This Privacy Policy explains what personal data the Doueh mobile application (“Doueh”, “we”, “us”) collects, why we collect it, who we share it with, and the rights you have over that data. It is written to comply with Apple App Store review guidelines (including the 2026 AI disclosure rules), Google Play Data Safety requirements, the Saudi Personal Data Protection Law (PDPL), and the EU GDPR / Digital Services Act where applicable. By creating an account or using Doueh, you agree to this Privacy Policy.
1. Summary (App Privacy "Nutrition Label")
The values below match exactly what is declared in App Store Connect — App Privacy and Google Play — Data safety. We do not sell personal data. We do not use personal data for behavioral advertising. We do not track you across other companies’ apps or websites.
- Email address
- Collected: Yes
- Linked to user: Yes
- Used for tracking: No
- Name
- Collected: Yes
- Linked to user: Yes
- Used for tracking: No
- Phone number
- Collected: Yes
- Linked to user: Yes
- Used for tracking: No
- Password (hashed)
- Collected: Yes
- Linked to user: Yes
- Used for tracking: No
- Approximate location
- Collected: Yes (with permission)
- Linked to user: Yes
- Used for tracking: No
- Precise location
- Collected: Yes (only if user opts in for delivery / nearby auctions)
- Linked to user: Yes
- Used for tracking: No
- Photos uploaded by user
- Collected: Yes
- Linked to user: Yes
- Used for tracking: No
- Purchase / auction history
- Collected: Yes
- Linked to user: Yes
- Used for tracking: No
- Device identifiers (push token, install ID)
- Collected: Yes
- Linked to user: Yes
- Used for tracking: No
- Crash data / diagnostics
- Collected: Yes
- Linked to user: Yes (where unavoidable)
- Used for tracking: No
- Health, contacts, browsing history, biometrics, sensitive identifiers
- Collected: No
- Linked to user: Yes
- Used for tracking: No
- Advertising identifiers / cross-app tracking
- Collected: No
- Linked to user: Yes
- Used for tracking: No
2. Data We Collect and Why
2.1 Account data
- What: First name, last name, email, phone number (with country code, e.g. +966), hashed password, OTP verification codes, user role (buyer / seller).
- Why: To create and secure your account, verify your phone, and let you sign in. Without this data the app cannot function.
- Legal basis (GDPR): Performance of a contract.
2.2 KYC / seller verification (only if you list items for sale)
- What: Identity document number, document image, profile photo, optional business information.
- Why: To verify sellers, prevent fraud and money laundering, and comply with Saudi e-commerce regulations.
- Legal basis: Legal obligation; legitimate interest in fraud prevention.
2.3 Location data
- What: Approximate location (city / region) and, only if you grant the permission, your precise location while the app is in the foreground.
- Why: To show auctions and listings near where you live; to set the pickup / delivery address you choose; to filter and sort listings by distance.
- Note: We do NOT collect location in the background, do NOT track your movement over time, and do NOT share location with advertisers.
- Permission: iOS — “While Using the App”; Android — ACCESS_COARSE_LOCATION / ACCESS_FINE_LOCATION. You can deny or revoke this at any time in your OS settings.
2.4 Push notifications
- What: A device push token (Apple Push Notification service / Firebase Cloud Messaging via Expo Push), and the notification preferences you choose.
- Why: To notify you about bids on your items, auctions you participate in, payment status, shipping updates, and important account events.
- Permission: iOS / Android prompt the first time. You may disable notifications at any time in OS settings or inside the app.
2.5 Camera and photos
- What: Photos you take in the app or pick from your photo library to upload as product images.
- Why: To list items for auction. Photos are uploaded to our storage and shown to other users on the listing.
- Note: We do not access photos for any purpose other than the one you initiated.
2.6 Auction, bidding and transaction data
- What: Items you list, bids you place, items you win or sell, wallet transactions (top-ups, withdrawals, payouts), shipping addresses you enter.
- Why: To run the auction service, settle payments, and provide receipts and order history.
- Legal basis: Performance of a contract; legal obligation (tax / accounting).
2.7 Payment data
- Details: We use a regulated third-party payment processor to handle card payments and wallet top-ups.
- Note: Card numbers and CVVs are entered directly into the payment processor and are NEVER stored on our servers.
- Stored Info: We only store amount, currency, status, masked PAN (e.g. **** 1234), and a transaction reference.
2.8 Diagnostics, crash data and basic analytics
- What: Crash logs, error stack traces, device model, OS version, app version, anonymized event counts (e.g. “bid_placed”).
- Why: To detect and fix bugs, measure performance, and improve the product.
- Tools: Sentry (crash reporting). We do not use advertising SDKs.
2.9 Communications
- Details: If you contact our support via email or in-app form, we retain that conversation to answer you and improve our service.
3. Who We Share Data With
We share only the minimum data required with the following categories of processors. Each is contractually bound by a Data Processing Agreement to provide the same or equal protection of your personal data as stated in this policy and required by the App Store guidelines. We do not share personal data with advertising networks. We do not sell personal data.
- Apple Push Notification service
- Purpose: Deliver iOS push notifications
- Data shared: Device push token, notification payload
- Firebase Cloud Messaging (Google)
- Purpose: Deliver Android push notifications
- Data shared: Device push token, notification payload
- Expo (Expo Application Services)
- Purpose: Build, deliver and update the app, send push via Expo Push
- Data shared: Anonymous build metadata, push tokens
- Sentry
- Purpose: Crash and error reporting
- Data shared: Error stack traces, device/OS info, anonymized user ID
- Cloud hosting provider
- Purpose: Host backend, database and uploaded images
- Data shared: All app data needed to run the service
- Payment processor (PCI-DSS certified)
- Purpose: Process card payments, wallet top-ups, withdrawals
- Data shared: Order amount, masked card data, customer reference
- Logistics / shipping provider
- Purpose: Deliver the item (only if you buy or sell physical goods)
- Data shared: Recipient name, phone, address
- Government / regulators / law enforcement
- Purpose: When legally required (e.g. anti-fraud, court order)
- Data shared: Only what the law requires
4. International Data Transfers
Your data is primarily processed on servers located in Saudi Arabia / the GCC region. Some processors (e.g. Apple, Google, Sentry, Expo) may process data in the United States or the European Union. When data leaves your country, we rely on Standard Contractual Clauses or equivalent legal mechanisms.
5. Data Retention
After these periods, data is deleted or irreversibly anonymized.
- Active account dataWhile your account exists
- Auction / transaction records7 years after the transaction (tax & accounting law)
- KYC / verification documents5 years after account closure (anti-fraud law)
- Crash / diagnostic logsUp to 90 days
- Push tokensUntil the app is uninstalled or you log out
- Support emailsUp to 24 months after the last reply
- Marketing communications (if any)Until you unsubscribe
6. Your Rights
Subject to applicable law (PDPL, GDPR, etc.) you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (“right to erasure”) — see Section 7.
- Restrict or object to certain processing.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where processing is based on consent (e.g. push notifications, location).
- Lodge a complaint with your data protection authority (in Saudi Arabia: the Saudi Data & Artificial Intelligence Authority (SDAIA)).
To exercise any right, email privacy@doueh.app from the address registered on your account. We respond within 30 days.
7. Account & Data Deletion
You can delete your account and the personal data linked to it in two ways:
- In-app: Open the app → Menu / Settings → Account → Delete account. You will be asked to confirm. The deletion request is queued and completed within 30 days.
- By email: Send a request from your registered email address to privacy@doueh.app with subject “Delete my account”. We will verify your identity and confirm deletion within 30 days.
What gets deleted:
Profile, contact details, uploaded photos, push tokens, location data, support history.
What we must keep (legal obligation):
Invoices, payment records and KYC documents for the periods listed in Section 5. These are stored separately and are not used for any other purpose.
A direct link to the deletion instructions is also published at: https://doueh.app/account-deletion
8. Children
Doueh is not intended for users under 18 years old and contains commerce, bidding and payments. We do not knowingly collect personal data from minors. If we learn that we have collected data from a child, we will delete it immediately. Parents or guardians may contact us at privacy@doueh.app.
9. Security
We protect personal data with:
- TLS / HTTPS for all network traffic.
- Industry-standard hashing for passwords (we never store plaintext passwords).
- Encrypted credential storage on the device (iOS Keychain / Android Keystore via secure storage).
- Role-based access control on our backend; access logged and audited.
- Regular dependency updates and security reviews.
No system is 100% secure. If a breach affects your data, we will notify you and the competent authority as required by law.
10. Generative AI Disclosure (2026 Apple / Google Requirement)
Doueh does not use any Generative AI provider (such as OpenAI, Google Gemini, Anthropic Claude, or similar) to process user prompts, photos, voice, or any other personal data. If we add AI features in the future, this section will be updated before the feature is released to disclose the AI provider’s name, exactly what data is sent to the provider, and whether that data may be used to train the provider’s models. We will only use providers whose terms confirm that API data is not used for model training, or we will obtain explicit user consent.
11. Cookies and Tracking
The Doueh mobile app does not use cookies and does not use the iOS App Tracking Transparency (ATT) framework, because we do not track users across apps or websites. Our marketing website may use strictly necessary cookies; details there.
12. Permissions Used by the App
You can deny or revoke any permission at any time in your device settings.
- Location (when in use)Show auctions near you, set pickup / delivery address“Doueh uses your location to show auctions and listings near you.”
- NotificationsBid, payment, shipping, and account alerts“Doueh sends you notifications about your bids, sales and payments.”
- CameraTake photos of items you list“Doueh uses the camera so you can take photos of items to sell.”
- Photo libraryPick photos to upload“Doueh accesses your photos so you can upload them to your listings.”
- Calendar (optional)Add auction end times to your calendar“Doueh can save auction end times to your calendar.”
13. Changes to this Policy
If we make material changes, we will notify you via the app and update the Last updated date. Continued use of Doueh after the update means you accept the revised policy.
14. Contact
- Email: privacy@doueh.app
- Postal address: Doueh, Riyadh, Kingdom of Saudi Arabia
- Data Protection Officer: dpo@doueh.app
An Arabic version of this policy is available at https://doueh.com/ar/privacy-policy. In case of any conflict between the two versions, the Arabic version prevails for users in Saudi Arabia.