Privacy policy.
This is how Reciptap handles personal data. This policy is compliant with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and is written so a small business owner can read it without a lawyer.
1. The two kinds of data we handle
Merchant data. When you sign up for Reciptap, we collect your business details, contact details, and billing information to provide the service. That’s contract-required.
Customer data. When your customer taps the tile, we process the receipt data they receive and, optionally, the phone identifier that lets us link them to a loyalty record. The merchant is the controller of this data; Reciptap is the processor.
2. What we collect about your customers
- The transaction (items, amount, time) — from your POS.
- A device-level identifier that links repeat taps to one customer record.
- The customer’s email address — only if they choose to receive an email copy of the receipt.
- The customer’s phone number — only if they opt in to receive a WhatsApp receipt link.
We do not collect names, addresses, ages, or any sensitive categories (health, religion, etc.). We do not buy data from third parties.
3. What we never do
- Sell customer data to anyone, for any reason.
- Use customer data to target ads.
- Share data between merchants without explicit consent.
- Train AI models on the receipt content.
4. Where the data lives
All Reciptap data is stored on AWS infrastructure hosted in the UAE (me-central-1, Dubai). Customer-facing receipt pages are served from edge locations globally for performance, but the authoritative data store is in-country.
5. How long we keep it
- Receipt records: 7 years, to comply with UAE record-keeping requirements.
- Customer loyalty records: as long as the merchant’s subscription is active, then 12 months for transition.
- Marketing/contact data: until you ask us to delete it.
6. Customer rights under PDPL
Your customers can request to access, correct, or delete their personal data at any time by emailing [email protected]. We respond within 30 days, in line with the PDPL.
7. Cookies and tracking
The customer-facing receipt page is consent-free — we do not run advertising cookies on it. On the marketing site (reciptap.com) and the merchant dashboard, we use first-party analytics (no ad pixels, no third-party trackers).
8. Security
Data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256. Access to production systems is restricted to a small group of named staff, is audited, and requires 2FA.
9. Sub-processors
We use a small set of trusted sub-processors to deliver the product: AWS (hosting), Wally (loyalty infrastructure), and our payment processor for subscription billing. Each is bound by the same PDPL processor obligations.
10. Contact
For any privacy question, write to [email protected]. Our Data Protection Officer responds within 5 business days, sooner where the request is urgent.