Privacy Policy
Last updated: 28 April 2026.
This Privacy Policy explains what personal data RestoSnap collects when you use our Service, why we collect it, how we use it, and your rights. By using the Service you agree to the practices described below.
What we collect
We collect only the data needed to operate the Service for you:
| Data | When collected | Why |
|---|---|---|
| Email address | At signup or sign-in | Account identifier; password reset |
| Hashed password | At signup | Authentication (we never store the plain password) |
| Name (optional) | At signup | Personalization |
| Google profile (if you use Google sign-in) | At first Google sign-in | Authentication; name & avatar |
| Business data you enter (items, deliveries, expenses, counts, prices) | While you use the Service | To compute and display the figures the Service is designed to show |
| Session cookie | While you are signed in | To keep you signed in across pages |
| Server-side logs (request URL, status code, IP, timestamp) | Automatic | Operations, security, troubleshooting |
We do not collect: device fingerprints, advertising IDs, cross-site tracking data, or analytics from any third party.
How we use it
- To operate the Service: authenticate you, store your data, compute reports, send you transactional notifications.
- To keep the Service working: detect abuse, debug errors, plan capacity.
- To contact you about your account, security incidents, or material changes to these terms.
We do not:
- sell your data;
- share your data with advertisers;
- use your data to train external AI/ML models;
- access your data except as needed to operate the Service or as required by law.
Where it lives
Your data is stored on servers located in:
- United Arab Emirates (frontend, application servers — GoDaddy and Hetzner data centres in the UAE).
- Germany / Finland (database server and replicas, Hetzner data centres in the EU).
Data may transit between these locations as part of normal operation.
How long we keep it
- Account data: while your account is active. If you delete your account, we delete or anonymize it within 90 days.
- Backups: automated daily backups of the database are kept for 30 days. Deleted data may persist in backups until they expire.
- Server logs: 90 days, then deleted.
Your rights (UAE PDPL)
Under the UAE Personal Data Protection Law you have the right to:
- Access the personal data we hold about you.
- Correct any data that is inaccurate or incomplete.
- Delete your account and personal data (with the limitations noted above for backups).
- Object to or restrict certain types of processing.
- Receive your data in a portable format (JSON / Excel via the built-in export tools).
- Withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email tm.alsayed@gmail.com with the request and we will respond within 30 days.
Security
We protect your data with:
- HTTPS / TLS 1.3 for all traffic;
- bcrypt-hashed passwords (never stored in plain text);
- per-store data isolation (you cannot see another store's data);
- firewalls (UFW) restricting database access to authorized servers only;
- fail2ban brute-force protection;
- daily encrypted backups;
- root SSH disabled on every server;
- principle of least privilege for all administrative access.
No system is perfectly secure. If we become aware of a security breach affecting your data, we will notify you and the relevant UAE authorities as required by law.
Cookies
We use one cookie: connect.sid (the session cookie). It keeps you signed in across pages. We do not use any analytics, advertising, or tracking cookies.
Children
The Service is not intended for users under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.
Changes
We may update this Policy from time to time. The "Last updated" date at the top indicates the current version. We will notify you of material changes by email or in-app notice.
Contact
For privacy questions or to exercise your rights: tm.alsayed@gmail.com