Now live in Qatar - Join the beta and get your first month free
scroll to top button icon

Merchant Privacy Policy

Last updated: 25 April 2026 - Version 1.0 - For businesses using the Qtap Dashboard

1. Who we are

Qtap is a loyalty platform for small and independent businesses. This document explains what we do with personal data that belongs to you as a Qtap merchant, including the business owner, authorized signatories, and any staff members who use the Qtap Dashboard.

Qtap is operated by Qtap Inc. , registered in Doha, Qatar. This is the entity that acts as the controller of your personal data for the purposes of this policy. Our parent company is Qtap Loyalty LLC , registered in Delaware, USA. The parent company does not directly process your personal data.

You can reach us at:

  • Privacy: privacy@qtap.qa
  • Support: support@qtap.qa
  • WhatsApp: +974 6677 6974
  • Address: [Office address to be filled]

This policy is written to comply with Qatar's Personal Data Privacy Protection Law (Law No. 13 of 2016, the "PDPPL"), the EU General Data Protection Regulation ("GDPR"), and comparable data protection laws.

2. Who this policy is for

This policy applies to you if you are:

  • The business owner or an authorized signatory who signed up your business for Qtap
  • A staff member who has been given a login to the Qtap Dashboard
  • Anyone who interacts with Qtap's sales, support, or billing teams on behalf of a business

If you are a customer using the Qtap mobile app, a different privacy policy applies, published at qtap.qa/legal/privacy.

If you are wondering how customer data is handled when a merchant uses Qtap, that is covered by the Customer Privacy Policy and the Qtap Data Processing Addendum, not by this document.

3. What we collect about you

Information you give us at signup

  • Business name and legal name
  • Business address and operating locations
  • Business registration number and tax ID, where required
  • Your full name, role, email, and phone number as the signing authority
  • Password, stored as a hash that we cannot read

Information you add when using the dashboard

  • Staff accounts you create: name, email, role, and permissions
  • Business details: logo, branding, operating hours, menu or service descriptions
  • Campaigns, reward rules, and loyalty program configuration
  • Support messages you send us
  • Your communications with sales and account management

Information generated by your use

  • Login times, IP addresses, and device or browser information
  • Dashboard actions (what you clicked, what you created, what you deleted)
  • API usage, where applicable
  • Error reports tied to your account

Billing data

  • Payment method metadata (the full card number itself stays with Stripe, not Qtap)
  • Billing address
  • Invoices, receipts, and transaction history
  • Subscription plan, billing cycle, renewal and cancellation history

Information we do not collect

  • We do not collect personal financial data beyond what is necessary for billing
  • We do not collect biometric data, health data, or special categories of personal data
  • We do not collect your customers' personal data under this policy. That is governed by the Customer Privacy Policy and the DPA

4. Why we collect it and legal basis

Under PDPPL and GDPR, we must tell you the legal basis for each use.

What we doLegal basis
Running your merchant account and your subscriptionContract (Merchant Services Agreement)
Billing you and processing paymentsContract plus legal obligation for tax and accounting
Providing supportContract plus legitimate interest in running the service
Sending you service updates, downtime alerts, and billing notificationsContract
Sending you product news, newsletters, and promotional messagesConsent (you can opt out at any time)
Preventing fraud, abuse, and security incidentsLegitimate interest
Meeting tax, accounting, and commercial record-keeping lawsLegal obligation
Improving our service through aggregated analyticsLegitimate interest

You can withdraw any consent you gave, such as for newsletters, at any time. Withdrawal stops the use from that point forward and does not affect anything that already happened.

5. Who we share your data with

We share your data only with the companies that help us run the service for you, and only for the purposes below.

WhoWhat they doWhere
Supabase Inc.Database and authentication hostingUnited States
StripeProcesses your subscription payments and stores your payment methodUnited States
ResendSends transactional and billing emailsUnited States
TwilioSends SMS notifications where you have opted inUnited States
SentryCaptures error and crash reportsUnited States
PostHogDashboard analytics (which features get used)United States or EU
Accounting and legal advisorsTax filings, audits, and legal adviceQatar and other countries

We do not sell your data. We do not share it with advertising networks. We do not share it with other merchants.

We will disclose data when a court or competent regulator orders us to, when we have a legal obligation to report something, or when we need to protect someone's safety. Where permitted, we will notify you before we do.

If Qtap is acquired or merges with another company, your data may be transferred as part of the business assets. We will notify you before such a transfer and give you the chance to close your account if you object.

6. Where your data lives

Your data is processed in Qatar, the United States, and the European Union, depending on which of our service providers is handling it at a given time.

Transfers outside Qatar are protected by:

  • Standard Contractual Clauses where the destination is outside the EU or UK
  • Written data processing agreements with every sub-processor
  • Encryption in transit and at rest
  • Periodic review of each provider's security practices

If you are based in the European Economic Area, the United Kingdom, or another jurisdiction with strict cross-border rules, you can request a copy of the specific safeguards for any transfer by emailing privacy@qtap.qa.

7. How long we keep your data

CategoryRetention
Active account dataFor the duration of your subscription
Billing records and invoices10 years (minimum required by Qatari tax law)
Support communications3 years after the last interaction
Login logs2 years
Marketing consent records3 years after withdrawal
Data after account terminationPersonal identifiers deleted within 30 days, except where law requires longer retention

For what happens to customer data when your merchant account is closed, see the DPA and the Customer Privacy Policy.

8. Your rights

Under PDPPL and GDPR, you have the following rights:

  • Access: get a copy of the personal data we hold about you
  • Correct: fix anything that is wrong or out of date
  • Delete: ask us to remove personal data that is no longer needed, subject to legal retention obligations
  • Restrict: pause our use of your data while we resolve a dispute
  • Object: ask us to stop a specific use that is based on legitimate interest
  • Portability: receive your data in a machine-readable format
  • Withdraw consent: for anything that relies on your consent, such as marketing
  • Complain: to Qatar's National Cyber Governance and Assurance Affairs (NCGAA), or to your local data protection authority

Email privacy@qtap.qa to exercise any of these rights. We respond within 30 days. If the request is complex, we may extend by another 30 days and tell you why.

Some of your data is tied to the business you represent, not to you personally. If your role at the business ends (for example, you leave the company), the business may continue to hold the account. In that case, requests about business data need to come from the current authorized signatory.

9. Security

We apply the following security practices:

  • TLS 1.3 encryption in transit
  • Encryption at rest for all databases
  • Multi-factor authentication for all Qtap staff with production access
  • Role-based access control inside the dashboard and our internal systems
  • Logging of every administrative access to merchant accounts
  • Regular security reviews and vulnerability patching
  • 72-hour breach notification to the NCGAA and, where required, to you directly

Staff accounts you create are your responsibility. Use strong passwords, enable MFA where available, and revoke access for staff who leave your business.

10. Cookies and similar technologies

The Qtap Dashboard uses cookies and similar technologies to keep you logged in, remember your preferences, and understand how the dashboard is used. A separate cookie notice is available at qtap.qa/legal/cookies and in the dashboard footer.

11. Age requirement

The Qtap Dashboard is for use by businesses and adult staff members only. You must be at least 18 years old to use it.

12. Changes to this policy

When we change something material, we will:

  • Email you at the address on your account at least 14 days before the change takes effect
  • Post the updated policy in the dashboard
  • For significant changes (new categories of data, new purposes, new third-party recipients), ask you to acknowledge before continuing

Minor updates (typos, formatting) go live immediately and are reflected in the "Last updated" date at the top.

13. How to reach us

  • Privacy: privacy@qtap.qa
  • General support: support@qtap.qa
  • Legal notices: legal@qtap.qa
  • WhatsApp: +974 6677 6974
  • Mail: [Qtap Inc. office address in Doha, Qatar]

If you prefer to contact the Qatar regulator directly, the NCGAA can be reached at https://assurance.ncsa.gov.qa.

WhatsApp contact icon