Who we are
This Privacy Policy explains how Sekkara (“Sekkara”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use the Sekkara loyalty platform. Sekkara is an e-money-backed loyalty points platform that lets shoppers earn and redeem points with participating merchants.
For the purposes of applicable data-protection law, Sekkara is the data controller of the personal data described in this policy. Our registered address is Riyad. If you have any questions about this policy or how we handle your data, contact us using the details in the Contact section below.
Scope
This policy applies to all of the following Sekkara services (together, the “Services”):
- The Sekkara consumer mobile app for shoppers (iOS bundle io.sekkara.client, Android package io.sekkara.client), used to earn, view, and redeem loyalty points and vouchers.
- The Sekkara POS merchant point-of-sale app (Android package com.loyalty.pos_app), used by partner staff to issue points and process redemptions at checkout.
- This marketing and support website at https://sekkara.io.
Cookies and similar technologies used on the website are described in our separate Cookie Notice.
Information we collect & why
We collect only the data we need to operate the loyalty program securely. The table below summarises each category of personal data, why we process it, and the legal basis for doing so.
| Data | Purpose | Legal basis |
|---|---|---|
| Phone number | To create your account and sign you in. We verify your number with a one-time passcode (OTP) delivered over WhatsApp through our verification provider. | Performance of our contract with you (to provide the account and Services). |
| Profile data you provide | Optional details you add to your profile (such as name and preferences) to personalise your experience and tailor offers. | Your consent, and our legitimate interest in providing a useful, personalised service. |
| Device location (precise / approximate) | To show nearby partner stores and relevant offers. The consumer app requests location permission (ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION) and only collects location when you grant it. | Your consent (you may grant or revoke location permission at any time in device settings). |
| Camera | To scan QR codes at checkout. The Sekkara POS app scans the customer’s code, and the consumer app may display or scan codes. Camera images are processed in real time and are not stored by Sekkara. | Your consent (you may grant or revoke camera permission at any time in device settings). |
| Transactions & points data | To operate the loyalty program: each earn, redemption, transfer, and adjustment is recorded in an append-only, double-entry ledger so balances are accurate and auditable. | Performance of our contract, and compliance with our legal and financial obligations. |
| Push notification token | To deliver offers, points updates, and service notifications via Google Firebase Cloud Messaging. | Your consent (you may disable notifications at any time in device settings). |
| Diagnostics & crash data | To detect, diagnose, and fix crashes and errors and keep the apps stable and secure, via Google Firebase Crashlytics. | Our legitimate interest in maintaining a reliable, secure service. |
| Device information | Technical details such as device model and operating system version, used for compatibility, security, and troubleshooting. | Our legitimate interest in operating and securing the Services. |
| Biometric data (Face ID / fingerprint) | Used only to unlock the app on your device. Biometric matching happens entirely on your device using your operating system’s secure hardware; Sekkara never receives, transmits, or stores your biometric data. | Your consent, processed locally on your device only. |
How we use information
We use the personal data described above to:
- Create, secure, and operate your Sekkara account;
- Issue, track, and redeem loyalty points and vouchers, and keep an accurate, auditable ledger;
- Show you nearby partner stores and offers relevant to you;
- Send you transactional and (with your consent) promotional notifications;
- Detect, prevent, and investigate fraud, abuse, and security incidents;
- Diagnose problems, improve the apps, and maintain reliability;
- Comply with our legal, tax, accounting, and regulatory obligations; and
- Communicate with you about support requests and changes to the Services.
We do not sell your personal data, and we do not use it for third-party advertising.
Third parties & processors
We share personal data only with service providers who process it on our behalf and under contract, and only as needed to operate the Services. Our key processors are:
- Google (Firebase Cloud Messaging) — delivery of push notifications.
- Google (Firebase Crashlytics) — crash reporting and diagnostics.
- VerifyWay / WhatsApp — delivery of one-time passcodes (OTP) for phone-number verification.
- Cloud hosting (Amazon Web Services, AWS) — secure hosting and storage of platform data.
- Settlement and payment processors — to support e-money-backed settlement between Sekkara and merchants. [PLACEHOLDER: names of settlement / payment processors]
We also share data with participating merchants strictly as needed to operate the loyalty program (for example, to record that points were earned or redeemed at their store). We may disclose personal data where required by law, regulation, legal process, or a binding request from a competent authority, or to protect the rights, safety, and security of Sekkara, our users, or the public.
Data retention
We keep personal data only for as long as necessary for the purposes set out in this policy. In general, we retain account and profile data for as long as your account is active, and delete or anonymise it after account closure within [PLACEHOLDER: retention period].
Because Sekkara is an e-money-backed financial product, certain financial and ledger records (transactions, points issuance and redemption, and settlement data) are retained for legal, tax, accounting, audit, and fraud-prevention purposes even after you delete your account. Where possible, these records are anonymised or aggregated so they can no longer be linked to you, and are retained for the statutory period required by applicable law. See Delete your account & data for details on what is deleted and what is retained.
Security
We use technical and organisational measures designed to protect your personal data, including:
- Encryption of data in transit (TLS) and encryption of sensitive data at rest;
- An append-only, double-entry ledger so points and balances cannot be silently altered;
- On-device biometric unlock — Face ID and fingerprint matching never leave your device and are never transmitted to Sekkara;
- Secure storage of authentication and push tokens using the operating system’s protected key storage;
- Access controls, monitoring, and least-privilege practices for our systems and staff.
No method of transmission or storage is completely secure, but we work continuously to protect your data and to respond promptly to any incident.
Your rights
Subject to applicable law, you have the right to access the personal data we hold about you, to ask us to correct inaccurate data, and to request deletion of your account and personal data. You may also object to or restrict certain processing and withdraw consent (for example, by disabling location, camera, or notification permissions in your device settings).
To delete your account and data, follow the instructions on our Delete your account & data page. To exercise any other right, contact us at privacy@sekkara.io. We may need to verify your identity before acting on a request, and some data may be retained where the law requires (see Data retention).
Children
The Services are not directed to children. You must be at least [PLACEHOLDER: minimum age] years old to create a Sekkara account. We do not knowingly collect personal data from anyone below that age. If you believe a child has provided us with personal data, please contact us at privacy@sekkara.io and we will take steps to delete it.
International transfers
Some of our processors (such as Google, our OTP provider, and our cloud-hosting provider) may process personal data in countries other than your own. Where personal data is transferred internationally, we take steps to ensure it is protected by appropriate safeguards consistent with this policy and applicable law.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the app or by other reasonable means. Your continued use of the Services after an update means you accept the revised policy.
Contact
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact our privacy team at privacy@sekkara.io, or write to us at:
Sekkara
Riyad
This policy is designed to align with the disclosures made in the Google Play Data safety form and the Apple App Privacy (“nutrition label”) disclosures for the Sekkara apps.