Privacy Policy

1. Who we are (Data Controller)

halasaves is operated by Nourly FZ-LLC, a Free Zone Limited Liability Company licensed by the Dubai Development Authority (Licence No. 107351), with its registered office at Premise No. HD72B, in5 Tech, Dubai, United Arab Emirates. Nourly FZ-LLC is the data controller for the personal data described in this policy. For privacy questions or to exercise your rights, contact privacy@halasaves.com.

This policy is written to align with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”). Where executive regulations are issued in future, we will update this policy accordingly.

2. What we collect

We try to collect only what we need to run a useful, safe community deals platform.

• Account data. Email address, and (if you sign in with Google) your public Google profile name and profile photo. A username you choose.
• Content you submit. Deals, coupons, comments, votes, deal images you upload, and reports you submit.
• Anonymous-visitor data. If you vote on a deal or submit coupon feedback without an account, we set a long-lived anonymous identifier cookie (anon_voter_id) and record your IP address against that vote or feedback. This is used to prevent vote manipulation and abuse, and to allow you to change your vote later.
• Technical data. Standard server logs (IP address, user agent, request path, timestamp), session and security cookies, and product-analytics events.

We do not knowingly collect personal data from anyone under 18. If you believe a child has registered, please contact us at privacy@halasaves.com.

3. Why we use it (purposes and legal bases)

• To run your account (sign-in, posting, voting, notifications) — performance of our contract with you.
• To moderate content and prevent abuse (rate limits, anti-fraud, vote auditing, takedowns) — our legitimate interest in keeping the platform safe and useful, and compliance with UAE law.
• To send you transactional and lifecycle email (confirmations, replies, weekly recap if you opt in) — performance of our contract and your consent for marketing-style messages, which you can withdraw at any time.
• To understand product usage (aggregate analytics) — our legitimate interest in improving the Service.
• To comply with legal obligations and respond to lawful requests from UAE authorities.

4. What is publicly visible

Your username and the content you submit (deals, comments, profile photo if set) are public. Individual votes are not displayed against your identity; only aggregate counts are shown.

5. Cookies and similar technologies

• Authentication cookies (sb-*-auth-token) keep you signed in.
• Anonymous voting cookies (anon_voter_id, hs_anon) persist for up to one year and let unauthenticated visitors vote and change their votes.
• Analytics cookies (PostHog, Vercel Analytics) are used to understand aggregate usage. We do not run advertising or third-party retargeting cookies.

6. Service providers and where data is processed

We use the following third-party processors. Each operates under its own published security and privacy commitments, which we have reviewed.

• Supabase — database, authentication, and image storage. Our primary database is hosted in the ap-south-1 (Mumbai, India) region.
• Vercel — application hosting and aggregate web analytics / speed insights. Vercel processes data on its global edge network with primary processing in the United States.
• PostHog — product analytics. Events are sent to PostHog's United States cluster via a same-origin proxy on this site.
• Resend — transactional and lifecycle email delivery (United States).
• wsrv.nl — a third-party image-resizing proxy (operated by Andrews & Arnold, United Kingdom) that we use to optimise deal and coupon images before they are displayed in your browser. Your browser's IP address and user agent are visible to wsrv.nl when an optimised image is served.
• Google — OAuth sign-in (only if you choose “Continue with Google”), limited to your basic public profile.

7. International transfers

Because the providers above operate outside the United Arab Emirates, your personal data is transferred to and processed in jurisdictions including India, the United States, and the United Kingdom. By using the Service you acknowledge and consent to this cross-border transfer. We rely on each provider's contractual security commitments and limit the data we share to what is needed to deliver the Service. Where the UAE Data Office issues adequacy decisions or standard transfer mechanisms in future, we will adopt them.

8. How long we keep your data

• Account data and content — for as long as your account exists. After you delete your account, your profile and personal identifiers are removed; deals, comments and votes may remain, dissociated from your identity, to preserve community context.
• IP addresses for anonymous votes and coupon feedback — retained on an indefinite basis for fraud, abuse, and integrity-of-voting purposes. We may shorten this retention period in the future and will update this policy if we do.
• Server and security logs — retained per our hosting providers' defaults (typically 30–90 days).
• Email logs — retained per Resend's defaults for delivery diagnostics.

9. Your rights under the PDPL

Subject to applicable law, you have the right to:

• Access the personal data we hold about you
• Have inaccurate or incomplete data corrected
• Have your personal data deleted (subject to legitimate retention needs)
• Restrict or object to certain processing
• Receive your data in a structured, machine-readable format (portability)
• Withdraw consent at any time, where processing is based on consent
• Lodge a complaint with the UAE Data Office

To exercise any of these rights, email privacy@halasaves.com. We will verify your identity and respond within 30 days. You may also access and edit much of your data directly from your account settings or via the Contact Us page.

10. Security and breach notification

We implement reasonable technical and organisational measures to protect personal data, including encryption in transit, access controls, and least-privilege admin tooling. No internet service is perfectly secure. If a personal data breach occurs that is likely to prejudice your privacy or rights, we will notify the UAE Data Office and, where required, affected users in accordance with the PDPL.

11. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. Material changes will be highlighted on the Service. Continued use after changes constitutes acceptance.