Privacy Policy
1. Who we are
This Privacy Policy is issued by PayLoop ("PayLoop", "we", "us", or "our"), a technology company providing self-service ordering, payment, and loyalty services to food & beverage operators, primarily in the United Arab Emirates. For privacy-related matters you can reach us at info@pay-loop.io.
2. Who this policy applies to
This policy applies to two categories of users:
- Operators — restaurants, bars, cafés, and multi-outlet groups using PayLoop as their ordering/payment/loyalty layer.
- Guests — diners who scan a PayLoop QR code to order, pay, or redeem cashback at an operator's venue.
3. Information we collect
From operators
When you sign up as an operator we collect: business name and registration details, outlet address(es), authorised representative's name and email, phone number, banking/settlement details (stored via our payment processor, not on PayLoop servers), menu and pricing data, and transaction-level data that flows through our system.
From guests
When a guest uses PayLoop at an operator's venue we may collect: basic device identifiers (to keep a session alive across screens), card / wallet tokens via our payment processor, order contents, bill amount, cashback earned, cashback redeemed, and (if provided voluntarily) an email or phone number to receive receipts or loyalty updates.
We do not store raw card numbers, CVVs, expiry dates, or bank credentials on PayLoop infrastructure. These are handled by our PCI-DSS compliant payment processor (Paymob, in the UAE).
Automatically collected
Standard web analytics data: browser type, referring URL, general geographic region (city-level, not precise location), timestamps, and diagnostic logs needed to operate and secure the service.
4. How we use information
- To deliver the service — process orders, payments, cashback, and analytics.
- To keep the service secure — fraud detection, rate-limiting, abuse prevention.
- To provide operator dashboards — so operators can see their own guests and transactions.
- To send transactional notifications — payment receipts, refund confirmations, cashback balances.
- To improve the product — aggregated, anonymised usage patterns inform what we build.
- To communicate with operators — product updates, onboarding, support responses.
We do not sell personal data. We do not share personal data with advertising networks. We do not use guest data for purposes unrelated to the service they received at the operator's venue.
5. Legal basis (where required)
For users covered by GDPR or UAE Federal Decree-Law No. 45 of 2021 (the UAE Personal Data Protection Law), the legal bases for our processing are: (a) performance of a contract — to provide the service; (b) legitimate interests — to secure and improve the service; (c) legal obligation — to meet tax, accounting, and regulatory requirements; and (d) consent — for optional communications, such as marketing emails, which you may withdraw at any time.
6. Third parties we work with
We share data only with trusted service providers who are contractually bound to process data only on our instructions. Current processors include:
| Processor | Purpose | Location |
|---|---|---|
| Paymob | Payment processing and card tokenisation | UAE |
| Cloud infrastructure provider | Hosting and storage of PayLoop services | UAE / EU |
| Email / notification provider | Transactional emails, receipts | EU / US |
| Analytics provider | Aggregated product usage analytics | EU / US |
We do not share personal data with advertisers, data brokers, or social-media platforms.
7. Data retention
Transaction and cashback records are retained for at least seven years to meet tax and accounting requirements in the UAE. Operator account data is retained for the duration of the contract plus a reasonable wind-down period. Guest data is retained for as long as the operator maintains an active account; guests may request deletion at any time (see Section 8, "Your rights", below).
8. Your rights
Depending on your jurisdiction, you may have the right to: access a copy of your personal data; correct inaccurate data; delete your data; restrict or object to processing; receive your data in a portable format; and withdraw consent for optional processing. To exercise any of these rights, email info@pay-loop.io. We will respond within 30 days.
9. International transfers
Some of our processors store data in the EU or the US. Where data leaves the UAE, we rely on standard contractual clauses or equivalent safeguards approved by the receiving jurisdiction.
10. Security
See our separate Security page for details on encryption, access control, PCI-DSS compliance, and incident response. Card data never touches PayLoop systems — only tokens issued by our PCI-compliant processor.
11. Children
PayLoop is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email (for operators) or via a banner on the site (for guests), with at least 30 days' notice where legally required.
13. Contact
Privacy questions, data requests, complaints: info@pay-loop.io.
