Privacy Policy
Last updated: 4 July 2026
My Card Oman helps Oman’s cafés, restaurants and shops run loyalty cards. We take privacy seriously and handle personal data in line with the Sultanate of Oman's Personal Data Protection Law (Royal Decree 6/2022, "PDPL"). This policy explains what we collect and why.
1. What we collect
- Customers: your phone number, an optional name, the date you consented, and your loyalty activity (stamps, points, rewards) at the business you joined. We ask for the minimum needed to run your card.
- Business staff & owners: the email used to sign in and the actions taken in the dashboard and staff terminal.
2. Why we use it
To create and update your loyalty card, award and redeem rewards, keep an audit trail that protects both you and the business against fraud, and show the owner aggregate insights (like how many customers return). We do not sell personal data.
3. Consent
When a customer joins, they give consent to link their card, and we record the date. Consent can be withdrawn at any time by asking the business or us to remove the card.
4. Who can see it
A customer's data is visible only to the business they joined, never to other businesses. Access is enforced at the database level (row-level security), so one tenant cannot read another's data. We use Supabase (database & auth) and Vercel (hosting) as processors.
5. Wallet passes
Your card in Apple Wallet or Google Wallet carries a random, unguessable identifier so stamps can update. It does not expose your phone number to anyone scanning it.
6. Retention
We keep loyalty data while your card is active. If a card is deleted or you withdraw consent, we remove or anonymise personal data, keeping only what the law requires.
7. Your rights (PDPL)
- Access the personal data held about you.
- Ask for a correction if it is wrong.
- Withdraw consent and have your data deleted.
To exercise these rights, contact the business you joined or email us, and we will help.
8. Security
Data is encrypted in transit, access is scoped per business, points move only through audited server actions, and card secrets are randomly generated. No system is perfect, but security is built into the design, not bolted on.
9. Contact
Privacy questions or requests: mycardoman@gmail.com.
This is a plain-language policy, not legal advice. Have an Omani-qualified adviser review it before commercial launch.