Privacy Policy
Last updated: 2026-06-13 · v1.0
This Privacy Policy explains how [LEGAL ENTITY NAME] (trading as Grouper, “we”, “us”, “our”) collects, uses, discloses, retains, and protects personal data when you visit grouper.space, when you use a booking page built and hosted on our platform for a participating business (each, a “Tenant”), or when you communicate with us through any channel.
We are committed to handling your personal data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”) and its Executive Regulation, and with UAE Federal Decree-Law No. 46 of 2021 on Electronic Transactions and Trust Services (the “ETTSL”), each as amended from time to time. Where applicable, we also observe the data-protection provisions of UAE Federal Decree-Law No. 34 of 2021 on combating rumours and cybercrimes and the consumer-protection framework set out in UAE Federal Law No. 15 of 2020 and its Executive Regulation.
1. Who we are and how to reach us
[LEGAL ENTITY NAME] is a company registered in [EMIRATE / FREE ZONE], United Arab Emirates under commercial licence number [TRADE LICENCE NUMBER], with its registered office at [REGISTERED OFFICE ADDRESS]. We are the controller of the personal data we collect directly through grouper.space and the data that flows through our platform in the course of providing booking-page, payment-routing, and notification services. For data submitted to a Tenant's booking page, we generally act as a processor on the Tenant's behalf — the Tenant is the controller of its own customer data.
2. Scope of this Policy
This Policy applies to personal data we process when you:
- browse, register for, or interact with the marketing website at grouper.space;
- submit a booking, deposit, or enquiry through a Tenant booking page that we host on our platform (for example, on the book.grouper.space/<tenant> subdomain);
- receive confirmations, reminders, or other transactional communications from us by email, SMS, or WhatsApp;
- subscribe to our services as a service-business owner or authorised administrator (a Tenant); or
- contact us by email, telephone, WhatsApp, or in person.
Tenant booking pages may link to third-party services (Stripe Checkout, Google Maps, Instagram, WhatsApp). Those services are operated by independent controllers and are governed by their own privacy notices. We are not responsible for the privacy practices of third parties.
3. Personal data we collect
We collect the following categories of personal data:
3.1 Information you give us
- Customer booking data: full name, mobile phone number, optional email address, selected services and date/time, consent records, free-text notes you choose to share.
- Tenant account data: trade name, contact name, business address and emirate, contact email and phone, trade licence number (where collected for verification), administrator login credentials.
- Payment data: when you pay a deposit, payment-card details are collected directly by our payment processor (Stripe Payments UAE LLC and/or Stripe, Inc., as applicable) under PCI-DSS-compliant conditions. We do not see or store full card numbers; we store only a pseudonymous payment identifier, the last four digits, brand, and outcome of the transaction.
- Communications: the content of messages you send us, your opt-in confirmations, and our replies.
3.2 Information we collect automatically
- Device and connection data: IP address, approximate geolocation derived from IP, device type, operating system, browser type and version, language preference, and referring URL.
- Usage data: pages viewed, buttons tapped, booking-flow steps reached, timestamps, conversion outcomes, and similar interaction telemetry.
- Cookies and similar technologies: a minimal set of strictly necessary cookies for session continuity and CSRF protection, plus first-party analytics events used to measure aggregate funnel performance. See section 11 for details.
3.3 Information from third parties
- From Stripe and any successor payment processor: transaction status, dispute and refund records, and risk-score signals.
- From Twilio (for WhatsApp) and Resend (for email): delivery and read receipts for transactional messages.
- Aggregated, non-identifying lead data (e.g. publicly listed salon names and phone numbers) we obtain through lawful business-directory sources for outbound sales activity.
4. Why we process personal data and on what legal basis
Under Article 4 of the PDPL, personal data may be processed only where one of the prescribed legal bases applies. The bases we rely on are summarised below.
- Performance of a contract — to take steps at your request before entering into, and to perform, a booking contract (between you and a Tenant) or a subscription contract (between a Tenant and us). This is the primary basis for processing names, contact details, service selections, appointment timestamps, and payment identifiers.
- Consent — for transactional messages on WhatsApp, marketing messages of any kind, optional cookies, and for processing any data the PDPL classifies as “sensitive”. Consent is freely given, specific, informed, and unambiguous, and you may withdraw it at any time without affecting the lawfulness of prior processing.
- Legitimate interest — to maintain platform security, prevent fraud and abuse, provide aggregate analytics, and improve our services. We balance these interests against your rights and exclude processing that would override them.
- Legal obligation — to comply with UAE tax, VAT, anti-money laundering, court orders, and similar mandatory requirements, including retention periods imposed by the UAE Commercial Transactions Law and the UAE VAT Law (Federal Decree-Law No. 8 of 2017) and its Executive Regulation.
- Protection of vital interests — in rare cases where processing is necessary to protect the life or physical integrity of an individual.
5. How we use personal data
- To display Tenant booking pages, render service catalogues, and confirm available time slots.
- To create, modify, cancel, and reschedule bookings, and to issue branded PDF confirmations and receipts.
- To process optional deposits and refunds through our payment processor and to reconcile payments with bookings.
- To send transactional communications — booking confirmations, payment receipts, 24-hour reminders, cancellation acknowledgements — by email and, where you have opted in, WhatsApp.
- To maintain Tenant administrator accounts and authentication.
- To detect, investigate, and prevent fraud, abuse, and security incidents and to enforce our Terms of Service.
- To comply with our legal, tax, and accounting obligations.
- To respond to your enquiries and to operate, evaluate, and improve our platform.
- To send service-related announcements to Tenants (e.g. material changes to this Policy, security advisories, scheduled maintenance).
We do not use customer booking data submitted to a Tenant's booking page for our own direct marketing without that customer's separate, explicit consent.
6. Who we share personal data with
We share personal data only as necessary and only with the recipients below.
- The Tenant whose booking page you used — your booking details (name, phone, optional email, services, time, payment status) are disclosed to the Tenant so it can deliver the service you booked. The Tenant is an independent controller of that data once it receives it.
- Sub-processors and infrastructure providers, each acting on our documented instructions under written processing terms:
  - Supabase (Supabase Inc.) — managed PostgreSQL database, authentication, and storage.
  - Vercel (Vercel Inc.) — application hosting, serverless functions, and CDN.
  - Stripe (Stripe Payments UAE LLC and/or Stripe, Inc.) — payment processing for deposits and refunds.
  - Twilio (Twilio Inc.) — WhatsApp Business API delivery.
  - Resend (Resend, Inc.) — transactional email delivery.
  - Anthropic, OpenAI, or similar AI-platform providers — used internally for engineering and operations support; production customer booking data is not used to train third-party models.
- Professional advisers — lawyers, accountants, and auditors bound by professional confidentiality.
- Authorities and law enforcement — where disclosure is required by a binding court order, regulatory request, or applicable law, including the UAE Telecommunications and Digital Government Regulatory Authority (TDRA) and the UAE Data Office.
- Successors — in connection with a merger, acquisition, financing, or sale of all or part of our business, subject to confidentiality and to this Policy continuing to apply.
We do not sell personal data. We do not share personal data with advertising networks for cross-context behavioural advertising.
7. Cross-border transfers
Some of our sub-processors are based outside the UAE (notably in the United States and the European Union). Where personal data leaves the UAE, we transfer it in accordance with Articles 22 and 23 of the PDPL, which permit transfer to jurisdictions with an adequate level of protection or, in the absence of an adequacy decision, on the basis of appropriate safeguards (such as standard contractual clauses, binding corporate rules, or explicit consent for the specific transfer). On request to privacy@grouper.space, we will provide a summary of the safeguards in place for a given transfer.
8. How long we keep personal data
We retain personal data only for as long as necessary for the purposes for which it was collected, plus any period required by law. Indicative retention periods are:
- Booking records — for the duration of the appointment plus 24 months, to support reschedule, dispute, and chargeback workflows.
- Payment and tax records — for at least 5 years from the end of the relevant tax period, in line with the UAE VAT Law (Federal Decree-Law No. 8 of 2017) and the UAE Commercial Transactions Law.
- Tenant account records — for the duration of the subscription plus 36 months thereafter, to support tax, audit, and dispute-resolution requirements.
- Marketing-website analytics — up to 14 months in aggregated, pseudonymised form.
- Communications — up to 36 months, except where ongoing enquiries, complaints, or legal proceedings require longer retention.
At the end of the retention period we delete or anonymise the data, subject to any overriding legal hold.
9. Your rights as a data subject
The PDPL grants you a number of rights with respect to your personal data, which you can exercise free of charge by writing to privacy@grouper.space. These rights include:
- Right of access — to obtain confirmation as to whether we process your personal data and, if so, a copy of that data.
- Right of correction — to have inaccurate or incomplete personal data rectified.
- Right of erasure — to request deletion of your personal data where the legal grounds for processing no longer apply.
- Right to restrict processing — to limit how we use your data in specified circumstances (for example, while you challenge its accuracy).
- Right to data portability — to receive a structured, commonly used, machine-readable copy of data you have provided.
- Right to object — to object to processing based on our legitimate interest and to opt out of any direct marketing at any time.
- Right to withdraw consent — where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint — with the UAE Data Office (the supervisory authority established under the PDPL).
We will respond to verified requests within the period prescribed by the PDPL and its Executive Regulation. We may require you to verify your identity before acting on a request, to protect the security of your personal data.
10. How we protect personal data
We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. These measures include encryption in transit (TLS) and at rest for sensitive fields, row-level security policies in our database, role-based access control to our administration tooling, structured logging of administrative actions, periodic credential rotation, and incident-response procedures aligned with the obligations of the PDPL and the ETTSL. Payment-card data is handled exclusively by Stripe under its PCI-DSS Level 1 certification.
Where a personal-data breach is likely to result in a risk to the rights of affected individuals, we will notify the UAE Data Office and, where required, affected individuals, within the timeframe prescribed by law.
11. Cookies and similar technologies
We use a minimal set of strictly necessary cookies for session continuity, CSRF protection, and load balancing — these cookies do not require consent under the ETTSL. We also use first-party, privacy-preserving analytics to count visits and measure aggregate funnel performance; these analytics do not set third-party tracking cookies, do not build cross-site profiles, and do not enable advertising re-targeting. We do not use behavioural advertising cookies. Where any future analytics or marketing technology requires consent, we will request it through a clear, granular consent banner before any such cookies are set.
12. Children
Our services are intended for users aged 18 and over. We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent. If you believe a child has provided us with personal data, please contact privacy@grouper.space and we will take prompt steps to delete the data.
13. Automated decisions and profiling
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. Stripe and similar payment processors may apply automated fraud-risk scoring to transactions; the outcome of that scoring is a recommendation that our human operators or the Tenant review before any irreversible action is taken.
14. Changes to this Policy
We may amend this Policy from time to time. The version and effective date at the top of this page always identify the current version. If we make a material change that adversely affects your rights, we will provide reasonable advance notice through the platform or by email before the change takes effect.
15. Governing law
This Policy is governed by the laws of the United Arab Emirates. Any dispute arising under this Policy is subject to the exclusive jurisdiction of the competent courts of [EMIRATE / FREE ZONE], without prejudice to any mandatory rights you may have under UAE consumer-protection law to seek redress in another competent forum.