1. Who we are
Qahwa (“we”, “us”, “our”) operates a pickup-only coffee ordering marketplace in the United Arab Emirates (“UAE”). Customers use the Qahwa mobile app and website to browse participating cafés, place orders for in-person pickup, pay in-app, and manage loyalty rewards.
This Privacy Policy explains how we collect, use, share, store, and protect personal data when you use our customer-facing services (the “Services”).
Data controller
[Legal entity name — e.g. Qahwa Platform LLC]
[Registered address, UAE]
Privacy contact: [email protected]
Support: [email protected]
If you are a café owner or staff member using our merchant or barista dashboards, separate terms and notices may apply to those products.
2. Scope and important notes
- Pickup only. Qahwa does not offer delivery. We do not collect a delivery address for fulfilment. Location data, where you allow it, is used to show nearby outlets and improve your experience — not to deliver goods to your door.
- UAE law. We process personal data in line with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “PDPL”) and applicable regulations.
- Children. The Services are not directed at children under 18. You must be at least 18 years old (or the age of majority in your emirate, if higher) to create an account and place orders.
3. Personal data we collect
We collect only what we need to operate the Services, fulfil orders, prevent fraud, and — with your consent where required — send optional marketing.
| Category | Examples | How we collect it |
|---|---|---|
| Account & identity | Mobile phone number (E.164), display name, optional email, date of birth (if you provide it), profile photo URL | You provide this when signing up or editing your profile |
| Authentication | One-time passcodes (OTP) sent to your phone; session tokens | Generated when you sign in; OTP codes are short-lived and not stored in plain text |
| Orders & transactions | Order items, customisations, cup message, outlet, pickup code, order status, amounts in AED, payment status, refunds | Created when you place or manage an order |
| Payment information | Payment method type, last four digits, wallet type (e.g. Apple Pay / Google Pay), Stripe payment identifiers | Collected by Stripe on our behalf; we do not store full card numbers or CVV |
| Vehicle information | Make, model, colour, plate details, nickname (optional) | You provide this to help staff identify you at curbside pickup |
| Location | Approximate or precise device location (with your permission) | From your device when you enable location services |
| Loyalty & rewards | Points balance, stamp progress, reward redemptions, wallet pass identifiers | Generated through your use of loyalty features |
| Gift cards | Purchase and redemption records, recipient phone (if you send a gift), optional message | You provide this when buying or sending gift cards |
| Communications | Push notification tokens, notification preferences (order updates, rewards, marketing) | From your device and in-app settings |
| Support & safety | Messages you send to support, fraud signals, abuse reports | You provide this, or we generate it to keep the platform safe |
| Technical & usage | Device type, operating system, app version, IP address, request logs, crash/diagnostic data | Automatically when you use the Services |
We do not knowingly collect sensitive categories of data (such as health, biometric, or government ID) unless you voluntarily include something in a free-text field (e.g. a cup message). Please do not include sensitive information in optional text fields.
4. How we use personal data
We use personal data for the following purposes:
- Provide the Services — create and secure your account, show nearby cafés and menus, process orders, facilitate payment, display order tracking and pickup codes, and operate loyalty and gift-card features.
- Communicate with you — send transactional messages (OTP codes, order status, pickup readiness) by SMS and/or push notification.
- Customer support — respond to enquiries and resolve disputes.
- Safety & integrity — detect fraud, abuse, and security incidents; enforce our Terms of Service.
- Improve the platform — analyse aggregated, de-identified usage to improve performance and features.
- Legal compliance — meet tax, accounting, anti-fraud, and regulatory obligations.
- Marketing (opt-in only) — with your explicit consent, send promotional offers and café updates by push or SMS. You can withdraw consent at any time in app settings.
We do not sell your personal data.
5. Legal bases (PDPL)
Depending on the processing activity, we rely on one or more of the following:
- Contractual necessity — to perform our agreement with you (account, orders, payments, loyalty).
- Legitimate interests — to secure the platform, prevent fraud, and improve the Services, balanced against your rights.
- Consent — for optional marketing, precise location (where required), and certain analytics or communications.
- Legal obligation — to retain financial records and respond to lawful requests.
Where consent is required, you may withdraw it without affecting the lawfulness of processing before withdrawal.
6. How we share personal data
We share personal data only as needed:
| Recipient | Purpose |
|---|---|
| Participating cafés (merchants) | Fulfil your order — they receive order details, pickup code, cup message, and vehicle info you provide; they do not receive your full payment card details |
| Stripe | Payment processing, refunds, and fraud prevention (Stripe Privacy Policy) |
| SMS providers (e.g. Unifonic, Twilio) | Deliver OTP and transactional SMS |
| Push notification services (Apple, Google) | Deliver order and loyalty notifications |
| Map / location providers (e.g. Mapbox) | Display maps and nearby outlets when you use location features |
| Cloud hosting & storage (e.g. DigitalOcean, object storage/CDN) | Host and operate the platform; encrypted at rest and in transit |
| Professional advisers & authorities | Legal, accounting, or regulatory requirements |
All processors are bound by contracts requiring appropriate security and use limitations. Merchants are independent businesses responsible for their own handling of order information at the point of pickup.
7. International transfers
Our primary infrastructure is hosted in or near the UAE / region. Some processors (e.g. Stripe, SMS, or push providers) may process data outside the UAE. Where required, we implement appropriate safeguards (such as contractual clauses) and document transfers in our records of processing.
8. Retention
We keep personal data only as long as necessary:
| Data type | Typical retention |
|---|---|
| Account profile | While your account is active, then deleted or anonymised within 30 days of a confirmed deletion request (subject to legal holds) |
| Orders & payments | Up to 7 years for accounting, tax, and dispute purposes |
| OTP challenges | Minutes; hashed records may be kept briefly for abuse prevention |
| Server logs | Up to 90 days, unless needed for a security investigation |
| Marketing preferences | Until you opt out or delete your account |
We may retain anonymised or aggregated data that cannot identify you.
9. Security
We apply technical and organisational measures including TLS encryption in transit, access controls, role-based permissions, encrypted storage for sensitive fields, rate limiting, and monitoring. Payment card data is handled by Stripe’s PCI-compliant infrastructure; our servers receive tokens and payment identifiers only.
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact [email protected] immediately.
10. Your rights (PDPL)
Subject to applicable law, you may:
- Access a copy of your personal data
- Rectify inaccurate or incomplete data
- Erase your data (right to be forgotten), subject to legal retention
- Restrict or object to certain processing
- Port your data in a structured, commonly used format where feasible
- Withdraw consent for marketing or optional processing
To exercise these rights, use in-app account settings where available or email [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
Deleting your account triggers anonymisation or deletion across our services, except where we must retain records for legal or financial compliance.
11. Cookies and similar technologies (website)
Our marketing website (qahwa.io) may use essential cookies and similar technologies for security and basic functionality. We do not use invasive third-party advertising trackers on the customer app without disclosure and, where required, consent.
12. Third-party links
The Services may link to café websites or third-party payment wallets. Their privacy practices are governed by their own policies. We are not responsible for third-party sites you visit outside Qahwa.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version at https://qahwa.io/privacy and update the “Last updated” date. For material changes, we will provide notice in the app or by other appropriate means. Continued use after the effective date constitutes acceptance where permitted by law.
14. Contact & complaints
Privacy enquiries: [email protected]
General support: [email protected]
You may also lodge a complaint with the UAE Data Office if you believe your data protection rights have been violated.
Appendix — App Store privacy labels (summary)
For Apple App Store Connect / Google Play Data Safety declarations, the customer app may collect:
- Contact info: phone number, name, email (optional)
- Financial info: payment info (via Stripe; not stored on Qahwa servers)
- Location: coarse/precise (optional, for nearby cafés)
- User content: cup message, profile photo, gift message
- Identifiers: user ID, device/push tokens
- Usage data: product interaction, diagnostics
Data is not used for third-party advertising. Marketing use is opt-in.