Privacy Policy
Last updated: June 10, 2026
This Privacy Policy describes how Kood Khafeef For Information Technology Establishment ("CarRoots," "we," "us," or "our"), established in the Kingdom of Saudi Arabia, collects, uses, stores, and shares your personal information when you use the CarRoots mobile application and related services (the "Services").
CarRoots is a marketplace platform that connects vehicle owners with independent automotive service providers ("Vendors") for mobile car wash, detailing, and related vehicle care services in supported cities in Saudi Arabia.
We process personal data in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations.
Questions or concerns? Contact us at basel.khamis@gmail.com. If you do not agree with this Policy, please do not use the Services.
1. Information We Collect
1.1 Information you provide to us
- Account information: name, email address, mobile phone number (verified by a one-time code sent via SMS or WhatsApp), and password.
- Vehicle information: vehicle make, model, and specifications; license plate number; photos of your vehicle that you upload.
- Location and address information: saved service addresses and locations where you want services performed.
- Booking information: services and add-ons you select, appointment dates and time slots, booking history, reschedule and cancellation records, and package or subscription purchases.
- Payment information: processed by our third-party payment gateway (see Section 4). We never receive or store your full card number or security code. If you save a card, we store only a secure payment token and masked card details.
- Communications: messages you exchange with Vendors through the in-app chat (scoped to a specific appointment), ratings and reviews, and complaints or support requests.
1.2 Information collected automatically
- Precise geolocation (with your permission), to show nearby Vendors and support service delivery. You can withdraw this permission at any time in your device settings; some features may stop working.
- Device and usage data: device model, operating system, unique device identifiers, IP address, app version, language preference, crash reports, and diagnostic logs.
- Push notification tokens, used to deliver booking status updates, reschedule alerts, and chat notifications.
- Analytics data, collected through Google Analytics for Firebase to understand how the Services are used and improve them.
We do not knowingly collect sensitive personal information (such as health, religious, or biometric data).
2. How We Use Your Information
We use your information to:
- Create and manage your account, including phone number verification;
- Display nearby Vendors and their services based on your selected city and location;
- Create, confirm, fulfill, reschedule, and cancel bookings;
- Process payments, verify payment outcomes, prevent fraudulent or duplicate charges, and maintain payment audit records;
- Issue tax-compliant electronic invoices in accordance with ZATCA (Zakat, Tax and Customs Authority) requirements;
- Enable appointment-scoped chat between you and your Vendor;
- Send notifications about your bookings, payments, and messages (you can disable push notifications in your device settings);
- Provide customer support and respond to complaints;
- Monitor, secure, and debug the Services, including crash reporting and app-integrity protection;
- Comply with our legal obligations under the laws of Saudi Arabia.
We rely on legal bases recognized by the PDPL, including your consent, the performance of our contract with you, and our legitimate and legal interests.
3. How Your Information Is Stored
Our backend is built on Google Firebase (a service of Google LLC):
- Account data is managed by Firebase Authentication;
- Bookings, vehicles, addresses, and chat messages are stored in Cloud Firestore;
- Images you upload are stored in Firebase Cloud Storage;
- Server-side processing (payment verification, notifications, invoicing) runs on Google Cloud Functions.
Access to your data is restricted by server-enforced security rules, so each user and Vendor can access only the records they are authorized to see.
Your data may be stored and processed on Google servers located outside the Kingdom of Saudi Arabia. Where personal data is transferred outside the Kingdom, we do so in accordance with the requirements of the PDPL and its regulations on cross-border data transfers.
4. Payments and Third-Party Payment Gateways
All card payments are processed by Moyasar, a licensed third-party payment gateway, including credit/debit card and Apple Pay transactions in Saudi Riyals (SAR).
- Your card details are entered into and processed by the payment gateway — CarRoots never receives or stores your full card number or security code.
- If you choose to save a card, the gateway issues a secure token; we store the token and masked card details only so you can reuse the card for future bookings.
- Every payment is independently verified on our servers (amount, currency, and status) before a booking is confirmed.
Moyasar processes your payment data under its own privacy policy.
5. What We Share with Vendors — and What We Keep Private
To fulfill your booking, we transmit only the information the Vendor needs to perform the service.
Shared with the Vendor you book:
- Your name and contact phone number;
- The service address / location where the service will be performed;
- Your vehicle details relevant to the service (make, model, plate number, and any vehicle photos you attached);
- The booked service, add-ons, appointment time, booking status, and the amount paid for that booking;
- Messages you send in the appointment chat, and ratings or reviews you submit;
- Package or subscription balances you hold with that Vendor.
Never shared with Vendors:
- Your payment card details or saved-card tokens;
- Your account credentials;
- Your booking history with other Vendors;
- Your saved addresses other than the one selected for the booking;
- Your device identifiers, analytics data, or crash reports.
Vendors are independent businesses. They are required to use your information only to fulfill the booked service and to handle it in accordance with applicable data protection law.
6. Other Third Parties
| Recipient | Purpose | Data involved |
|---|---|---|
| Moyasar | Payment processing (cards, Apple Pay) | Payment card data, transaction amount |
| Twilio | One-time verification codes via SMS / WhatsApp | Phone number |
| Google (Firebase, Maps) | Hosting, database, push notifications, analytics, crash reporting, maps | Account, booking, device, and location data |
| Qoyod | Accounting and ZATCA-compliant e-invoicing | Name and invoice/transaction details |
We do not sell your personal information. We may disclose information where required by law, court order, or a competent governmental authority in Saudi Arabia.
7. Security
We use industry-standard safeguards, including encrypted connections (TLS), server-enforced access rules, app-integrity attestation, and server-side payment verification. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Your Rights
Subject to the PDPL, you have the right to:
- Be informed about how we process your personal data;
- Access the personal information we hold about you;
- Correct inaccurate or incomplete information (you can edit your profile, vehicles, and addresses in the app);
- Request deletion of your account and associated personal information;
- Withdraw consent for optional processing, such as location access and push notifications, at any time through your device settings.
To exercise these rights, contact us at basel.khamis@gmail.com. We will respond in accordance with applicable data protection laws. We may retain certain records (such as payment and invoicing records) where the law requires us to do so.
9. Data Retention
We retain your information for as long as your account is active and as long as needed for the purposes described in this Policy, including legal, tax, and accounting retention obligations. When data is no longer required, it is deleted or anonymized.
10. Children
The Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be communicated through the app. Your continued use of the Services after an update constitutes acceptance of the revised Policy.
12. Contact Us
Kood Khafeef For Information Technology Establishment
Kingdom of Saudi Arabia
Email: basel.khamis@gmail.com