employee may result in a warning for employed staff in the first instance, and any repeat of it will result in termination of the said person.


The organization maintains accurate, complete and relevant personal information as far as reasonably possible and only for the purposes identified in this notice.


All employees and staff who process personal information must ensure that they not only understand but also act in line with this policy and the data protection principles. If any person believes that his/her personal information is not managed in accordance with the applicable law or our privacy policies, he/she may contact the Data Protection Officer designate.


This policy shall be enforced by the TREE Cyber Security Team. The team shall enforce the following controls to ensure secure data privacy and reserves the right to conduct audits on a periodic basis to ensure compliance with this policy. Compliance with the statements of this policy is mandatory and is subject to periodic review by the Cyber Security Team. Any violation of this policy shall be reported to the Cyber Security Lead, and the disciplinary process shall be followed as detailed in “Human Resource Security Procedure” (Section 7).


Any exception to this policy shall be documented with relevant justifications and approved by the Cyber Security Manager.



SAMA CS Framework Reference

3.1.4 -> 2.c.4

3.3.11 -> 4

Policy Statement References

7.1 – 7.9