Privacy Notice — World Cup 2026 Fan Zone

Version 1.4 · Last updated June 2026

1. Who we are (Data Controller)

This site (towncenter.sa) is operated by Blacksand (blacksand.sa) ("Blacksand", "we", "us"), the company behind the World Cup 2026 Fan Zone at Town Center Mall, Al Aarid, Riyadh, Saudi Arabia.

2. What personal data we collect

When you register your interest, we collect:

| Category | Fields | Mandatory? |
|---|---|---|
| Identity | Full name, mobile number, email address, preferred language | Name, mobile, email required |
| Profile (optional) | Favourite team, number of companions, group type (family/friends/solo), area of Riyadh (one of five broad zones, asked after you register) | Optional |
| Consent records | Which purposes/channels you opted into, the notice version, timestamp | Captured automatically |
| Technical / attribution | Referral source / campaign parameters (UTM), landing page, a salted hash of your IP address, browser type | Captured automatically |

We do NOT collect your National ID or Iqama number, and no identifiable data about children — companions are recorded only as a count on the registering adult’s record.

3. Why we use it, and our legal basis

We rely on different legal bases for different purposes. Delivering the Fan Zone you registered for — including contacting you by email and WhatsApp about it — rests on performing the service you requested and our legitimate interest (PDPL Art. 6). Marketing and profiling rest on your separate, optional consent, which you can withdraw at any time.

| Purpose | Basis |
|---|---|
| Register your interest, send your confirmation / essential Fan Zone logistics, and contact you about the Fan Zone (email + WhatsApp) | Performance of the service you requested / our legitimate interest (PDPL Art. 6) |
| Send you marketing about future Blacksand events, experiences and offers (only if you opt in) | Your separate marketing consent |
| Personalise our messages using your preferences, e.g. your team (only if you opt in) | Your separate profiling consent |
| Understand and improve how the site performs (aggregate analytics) | Consent |

Marketing and profiling are optional and are never required to register. You can withdraw any consent at any time (Section 7).

When you register, we generate a random pseudonymous identifier (not your name, email, or phone) and attach it to your otherwise-anonymous analytics events so we can understand the registration journey. It cannot be used to contact you, is not shared with third parties, is deleted or anonymised with your registration data, and analytics events are retained for 180 days.

4. Who we share it with (Processors)

We use trusted service providers who process data on our behalf, under contract:

  • Microsoft Azure — hosting and database (see cross-border transfer below)
  • Azure Communication Services — sending your confirmation / notification emails
  • Cloudflare — content delivery, security and bot protection
  • An SMS / WhatsApp provider — only if and when you opt into those channels

Separately — and not as a processor acting on our behalf — when you choose to reserve a seat, the "Reserve" button hands you off to our reservations partner, The Chefz (its app links are powered by Branch, branch.io, for app deep-linking). The Chefz is an independent data controller: it collects and handles your booking and payment under its own privacy policy and terms. We do not receive your payment details, and we do not pass your name, email or phone to The Chefz through that link. Please review The Chefz’s own privacy policy before you book.

We do not sell your personal data.

5. Cross-border transfer (important)

Your data is currently hosted on Microsoft Azure in the United Arab Emirates (UAE North) region, because Microsoft’s Saudi Arabia cloud region is not yet generally available. This is a transfer of personal data outside the Kingdom. It is carried out under PDPL Article 29 and the Regulation on Personal Data Transfer, relying on:

  • Standard Contractual Clauses (SCCs) with Microsoft,
  • a documented Transfer Risk Assessment, and
  • data minimisation and encryption in transit and at rest.

By submitting the form, you consent to this transfer. If hosting moves in-Kingdom, this notice will be updated and the transfer disclosure removed.

6. How long we keep it (Retention)

  • Registration data — if you opted into Blacksand marketing: kept for future Blacksand events, experiences and offers for up to 24 months from your last interaction, or until you withdraw consent, whichever is sooner.
  • Registration data — if you did not opt in: deleted or anonymised within 6 months after the Fan Zone event.
  • Behavioural / analytics events: retained for 180 days.
  • Consent and audit records: retained longer as evidence of lawful processing, as required by PDPL.

7. Your rights

Under PDPL you have the right to: be informed, access your data, correct it, request its deletion, withdraw consent, object to direct marketing, and complain to SDAIA (the regulator). You may also seek compensation for damage caused by a violation.

To exercise any right, contact [email protected]. We will respond within 30 days (extendable by a further 30 days in limited cases). Withdrawing consent or unsubscribing is free and as easy as opting in — every marketing message includes an opt-out.

8. Direct marketing

We only send marketing if you opted in, on the channels you chose (email / WhatsApp). Marketing may include future Blacksand events, experiences and offers (Blacksand operates Town Center and runs other experiences). Every message identifies us and includes a clear opt-out. If we ever use SMS, it is sent under a registered CST sender ID, within permitted hours, honouring the national Do-Not-Disturb list.

9. Security & breaches

We protect your data with encryption, access controls and bot protection. If a personal data breach occurs that may harm you, we will notify SDAIA within 72 hours and affected individuals without undue delay.

10. Changes & complaints

We may update this notice; the version and date above will change. If you have a concern, contact [email protected]. You also have the right to lodge a complaint with SDAIA (sdaia.gov.sa).