Nafaa – Privacy Policy
Effective Date: 2026-01-17
Last Updated: 2026-01-17
This Privacy Policy explains how Nafaa collects, uses, shares, retains, and protects personal data when you use the Nafaa mobile application and related services (the “Services”). It is drafted to align with UAE Federal Decree-Law No. 45 of 2021 (PDPL) and app marketplace transparency expectations.
1) Controller (Who We Are)
Data Controller: NAFAA PORTAL (Trade License No. 1503573)
Registered Address: Office 205-9, HH Shaikh Saud Bin Saqr Al Qassimi Building, Al Muteena, Deira, Dubai, United Arab Emirates
Contact: info@nafaa.app | +971 52 225 7100
2) Summary of Key Practices
We use your data to provide subscriptions, verify student eligibility, show nearby vendors/offers, and prevent fraud.
We use precise location only while the app is in use (with your permission) and do not store precise coordinates in our database.
We use Stripe to process payments; we do not store full card details.
You can delete your account in-app or via the web deletion request URL.
3) Personal Data We Process
3.1 Account and Contact Data
• Full name, email address, password (if registering with email).
• Phone number (for OTP verification).
• Third-party sign-in identifiers/tokens (if you use Apple/Google sign-in).
3.2 Student Verification Data
• Student Identity Card image(s) uploaded by you for eligibility verification.
• University/school name (if you select/provide it during verification).
• Verification status and audit metadata (for eligibility confirmation and fraud control).
3.3 Location Data (Precise – While Using the App)
• Precise location coordinates when you grant permission, used only during active app usage to display nearby vendors/offers.
• We do not store precise location coordinates in our database.
3.4 QR/Redemption and Usage Data
• Redemption events (date/time, offer/vendor identifier, redemption status).
• Subscription status (active/expired), plan selection, and entitlement state.
• App interactions necessary to operate the Services and prevent abuse.
3.5 Device, Security, and Technical Logs
• Device model, OS version, app version, language, and technical diagnostics.
• IP address and authentication/security logs to protect accounts and prevent fraud.
3.6 Communications Data
• Support communications (emails/messages) and attachments you send us.
• Service messages (verification updates, security alerts, subscription notices).
4) What We Do Not Do (Based on Current Configuration)
• We do not run ad attribution or advertising tracking (as currently configured).
• We do not store your full payment card number or CVV.
• We do not store precise location coordinates in our database.
5) How We Use Personal Data
• Provide the Services (account creation, login, subscriptions, offers, and redemption).
• Verify student eligibility and maintain platform integrity.
• Enable location-based browsing of nearby vendors/offers while you use the app.
• Operate subscriptions, handle billing support, and manage account status.
• Prevent, detect, investigate, and mitigate fraud, abuse, and security incidents.
• Provide customer support and manage complaints/escalations.
• Comply with UAE legal obligations and respond to lawful requests.
6) Payments
Payments for subscriptions are processed through Stripe. Stripe processes payment credentials in accordance with its own policies and security standards. Nafaa receives limited transaction information necessary to confirm payment status, provide access, and support accounting and customer support. Nafaa does not store full card details or CVV.
7) Sharing and Disclosure
7.1 Vendors (Redemption Validation)
When you redeem an offer via QR, the vendor may see only the information necessary to validate eligibility and the redemption.
• Vendor view at redemption: Name, photo, student ID, verified badge, plan status, expiry date.
• Vendors do not receive your full payment details.
• Vendors must not use redemption data for unrelated marketing unless a lawful basis and appropriate consent exist.
7.2 Processors and Service Providers
We use third-party providers to operate the Services:
• Hosting/Storage: AWS S3 (UAE region).
• Google Cloud Platform: Google Maps SDK.
• Payments: Stripe.
• Push notifications: Firebase Cloud Messaging (FCM).
• Email: Hostinger Webmail.
• OTP/SMS/WhatsApp verification or messaging (where used): Twilio and/or Meta (WhatsApp Business Platform) depending on channel used.
7.3 Legal and Safety Disclosures
We may disclose personal data if required by law or necessary to protect rights, safety, and security.
8) International Transfers
Our infrastructure includes cloud and third-party processors. Depending on provider operations and technical routing, personal data may be processed outside the UAE. Where cross-border transfers occur, we apply appropriate safeguards and transfer only where permitted under applicable UAE law.
9) Data Retention
We retain personal data only as long as necessary for the purposes described, including fraud prevention, dispute handling, and legal compliance. Retention may be extended for active disputes or investigations.
Student Identity Verification Data:
Student identity card images are retained for up to two years to enable re-verification and to support fraud detection and audit investigations.
Redemption and Usage Records:
Redemption logs are stored for seven years to verify eligibility, prevent fraudulent activity, resolve disputes, and meet audit requirements.
Security and Access Logs:
Security-related data, including IP addresses and authentication logs, are kept for 24 months to protect user accounts, detect abuse, and investigate security incidents.
Customer Support Communications:
Support tickets and customer emails are retained for 36 months to provide ongoing customer support, handle complaints, and ensure service quality.
Billing and Financial Records:
Billing records and invoices are maintained for seven years to comply with accounting standards, support billing inquiries, and meet legal and regulatory obligations.
10) Security
• Encryption in transit (TLS).
• Access controls and least-privilege permissions.
• Secure storage of verification documents (including access logging).
• Monitoring designed to detect abuse and protect accounts.
11) Your Rights (PDPL)
Subject to PDPL conditions and exceptions, you may have rights to:
• Access and obtain information about processing.
• Correct inaccurate data.
• Request deletion/erasure where applicable.
• Object to or restrict certain processing in specific circumstances.
• Withdraw consent where processing is based on consent (e.g., location permission via device settings).
12) Account Deletion and Requests
You can request deletion through:
• In-app: Account Settings → Delete Account.
• Web deletion request URL: https://nafaa.app/student/delete-account
• Email: info@nafaa.app (from your registered email address).
Deletion removes your profile and disables access. Certain records may be retained for limited periods where required for legal compliance, accounting, security, fraud prevention, or dispute resolution (see retention schedule).
13) Marketing Communications (Future)
If we send marketing communications by email/SMS/WhatsApp in the future, we will provide notice and, where required, obtain consent and provide opt-out mechanisms. Service communications are not marketing.
14) Children
The Services are intended for users aged 16 and above. We do not knowingly process personal data of children under 16.
15) Changes
We may update this Policy from time to time. We will post the updated version in the app and update the Last Updated date.
16) Contact
For privacy questions or requests, contact info@nafaa.app.