1. Introduction
Pullman Zamzam Hotels ("Company", "we", "our", "us") operates the Zamzam Staff Learning Platform (the "App"), a mobile and web application designed exclusively for the internal professional development of hotel employees at our Makkah and Madina properties.
This Privacy Policy explains what personal data we collect from you when you use the App, why we collect it, how we use and protect it, and what rights you have over your data. It applies to all versions of the App, including the iOS application, Android application, and the web-based administration portal.
Please read this policy carefully. By creating an account or using the App, you acknowledge that you have read and understood this policy. If you do not agree with any part of this policy, please contact your HR or IT department to discuss your options.
2. Data Controller
The data controller responsible for your personal information under this policy is:
| Detail | Information |
|---|---|
| Entity Name | Pullman Zamzam Hotels |
| Properties | Pullman Zamzam Makkah & Pullman Zamzam Madina |
| Platform Domain | zamzamstaff.com |
| Privacy Contact | PULLMAN.ZamzamMakkah.ITG@accor.com |
3. Information We Collect
We collect the following categories of personal data:
3.1 Account & Identity Data
- Username (assigned by your employer)
- Full legal name (optional, entered by the employee)
- Email address (optional, entered by the employee for password recovery)
- Department and hotel property
- Job position / role
- Employment hire date (provided by hotel management)
- Assigned role within the App (Staff, Department Manager, Hotel Admin, Super Admin)
3.2 Learning & Performance Data
- Quiz question responses and whether answers are correct or incorrect
- Weekly challenge scores and completion status
- Cumulative points, streaks, and ranking positions
- Badges and certificates earned
- Answer attempt history with timestamps
- Department and hotel-wide leaderboard rankings
3.3 Technical & Device Data
- App version in use
- Operating system type (iOS, Android, Web)
- Session timestamps (login and logout times)
- Authentication tokens (stored locally on your device, encrypted)
4. Legal Basis for Processing
We process your personal data on the following legal grounds, in accordance with the Saudi Personal Data Protection Law (PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis |
|---|---|
| Operating your employee account | Performance of employment contract / Legitimate interest |
| Tracking learning progress and scores | Legitimate interest (employee development) |
| Generating leaderboards and reports for management | Legitimate interest (business operations) |
| Issuing certificates of achievement | Legitimate interest / Consent |
| Optional profile data (name, email) | Consent (you choose to provide it) |
| Security and fraud prevention | Legal obligation / Legitimate interest |
5. How We Use Your Information
We use the data we collect for the following purposes:
- Account management — Creating, authenticating, and maintaining your employee account.
- Learning delivery — Displaying weekly challenges, quiz questions, and personalised progress dashboards.
- Performance tracking — Calculating points, streaks, completion bonuses, and updating leaderboard rankings.
- Certification — Generating downloadable certificates of achievement when milestones are reached.
- Management reporting — Providing department heads and hotel administrators with anonymised or identified performance summaries.
- Communication — Sending in-app notifications about new challenges, announcements, or system updates.
- Platform improvement — Analysing usage patterns in aggregate to improve content and functionality.
- Security — Detecting and preventing unauthorised access or misuse of accounts.
- Legal compliance — Fulfilling obligations under applicable Saudi and international law.
We will not use your data for automated decision-making that produces significant legal or similarly significant effects without human review.
6. Data Sharing and Disclosure
6.1 Within the Organisation
Your performance data (scores, rankings, completion rates) is visible to your Department Manager, Hotel Administrator, and authorised corporate staff within Pullman Zamzam Hotels. Your individual quiz answers are visible only to Hotel Administrators and Super Administrators for quality assurance purposes.
6.2 Service Providers
We use limited third-party service providers solely to operate the technical infrastructure of the App. Each provider is bound by a data processing agreement and is prohibited from using your data for any purpose other than providing the contracted service:
| Provider Type | Purpose | Data Shared |
|---|---|---|
| Cloud Hosting (Replit) | Application and database hosting | All App data in encrypted form |
| Domain & CDN (Cloudflare) | Network routing and DDoS protection | IP address, request metadata |
6.3 Legal Requirements
We may disclose your personal data if required to do so by law, regulation, court order, or governmental authority, or if we believe such disclosure is necessary to protect the rights, property, or safety of the Company, our employees, or others.
6.4 No Sale of Data
7. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy:
| Data Category | Retention Period |
|---|---|
| Active employee account data | For the duration of employment |
| Learning activity & scores | For the duration of employment + 1 year |
| Certificates of achievement | 5 years from issue date |
| Authentication logs | 90 days rolling |
| Deactivated accounts | Anonymised within 90 days of deactivation |
After the applicable retention period, data is securely deleted or anonymised so that it can no longer be associated with any individual.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit — All data between your device and our servers is transmitted using TLS 1.2 or higher (HTTPS).
- Password hashing — Passwords are never stored in plain text; they are hashed using industry-standard algorithms.
- Token-based authentication — Session tokens are stored encrypted on your device and expire automatically.
- Access controls — Access to employee data within the platform is restricted by role. Administrators can only access data for their assigned property.
- Infrastructure security — Our hosting infrastructure is protected by Cloudflare's network security layer.
9. Your Rights
Subject to applicable law, including the Saudi Personal Data Protection Law (PDPL) and the EU GDPR where applicable, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Right of Access | You may request a copy of the personal data we hold about you. |
| Right to Rectification | You may request correction of inaccurate or incomplete data. Some fields (name, email) can be updated directly in the App. |
| Right to Erasure | You may request deletion of your personal data, subject to our legal and contractual obligations. |
| Right to Restriction | You may request that we limit how we process your data in certain circumstances. |
| Right to Data Portability | You may request your data in a structured, commonly used, machine-readable format. |
| Right to Object | You may object to processing based on legitimate interests where your individual circumstances warrant it. |
| Right to Withdraw Consent | Where processing is based on consent (e.g. optional profile fields), you may withdraw consent at any time. |
To exercise any of these rights, please submit a written request to your Hotel HR or IT Administrator, or email us directly at PULLMAN.ZamzamMakkah.ITG@accor.com. We will respond to all verified requests within 30 days.
If you are an EU/EEA resident and believe we have not handled your request appropriately, you have the right to lodge a complaint with your local data protection supervisory authority.
10. Children's Privacy
The Zamzam Staff Learning Platform is an enterprise application intended exclusively for use by employees of Pullman Zamzam Hotels who are 18 years of age or older. We do not knowingly collect, process, or store personal data from individuals under the age of 18.
If we become aware that personal data has been submitted by or on behalf of a minor, we will promptly delete that information. If you believe a minor has accessed the platform, please notify us immediately at PULLMAN.ZamzamMakkah.ITG@accor.com.
11. Third-Party Services & Links
The App does not contain links to third-party websites or integrate with any third-party social media platforms, advertising networks, or analytics services that collect data independently.
The only external link in the App is the link to this Privacy Policy page, which is hosted on our own domain (zamzamstaff.com/privacy).
12. International Data Transfers
Your data is processed and stored on servers that may be located outside the Kingdom of Saudi Arabia. When transferring data internationally, we ensure appropriate safeguards are in place, including data processing agreements that require the same standard of protection as required by Saudi PDPL.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the Last Updated date at the top of this page.
- Notify users via an in-app announcement where possible.
- Post the updated policy at zamzamstaff.com/privacy.
Your continued use of the App after any changes to this policy constitutes your acceptance of the revised policy. We encourage you to review this page periodically.
14. Contact & Complaints
If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your personal data, please contact us:
| Channel | Details |
|---|---|
| Email | PULLMAN.ZamzamMakkah.ITG@accor.com |
| In-App | Contact your Hotel Administrator via your profile screen |
| HR Department | Pullman Zamzam Makkah or Pullman Zamzam Madina HR office |
We are committed to resolving any privacy-related concerns promptly and transparently.