This Privacy Policy explains how Metafor Tech ("we", "us", "our") collects, uses, shares, and protects your personal information when you use the Kabseh mobile applications and related services (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.
Kabseh is a multi-vendor food and grocery ordering and delivery platform operated by Metafor Tech, serving customers in Jordan and the wider Middle East. The Service is provided through three connected mobile applications:
This Privacy Policy applies to all three apps and to our websites and APIs at kabseh.app and kabseh.net.
| Category | Examples |
|---|---|
| Account information | Full name, phone number, email address, password (hashed), profile photo, gender, date of birth (if provided), preferred language |
| Delivery details | Saved addresses, building / apartment / floor numbers, GPS pin, delivery instructions, recipient name and phone |
| Order content | Items ordered, quantities, special requests, scheduled order time |
| Payment information | Payment method (cash, card, wallet), card brand and last 4 digits for repeat purchases. Full card numbers and CVV are entered on the payment provider's secure form and are never stored on our servers. |
| Communications | Support messages, complaints, ratings and reviews you post about vendors, drivers, or items |
| Vendor / driver onboarding (vendor and driver apps only) | Business name, commercial registration / tax ID, ID document number, vehicle type and plate, bank or wallet details for payouts |
| Category | Examples |
|---|---|
| Device and technical data | Device model, OS and version, app version, language and timezone, screen size, network type (Wi-Fi / cellular), IP address |
| Identifiers | Firebase installation ID, push-notification token (FCM / APNs), advertising ID (only if granted by the system), session and account IDs |
| Location | Approximate and precise GPS location while the app is in use; for the driver app, location while a delivery is in progress (see Section 7) |
| Usage data | Screens visited, items viewed and searched, products added or removed from cart, button taps, in-app errors, session duration |
| Diagnostics | Crash logs, stack traces, performance traces (collected by Firebase Crashlytics) |
We use your personal data only for the purposes described below:
We do not sell your personal data, and we do not use your data for cross-app advertising tracking.
Where applicable data-protection law (such as the EU GDPR or comparable Jordan / Gulf regulations) requires us to identify a legal basis, we rely on:
We share the minimum data needed in each case:
| Recipient | What is shared | Why |
|---|---|---|
| Vendors (restaurants and shops) | Customer first name, recipient phone (for the duration of the order), delivery address, order content, special requests | To prepare the order correctly |
| Drivers | Recipient first name, masked phone (when supported), pickup and drop-off addresses, order summary | To collect from the vendor and deliver to you |
| Payment processors (PayTabs, Stripe, PayPal, Razorpay) | Order amount, currency, billing reference, encrypted card data entered on their form | To authorize and capture payments and process refunds |
| Cloud and infrastructure providers | Hosting and storage of the data described above | To run the Service (e.g. server hosting and content delivery / DDoS protection) |
| Google Firebase (Auth, Cloud Messaging, Crashlytics, Analytics) | Device identifiers, push tokens, crash logs, usage events | To authenticate users, send notifications, and diagnose crashes |
| Maps providers (Google Maps, OpenStreetMap / Nominatim) | Search query, GPS coordinates | To display maps, geocode addresses, and route drivers |
| SMS / OTP gateways | Phone number, verification code | To verify your phone number during sign-up and login |
| Government and regulators | Information requested by lawful order, or required for tax / VAT reporting | To comply with the law |
| Acquirers in a corporate transaction | Information required for due diligence and continued service | If our business is sold or restructured; you will be notified beforehand |
The Service relies on the following third-party providers. Each operates under its own privacy policy, which we encourage you to review:
Location is essential to a delivery app. We treat it as follows:
You can revoke location permission at any time from your device settings. Some features (such as live tracking and address pinning) will be disabled without it.
The apps request the following device permissions:
| Permission | Why we need it |
|---|---|
| Location (foreground / background) | Show nearby vendors, pin delivery address, dispatch and route drivers (background only on the driver app while a delivery is active). |
| Camera | Update your profile photo, scan QR codes for promotions, and (driver app) capture proof-of-pickup / proof-of-delivery photos. |
| Photo library / storage | Pick a profile photo or attach an image to a support message. |
| Notifications | Send order updates, OTP codes, and (optionally) marketing offers. |
| Phone state | Auto-fill the OTP code sent via SMS during phone-number verification. |
| Microphone (optional) | Allow audio notes inside the support chat. |
Each permission is requested only when first needed and can be revoked any time in your device settings.
We keep personal data only as long as necessary for the purposes set out in this policy:
| Data | Retention |
|---|---|
| Account profile | While the account is active, plus 30 days after deletion is requested. |
| Order content (items, address) | While the account is active, plus up to 24 months for dispute and warranty handling. |
| Transaction and invoice records | Up to 7 years, as required by tax law. |
| Fraud, abuse, and security logs | Up to 24 months. |
| Crash and diagnostic logs | Up to 90 days. |
| Backups | Overwritten on the regular backup cycle, within 30 days. |
| Anonymized analytics | Indefinite, as it can no longer identify you. |
Subject to applicable law, you have the right to:
To exercise any of these rights, email [email protected]. We will reply within 30 days. We may verify your identity before processing the request.
You can permanently delete your Kabseh account and the personal data associated with it at any time. There are two ways to do this:
The full process, what we delete, what we retain (and why), and how long it takes, is described on the dedicated Account & Data Deletion Request page.
Open the deletion pageKabseh is not directed at children under 13 years old, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it. Some local laws may set a higher minimum age (for example, 16 in parts of the EU); in those jurisdictions you must meet that age to use the Service.
We protect your data with administrative, technical, and physical safeguards, including:
No method of transmission over the Internet is 100% secure. If a breach of your personal data occurs and is likely to result in a high risk to your rights, we will notify you and the competent authority without undue delay, in line with applicable law.
Our servers and several of the third-party services listed above may be located outside your country, including in the European Union, the United States, and other jurisdictions. When we transfer personal data internationally, we rely on appropriate safeguards such as standard contractual clauses or the recipient's certification under recognized privacy frameworks.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you in the app and / or by email at least 7 days before the change takes effect, and update the "Last updated" date at the top of this page. Continued use of the Service after the effective date means you accept the updated policy.
For any privacy-related question, request, or complaint: