Effective: 14 April 2026 · Version 2.0 · Applies to: Snap A Deal Cafes (Android & iOS)
Snap A Deal ("we," "us," or "our") operates the Snap A Deal Cafes mobile application — a cafe loyalty ecosystem that connects customers with participating cafes in Saudi Arabia. Customers earn and redeem loyalty points on every visit; cafe owners manage their listings, scan QR codes, and receive monthly invoices; and our admin team oversees the platform.
This Privacy Policy explains what personal data we collect when you use our app, how we use it, with whom we share it, and what rights you have. By downloading or using the app you agree to the practices described here.
Regulatory note: Snap A Deal operates as a loyalty-point service, not a payment processor. We invoice cafes for a service fee and do not process, hold, or transfer money on behalf of users. This model keeps us outside the scope of SAMA payment-processing regulations.
When you create an account we collect the information you provide directly. The exact fields depend on the registration method you choose:
| Registration Method | Data Collected |
|---|---|
| Email / Username | Username, email address, password (bcrypt-hashed, 12 rounds), display name, gender, date of birth (optional), referral code (optional) |
| Phone OTP (WhatsApp) | Mobile phone number, OTP verification code (not stored after verification), display name |
| Sign in with Apple | Apple-assigned stable user identifier, name (first sign-in only), email address or Apple private-relay address (first sign-in only) |
| Business Owner | All of the above plus: Commercial Registration (CR) number, VAT registration number, store name, IBAN (for payout requests) |
As you use the app we collect data about your interactions with the platform, including: profile picture (uploaded voluntarily), loyalty wallet balance and transaction history, QR check-in records (store ID, invoice amount, timestamp), points earned and redeemed, vouchers and offers redeemed, table reservations, event registrations, cafe reviews and ratings, cafe suggestions you submit, and your list of favourite cafes and friends.
We automatically collect certain technical data when you use the app: device push-notification token (Expo Push API), a single-device session token stored locally on your device (activeDeviceToken) to enforce single-device login, app version, and operating system type (iOS / Android). We do not collect device advertising IDs, fingerprints, or any persistent hardware identifiers beyond what is required for push notifications.
With your explicit permission, we access your device's GPS coordinates to show you nearby cafes on the map, pre-fill your location when you suggest a new cafe, and sort search results by distance. Location access is requested only when you use a location-dependent feature and is never collected in the background.
The app requests camera access for two purposes: (a) scanning a customer's QR code during the cashback check-in flow (business owners), and (b) uploading photos to a cafe listing or your profile. Camera frames are processed locally on your device; no video stream is transmitted to our servers.
When you use the in-app chat feature, message text, timestamps, and sender/recipient identifiers are stored in our database to display your conversation history. Messages are delivered in real time via an encrypted WebSocket connection. We do not read or analyse the content of private messages for advertising purposes.
Images you upload (cafe photos, menu images, profile pictures) and PDF menus submitted for AI extraction are stored on our servers. File metadata (URL, upload timestamp, uploader ID) is recorded in our database.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Registration data, device token | Contract performance |
| Authenticate your identity at login | Username/password, Apple ID, phone OTP, session token | Contract performance |
| Credit and track loyalty points | Check-in records, wallet transactions | Contract performance |
| Show nearby cafes on the map | GPS coordinates (real-time, not stored) | Consent |
| Send push notifications | Push token, notification preferences | Consent |
| Deliver real-time chat messages | Message content, conversation metadata | Contract performance |
| Process table reservations & event registrations | User ID, store ID, date/time, contact info | Contract performance |
| Generate monthly invoices for cafes | Transaction volume, fee tier, business owner details | Contract performance / Legal obligation |
| Operate the admin dashboard & platform analytics | Aggregated transaction data, user counts | Legitimate interest |
| Prevent fraud and enforce security | Login attempts, device tokens, IP addresses (rate limiting) | Legitimate interest |
| Send password-reset emails | Email address | Contract performance |
| AI-assisted menu extraction from PDF | Uploaded PDF content (processed, not retained) | Consent |
We do not sell your personal data, use it for targeted advertising, or share it with data brokers.
The app integrates with the following third-party services. Each provider has its own privacy policy governing how it handles data.
Sign in with Apple is used for account authentication on iOS devices. When you choose "Sign in with Apple," Apple authenticates you and returns a stable user identifier and, optionally, your name and email (or an Apple private-relay email address). Apple's identity token is verified server-side against Apple's public key infrastructure. Apple may offer you the option to hide your real email address; we accept and store the relay address in that case.
When you choose phone-number login, a one-time password (OTP) is delivered to your WhatsApp number via the Meta Business API. Your phone number is transmitted to Meta solely for OTP delivery. We do not store the OTP after verification is complete.
The Android version of the app uses Google Maps to display cafe locations and allow you to set a pin when suggesting a new cafe. Google Maps may collect device location and usage data in accordance with Google's policies.
Push notifications are delivered through the Expo Push API. Your device's push token is stored in our database and transmitted to Expo's servers solely to route notifications to your device. Expo does not have access to notification content beyond what is required for delivery.
Our primary application database is hosted on TiDB Cloud, a MySQL-compatible serverless database service. All data stored in TiDB is encrypted in transit (TLS) and at rest.
The cafe listing database and PHP API are hosted on GoDaddy shared hosting (snapadeal.co). GoDaddy provides the server infrastructure; we control all data stored on it.
User-uploaded images (cafe photos, profile pictures) and PDF menus are stored in an S3-compatible object store provided by the Manus platform. Files are accessible via HTTPS URLs embedded in the app.
Password-reset emails are sent via Brevo (formerly Sendinblue). Your email address is transmitted to Brevo solely to deliver the reset message.
No advertising SDKs: The app does not integrate AdMob, Google Analytics, Firebase Analytics, or any third-party advertising or behavioural-tracking SDK. All analytics are collected internally and used only for platform operations.
| Data Type | Storage Location | Region |
|---|---|---|
| User accounts, wallets, chat, events | TiDB Cloud (PingCAP) | Singapore (ap-southeast-1) |
| Cafe listings, transactions, offers | GoDaddy MySQL | Singapore |
| Uploaded images & PDFs | S3-compatible object storage | Singapore |
| Session token (JWT) | Device local storage (AsyncStorage) | Your device only |
We apply the following technical safeguards to protect your data:
| Measure | Detail |
|---|---|
| Password hashing | bcrypt with 12 salt rounds (app users) |
| Session tokens | HS256-signed JWTs; stored in device AsyncStorage; invalidated on logout |
| Single-device enforcement | Each login generates a new activeDeviceToken; previous device sessions are immediately invalidated |
| Transport encryption | HTTPS enforced on all API calls; TLS with rejectUnauthorized: true on database connections |
| Rate limiting | Login and OTP endpoints: 10 requests / 15 minutes / IP address |
| Role-based access control | All server endpoints require the appropriate role (customer / business / admin); enforced via JWT middleware |
| Apple token verification | Apple identity tokens are verified against Apple's public JWKS before any account action is taken |
Despite these measures, no system is perfectly secure. If you believe your account has been compromised, please contact us immediately at contact@snapadeal.co.
We do not sell, rent, or trade your personal data. We share information only in the following limited circumstances:
We share data with the third-party services listed in Section 4 (Apple, Meta/WhatsApp, Google Maps, Expo, TiDB Cloud, GoDaddy, Brevo) solely to the extent necessary to operate the app. These providers are contractually bound to protect your data and may not use it for their own purposes.
When you check in at a cafe, the cafe owner can see that a check-in occurred (store ID, timestamp, invoice amount). They do not receive your name, email, phone number, or wallet balance unless you initiate a chat conversation with them. Cafe owners can also see the list of users who attended their events or made reservations, as this is necessary to fulfil those services.
Your display name and profile picture are visible to other users when you use social features (chat, friends, nearby users). You control whether to share additional profile information. You can adjust your visibility settings in the app's Profile screen.
We may disclose your information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect the safety of any person, prevent fraud, or protect our rights and property.
If Snap A Deal is acquired, merged, or its assets are transferred, user data may be transferred as part of that transaction. We will notify you via the app or email before your data is subject to a different privacy policy.
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at contact@snapadeal.co.
The Snap A Deal Cafes app is not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
| Data Category | Retention Period |
|---|---|
| Account data (active account) | Retained for the lifetime of your account |
| Account data (deleted account) | Deleted within 30 days of account deletion request |
| Loyalty transaction records | 7 years (financial record-keeping obligation) |
| Chat messages | Retained while the conversation exists; deleted when both parties delete the conversation |
| Push notification tokens | Deleted on logout or account deletion |
| Uploaded images | Retained until you or an admin removes them |
| Login rate-limit logs (IP) | 15 minutes (in-memory only; not persisted) |
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes we will update the "Effective" date at the top of this page and, where appropriate, notify you through a push notification or an in-app banner.
Your continued use of the app after the updated policy takes effect constitutes your acceptance of the revised terms. If you do not agree, please stop using the app and contact us to request account deletion.
| Version | Date | Key Changes |
|---|---|---|
| 1.0 | 1 January 2023 | Initial policy |
| 2.0 | 14 April 2026 | Full rewrite: added Sign in with Apple, WhatsApp OTP, real-time chat, QR check-in, loyalty wallet, camera, single-device enforcement, updated third-party list, removed AdMob/Firebase references, added user rights grid and data retention table |
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please reach out to us: