Privacy Policy

1. Introduction

1.1

This Privacy Policy ("Policy") describes how Jasmine Entertainment FZE ("Company," "We," "Us," or "Our"), a Free Zone Establishment registered in Sharjah Publishing City, United Arab Emirates, collects, uses, processes, stores, shares, and protects personal data and other information in connection with the MyDscvr Eats platform, accessible at mydscvr.ai (the "Platform").

1.2

This Policy applies to all users of the Platform, including restaurant owners and managers who register for accounts ("Registered Users" or "You"), and end consumers who access publicly available menu pages ("Visitors").

1.3

By accessing or using the Platform, You acknowledge that You have read and understood this Privacy Policy. If You are a Registered User, Your use of the Platform is also governed by our Terms and Conditions.

1.4

This Privacy Policy has been prepared in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and its Executive Regulations (Cabinet Decision No. 44 of 2024), and takes into account applicable international data protection standards.

1.5

This Policy is published in the English language. Where applicable law requires an Arabic translation, the Arabic version shall prevail. For all other purposes, the English version shall govern.

2. Definitions

2.1

"Personal Data" means any data relating to an identified or identifiable natural person ("Data Subject"), as defined under Article 1 of the UAE PDPL.

2.2

"Processing" means any operation or set of operations performed on Personal Data, whether by automated or non-automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

2.3

"AI Features" means the artificial intelligence-powered functionalities of the Platform, including AI-generated menu descriptions, dietary tag suggestions, and menu analysis.

2.4

"Menu Data" means all information related to restaurant menus submitted by Registered Users, including menu items, descriptions, pricing, categories, modifiers, dietary information, and associated images.

2.5

"Sensitive Data" means special categories of Personal Data as defined under the UAE PDPL, including data relating to health, religious beliefs, ethnic origin, and other categories specified in Article 7 of the UAE PDPL.

3. Data Controller Information

3.1

The data controller for Personal Data processed through the Platform is:

Jasmine Entertainment FZE

Publishing City, Sharjah

United Arab Emirates

Email: support@mydscvr.ai

3.2

For any inquiries regarding the processing of your Personal Data, you may contact our data protection point of contact at: support@mydscvr.ai.

4. Information We Collect

We collect and process the following categories of information:

4.1. Account Registration Information

When You create an Account on the Platform, we collect the following information through our authentication provider (Clerk):

(a)Full name;

(b)Email address;

(c)Password (encrypted; managed by Clerk);

(d)Profile photograph (if voluntarily provided); and

(e)Authentication tokens and session identifiers.

4.2. Restaurant and Business Information

When You set up Your restaurant profile on the Platform, we collect:

(a)Restaurant or business name;

(b)Restaurant type and cuisine category;

(c)Business address and location;

(d)Contact telephone number;

(e)Business description;

(f)Operating hours;

(g)Logo and brand images; and

(h)Any additional business information You voluntarily provide.

4.3. Menu Data

As part of the Platform's core functionality, we collect and process:

(a)Menu item names and descriptions;

(b)Menu item pricing and currency;

(c)Menu categories and subcategories;

(d)Menu item modifiers (add-ons, variations, sizes);

(e)Dietary tags and allergen information (including AI-suggested tags);

(f)Menu item images and photographs;

(g)Menu structure and organization data; and

(h)AI-generated content associated with menu items.

4.4. Payment and Billing Information

When You subscribe to a paid Subscription Plan, payment information is collected and processed by our third-party payment processor, Stripe:

(a)Payment card details (card number, expiration date, CVV) — processed and stored exclusively by Stripe; We do not store full payment card details;

(b)Billing name and address;

(c)Transaction history and subscription status; and

(d)Stripe customer and subscription identifiers.

4.5. Usage and Technical Data

We automatically collect certain technical and usage information when You access or use the Platform:

(a)IP address;

(b)Browser type and version;

(c)Device type, operating system, and device identifiers;

(d)Referring URLs and exit pages;

(e)Pages visited, features used, and actions taken on the Platform;

(f)Date, time, and duration of access;

(g)Click patterns and navigation paths; and

(h)Error logs and performance data.

4.6. AI Interaction Data

When You use the AI Features of the Platform, we collect:

(a)Menu Data and other inputs submitted for AI processing;

(b)AI-generated outputs (descriptions, tags, analysis results, scores);

(c)Your interactions with AI-generated content (accept, reject, edit);

(d)AI feature usage frequency and patterns; and

(e)AI usage log data (timestamps, feature type, usage counts).

4.7. Communications Data

When You contact Us or interact with our support channels, we collect:

(a)Email correspondence;

(b)Support ticket contents;

(c)Feedback and survey responses; and

(d)Any other information You voluntarily provide in communications with Us.

4.8. Information We Do Not Intentionally Collect

4.8.1

We do not intentionally collect Sensitive Data as defined under the UAE PDPL. However, Menu Data may incidentally contain information that could be considered sensitive, such as dietary information related to religious practices (e.g., halal, kosher). Such information is processed solely for the purpose of providing the Platform's menu management and dietary tagging functionalities.

4.8.2

We do not collect biometric data, genetic data, or data concerning criminal convictions through the Platform.

5. How We Use Your Information

5.1.1. Service Delivery and Account Management

(a)Creating, managing, and maintaining Your Account;

(b)Authenticating Your identity and managing access to the Platform;

(c)Processing and managing Your Subscription and billing;

(d)Providing the Platform's core menu management functionalities; and

(e)Providing customer support and responding to Your inquiries.

5.1.2. AI Feature Delivery

(a)Processing Your Menu Data through AI models to generate menu descriptions;

(b)Analyzing menu items to suggest dietary tags and allergen information;

(c)Conducting menu analysis and generating scoring and recommendations;

(d)Tracking and managing Your AI feature usage entitlements; and

(e)Improving the quality and relevance of AI-generated outputs.

5.1.3. Platform Improvement and Analytics

(a)Analyzing usage patterns to improve the Platform's features, performance, and user experience;

(b)Generating aggregated, anonymized analytics and insights;

(c)Conducting research and development for new features;

(d)Monitoring and improving Platform security and stability; and

(e)Identifying and resolving technical issues and bugs.

5.1.4. Communications

(a)Sending transactional emails (account verification, subscription confirmations, billing receipts);

(b)Sending service-related notifications (feature updates, maintenance notices, policy changes);

(c)Sending marketing communications, subject to Your consent where required by applicable law; and

(d)Responding to Your support requests and inquiries.

5.1.5. Legal and Compliance

(a)Complying with applicable legal obligations, including tax and accounting requirements;

(b)Enforcing our Terms and Conditions and other policies;

(c)Detecting, preventing, and addressing fraud, security incidents, and technical issues;

(d)Exercising or defending legal claims; and

(e)Meeting regulatory requirements, including data protection compliance.

6. AI Data Processing

Transparency Notice

This section provides specific transparency regarding how Your data is processed by AI Features, in accordance with emerging AI governance principles and the UAE PDPL's requirements for fair and transparent processing.

6.1.1. How AI Features Work

(a)Description Writer: When You use the AI description writing feature, Your menu item data (name, category, existing description, modifiers, and pricing) is sent to the Anthropic Claude API. The AI model processes this input and generates enhanced or new menu item descriptions. The original menu data is transmitted to Anthropic's servers for real-time processing and is not retained by Anthropic beyond the processing session.

(b)Dietary Tagger: When You use the dietary tagging feature, Your menu item data (name, description, ingredients if provided, and modifiers) is sent to the Anthropic Claude API. The AI model analyzes the data and suggests relevant dietary tags (e.g., vegetarian, vegan, gluten-free, dairy-free, halal). These are suggestions only and require Your review and confirmation.

(c)Menu Analyzer: When You use the menu analysis feature, Your complete menu data (items, descriptions, categories, pricing, structure) is sent to the Anthropic Claude API for comprehensive analysis. The AI generates scores and recommendations across multiple dimensions. Analysis results are cached on Our servers for performance optimization.

6.1.2. Data Sent to AI Providers

The following categories of data may be transmitted to Anthropic's Claude API when You use AI Features:

(a)Menu item names and descriptions;

(b)Menu item pricing;

(c)Menu categories and structure;

(d)Menu item modifiers and variations;

(e)Existing dietary tags; and

(f)Restaurant cuisine type and category (for contextual processing).

What We Do Not Send to AI Providers

Your personal name, email address, payment information, IP address, account credentials, or any data not directly related to menu content processing.

6.1.3. AI Provider Data Handling

We use the Anthropic Claude API under commercial API terms. Under Anthropic's API terms, data submitted through the API is not used by Anthropic to train its AI models.

Data transmitted to Anthropic is processed in accordance with Anthropic's privacy policy and data processing terms. Anthropic may temporarily retain API inputs and outputs for abuse prevention, safety monitoring, and limited debugging purposes.

6.1.4. AI Content Accuracy

AI-Generated Content is produced by statistical language models and may contain errors, inaccuracies, or biases.

Important

AI-suggested dietary tags are not verified medical or nutritional assessments. You must independently verify all dietary and allergen information before publishing it to consumers.

7. Legal Basis for Processing

7.1

In accordance with Article 5 of the UAE PDPL, we process Personal Data based on one or more of the following legal bases:

7.1.1. Consent

Where You have given Your explicit, informed, and freely given consent to the processing of Your Personal Data for specific purposes, including: (a) creating an Account and using the Platform; (b) receiving marketing communications; and (c) processing Your data through AI Features. You have the right to withdraw Your consent at any time.

7.1.2. Performance of a Contract

Processing that is necessary for the performance of a contract to which You are a party, including: (a) providing the Platform's services; (b) managing Your Account and Subscription; (c) processing payments; and (d) delivering AI Features that You have requested.

7.1.3. Legitimate Interests

Processing that is necessary for Our legitimate interests, provided that such interests do not override Your fundamental rights and freedoms, including: (a) improving and optimizing the Platform; (b) ensuring the security and integrity of the Platform; (c) generating aggregated analytics; (d) preventing fraud and abuse; and (e) direct marketing to existing customers (subject to opt-out rights).

7.1.4. Legal Obligations

Processing that is necessary for compliance with a legal obligation, including: (a) tax reporting and accounting requirements; (b) responding to lawful requests from competent authorities; and (c) compliance with data protection and consumer protection laws.

8.1

We do not sell, rent, or trade Your Personal Data to third parties for their own marketing purposes.

8.2

We may share or disclose Your information in the following circumstances:

8.2.1. Service Providers and Processors

We share information with third-party service providers who process data on Our behalf, subject to data processing agreements that require them to protect Your data and process it only in accordance with Our instructions.

8.2.2. Public Menu Pages

If You configure Your restaurant menu to be publicly accessible, the following information will be visible to Visitors on Your Public Menu Page:

(a)Restaurant name and branding;

(b)Menu item names, descriptions, and pricing;

(c)Menu categories and structure;

(d)Dietary tags and allergen information;

(e)Menu item images; and

(f)Any other menu information You choose to make publicly visible.

You control what information is displayed on Your Public Menu Page through Your dashboard settings.

8.2.3. Legal and Regulatory Requirements

We may disclose Your information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms and Conditions; (c) protect the rights, property, or safety of the Company, our Users, or the public; (d) detect, prevent, or address fraud, security, or technical issues; or (e) respond to a lawful request by a UAE government authority or court order.

8.2.4. Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, Your information may be transferred to the successor entity, subject to applicable data protection requirements. We will notify You of any such transfer.

8.2.5. Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify You. Such data is not considered Personal Data under the UAE PDPL.

9. Third-Party Service Providers

We use the following third-party service providers to operate the Platform:

Clerk

Authentication

User authentication, account management, and session management.

Data processed: Name, email address, profile image, authentication tokens, session data, IP address.

Data location: United States (with global edge infrastructure).

Stripe

Payment Processing

Processing subscription payments, managing billing, issuing receipts and invoices.

Data processed: Payment card details, billing name and address, transaction amounts, subscription status, customer identifiers.

Data location: United States (with global infrastructure; PCI DSS Level 1 certified).

Anthropic

AI Processing

Processing menu data through the Claude AI API to provide AI-powered description writing, dietary tag suggestions, and menu analysis features.

Data processed: Menu item data (names, descriptions, pricing, categories, modifiers, dietary information).

Data location: United States.

Cloudflare

Hosting, CDN, and Storage

Hosting the Platform frontend (Cloudflare Workers), content delivery, DDoS protection, and storing menu item images and media files (Cloudflare R2).

Data processed: IP address, request data, uploaded images and media files, usage logs.

Data location: Global network of data centers.

Railway

Backend Infrastructure and Database

Hosting the Platform backend (API server) and the PostgreSQL database.

Data processed: All data stored in the Platform database, including account information, restaurant data, menu data, AI usage logs, and subscription information.

Data location: United States.

10. International Data Transfers

10.1. Transfer of Data Outside the UAE

10.1.1

As described in Section 9, certain Third-Party Service Providers process data outside the United Arab Emirates, including in the United States. This means that Your Personal Data may be transferred to and processed in countries outside the UAE.

10.1.2

In accordance with Articles 22 and 23 of the UAE PDPL and the relevant provisions of its Executive Regulations, We implement the following safeguards for international data transfers:

(a)Adequacy: Where the UAE Data Office has issued an adequacy finding for the recipient country, we rely on such finding as the legal basis for transfer.

(b)Contractual Safeguards: Where no adequacy finding exists, We ensure that appropriate contractual safeguards are in place with each data processor, including standard contractual clauses and data processing agreements that require the recipient to protect Personal Data to a standard substantially equivalent to the protections afforded under the UAE PDPL.

(c)Consent: Where required and appropriate, we obtain Your explicit consent for the transfer of Your Personal Data to countries outside the UAE.

10.2. GCC Data Transfers

10.2.1

As We expand our operations to other GCC member states, additional data protection requirements may apply. We will update this Policy to reflect jurisdiction-specific requirements as applicable.

11. Data Storage and Security

11.1. Data Storage

11.1.1

Your data is stored using the infrastructure and service providers described in Section 9. Our primary database is hosted on Railway's infrastructure. Images and media files are stored on Cloudflare R2.

11.2. Security Measures

We implement technical and organizational security measures designed to protect Your Personal Data, in accordance with Article 8 of the UAE PDPL. These measures include:

(a)Encryption in Transit: All data transmitted between Your browser and the Platform is encrypted using TLS / HTTPS protocols.

(b)Encryption at Rest: Sensitive data stored in our database is encrypted at rest using industry-standard encryption algorithms.

(c)Authentication Security: User authentication is managed through Clerk, which implements industry-standard security practices including password hashing, secure session management, and optional multi-factor authentication.

(d)Access Controls: Access to Personal Data within Our organization is restricted to authorized personnel on a need-to-know basis.

(e)Payment Security: Payment card data is processed and stored by Stripe, which maintains PCI DSS Level 1 certification.

(f)Infrastructure Security: Our hosting providers (Cloudflare and Railway) implement comprehensive security measures including DDoS protection, network firewalls, and regular security monitoring.

11.3. Security Incident Response

In the event of a Personal Data breach, We will:

(a)Promptly assess the nature, scope, and potential impact of the breach;

(b)Notify the UAE Data Office within seventy-two (72) hours from becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of Data Subjects;

(c)Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms; and

(d)Take immediate steps to contain, investigate, and remediate the breach.

12. Data Retention

12.1. Retention Periods

We retain Your Personal Data only for as long as necessary to fulfill the purposes for which it was collected. The following general retention periods apply:

Data Category	Retention Period
Account registration data	Duration of account + 12 months after deletion
Restaurant and business information	Duration of account + 12 months after deletion
Menu Data	Duration of account + 30 days after deletion (data export period)
Payment and billing records	7 years from the date of the transaction (UAE tax law)
AI interaction data (usage logs)	24 months from the date of the interaction
AI-generated content	Duration of account + 30 days after deletion
Usage and technical data	24 months from the date of collection
Communications and support data	36 months from the date of the communication

12.2. Retention After Account Deletion

Upon deletion of Your Account, We will delete or anonymize Your Personal Data within the retention periods specified above, except where: (a) retention is required by applicable law; (b) the data has been incorporated into aggregated, anonymized datasets; or (c) retention is necessary for the establishment, exercise, or defense of legal claims.

12.3. Anonymization

Where feasible, We may anonymize Your data rather than delete it. Anonymized data is no longer considered Personal Data under the UAE PDPL and may be retained indefinitely for analytics, research, and Platform improvement purposes.

13. Your Rights as a Data Subject

13.1

In accordance with Articles 13 through 20 of the UAE PDPL, You have the following rights regarding Your Personal Data:

Right of Access

You have the right to request access to the Personal Data We hold about You, including information about the purposes of processing, the categories of data processed, the recipients of Your data, and the retention period.

Right to Rectification

You have the right to request the correction of inaccurate Personal Data and the completion of incomplete Personal Data.

Right to Erasure

You have the right to request the deletion of Your Personal Data where: the data is no longer necessary for the purposes for which it was collected; You withdraw Your consent; You object to the processing; or the data has been unlawfully processed.

Right to Restriction of Processing

You have the right to request the restriction of processing of Your Personal Data in certain circumstances, including where You contest the accuracy of the data or the processing is unlawful.

Right to Data Portability

You have the right to receive Your Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible.

Right to Object

You have the right to object to the processing of Your Personal Data on grounds relating to Your particular situation, where the processing is based on Our legitimate interests.

Right to Withdraw Consent

Where processing is based on Your consent, You have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You. Our AI Features generate suggestions presented for Your review and manual acceptance.

13.2. Exercising Your Rights

13.2.1

To exercise any of the rights described above, please contact Us at support@mydscvr.ai with the subject line "Data Subject Rights Request."

13.2.2

We will respond to Your request within thirty (30) days of receipt, as required by the UAE PDPL. This period may be extended by an additional sixty (60) days in cases of complexity.

13.2.3

We may request verification of Your identity before processing Your request.

13.2.4

There is no fee for exercising Your data protection rights. However, if requests are manifestly unfounded or excessive, We may charge a reasonable administrative fee or refuse to act on the request.

13.3. Right to Lodge a Complaint

13.3.1

If You believe that Your data protection rights have been violated, You have the right to lodge a complaint with the UAE Data Office or any other competent supervisory authority.

14. Cookies and Tracking Technologies

14.1. What Are Cookies

Cookies are small text files placed on Your device when You visit a website. They are widely used to make websites work more efficiently and to provide information to the website operator.

14.2. Cookies We Use

The Platform uses the following types of cookies and similar tracking technologies:

Strictly Necessary Cookies

Authentication cookies (set by Clerk), security cookies (CSRF protection), and load balancing cookies. These are essential and do not require consent.

Legal basis: Strictly necessary for the provision of the Platform.

Functional Cookies

Preference cookies (language, display settings) and feature state cookies (dashboard layout choices).

Legal basis: Legitimate interest in providing a functional Platform.

Analytics Cookies

Performance cookies (page load times, errors) and usage analytics cookies (page views, navigation paths, session duration).

Legal basis: Legitimate interest in improving the Platform, subject to opt-out.

Third-Party Cookies

Clerk authentication cookies, Stripe fraud detection cookies, and Cloudflare performance/security cookies.

Legal basis: As set by each third-party provider.

14.3. Managing Cookies

You can control and manage cookies through Your browser settings. Most browsers allow You to view, delete, and block cookies. Disabling certain cookies, particularly authentication cookies, may impair the functionality of the Platform.

15. Public Menu Pages and Consumer Data

15.1. Consumer (Visitor) Data

When end consumers ("Visitors") access Public Menu Pages, We may collect limited information, including: IP address, browser type, device type, pages viewed, duration of visit, and referring URL. We do not require Visitors to create accounts to view Public Menu Pages.

15.2. Registered User Responsibility

Registered Users are responsible for ensuring that the information they publish on their Public Menu Pages, including dietary tags, allergen information, and item descriptions, is accurate and complies with applicable consumer protection and food safety laws.

16. Children's Privacy

16.1

The Platform is a business-to-business service designed for use by restaurant owners, managers, and other authorized business representatives. The Platform is not directed at or intended for use by individuals under the age of eighteen (18).

16.2

We do not knowingly collect Personal Data from children under the age of eighteen (18). If We become aware that We have inadvertently collected Personal Data from a person under eighteen (18), We will take steps to delete such data promptly.

16.3

If You believe that We have collected Personal Data from a child under eighteen (18), please contact Us immediately at support@mydscvr.ai.

17. Do Not Track Signals

17.1

"Do Not Track" (DNT) is a privacy preference that users can set in certain web browsers. The Platform does not currently respond to DNT signals, as there is no industry-standard technology for recognizing or honoring DNT signals.

17.2

Regardless of DNT settings, We process data as described in this Policy. You may manage tracking through cookie settings as described in Section 14.

18. Changes to This Privacy Policy

18.1

We reserve the right to update or modify this Privacy Policy at any time. Changes will be effective upon posting the updated Policy on the Platform with a revised "Last Updated" date.

18.2

For material changes that significantly affect how We collect, use, or share Your Personal Data, We will provide at least thirty (30) days' advance notice via email or a prominent notice on the Platform.

18.3

Your continued use of the Platform after the effective date of any updated Policy constitutes Your acceptance of the changes. If You do not agree with the updated Policy, You should discontinue use of the Platform and delete Your Account.

19. Jurisdiction-Specific Provisions

19.1. United Arab Emirates

This Privacy Policy has been prepared in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and its Executive Regulations (Cabinet Decision No. 44 of 2024). We are committed to complying with all requirements of the UAE PDPL, including lawful, fair, and transparent processing; purpose limitation and data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

19.2. Kingdom of Saudi Arabia (Future)

As We expand operations to the Kingdom of Saudi Arabia, We will comply with the Saudi Personal Data Protection Law (Royal Decree M/19, dated 9/2/1443 AH) and its Implementing Regulations. A Saudi Arabia-specific addendum to this Policy will be published prior to the commencement of operations in that market.

19.3. Other GCC Jurisdictions (Future)

As We expand to additional GCC markets, we will publish jurisdiction-specific addenda to address the data protection requirements of each market, including: Bahrain's Personal Data Protection Law (Law No. 30 of 2018); Qatar's Law No. 13 of 2016 on Personal Data Privacy; Kuwait's applicable data protection provisions; and Oman's Personal Data Protection Law (Royal Decree No. 6/2022).

20. Contact Us

If You have any questions, concerns, or complaints about this Privacy Policy or Our data processing practices, please contact Us at: