Privacy Policy

Effective Date: August 6, 2025

QuickBuy.io (“Company”, “we”, “us”) provides restaurant management software-as-a-service (SaaS) to businesses across the UAE and internationally. This Privacy Policy describes how we collect, use, store, and protect your personal data in accordance with applicable laws including the UAE Personal Data Protection Law (PDPL), General Data Protection Regulation (GDPR), and other relevant privacy laws.

1. Information We Collect

We collect and process the following categories of personal and business information:

A. Account Information

  • Full name, email address, phone number
  • Business name, commercial registration number, VAT number, business type, location(s)
  • Login credentials, role/permission level

B. Restaurant Business Data (Client-Provided)

  • Menu items, categories, pricing structures, tax configurations
  • POS data including sales transactions, order details, table numbers
  • Customer data (name, phone number, order history, feedback)

C. Employee Data

  • Employee names, roles, shifts, schedules, salaries, attendance records

D. Usage & Device Data

  • IP address, browser type, device model, operating system, language preference, time zone
  • Log data, feature usage history, crash reports, mouse interactions (for UX improvement)

E. Uploaded Content

  • Logos, photos, menu files, PDFs, promotional banners, or business certificates uploaded by clients to their dashboard or mobile app

F. Payment & Billing Data

  • Stripe customer ID, last four digits of credit card (if provided), billing address, VAT details, transaction history

2. How We Use Your Information

We process your data for the following purposes:

  • To provide, maintain, and improve our restaurant management platform
  • To manage user registration, permissions, and authentication
  • To deliver key features such as POS, inventory, shift scheduling, and analytics
  • To process and manage payments and generate invoices
  • To provide technical and customer support
  • To send legal notifications, security alerts, and system updates
  • To contact you with optional marketing communications (only upon consent)
  • To fulfill any legal or regulatory obligations

3. Legal Bases for Processing

We rely on one or more of the following legal bases:

  • Performance of a Contract: Most data processing is necessary to provide our SaaS platform to you under agreed terms.
  • Legitimate Interest: Includes analytics, security, fraud prevention, and improving our services.
  • Consent: Used for sending marketing emails or placing non-essential cookies.
  • Legal Obligation: Includes billing records, tax reporting, fraud reporting, and court-ordered compliance.

4. Third-Party Data Sharing

We may share your data with trusted processors and infrastructure providers, strictly for delivering the core functionality of our platform:

  • Stripe – Payment processing
  • Google Analytics – Website and app usage tracking
  • Twilio / SendGrid – Notification emails and SMS alerts
  • Firebase (Google Cloud) – Real-time database and user authentication
  • Amazon Web Services (AWS) – Cloud storage and application hosting
  • Legal Authorities or Regulators – When compelled by law or for audit purposes

All third parties are contractually bound to use the data only in accordance with this policy and relevant regulations.

We do not sell, rent, or commercialize your or your customers' data under any circumstances.

5. International Data Transfers

We may store or process data outside of your country, including in data centers in the UAE, EU, and the United States. When transferring personal data across borders, we implement safeguards such as:

  • Data encryption during transit and at rest
  • Access controls and internal audit logging
  • Standard Contractual Clauses (SCCs) where required
  • Sub-processor due diligence and security commitments

6. Data Retention

We retain personal data only as long as necessary to fulfill the purposes described:

  • Account and business data: Retained for the lifetime of the subscription + 12 months
  • POS and transaction records: Retained for 5 years to comply with VAT and commercial law
  • Customer order data: Retained for 2 years unless deleted by the controller (restaurant)
  • Marketing contacts: Deleted upon unsubscribe or inactivity
  • Support tickets and logs: Retained for 12–24 months for audit and QA purposes

7. Your Rights

Depending on your location and applicable law, you may exercise the following rights:

  • Right of Access – Obtain a copy of your personal data
  • Right of Rectification – Update incorrect or outdated information
  • Right to Erasure – Delete your data (subject to legal exceptions)
  • Right to Restriction – Limit how we process certain data
  • Right to Data Portability – Receive a machine-readable copy of your data
  • Right to Object – Object to marketing or profiling
  • Right to Withdraw Consent – Where processing is based on consent

To exercise any of these rights, email us at info@quickbuy.io. We may require identity verification before acting on certain requests.

8. Security Measures

We are committed to protecting your data using organizational, technical, and physical safeguards:

  • Encryption for all traffic in transit (SSL/TLS) and for at-rest storage
  • Role-based access control (RBAC) for user data segmentation
  • Two-factor authentication for admin and support tools
  • Continuous monitoring and threat detection
  • Daily backups and data integrity verification
  • Limited employee access with signed confidentiality agreements

Despite our best efforts, no system is 100% secure. We encourage all users to follow strong password practices and enable 2FA.

9. Children's Privacy

Our platform is not designed or intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe that a child has provided us with personal data, contact us immediately and we will delete it promptly.

10. Processor vs Controller Roles

In relation to data entered into our platform by restaurants (such as customer names, order details, or employee schedules):

  • QuickBuy.io acts as a Data Processor under GDPR and UAE PDPL.
  • The subscribing restaurant is the Data Controller and remains solely responsible for the accuracy and legality of that data.
  • We process this data only on their documented instructions, and never use it for our own purposes.

11. Cookies and Tracking

We use cookies and other tracking technologies for core functionality and analytics. By default:

  • Essential cookies: Always enabled for security and session management
  • Analytics cookies: Optional, require consent (e.g., Google Analytics)
  • Marketing cookies: Only set with user permission

You may manage cookie preferences through our Cookie Policy and browser settings.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our legal obligations or service offerings. Material changes will be communicated through email or your dashboard. Continued use of the service after changes indicates acceptance.

Previous versions are archived and available upon request.

13. Contact Information

For any concerns, rights requests, or legal queries:

QuickBuy Data Protection Officer

Email: info@quickbuy.io

Dubai, United Arab Emirates

We aim to respond to all inquiries within 14 days.