Privacy Policy

Last updated: 17 April 2026  ·  Version 1.0
النسخة العربية (المرجع الأساسي)

1. Who we are

SmartOrdr ("SmartOrdr", "we", "us", "our") operates a Software-as-a-Service platform that enables restaurants in the Sultanate of Oman to receive and manage customer orders through WhatsApp using a bilingual AI ordering agent. SmartOrdr is the data controller for personal data collected through smartordr.com and its associated services.

2. Personal Data Protection Officer (DPO)

3. Personal data we collect

When you place an order through a restaurant that uses SmartOrdr:

• WhatsApp phone number — required, so the restaurant can receive and confirm your order.
• Name — optional, used only for order identification.
• Delivery address — collected only if you choose delivery.
• Vehicle number or pickup details — optional, only if you choose pickup.
• Order contents, preferences, and special instructions — what you tell the AI agent or the restaurant about your order.
• Payment confirmation — a record that payment succeeded. SmartOrdr does not receive, hold, or process your card details; these are handled exclusively by the licensed payment provider (Thawani).
• Chat transcripts between you and the AI agent, retained for the period set out below.

When you visit smartordr.com or the restaurant dashboard:

• Technical data — IP address, browser and device information, and standard server logs. This is used for security, abuse prevention, and service reliability.

4. Why we process your data (purposes and legal basis)

• To fulfil your order — processing is necessary for the performance of the service you have requested (Art. 11 PDPL).
• To communicate order status via WhatsApp — same legal basis.
• To prevent fraud and abuse of the platform — our legitimate interest in protecting the service and its users.
• To comply with legal obligations — including record-keeping obligations under Omani law.
• Marketing or analytics based on personal identifiers — only with your explicit consent, which you may withdraw at any time.

5. Who we share your data with

We share your data only to the extent necessary to operate the service:

• The restaurant you are ordering from — receives your order details and contact number so it can fulfil the order. The restaurant is a separate data controller for its own use of that data.
• Meta Platforms Ireland Ltd. (WhatsApp Business Cloud API) — to deliver WhatsApp messages between you and the restaurant.
• Google LLC (Gemini API) and Anthropic PBC (Claude API, fallback) — to power the bilingual AI ordering agent. Messages sent to these providers are processed to generate responses and are not used by them to train models.
• Groq, Inc. — used only when voice messages need to be transcribed (Whisper model).
• Thawani Technologies LLC (Thawani Pay) — licensed payment service provider in Oman, for online payment processing.
• Supabase, Inc. (managed PostgreSQL and authentication) — our infrastructure provider.
• Regulators and law enforcement — when we are legally required to do so.

We do not sell personal data. We do not share personal data with advertisers.

6. Cross-border data transfers

Some of the service providers listed above host data outside the Sultanate of Oman (primarily in the European Union and the United States). Where cross-border transfers occur, they are carried out in accordance with Articles 23–27 of the PDPL and the Executive Regulation, relying on either:

• the recipient jurisdiction providing a level of protection equivalent to the PDPL; or
• your explicit consent, obtained before any transfer takes place.

You can contact our DPO for details of the safeguards in place for any specific transfer.

7. How long we keep your data

• Chat messages with the AI agent: 180 days, then deleted automatically.
• Order records: up to 2 years, to support refunds, disputes, and tax/accounting obligations.
• Customer profile (phone, preferences): retained while your account is active with a participating restaurant; deleted on request.
• Audit logs: up to 1 year, for security and compliance.
• Webhook and system logs: 90 days.

8. Your rights under the PDPL

You have the right to:

• Access the personal data we hold about you;
• Correct inaccurate or incomplete data;
• Request deletion of your data ("right to erasure");
• Request a copy of your data in a portable format;
• Object to certain processing or withdraw consent where processing is based on consent;
• Lodge a complaint with the Ministry of Transport, Communications and Information Technology (MTCIT) — Personal Data Protection Centre — at PDPC@mtcit.gov.om.

To exercise any of these rights, contact privacy@smartordr.com or send the message "delete my data" on WhatsApp to the restaurant you ordered from. We will respond within 45 days, as required by the Executive Regulation.

9. Security

We apply technical and organisational measures appropriate to the risk, including:

• TLS/HTTPS encryption for all data in transit;
• Encryption of sensitive credentials at rest;
• Role-based access controls and row-level security in our database;
• Masking of phone numbers in application logs;
• Webhook signature verification for third-party integrations;
• Rate limiting and abuse detection;
• Restricted, audited access to production systems.

10. Data breach notification

In the event of a personal data breach that is likely to affect the rights of data subjects, we will notify the MTCIT within the timeline set out in the Executive Regulation (generally within 72 hours of becoming aware of the breach) and, where required, notify affected individuals directly.

11. Children

The service is intended for customers aged 18 and over. We do not knowingly collect personal data from children. If you believe a child's data has been collected, please contact the DPO and we will take steps to delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. The current version number and date appear at the top of this page. Material changes will be communicated through the service.

13. Contact