Website Policies

Subprocessors & Transfers.

SUBPROCESSORS AND TRANSFER NOTICE

Last updated May 21, 2026

This notice explains the categories of providers and transfer lanes that may be used by GPR Business Services in connection with its website, business services, customer portal, platform onboarding, and platform services.

  1. Saudi-operated platform model

For the Saudi-operated platform model, production platform hosting and operation are intended to be performed by GPR in Saudi Arabia where applicable. This reduces routine cross-border processing for core production hosting, but it does not remove cross-border processing where customers enable external providers or where controlled foreign support is required.

  1. Provider categories

Depending on the services used or enabled, GPR may use providers in the following categories:

  • website hosting and platform infrastructure;
  • payment processing;
  • customer relationship management and support;
  • WhatsApp Business Platform and messaging providers;
  • voice providers;
  • email and notification providers;
  • AI service providers;
  • security, monitoring, diagnostics, and logging tools;
  • professional advisors, legal, accounting, and compliance providers; and
  • software licensors, maintenance providers, and controlled support providers.
  1. Transfer lanes

Personal data may be transferred or disclosed outside Saudi Arabia in these lanes:

  • Customer-enabled provider delivery: where the customer enables WhatsApp, voice, email, AI, or another provider that must receive data to deliver the configured service.
  • Payment and business operations: where payment processors, support tools, or professional providers are needed to operate the business relationship.
  • Controlled foreign support: where software licensor or specialist support access is needed for maintenance, troubleshooting, incident response, or service continuity.
  • Legal and compliance: where disclosure is required by law, legal process, regulatory request, or protection of rights.
  1. Safeguards

GPR applies safeguards according to the nature of the provider, transfer, and data. Safeguards may include data minimization, transfer records, transfer assessments, contractual restrictions, confidentiality obligations, access controls, authentication, logging, provider due diligence, and approved transfer clauses where required.

  1. Customer-enabled providers

Some providers are enabled by the customer because they are necessary for the customer's selected service. For example, if a customer enables WhatsApp Business Platform, relevant business account, phone number, message, webhook, token-reference, and provider-status data may be processed by Meta/WhatsApp under applicable provider terms.

WhatsApp Business Platform data must be used only for the enabled messaging service and must not be sold, used to build or augment unrelated consumer profiles, or used for retargeting on or off WhatsApp.

  1. Contact

Questions about subprocessors or transfer handling may be sent to contact@gpr.sa.