Privacy Policy — Qatta
Last updated: April 24, 2026
Thank you for using Qatta ("the App", "the Service"). We respect your privacy and are committed to protecting your personal data. This policy explains what data we collect and how we use it.
1. Data Controller
- Service name: Qatta
- Contact email: suhail.alsaif@gmail.com
2. Data We Collect
a) Data you provide
- Full name and email address when registering
- Trip data: trip name, currencies, expenses, members
- Receipt photos (optional) — if you attach them to an expense
- Voice notes (optional) — for voice-to-text expense entry
b) Data generated automatically
- Unique user ID from Supabase Auth
- Account creation and update timestamps
- App language and preferences
c) Data from sign-in providers
- Apple Sign-In: anonymized Apple ID + email (may be hidden)
- Google Sign-In: Google ID + name + email + profile photo
3. What We DO NOT Collect
- ❌ Your geographic location
- ❌ Device contacts
- ❌ SMS messages or WhatsApp
- ❌ Browsing history
- ❌ Biometric data
- ❌ Any advertising tracking
4. How We Use Your Data
| Use | Purpose |
|---|---|
| Send verification codes + trip notifications | |
| Expense data | Display to you and trip members |
| Receipt photos | Display alongside the expense |
| Unique ID | Link data to your account |
We do NOT use your data for:
- Targeted advertising
- Sale to third parties
- Behavioral analysis
5. Data Sharing
We use trusted service providers:
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database + authentication | EU (Ireland) |
| Resend | Email delivery | US/EU |
| RevenueCat | Subscription management | US |
| Apple/Google | Sign-in | Global |
We do not sell or share your data with any third party for marketing.
6. Data Security
- 🔒 All communication encrypted via HTTPS/TLS
- 🔐 Sensitive data encrypted at rest (AES-256)
- 🛡️ Row-Level Security in Supabase ensures you only access your own data
- 🔑 Passwords are never stored (we use OTP + OAuth only)
7. Your Rights
You have the right to:
- Access your data
- Modify your data
- Delete your account (deletes all data within 30 days)
- Export your data in JSON/PDF format
- Withdraw consent at any time
To exercise these rights, email: suhail.alsaif@gmail.com
8. Children
The app is not intended for children under 13. We do not knowingly collect data from them.
9. Data Retention
- Account data retained while account is active
- After account deletion: removed within 30 days (backup period)
- Receipt photos deleted with the trip
10. Changes to This Policy
We'll notify you of any material changes via the app or email. The last updated date appears at the top.
11. Governing Law
This policy is governed by the laws of the Kingdom of Saudi Arabia and the Personal Data Protection Law (PDPL).
12. Contact Us
For any privacy-related questions: