Back to home

Qahwa Privacy Policy

Last updated: 7 July 2026·Effective: 7 July 2026

1. Who we are

Qahwa (“we”, “us”, “our”) operates a pickup-only coffee ordering marketplace in the United Arab Emirates (“UAE”). Customers use the Qahwa mobile app and website to browse participating cafés, place orders for in-person pickup, pay in-app, and manage loyalty rewards.

This Privacy Policy explains how we collect, use, share, store, and protect personal data when you use our customer-facing services (the “Services”).

Data controller
[Legal entity name — e.g. Qahwa Platform LLC]
[Registered address, UAE]
Privacy contact: [email protected]
Support: [email protected]

If you are a café owner or staff member using our merchant or barista dashboards, separate terms and notices may apply to those products.


2. Scope and important notes

  • Pickup only. Qahwa does not offer delivery. We do not collect a delivery address for fulfilment. Location data, where you allow it, is used to show nearby outlets and improve your experience — not to deliver goods to your door.
  • UAE law. We process personal data in line with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “PDPL”) and applicable regulations.
  • Children. The Services are not directed at children under 18. You must be at least 18 years old (or the age of majority in your emirate, if higher) to create an account and place orders.

3. Personal data we collect

We collect only what we need to operate the Services, fulfil orders, prevent fraud, and — with your consent where required — send optional marketing.

CategoryExamplesHow we collect it
Account & identityMobile phone number (E.164), display name, optional email, date of birth (if you provide it), profile photo URLYou provide this when signing up or editing your profile
AuthenticationOne-time passcodes (OTP) sent to your phone; session tokensGenerated when you sign in; OTP codes are short-lived and not stored in plain text
Orders & transactionsOrder items, customisations, cup message, outlet, pickup code, order status, amounts in AED, payment status, refundsCreated when you place or manage an order
Payment informationPayment method type, last four digits, wallet type (e.g. Apple Pay / Google Pay), Stripe payment identifiersCollected by Stripe on our behalf; we do not store full card numbers or CVV
Vehicle informationMake, model, colour, plate details, nickname (optional)You provide this to help staff identify you at curbside pickup
LocationApproximate or precise device location (with your permission)From your device when you enable location services
Loyalty & rewardsPoints balance, stamp progress, reward redemptions, wallet pass identifiersGenerated through your use of loyalty features
Gift cardsPurchase and redemption records, recipient phone (if you send a gift), optional messageYou provide this when buying or sending gift cards
CommunicationsPush notification tokens, notification preferences (order updates, rewards, marketing)From your device and in-app settings
Support & safetyMessages you send to support, fraud signals, abuse reportsYou provide this, or we generate it to keep the platform safe
Technical & usageDevice type, operating system, app version, IP address, request logs, crash/diagnostic dataAutomatically when you use the Services

We do not knowingly collect sensitive categories of data (such as health, biometric, or government ID) unless you voluntarily include something in a free-text field (e.g. a cup message). Please do not include sensitive information in optional text fields.


4. How we use personal data

We use personal data for the following purposes:

  1. Provide the Services — create and secure your account, show nearby cafés and menus, process orders, facilitate payment, display order tracking and pickup codes, and operate loyalty and gift-card features.
  2. Communicate with you — send transactional messages (OTP codes, order status, pickup readiness) by SMS and/or push notification.
  3. Customer support — respond to enquiries and resolve disputes.
  4. Safety & integrity — detect fraud, abuse, and security incidents; enforce our Terms of Service.
  5. Improve the platform — analyse aggregated, de-identified usage to improve performance and features.
  6. Legal compliance — meet tax, accounting, anti-fraud, and regulatory obligations.
  7. Marketing (opt-in only) — with your explicit consent, send promotional offers and café updates by push or SMS. You can withdraw consent at any time in app settings.

We do not sell your personal data.


5. Legal bases (PDPL)

Depending on the processing activity, we rely on one or more of the following:

  • Contractual necessity — to perform our agreement with you (account, orders, payments, loyalty).
  • Legitimate interests — to secure the platform, prevent fraud, and improve the Services, balanced against your rights.
  • Consent — for optional marketing, precise location (where required), and certain analytics or communications.
  • Legal obligation — to retain financial records and respond to lawful requests.

Where consent is required, you may withdraw it without affecting the lawfulness of processing before withdrawal.


6. How we share personal data

We share personal data only as needed:

RecipientPurpose
Participating cafés (merchants)Fulfil your order — they receive order details, pickup code, cup message, and vehicle info you provide; they do not receive your full payment card details
StripePayment processing, refunds, and fraud prevention (Stripe Privacy Policy)
SMS providers (e.g. Unifonic, Twilio)Deliver OTP and transactional SMS
Push notification services (Apple, Google)Deliver order and loyalty notifications
Map / location providers (e.g. Mapbox)Display maps and nearby outlets when you use location features
Cloud hosting & storage (e.g. DigitalOcean, object storage/CDN)Host and operate the platform; encrypted at rest and in transit
Professional advisers & authoritiesLegal, accounting, or regulatory requirements

All processors are bound by contracts requiring appropriate security and use limitations. Merchants are independent businesses responsible for their own handling of order information at the point of pickup.


7. International transfers

Our primary infrastructure is hosted in or near the UAE / region. Some processors (e.g. Stripe, SMS, or push providers) may process data outside the UAE. Where required, we implement appropriate safeguards (such as contractual clauses) and document transfers in our records of processing.


8. Retention

We keep personal data only as long as necessary:

Data typeTypical retention
Account profileWhile your account is active, then deleted or anonymised within 30 days of a confirmed deletion request (subject to legal holds)
Orders & paymentsUp to 7 years for accounting, tax, and dispute purposes
OTP challengesMinutes; hashed records may be kept briefly for abuse prevention
Server logsUp to 90 days, unless needed for a security investigation
Marketing preferencesUntil you opt out or delete your account

We may retain anonymised or aggregated data that cannot identify you.


9. Security

We apply technical and organisational measures including TLS encryption in transit, access controls, role-based permissions, encrypted storage for sensitive fields, rate limiting, and monitoring. Payment card data is handled by Stripe’s PCI-compliant infrastructure; our servers receive tokens and payment identifiers only.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact [email protected] immediately.


10. Your rights (PDPL)

Subject to applicable law, you may:

  • Access a copy of your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data (right to be forgotten), subject to legal retention
  • Restrict or object to certain processing
  • Port your data in a structured, commonly used format where feasible
  • Withdraw consent for marketing or optional processing

To exercise these rights, use in-app account settings where available or email [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

Deleting your account triggers anonymisation or deletion across our services, except where we must retain records for legal or financial compliance.


11. Cookies and similar technologies (website)

Our marketing website (qahwa.io) may use essential cookies and similar technologies for security and basic functionality. We do not use invasive third-party advertising trackers on the customer app without disclosure and, where required, consent.


12. Third-party links

The Services may link to café websites or third-party payment wallets. Their privacy practices are governed by their own policies. We are not responsible for third-party sites you visit outside Qahwa.


13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version at https://qahwa.io/privacy and update the “Last updated” date. For material changes, we will provide notice in the app or by other appropriate means. Continued use after the effective date constitutes acceptance where permitted by law.


14. Contact & complaints

Privacy enquiries: [email protected]
General support: [email protected]

You may also lodge a complaint with the UAE Data Office if you believe your data protection rights have been violated.


Appendix — App Store privacy labels (summary)

For Apple App Store Connect / Google Play Data Safety declarations, the customer app may collect:

  • Contact info: phone number, name, email (optional)
  • Financial info: payment info (via Stripe; not stored on Qahwa servers)
  • Location: coarse/precise (optional, for nearby cafés)
  • User content: cup message, profile photo, gift message
  • Identifiers: user ID, device/push tokens
  • Usage data: product interaction, diagnostics

Data is not used for third-party advertising. Marketing use is opt-in.