Madyra — Eat. Earn. Repeat.

Privacy Policy

Last updated: May 2025

Effective date: May 2025

Madyra ("we", "us", or "our") operates the Madyra mobile application and website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service. Please read it carefully. By using the Service you consent to the practices described in this Policy.

1. Information We Collect

1.1 Information You Provide Directly

• Full legal name — required to match against bill receipts for cashback verification
• Saudi IBAN — required to process cashback withdrawals to your bank account
• Phone number — required for account creation, authentication, and account recovery
• Email address — optional, used for support communications
• Bill images (photographs) — uploaded by you to verify cashback claims
• Transaction IDs — submitted by you alongside bill images for claim verification

1.2 Information Collected Automatically

• Device identifiers (device model, OS version) — used for app functionality and debugging
• App usage data — used to improve the Service and detect fraud
• IP address — used for security monitoring and fraud prevention

1.3 Information from Restaurant Partners

• Transaction and commission records from partner restaurants — used to verify cashback eligibility and process partner payments

2. How We Use Your Information

We use your personal data solely for the following purposes:

• To verify your identity and authenticate your account
• To process, verify, and approve cashback claims against partner restaurant records
• To transfer approved cashback amounts directly to your Saudi bank account via IBAN
• To enable account recovery via your registered phone number
• To detect, investigate, and prevent fraudulent activity
• To respond to support requests and communicate service-related information
• To track commissions owed to and from restaurant partners
• To comply with applicable Saudi Arabian laws and financial regulations

We do not use your data for advertising, profiling, or sale to third parties.

3. Data Retention

We retain personal data only as long as necessary for the stated purpose or as required by law:

• Bill images: Automatically and permanently deleted 30 days after upload
• Transaction IDs & cashback records: Retained for 5 years to comply with Saudi financial audit requirements (SAMA regulations)
• IBAN: Retained for the duration your account is active, and deleted 1 year after account closure
• Phone number: Stored as an irreversible one-way cryptographic hash — the original number cannot be recovered from the stored value
• Device & usage data: Retained for 90 days for fraud detection, then deleted
• Email address: Retained until you request deletion or close your account
• Restaurant partner data: Retained for the duration of the partnership and for 5 years after termination for commission record compliance

4. How We Protect Your Information

We implement industry-standard technical and organisational security measures:

• All data in transit is encrypted using TLS 1.2 or higher (HTTPS)
• Bill images and IBAN are encrypted at rest using AES-256 encryption
• Phone numbers are stored only as one-way cryptographic hashes (no plain-text storage)
• All payment and cashback transfers are processed through a fully automated, encrypted pipeline — no Madyra personnel have direct access to your raw financial data
• Access to systems containing personal data is restricted to authorised automated processes only
• We follow PCI-DSS guidelines for all payment-related data handling
• We conduct regular security reviews of our infrastructure

5. Sharing of Your Information

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

• Partner restaurants: Transaction verification data (not your IBAN or personal identity) is shared only as necessary to confirm cashback eligibility
• Payment processors: Your IBAN and name are shared with our licensed Saudi banking partner solely to execute cashback transfers
• Legal compliance: We may disclose data when required by Saudi law, court order, or regulatory authority (e.g., SAMA, ZATCA)
• Business transfers: In the event of a merger or acquisition, your data may transfer to the successor entity under the same protections as this Policy

In all cases, third parties are contractually required to process your data only for the stated purpose and in compliance with applicable law.

6. Your Rights Under Saudi PDPL

Under Saudi Arabia's Personal Data Protection Law (PDPL), you have the following rights:

• Right of Access — Request a copy of the personal data we hold about you
• Right of Correction — Request correction of inaccurate or incomplete data
• Right of Deletion — Request deletion of your personal data, subject to mandatory legal retention periods
• Right to Withdraw Consent — Withdraw consent for processing where consent is the legal basis
• Right to Data Portability — Request your data in a structured, machine-readable format
• Right to Object — Object to processing in certain circumstances

To exercise any of these rights, submit a written request to support@madyra.com. We will acknowledge your request within 5 business days and respond in full within 30 days. We may request verification of your identity before processing sensitive requests.

7. Account and Data Deletion

You may request deletion of your account and all associated personal data at any time by contacting support@madyra.com. Upon verified request:

• Your account will be deactivated immediately
• Bill images, phone hash, email, IBAN, and device data will be permanently deleted within 30 days
• Transaction IDs and cashback records will be retained for the legally required 5-year audit period, after which they will be permanently deleted
• You will receive email confirmation once deletion is complete

Note: Deletion of your account will forfeit any pending or unclaimed cashback balance.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at support@madyra.com and we will delete it promptly.

9. No Social Login

Madyra does not use Google Sign-In, Apple Sign-In, or any third-party social login mechanism. Your phone number is the sole method of account authentication and is never stored in plain text.

10. Third-Party Services

The Service does not integrate third-party analytics, advertising SDKs, or tracking tools. Any future integration of third-party services will be disclosed in an updated version of this Policy prior to deployment.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the app or email at least 14 days before the changes take effect. The updated Policy will always be available at madyra.com/privacy. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact & Data Controller

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

Madyra
Email: support@madyra.com
Website: madyra.com

We are committed to resolving any privacy concerns promptly and transparently.