Privacy Policy
How we handle your data at nuqtaty
Last updated: May 26, 2026 · Applies to every user of nuqtaty.com and every loyalty pass we issue
1. Who we are
nuqtaty (referred to below as "nuqtaty" or "we") is a cloud platform that issues digital loyalty cards stored directly inside Apple Wallet and Google Wallet. It is built for small merchants in Saudi Arabia — restaurants, cafés, salons, bakeries, car washes — who want a stamp card without making their customers download an app.
Based in: Saudi Arabia.
Privacy contact: info@nuqtaty.com or WhatsApp +962 78 297 9385.
2. What data we collect
We collect two distinct categories: data about merchants who subscribe to nuqtaty, and data about their end customers (the loyalty cardholders).
2.1 Merchant data (subscriber)
- First and last name
- Email address
- Phone number
- Business name
- Password (stored hashed; we cannot read it in plain text)
- Automatic technical signup data: IP address, approximate country and city, device and browser type, timezone
2.2 End-customer data (loyalty cardholder)
- Name (as entered by the customer when joining)
- Phone number
- Email, birthday and gender — only when the merchant has enabled those fields for their card
- Visit history and stamp count per card
- Apple Wallet / Google Wallet identifiers required to push updates to the pass (push tokens, device IDs)
We never collect payment data. We do not use advertising trackers. We do not set third-party cookies on the customer signup pages.
3. Why we use this data
- To create and run the loyalty card: issue the pass to Apple Wallet or Google Wallet, increment the stamp count after every visit, and redeem the reward when the card is full.
- Operational communication: pass-bound push notifications (reward ready, stamp added) and WhatsApp campaigns the merchant chooses to send to their own customers.
- Platform safety: detect and prevent fraud, verify the account belongs to a real human and a real business, prevent abuse.
- Service improvement: aggregated, anonymous analytics about platform usage (no individual records).
- Legal compliance: respond to lawful requests from competent KSA authorities.
4. Legal basis (PDPL)
Under the Saudi Arabia Personal Data Protection Law (PDPL), we rely on the following bases:
- Contract performance: your data is necessary to deliver the loyalty service you subscribed to or joined.
- Consent: when an end customer signs up, they explicitly consent to their data being stored on the merchant's loyalty card.
- Legitimate interest: protecting the service from fraud and improving user experience.
5. Who we share data with
We work with a limited number of trusted third-party processors:
- Apple Inc. — to issue the pass in Apple Wallet via the PassKit API. Apple receives only the data required to render the pass (merchant name, customer name, stamp count, update-token QR).
- Google LLC — to issue the pass in Google Wallet via the Google Wallet API. Same dataset as above. See Google Privacy Policy for details on how Google handles wallet pass data.
- Supabase (managed PostgreSQL) — to store the merchant and customer database.
- Vercel — to host the website and run the backend.
- WhatsApp Business API (Meta) — only when a merchant chooses to send a win-back campaign to their own customers via WhatsApp.
We do not sell your data to any third party. We do not use your data for any marketing outside the merchant you signed up with.
6. Cross-border data transfer
Our hosting providers (Supabase, Vercel) operate data centers that may be located outside Saudi Arabia (Asia / Europe / North America). We apply the contractual and technical safeguards required by Article 29 of the PDPL to ensure a comparable level of protection.
7. Your rights under PDPL
As a data subject in Saudi Arabia you are entitled to:
- Right to be informed: know how and why we use your data (this page).
- Right of access: request a copy of all data we hold about you.
- Right to correction: update inaccurate data.
- Right to deletion: have your account and data fully erased.
- Right to data portability: export your data in machine-readable CSV format.
- Right to object: object to specific processing of your data.
To exercise any of these rights, write to info@nuqtaty.com. We will respond within 30 days at the latest.
8. Data retention
- Active merchant accounts: kept as long as the subscription is active.
- Cancelled merchant accounts: retained for 90 days after cancellation (so the account can be reinstated), then permanently deleted. You may request immediate deletion at any time.
- End-customer data: deleted when the merchant removes that customer from their dashboard, or when the merchant account is closed.
- System logs: 30 days, then automatically purged.
9. Security
We apply technical and administrative measures appropriate to the data we hold, including:
- TLS encryption for all browser-to-server traffic
- Password hashing with bcrypt
- Database-level isolation between merchants via Row Level Security (RLS)
- Access-log monitoring for unusual activity
- Daily encrypted backups
10. Children's data
Our service is not directed at children under 18. We do not knowingly collect data from minors. If you become aware that a child has signed up, contact us and we will delete their data immediately.
11. Cookies
We use a minimal set of strictly necessary cookies:
- Session cookies to keep you signed in
- A language cookie to remember Arabic vs. English
We do not use advertising cookies or third-party analytics tools such as Google Analytics.
12. Updates to this policy
We may update this policy from time to time. For any material change we will publish the new version here and update the "Last updated" date at the top. For significant changes we will also email merchants.
13. Filing a complaint
If you believe nuqtaty has not handled your data correctly, you can:
- Contact us first at info@nuqtaty.com
- File a complaint with the Saudi Data and AI Authority (SDAIA) at sdaia.gov.sa
