Data We Collect
We collect information you provide directly at signup: restaurant name, email, mobile number, commercial registration number, and tax information required by the Saudi Zakat, Tax & Customs Authority (ZATCA). We also log operational data generated by your use of the platform: order activity, payments, e-invoices, and login records.
How We Use Your Data
Your data is used exclusively to operate the platform: to issue ZATCA-compliant tax invoices, to show you performance reports for your own restaurant (these reports are yours alone), and to send essential operational notifications. We do not sell your data and do not share it with third parties for marketing or advertising.
Security
All data is encrypted in transit over the network using TLS 1.3 and encrypted at rest at the database-provider level (AES-256). Passwords are bcrypt-hashed at 12 rounds. We apply rate limiting and temporary account lockout against password-guessing attempts. Every sensitive action (permission changes, data deletion, settings edits) is recorded in an immutable audit log.
Data Location & Cross-Border Transfer
Our servers are currently hosted in the European Union — specifically in Frankfurt, Germany: the database is on Neon (region eu-central-1), the applications are on Vercel (fra1), and caching is on Upstash. Cross-border transfer of personal data from the Kingdom of Saudi Arabia to the EU is performed under Article 29 of the Saudi Personal Data Protection Law (PDPL), which permits transfer to countries providing an adequate level of protection — a standard met by EU member states under the General Data Protection Regulation (GDPR). All our service providers (Neon, Vercel, Cloudflare, Upstash) hold internationally recognized certifications (SOC 2, ISO 27001) and are GDPR-compliant.
Your Rights Under PDPL
Under the Saudi PDPL you have the right to: access your personal data, correct it, request its deletion, restrict its processing, port it to another provider, or object to processing. To exercise any of these rights, email us at [PRIVACY_CONTACT_EMAIL] (the dedicated contact channel will be finalized before Beta launch) — we commit to responding to your request within 30 days. On deletion requests, we retain only tax invoices for the period required by ZATCA (5 calendar years) and erase everything else.
Cookies
We use only essential cookies for secure session management and login. We do not use cookies for ad tracking, and we do not embed third-party analytics services (such as Google Analytics or Facebook Pixel) on the site.
Policy Updates
We may update this policy from time to time. Material changes are communicated by email or via an in-app notice at least 30 days before they take effect. The latest publication date is shown at the top of this page.