Privacy Policy

Last updated: 4 July 2026

My Card Oman helps Oman’s cafés, restaurants and shops run loyalty cards. We take privacy seriously and handle personal data in line with the Sultanate of Oman's Personal Data Protection Law (Royal Decree 6/2022, "PDPL"). This policy explains what we collect and why.

1. What we collect

2. Why we use it

To create and update your loyalty card, award and redeem rewards, keep an audit trail that protects both you and the business against fraud, and show the owner aggregate insights (like how many customers return). We do not sell personal data.

3. Consent

When a customer joins, they give consent to link their card, and we record the date. Consent can be withdrawn at any time by asking the business or us to remove the card.

4. Who can see it

A customer's data is visible only to the business they joined, never to other businesses. Access is enforced at the database level (row-level security), so one tenant cannot read another's data. We use Supabase (database & auth) and Vercel (hosting) as processors.

5. Wallet passes

Your card in Apple Wallet or Google Wallet carries a random, unguessable identifier so stamps can update. It does not expose your phone number to anyone scanning it.

6. Retention

We keep loyalty data while your card is active. If a card is deleted or you withdraw consent, we remove or anonymise personal data, keeping only what the law requires.

7. Your rights (PDPL)

To exercise these, contact the business you joined or email us and we will help.

8. Security

Data is encrypted in transit, access is scoped per business, points move only through audited server actions, and card secrets are randomly generated. No system is perfect, but security is built into the design, not bolted on.

9. Contact

Privacy questions or requests: mycardoman@gmail.com.

This is a plain-language policy, not legal advice. Have an Omani-qualified adviser review it before commercial launch.