Qtap is a loyalty platform that connects customers with local businesses. When you use the Qtap mobile app, you hold a single account that works across every participating business in your city. This document explains what information we collect when you use Qtap, why we collect it, who else sees it, and what control you have over it.
Qtap is operated by Qtap Inc., registered in Doha, Qatar. Our parent company is Qtap Loyalty LLC, registered in Delaware, USA. The parent company does not directly process your personal data. Qtap Inc. is the data controller responsible to you under this policy.
You can reach us at privacy@qtap.qa, WhatsApp +974 6677 6974, or [Office address to be filled]. To reach our Data Protection Officer, use the email above.
This policy is written to comply with Qatar's Personal Data Privacy Protection Law (Law No. 13 of 2016, the "PDPPL") and the EU General Data Protection Regulation ("GDPR"). If you are in another country, additional local laws may apply and this policy still gives you the protections they require.
Qtap works as a joint platform between us and the businesses you choose to join. The roles matter because they decide who you contact when you want to change or delete something.
Qtap is the controller of your Qtap account, your profile, your login details, the list of businesses you have joined, your tap and scan history across the network, your device information, and everything you do inside the Qtap app.
Each business you join is a joint controller for the loyalty relationship between you and that business. A business sees your loyalty activity at their store, runs campaigns for the customers who have joined their program, and decides what rewards they offer. They do not see your activity at other businesses.
If you want to stop a specific cafe from seeing you, you leave their loyalty program inside the app. If you want to leave Qtap entirely, you delete your account and you stop appearing for every business you had joined.
We collect only what we need to run your account and your loyalty relationships. We do not collect data to sell, to build advertising profiles, or to share with anyone outside the list in Section 5.
Your Qtap ID: a permanent identifier we generate for your account (the letter Q followed by seven characters). We use this so businesses never have to know your phone number to link a tap to you.
Loyalty activity: which businesses you have joined, your stamp or point balance at each, the rewards you have earned, and the rewards you have redeemed.
Tap and scan events: when you tap your phone on a Qtap device or scan a QR code, we record the business, the timestamp, the outcome, and your approximate location at that moment.
Campaign responses: whether you opened a message from a business, whether you acted on an offer, and whether you redeemed a reward tied to a campaign.
Qtap uses your location only at the moment you tap or scan. We do this to confirm that the tap actually happened at the business you think it did, and to prevent fraud. We do not track your location in the background. We do not collect your location when the app is closed or running behind other apps. You can revoke location access in your phone's settings at any time, but taps will not register without it.
Under PDPPL and GDPR, we must tell you the legal basis for every purpose we use your data for.
| What we do | Legal basis |
|---|---|
| Creating and running your account | Contract (our Terms of Service with you) |
| Recording your taps, stamps, and rewards | Contract |
| Sending transactional messages (stamp confirmations, reward redemption receipts) | Contract |
| Sending marketing messages from businesses you joined | Consent (you opt in per business, per channel) |
| Preventing fraud and abuse of the tap system | Legitimate interest in platform integrity |
| Running churn prediction and engagement analytics for businesses | Legitimate interest, with identifiable data visible only to the business that already knows you through their loyalty program |
| Meeting legal, tax, and accounting obligations | Legal obligation |
You can withdraw any consent you gave us at any time through the app settings. Withdrawing consent stops the use from that point forward and does not affect anything that already happened.
We share your data only with the companies that help us run Qtap, and only for the purposes below. Each is bound by a data processing agreement that limits what they can do with it.
| Who | What they do | Where they are based |
|---|---|---|
| Supabase Inc. | Hosts our database and authentication systems | United States |
| Apple Push Notification service | Delivers push notifications to your iPhone | United States |
| Firebase Cloud Messaging (Google) | Delivers push notifications to your Android phone | United States |
| Resend | Sends transactional emails | United States |
| Twilio | Sends SMS messages | United States |
| Sentry | Captures crash reports and errors | United States |
| PostHog | Product analytics | United States or EU |
| Anthropic (via API) | Powers churn prediction and personalization. Only aggregated or hashed data is sent, never raw name, email, or phone number | United States |
Businesses you join see your name, your loyalty activity at their store, and your communication preferences for their messages. They do not see your activity at any other business. They do not see your email or phone number in plain form unless you respond to them through Qtap's messaging.
We do not sell your data. We do not share it with advertising networks. We do not share it with other businesses who are not in your loyalty list.
We will disclose data when a Qatar court or competent regulator orders us to, when we have a legal obligation to report something, or when we need to protect someone's safety. We will tell you when this happens unless the law prevents us from doing so.
Qtap is based in Qatar, but some of the companies we rely on (Section 5) host data outside Qatar, mostly in the United States and the European Union. This is a cross-border transfer under PDPPL and GDPR.
We protect these transfers by using only providers who offer Standard Contractual Clauses or equivalent safeguards; signing data processing agreements with each provider; reviewing privacy and security practices before adding a provider; and encrypting data in transit and at rest. If you want a copy of the safeguards for any specific transfer, contact privacy@qtap.qa.
| Category | Retention |
|---|---|
| Active account data | For as long as your account is open |
| Tap, scan, and reward history while account is open | For as long as your account is open |
| Account after deletion | Personal identifiers removed within 30 days |
| Anonymized transaction records at a business | Kept by the business for their own records, with no link back to you |
| Crash logs and error reports | 90 days |
| Financial records required by Qatari law | 10 years (minimum required by Qatari tax and commercial laws) |
| Records of consent, withdrawal, and data requests | 3 years after the event |
Under PDPPL and GDPR, you have the following rights. Exercise any of them by emailing privacy@qtap.qa or by using the relevant button in the app.
Right to access: get a copy of the personal data we hold, in a machine-readable format.
Right to correct: fix anything that is wrong or out of date.
Right to delete: remove your account and the personal data tied to it. Section 9 explains exactly what happens.
Right to restrict: ask us to stop using your data while we resolve a dispute.
Right to withdraw consent: turn off any marketing communication at any time.
Right to object: tell us to stop using your data for a specific purpose based on legitimate interest.
Right to portability: receive your data so you can move it to another service.
Right to complain: if you think we mishandled your data, complain to Qatar's National Cyber Governance and Assurance Affairs (NCGAA), or to your local data protection authority if in the EU.
We respond to every request within 30 days. If a request is complicated, we may extend by another 30 days and tell you why. We never charge a fee unless the same person sends repeated requests about the same thing.
You can delete your Qtap account from Settings, Account, Delete Account. This is a permanent action.
If you delete your account by mistake, contact us within 14 days and we may be able to restore it. After 14 days, deletion is final.
No system is perfect. If we discover a breach that puts your personal data at risk, we will notify the relevant regulator within 72 hours (PDPPL Article 14, GDPR Article 33), and we will notify you directly if the breach is likely to seriously affect you.
Qtap is for users aged 16 and over. We do not knowingly collect data from anyone under 16. If we learn that someone under 16 has created an account, we will delete it and any related data. If you are a parent or guardian and you believe your child created a Qtap account, contact privacy@qtap.qa and we will act within 7 days.
When we change something material (what we collect, why we collect it, or who we share it with), we will post the updated policy in the app at least 14 days before it takes effect, send you a notification in the app, and for significant changes ask you to accept the new version before you can keep using Qtap. Minor updates (typos, clarifications) go live immediately and are noted in the "Last updated" date at the top.
If you prefer to contact the Qatar regulator directly, the National Cyber Governance and Assurance Affairs can be reached at https://assurance.ncsa.gov.qa.