Back to home

Privacy Policy

How HalaQR processes personal data in accordance with the Saudi Personal Data Protection Law (PDPL), NDMO standards, and NCA cybersecurity requirements.

Last updated: 1 July 2026

Effective date: 1 July 2026

This Privacy Policy describes how HalaQR (“we”, “us”, or “our”) processes personal data when you visit our website, create an account, use our restaurant dashboard, or interact with a digital menu or ordering experience powered by HalaQR. We process personal data in accordance with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia, applicable Implementing Regulations, relevant National Data Management Office (NDMO) standards, and the National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC) where they apply to our operations.

1. Roles and scope

Depending on the context, HalaQR may act as a data controller for account, billing, and platform administration data, and as a data processor on behalf of restaurant customers (“Tenants”) for guest and operational data submitted through the platform.

Tenants are generally the data controllers for personal data relating to their guests, staff, and restaurant operations. Tenants are responsible for providing their own privacy notices to guests where required and for ensuring their use of HalaQR complies with applicable law.

This Policy applies to personal data processed through halaqr.com, the HalaQR dashboard, QR guest menus, ordering flows, APIs, and related support channels unless a separate notice applies.

2. Personal data we collect

We may collect the following categories of personal data:

  • Identity and contact data: name, email address, phone number, job title, and business contact details.
  • Account and authentication data: login credentials, role assignments, session identifiers, and security logs.
  • Tenant and business data: restaurant name, branches, branding, menu content, table or room identifiers, and configuration settings.
  • Guest and transaction data: order details, table or room references, feedback, and optional contact information provided by guests.
  • Technical and usage data: IP address, device type, browser, timestamps, pages viewed, feature usage, cookies, and similar technologies.
  • Billing and subscription data: plan selection, invoices, payment references, and correspondence with our billing team.
  • Support and communications: messages you send to us, call notes, and records needed to resolve enquiries.

3. How we obtain personal data

We obtain personal data directly from you when you register, configure your account, contact support, or subscribe to a plan.

Guest data may be provided by guests themselves through QR menus and ordering flows, or entered by Tenant staff on behalf of guests where permitted.

We may receive limited technical data automatically through cookies, server logs, and analytics tools configured in line with our consent and notice obligations.

4. Purposes and lawful bases

We process personal data only for specified, explicit, and legitimate purposes consistent with the PDPL and NDMO purpose-limitation principles. Depending on the processing activity, our lawful bases may include:

  • Performance of a contract: providing the HalaQR platform, account administration, guest ordering, kitchen workflows, and customer support.
  • Legitimate interests: securing the platform, preventing fraud, improving features, and ensuring service reliability, balanced against data subject rights.
  • Legal obligation: compliance with applicable laws, regulatory requests, tax and accounting requirements, and lawful orders.
  • Consent: where required for optional marketing communications, non-essential cookies, or other processing for which consent is the appropriate lawful basis under the PDPL.

5. Disclosure and sharing

We do not sell personal data. We may share personal data with:

  • Tenants and their authorized staff, according to role-based access within the platform.
  • Service providers and subprocessors that host infrastructure, process payments, deliver email, provide analytics, or support security operations, under written agreements requiring appropriate safeguards.
  • Professional advisers where necessary for legal, audit, or compliance purposes.
  • Regulators, courts, or law enforcement when required by applicable law or to protect rights, safety, and security.
  • We require processors to process personal data only on our documented instructions and to implement appropriate technical and organizational measures.

6. Cross-border transfers

Personal data is primarily processed and stored within the Kingdom of Saudi Arabia or approved GCC hosting environments where practicable.

If personal data is transferred outside the Kingdom, we implement safeguards required under the PDPL and NDMO guidance, which may include adequacy assessments, standard contractual clauses, binding corporate rules, or other approved mechanisms, and we limit transfers to what is necessary for the stated purpose.

7. Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce agreements, in line with NDMO retention and disposal principles.

Retention periods vary by data category and Tenant configuration. Tenants may export certain data through the dashboard. When data is no longer required, we delete or anonymize it using secure disposal methods.

8. Security measures

We implement technical and organizational measures aligned with the NCA Essential Cybersecurity Controls (ECC), including:

  • Role-based access control and authentication for dashboard users.
  • Encryption in transit and, where appropriate, encryption at rest for sensitive data.
  • Logging, monitoring, and incident detection for platform infrastructure.
  • Vulnerability management, secure development practices, and periodic review of security controls.
  • Business continuity and backup procedures appropriate to our service tier.

No method of transmission or storage is completely secure. If we become aware of a personal data breach that poses a risk to your rights, we will notify affected parties and regulators as required by applicable law.

9. Your rights under the PDPL

Subject to applicable law and exceptions, data subjects may have the right to:

  • Be informed about the processing of their personal data.
  • Access personal data held about them.
  • Request correction of inaccurate or incomplete personal data.
  • Request destruction of personal data when it is no longer needed for the purpose collected, subject to legal retention requirements.
  • Withdraw consent where processing is based on consent, without affecting prior lawful processing.
  • Object to certain processing based on legitimate interests where applicable.
  • Receive personal data in a structured, commonly used format where technically feasible (data portability), where applicable.

Guests should generally direct requests relating to restaurant-specific processing to the relevant Tenant. We will assist Tenants in fulfilling such requests where we act as processor.

To exercise rights relating to HalaQR’s own processing, contact privacy@halaqr.com. We may need to verify your identity before responding. We aim to respond within the timeframe prescribed by the PDPL Implementing Regulations.

10. Cookies and similar technologies

We use essential cookies and similar technologies necessary for authentication, security, and core platform functionality.

With your consent where required, we may use analytics or preference cookies to understand usage and improve the service. You can manage cookie preferences through your browser settings and any consent tools we provide.

11. Children’s data

HalaQR is a business-to-business platform and is not directed at children. We do not knowingly collect personal data from children without appropriate authority. If you believe a child’s personal data has been submitted to us improperly, contact privacy@halaqr.com.

12. Changes to this Policy

We may update this Privacy Policy to reflect changes in law, regulatory guidance, or our services. Material changes will be communicated through the website, dashboard, or direct notice where appropriate. The “Last updated” date at the top indicates the latest revision.

13. Contact and supervisory authority

For privacy enquiries, data subject requests, or questions about this Policy, contact:

HalaQR — Privacy Office Email: privacy@halaqr.com General enquiries: hello@halaqr.com

You may also lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA), the competent authority for personal data protection in the Kingdom of Saudi Arabia, if you believe your rights under the PDPL have been infringed.