1. What this policy is
TapReserve.Ai is a suite of three products — TapReserve.Ai POS, TapReserve.Ai QR, and TapReserve.Ai SoftPOS — operated by Flamboyant Technologies FZCO (Dubai, UAE) and Flamboyant Technologies Pvt Ltd (India). To deliver these Products to merchants we handle personal data — yours as a merchant, and your customers'. This policy explains what we collect, why, how long we keep it, who we share it with, and the rights you and your customers have.
It is written primarily for merchants in Dubai and the wider UAE, but applies to every individual whose data we handle in connection with the Products, wherever they are.
2. Controller and processor
A controller decides what data is collected and why. A processor handles data on the controller's behalf, under their instructions. We wear both hats depending on which data is in question:
- Controller for the data we collect about you as a merchant — your account, business details, billing, usage, support history, our marketing and product communications with you.
- Processor for the data your business collects from your customers, staff, and suppliers through the Platform — names, contacts, orders, payment metadata, reservations, loyalty, communications. You decide what to collect and why; we run the systems. The contractual terms for this are in our Data Processing Addendum (DPA), part of your Master Subscription Agreement.
When we act as processor, we do so on your instructions. If you ask us to do something with personal data that we cannot lawfully do, we'll tell you and won't do it.
3. Laws we comply with
We apply the strictest applicable standard. The laws that shape our handling of personal data include:
- UAE federal — Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its Executive Regulations, supervised by the UAE Data Office. Full compliance is expected by 1 January 2027; we are operating to that standard now.
- DIFC — DIFC Data Protection Law (Law No. 5 of 2020, amended July 2025), supervised by the DIFC Commissioner of Data Protection.
- ADGM — Data Protection Regulations 2021, supervised by the ADGM Office of Data Protection.
- KSA — Personal Data Protection Law (Royal Decree M/19 of 2021, as amended), supervised by the Saudi Data and AI Authority.
- India — Digital Personal Data Protection Act 2023 and the Information Technology Act 2000.
- EU / EEA / UK — GDPR (Regulation (EU) 2016/679) and UK GDPR, where you serve customers there or are established there.
- South Africa — Protection of Personal Information Act (POPIA).
- Payments and other sectoral law — PCI-DSS v4.0; CBUAE rules for retail payment services; UAE VAT, KSA VAT and ZATCA, India GST, EU/UK VAT, SARS, as relevant.
Where multiple regimes apply (e.g. UAE PDPL and DIFC), we follow both and apply the stricter rule on any conflict.
4. Data we collect about merchants
We collect this data because you are our customer:
- Identity and contact — names, business name (trading and legal), owner/signatory name, email, phone, address.
- Business and licensing — trade licence number, jurisdiction, TRN where VAT-registered, GSTIN where applicable, MOA/constitutional documents where required.
- KYC — identity documents for the owner or signatory and other documents required for AML and acquirer onboarding.
- Billing — payment method (tokenised with our subscription processor; we do not store full card numbers), billing address, VAT/tax registration details, invoice history.
- Account and configuration — users (administrators, cashiers, managers, staff), roles, outlets, menus, catalogue, tax settings, integrations, dashboard preferences.
- Authentication and audit logs — each login (timestamp, IP, device, success/failure) and key actions (sales, voids, refunds, price overrides, configuration changes) with the user who performed them, surfaced through the merchant dashboard. Staff authenticate by email and password — see §6 on biometrics.
- Usage — features used, devices, IP addresses, app/browser versions, diagnostic telemetry.
- Support and communications — tickets, emails, chat content, and (where you have been informed in advance) call recordings.
We collect only what we need for a purpose listed in §7.
5. Data we process on a merchant's behalf
When your customers transact, book, or interact with you through the Platform, the data sits in your account. You're the controller; we process on your instructions:
- Customer identity and contact — name, mobile, email; only if you choose to collect them: date of birth, nationality, address, language preference.
- Transaction and order history — items, modifiers, prices, taxes, discounts, time, outlet, cashier, channel (dine-in, takeaway, delivery, online, in-room, kiosk).
- Payment data — for card payments, only tokens and metadata (truncated PAN, scheme, expiry, authorisation code, transaction reference). Full PAN, CVV, and track data never enter our application database. For other tenders (cash, wallet, voucher, bank transfer) we hold method and reference only.
- Reservation data — date, time, party size, table or seat preference, special requests (including dietary or accessibility notes — see §6).
- Loyalty and CRM data — membership identifiers, points, preferences, marketing consents the customer has given to your business.
- Communications sent through the Platform — SMS, WhatsApp, or email content sent on your behalf, send times, delivery status.
- Behavioural data on customer-facing surfaces — if you operate online ordering or reservation widgets, browsing and interaction data from those surfaces, subject to the cookie consent your End-Customer provides under our Cookie Notice and yours.
6. Sensitive personal data
We minimise sensitive data. We do not handle:
- Biometric data — no facial recognition, fingerprint, or voiceprint anywhere in the Platform. Staff authentication is email + password only.
- CCTV — no integration.
- Voice or call recording integration — we do not capture or store voice or call audio as part of the Platform.
We may process limited operational sensitive data where you collect it for a legitimate operational purpose — for example, dietary requirements (allergies, religious restrictions, vegetarian/vegan), or accessibility requirements on a reservation. Treat such data with extra care and collect it only where your customer reasonably expects you to (for example, allergy fields on a reservation form).
Health data, religious or political views, sexual life, criminal records — we do not knowingly process. If you upload such data, you are the controller and responsible for the legal basis; we will work with you on appropriate safeguards but may decline to continue processing if we believe it cannot be done lawfully.
7. Purposes and legal bases
| Purpose | Data | Legal basis |
|---|---|---|
| Provide the Platform to you | Account, configuration, authentication | Performance of contract (PDPL Art. 5(2); GDPR Art. 6(1)(b)) |
| Process your customers' data per your instructions | Customer Personal Data per §5 | Performance of contract with you; you set the basis with your customers |
| Bill and collect payment | Billing data, subscription payment token | Performance of contract; legal obligation (VAT, accounting) |
| Comply with KYC, AML, sanctions | KYC documents | Legal obligation |
| Secure the Platform, prevent fraud, detect abuse | Authentication and audit logs, usage data | Legitimate interests (PDPL Art. 5(7); GDPR Art. 6(1)(f)) |
| Support and communicate with you | Support content, contact data | Performance of contract; legitimate interests |
| Improve the product (aggregated analytics) | Usage data, aggregated and de-identified | Legitimate interests |
| Direct marketing to merchants | Contact data and preferences | Consent (or soft opt-in where lawful) |
| Comply with tax and accounting law | Transaction records, invoices | Legal obligation |
| Defend or pursue legal claims | Whatever is relevant to the claim | Legitimate interests; legal obligation |
Where the legal basis is consent, you (or your customer) can withdraw it at any time. Withdrawal doesn't affect prior lawful processing.
8. Cookies and similar technologies
Our use of cookies and similar tracking technologies on our website, the merchant dashboard, and customer-facing widgets we host is governed by our Cookie Notice at tapreserve.ai/cookies. In summary, we use:
- Strictly necessary cookies for login, session, and security — always on.
- Functional cookies for preferences (language, region) — with your consent.
- Analytics cookies for aggregated, first-party analytics — with your consent.
- Marketing cookies only with your explicit consent, never on by default.
For customer-facing widgets you embed on your own website (TapReserve.Ai QR, online ordering), you are the controller for cookies on that surface; we provide a configurable banner you can enable in the dashboard.
9. AI features and automated decisions
Some Platform features use AI — sales forecasting, procurement forecasting, conversational reporting, menu engineering, AI day-end reconciliation, and item categorisation among them. Our commitments:
- All AI processing runs within our managed AWS Middle East (UAE) environment. We do not send personal data to any third-party generative AI provider.
- AI produces suggestions, not decisions. No automated decision-making produces legal or similarly significant effects on individuals without human review. The Platform suggests; humans (you and your staff) decide.
- Training data is your data only when you have consented or where we have a clear legal basis. We do not use your Customer Personal Data to train models that benefit other merchants without aggregation and de-identification appropriate to the use.
- Right to human review. Where AI affects an individual significantly, the individual has the right to request human review (PDPL Art. 22; GDPR Art. 22).
If we ever change these commitments, we will update this policy per §17 and notify subscribed merchants in advance.
10. Who we share data with
We do not sell personal data. We share only with parties needed to operate the service, comply with law, or protect rights:
- Sub-processors who help us operate the Platform — including our cloud hosting provider (AWS Middle East), payment processors and acquirers (Network International, Magnati), SMS/email gateways, support tooling, and others. The current list is at tapreserve.ai/sub-processors, and we commit to giving you 45 days' notice before adding a new one (DPA §7.3).
- Acquirers and payment networks — for the payments your customers make.
- Accredited service providers for e-invoicing — UAE Peppol PINT AE, KSA ZATCA, India GST IRP, EU and UK Peppol Access Points, South Africa SARS-aligned providers. These submit invoice data to the relevant tax authority on your behalf.
- Tax and regulatory authorities — UAE Federal Tax Authority, ZATCA, India GST authorities, EU member-state tax authorities, HMRC, SARS — as required by law.
- Government authorities and law enforcement — only where legally required, and where we have validated the request. We resist over-broad requests and inform you where lawful.
- Professional advisers (auditors, lawyers) under professional duties of confidence.
- Successor entities in case of business sale, merger, or restructuring — with continuity of obligations.
11. Where data is stored and cross-border transfers
Production hosting is on AWS Middle East (UAE region, Dubai data centres). Customer Personal Data is stored in the UAE.
Cross-border situations:
- Flamboyant's engineering team in India has remote access to production systems for operations, support, and incident response. This is a cross-border transfer from the UAE to India. Safeguards: contractual obligations between our UAE and India entities, technical access controls, audit logging, MFA, encrypted sessions, no local copies on engineer machines.
- Where you serve customers outside the UAE (for example, EEA customers using your online ordering widget), the relevant cross-border transfer rules apply. Mechanisms are documented in our DPA Annex 4 — EU SCCs (Commission Decision (EU) 2021/914), UK IDTA, and equivalents under PDPL, DIFC, and ADGM as those regimes prescribe them.
We do not transfer Customer Personal Data to jurisdictions without an appropriate transfer mechanism in place.
12. Retention
| Data | Retention |
|---|---|
| Active account configuration and Customer Personal Data | Duration of subscription |
| Audit logs and security logs | 12 months active; longer if needed for investigation or legal claim |
| Tax-relevant records (invoices, VAT) | 5 years (UAE FTA); longer where local law requires (e.g. KSA, India) |
| KYC and AML records | 5 years after end of relationship |
| Marketing data (merchant-facing) | Until consent withdrawn or 24 months since last engagement |
| Backups | 35 days rolling |
| Post-termination — Customer Personal Data return/deletion | 90 days grace period; immediate live deletion on written request; backups age out per rotation (DPA §13) |
13. Security
Detail is in our Information Security Policy and DPA Annex 2; we share both under NDA on request via our Trust Centre at tapreserve.ai/trust. In summary:
- Encryption — TLS 1.2+ in transit, AES-256 at rest, AWS KMS-managed keys.
- Access controls — MFA mandatory for production access; least privilege; just-in-time elevation; full audit logs.
- Network — segmentation, private subnets, restricted egress, WAF, DDoS protection at the AWS edge.
- Application security — SDLC controls, peer code review, SAST/SCA/DAST, dependency management, vulnerability patching to defined SLAs.
- Monitoring — security monitoring with anomaly detection; SIEM; 24×7 alerting.
- People — pre-engagement checks, mandatory training, joiner/mover/leaver controls with same-day access revocation.
- Independent assurance — ISO/IEC 27001:2022 certified ISMS; annual third-party penetration testing; PCI-DSS SAQ-A maintained annually.
14. Your rights — and your customers' rights
Under PDPL, DIFC, ADGM, GDPR/UK GDPR, India's DPDP Act, POPIA, and KSA PDPL (with variations between regimes), data subjects have these rights:
- Access — confirm we hold their data and receive a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion where conditions are met.
- Restriction — limit our processing in specific cases.
- Portability — receive their data in a structured, commonly-used, machine-readable format.
- Objection — to processing on grounds of legitimate interests or direct marketing.
- Withdrawal of consent — where processing relies on consent.
- Not be subject to solely automated decisions producing significant effects — human review available.
- Lodge a complaint with the relevant supervisory authority (§18).
To exercise rights against us as controller (data about you as a merchant), contact rajat@tapreserve.ai. We respond within 30 days (extendable by 60 days for complex requests, with reasons).
To exercise rights as a customer of a merchant, contact the merchant directly (the merchant is the controller for that data). We support merchants in responding via dashboard tools and via the DPA §8 process.
15. Children's data
The Platform is not intended for children under 18, and merchants should not knowingly collect data from children through the Platform without parental or guardian consent and a clear lawful basis. Where a merchant's business model legitimately serves families (for example, family entertainment, in-room dining including minors), the merchant is responsible for age-appropriate consent and processing.
UAE Federal Decree-Law No. 26 of 2025 on Child Digital Safety applies where relevant; equivalent provisions in DIFC, ADGM, KSA, India's DPDP Act, GDPR, and POPIA apply in their respective jurisdictions.
If we become aware that we hold data from a child without appropriate consent, we will delete it without undue delay.
16. Breach handling
If there's a Personal Data Breach:
- We detect through monitoring, vendor notification, customer report, or researcher disclosure under our Vulnerability Disclosure Policy at tapreserve.ai/security.
- We contain and remediate per the Incident Response Plan.
- We assess risk to affected individuals.
- We notify you (as Customer and controller for Customer Personal Data) within 72 hours of becoming aware (DPA §9).
- We notify the relevant Supervisory Authority where required — UAE Data Office, DIFC Commissioner, ADGM ODP, EEA/UK supervisory authorities, KSA SDAIA, India authorities, South Africa Information Regulator — within their statutory timelines.
- We notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms.
Communications are drafted in English and, where the audience requires, Arabic.
17. Changes to this policy
Material changes — new categories of data, new sub-processors, new purposes, changes to cross-border transfer mechanisms, material security changes — are notified to active merchants at least 30 days in advance via dashboard banner and email. Minor changes (clarifications, wording) are published and noted in §22 document control. The effective date and last-updated date at the top are updated on every change.
18. How to reach us, and how to complain
- Data Protection Officer and all privacy enquiries: rajat@tapreserve.ai
- UAE postal address: Flamboyant Technologies FZCO, Dubai Silicon Oasis, IFZA, Dubai, UAE.
- India postal address: Flamboyant Technologies Pvt Ltd, 8th Floor, Majestic Sygnia, A-2,3, Sector 62, Noida, India.
- Support: through the dashboard support channel.
If we have not resolved your concern, you may complain to the supervisory authority that applies to you:
- UAE Data Office (uaedataoffice.ae) — PDPL
- DIFC Commissioner of Data Protection (difc.com) — DIFC entities
- ADGM Office of Data Protection (adgm.com) — ADGM entities
- Saudi Data and AI Authority (sdaia.gov.sa) — KSA PDPL
- Your local EEA/UK supervisory authority — for GDPR or UK GDPR matters
- Information Commissioner of India under the DPDP Act
- South Africa Information Regulator (inforegulator.org.za) — POPIA
19. Product-specific notes
The body of this policy applies to all three Products. The following Product-specific notes call out where data handling differs by Product.
TapReserve.Ai POS
The POS is the merchant-operated platform. Most of the data described in §4 (about you) and §5 (about your customers and staff) is processed through POS. Configuration choices you make in POS — what reservation fields you collect, what loyalty data you keep, which integrations you enable — directly determine what data we process on your behalf.
TapReserve.Ai QR
QR is customer-initiated. When an End-Customer scans a QR code at your venue, the Platform displays your menu and bill, generates a payment session, and (where you offer it) captures booking, ordering, and review data. We do not see, store, or transmit cardholder data — payment is handled by your payment partner's hosted page or SDK. The End-Customer's relationship is with you (the merchant); your privacy notice and your service terms apply to them, not ours.
TapReserve.Ai SoftPOS
SoftPOS runs as an application on payment-partner EDC terminals (Network International M90, A880, A485, and others). The terminal hardware, its firmware, and the PCI-validated payment kernel are owned by the payment partner. We are responsible for the application layer only. We do not see, store, or transmit cardholder data. Transaction-level metadata (token, masked PAN, scheme, amount, authorisation reference) flows through the Platform for reconciliation and reporting.
20. GDPR addendum — when European law also applies
Where GDPR or UK GDPR applies to you or your customers, the additional terms below apply alongside the body of this policy:
- Lawful bases as set out in GDPR Art. 6 (and Art. 9 for special categories) apply as identified in ยง7.
- Cross-border transfers out of the EEA / UK use EU SCCs (Commission Decision (EU) 2021/914) and the UK International Data Transfer Addendum (in force from 21 March 2022), supplemented by transfer impact assessment where required.
- Data subjects have the rights in GDPR Articles 15–22 and may complain to their local supervisory authority.
- Breach notification follows GDPR Art. 33 (to supervisory authority within 72 hours) and Art. 34 (to data subjects without undue delay where high risk).
- Our EU representative is appointed where required; details available on request.
21. DIFC, ADGM, KSA, India, and South Africa addendum
If you are registered in DIFC — DIFC DP Law 5/2020 (as amended July 2025) applies. The DIFC Commissioner is the supervisory authority. Cross-border transfers use DIFC's prescribed mechanisms.
If you are registered in ADGM — ADGM Data Protection Regulations 2021 apply. The ADGM Office of Data Protection is the supervisory authority.
If you are based in KSA — the Personal Data Protection Law (Royal Decree M/19 of 2021, as amended) applies. The Saudi Data and AI Authority is the supervisory authority. Data localisation requirements under Saudi law are met by processing your data in the AWS Middle East (UAE) region where appropriate or via locally compliant alternatives where required.
If you are based in India — the Digital Personal Data Protection Act 2023 applies. The Information Commissioner is the supervisory authority once functional; meanwhile rights are enforceable as the Act provides.
If you are based in South Africa — POPIA applies. The Information Regulator is the supervisory authority. Cross-border transfers from South Africa use POPIA's prescribed mechanisms.
Where both PDPL and any of the above also apply, we follow both and apply the stricter rule on any conflict.
22. Document control
| Version | Date | Author | Approver | Summary |
|---|---|---|---|---|
| 1.0 | 1 April 2026 | DPO and Legal | Risk Committee | Initial issue. Combined Privacy Policy covering TapReserve.Ai POS, TapReserve.Ai QR, and TapReserve.Ai SoftPOS. Controller/processor split. PDPL, DIFC, ADGM, KSA PDPL, India DPDP Act, GDPR, UK GDPR, POPIA. No biometric / CCTV / voice processing. All AI within AWS UAE; no third-party GenAI. India engineering access disclosed as restricted cross-border transfer. |
| 1.1 | 13 May 2026 | DPO | Risk Committee | Editorial pass — wording tightened, cross-references aligned. All contact points consolidated to rajat@tapreserve.ai. |