Privacy Policy
This Privacy Policy sets out the personal data that TAJERGO A I TECHNOLOGIES - L.L.C - S.P.C ("TajerGo", "we", "us", or "our") collects, how we use it, where it is stored, who we share it with, and the rights and choices available to you.
This is a single, unified Policy. It applies to every TajerGo surface, including the TajerGo website at tajergo.ae, the merchant platform and point of sale application, the admin console used by our staff and by merchant administrators, and any TajerGo mobile or web application, ordering page, or interface that links to this Policy. We refer to all of the above together as the "Services".
This Policy aligns with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and its executive regulations. TajerGo is established in Abu Dhabi, mainland UAE, so the federal PDPL is the governing data protection law. For the purposes of this Policy, "personal data" means any information relating to an identified or identifiable natural person.
Our commitment
- We do not sell or rent your personal data.
- We collect only the data needed to run the Services.
- We tell you where your data is stored and when it leaves the UAE.
- We disclose where we use artificial intelligence and automated processing.
- We act as a data processor for the customer data inside a merchant's account, and the merchant is the controller of that data.
- We encrypt sensitive personal data and restrict access to it.
1. Scope and application
This Policy covers the personal data of the following categories of data subjects.
- Prospective Users and Leads: Those who submit interest, demo, or trial forms before holding an account, and businesses we research for sales outreach.
- Website Visitors: Those who visit tajergo.ae.
- Merchants (Customers): The businesses and individuals who subscribe to the Services.
- Authorized Users: Those with login credentials to a merchant account, including owners, managers, cashiers, and other staff assigned a role under role based access control.
- End Customers: The customers of a merchant whose personal data is processed through the merchant's use of the Services, for example through sales, ordering, loyalty, credit (Khata), and digital receipts.
This Policy does not cover the websites, storefronts, or systems operated by our merchants outside the Services. Each merchant sets its own policies for, and is responsible for compliance with all laws relating to, the personal data of its own End Customers.
Controller and processor roles. TajerGo is the data controller for the personal data of Prospective Users, Website Visitors, Merchants, and Authorized Users. TajerGo is a data processor for End Customer data and merchant business content held in the platform. As a processor, we act on the merchant's documented instructions.
The Services are for business use and are not directed at individuals under the age of 18. See Section 15.
2. Information we collect
Prospective Users and Leads
When you submit the website lead form, we collect: full name, email address, mobile number, shop or business name, and industry. We also record your consent status, the consent timestamp, the IP address and browser user agent at the time of consent, the version of the privacy notice you accepted, and your marketing preferences.
For sales outreach, we also research and store business contact data on prospective merchants, which may include business name, brand, category, location, decision-maker name and role, email, phone, WhatsApp number, website, and public social media handles, along with a lead score generated by our systems.
Website Visitors
Log data such as IP address, browser and device information, referring pages, and language preference. We use Google Analytics, Microsoft Clarity, and Cloudflare analytics to understand how the website is used. Cookies and similar technologies are described in Section 10 and in our separate Cookie Policy.
Merchants
- Account information: business name, trade license details, owner and administrator contact details, billing address, and tax registration number where relevant.
- Configuration data: branches, roles, products, pricing, and integration settings.
- Billing and payment information: payments are processed by Stripe through Stripe Checkout. Card details are entered with Stripe and TajerGo does not store full card numbers.
- Uploaded files and images: documents and images you upload, including product images, receipts, supplier invoices, bank statements, trade licenses, and VAT certificates submitted for finance, reconciliation, and onboarding features. These files may contain personal and financial data and are processed by OCR as described in Section 4.
Authorized Users
Identity and access data: name, email, assigned role, and login credentials (passwords are stored hashed). Activity logs: configuration changes, transactions processed, and access events, kept for security and audit.
End Customers (processed on behalf of merchants)
- Identity and contact data: name, email, phone, address, city, country, and where the merchant collects it, nationality, date of birth, tax registration number, and identity document references.
- Transaction data: orders, items, amounts, and timestamps.
- Loyalty and credit data: loyalty points and tier, cashback, store credit, and Khata ledger balances and history.
- Identity and contact fields such as email, phone, and address are stored encrypted, as described in Section 12.
Voice and recognition data
Where a merchant enables voice command or image recognition features, we process the related voice recordings and images to deliver those features.
Technical and operational data
Usage and device data, and error and performance diagnostics used to maintain and improve the Services.
3. How we use information
- Provide, operate, maintain, and secure the Services.
- Enable account access and platform features.
- Process subscriptions, payments, confirmations, and invoices.
- Send service messages, including technical notices, security alerts, and support communications.
- Respond to support requests.
- Monitor and analyze usage to maintain stability, detect abuse, and improve features.
- Comply with legal obligations, and investigate and prevent fraud and unauthorized access.
- Send commercial communications where you have agreed to receive them.
For End Customer data, we process only to deliver the merchant's enabled features, on the merchant's instructions. We do not use End Customer data for our own marketing.
4. Artificial intelligence and automated processing
We use artificial intelligence and automated software agents to operate and improve parts of the Services. The AI services we use are:
- Google Vertex AI (Google Cloud), model Gemini 2.5 Flash. Used to power in-platform agents that assist with categorization, reconciliation support, search, reporting, drafting, and operational tasks.
- Google Vision (Google Cloud). Optical character recognition used to read and extract data from uploaded invoices, receipts, bank statements, trade licenses, and VAT certificates.
These features may process the personal and financial data contained in the documents you upload and in the records inside your account. We log AI usage and the decisions our automated systems produce for audit and oversight.
- Purpose limitation. AI features process only the data needed for the stated task.
- Provider terms. AI processing is carried out by Google Cloud (Vertex AI and Vision) acting as our Sub-Processors. Under Google Cloud's data processing terms, your data is not used to train Google's foundation models.
- No solely automated decisions with legal effect. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, unless permitted by law. Where automated processing materially affects you, you can request human review. See Section 9.
- Human oversight. A human remains responsible for consequential outputs.
Merchants remain the controller of any End Customer data processed by AI features and are responsible for informing their own End Customers.
5. Aggregated and anonymized data
We may produce aggregated and anonymized data that does not identify any individual, such as usage statistics and performance metrics, to operate, secure, and improve the Services. Aggregated and anonymized data is not personal data and is not subject to the restrictions that apply to personal data.
6. Information sharing and sub-processors
We share personal data with service providers ("Sub-Processors") who help us run the business and deliver the Services. They process personal data only on our instructions and under contract terms covering confidentiality, data protection, and security. We do not permit them to sell personal data or use it for their own purposes.
Our Sub-Processors:
- Render, Inc. Application hosting and cache. The backend service and the Valkey / Redis cache run in Render's Frankfurt, Germany region.
- Supabase (PostgreSQL). Primary database, hosted in the Mumbai, India region.
- Amazon Web Services (S3). Object storage for uploaded documents and images, in the Mumbai, India region.
- Google Cloud (Vertex AI and Vision). AI agents and document OCR.
- Stripe. Payment processing and checkout.
- Resend. Transactional and notification email delivery (sending domain tajergo.ae).
- Slack. Internal operational notifications.
- Cloudflare. Content delivery network and security layer for the website, including cookieless web analytics.
- Google Analytics (Google LLC). Website usage analytics.
- Microsoft Clarity (Microsoft Corporation). Website behaviour analytics and session insights.
A current Sub-Processor list is available on request via privacy@tajergo.ae.
We may also share personal data:
- To respond to lawful requests by public authorities, court orders, or legal process, or to establish, exercise, or defend legal claims.
- Where we hold a good faith belief that sharing is needed to investigate or prevent fraud, security threats, threats to safety, or breaches of our terms.
- In connection with a merger, acquisition, financing, or sale, as in Section 19.
- Where you have given consent.
Where a merchant connects a third-party service to their account, such as a delivery platform, data is shared with that service under the merchant's control and that service's own terms. We do not share End Customer data except to deliver the merchant's enabled features or as required by law.
7. Where your data is stored and cross-border transfers
The Services run across providers in more than one country. Below is where each category of data is stored and the safeguard applied when data leaves the UAE.
Under the PDPL, transfer of personal data outside the UAE is lawful only where one of the following applies: the destination provides an adequate level of protection, a contract binds the recipient to PDPL-level protections, you give explicit consent, or the transfer is necessary for a contract or for legal claims.
| Data category | Provider | Storage location | Purpose | Transfer safeguard |
|---|---|---|---|---|
| Backend application and cache | Render, Inc. | Frankfurt, Germany (EU) | Run the platform backend and cache | Data Processing Agreement with PDPL-compliant safeguards |
| Account, configuration, transaction data | Supabase (PostgreSQL) | Mumbai, India | Run the platform database | Data Processing Agreement with PDPL-compliant safeguards |
| Documents and images | Amazon Web Services (S3) | Mumbai, India (ap-south-1) | Store uploads, receipts, statements | Data Processing Agreement with PDPL-compliant safeguards |
| Document and invoice OCR | Google Cloud (Vision) | Google Cloud global processing | Read and extract data from documents | Data Processing Agreement with PDPL-compliant safeguards |
| AI agents | Google Cloud (Vertex AI, Gemini 2.5 Flash) | Google Cloud global processing | Categorization, reconciliation, search, support | Data Processing Agreement with PDPL-compliant safeguards. Data not used to train Google models. |
| Payment data | Stripe | United States and Ireland | Process payments | Data Processing Agreement with PDPL-compliant safeguards |
| Email delivery | Resend | United States | Send transactional and notification email | Data Processing Agreement with PDPL-compliant safeguards |
| Internal notifications | Slack | United States | Operational alerts | Data Processing Agreement with PDPL-compliant safeguards |
| Website analytics | Google Analytics (Google LLC) | United States, Google global infrastructure | Measure website usage | Data Processing Agreement with PDPL-compliant safeguards |
| Website behaviour analytics | Microsoft Clarity (Microsoft) | United States | Session insights and heatmaps | Data Processing Agreement with PDPL-compliant safeguards |
| Content delivery and security | Cloudflare, Inc. | United States, Cloudflare global network | Serve and protect the website | Data Processing Agreement with PDPL-compliant safeguards |
Notes on safeguards. Your data leaves the UAE to Germany (EU), India, and the United States, and to Google Cloud. The UAE Data Office has not yet published a list of jurisdictions with adequate protection. Until it does, the basis for each transfer is a Data Processing Agreement that binds the recipient to PDPL-level protections, supported by your explicit consent where relevant.
8. Legal basis for processing
Under the PDPL, consent is the default basis for processing personal data. We process without consent only where the PDPL permits, including where processing is:
- Necessary to perform or negotiate a contract with you.
- Required to comply with a legal obligation.
- Necessary to protect the vital interests of a data subject.
- Necessary for the public interest or public health.
- Related to data the data subject has made public.
- Necessary for legal claims or judicial procedures.
- Necessary for employment, social security, or social protection obligations.
- For archival, scientific, historical, or statistical purposes in line with UAE law.
We record consent at the point of collection, including the timestamp, IP address, user agent, and the version of this Policy accepted. Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect processing carried out before withdrawal. For End Customer data, the legal basis is set by the merchant as controller.
9. Your rights under the PDPL
Subject to the conditions and exceptions in the PDPL, you have the right to:
- Be informed about, and obtain access to, your personal data.
- Request correction of inaccurate or incomplete data.
- Request deletion of your personal data.
- Request restriction of, or object to, processing.
- Request transfer of your personal data in a structured, machine readable format.
- Withdraw consent where processing is based on consent.
- Request human review of any decision based solely on automated processing that materially affects you.
We operate an internal process for deletion and other rights requests. To exercise a right, contact privacy@tajergo.ae. We will verify your identity before acting and respond within the period required by the PDPL. If you are an End Customer of a merchant, direct your request to that merchant. If you contact us, we will refer you to the merchant.
If you are not satisfied, you can lodge a complaint with the UAE Data Office.
10. Cookies and tracking
We use cookies and similar technologies on the website and within the Services for operation, security, preferences, and analytics. Full detail, including the categories used and how to manage them, is in our separate Cookie Policy. You can manage non-essential cookies through the controls provided when you visit.
11. Communication preferences
- Service communications: operational, security, and account messages needed to run the Services, sent from tajergo.ae. These cannot be switched off while you hold an account.
- Commercial communications: marketing messages sent only where you agreed to receive them. Opt out using the unsubscribe link, your account settings, or privacy@tajergo.ae.
12. Data security
We apply physical, technical, and administrative controls to protect personal data, including:
- Encryption in transit using TLS.
- Encryption of data at rest. Our database provider encrypts stored data, and we apply additional column-level encryption to sensitive End Customer fields, including email, phone, and address.
- Role based access control and row level security at the database layer.
- Access logging, audit trails, and restricted internal access on a need to know basis.
- Hashing of account passwords.
No method of transmission or storage is fully secure, and we cannot guarantee absolute security. Report a security concern to privacy@tajergo.ae.
13. Data breach notification
If a personal data breach occurs that may prejudice the privacy, confidentiality, or security of personal data, we will notify the UAE Data Office, and affected data subjects where required, in line with the PDPL. Where TajerGo is a processor, we will notify the affected merchant without undue delay so the merchant can meet its own obligations.
14. Data retention
We keep personal data only as long as needed for the purposes in this Policy, or longer where the law requires. We consider the purpose of collection, the sensitivity of the data, the risk of harm, whether less data would serve, and legal and tax retention rules.
Retention periods (5 years across categories):
- Lead and prospect data: 5 years.
- Account and configuration data: life of the account, plus 5 years after closure.
- Transaction and financial records: 5 years, aligned to UAE record keeping rules.
- Uploaded documents and images: 5 years.
- Activity and audit logs: 5 years.
When a period ends, we delete or anonymize the data. End Customer data is retained per the merchant's instructions and applicable law.
15. Children's privacy
The Services are for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under that age. We process personal data in line with the UAE Federal Decree-Law No. 26 of 2025 on Child Digital Safety where it applies. If we learn we hold such data without a lawful basis, we will delete it.
16. Merchant responsibilities
Where TajerGo acts as a processor of End Customer data, the merchant is the controller and is responsible for:
- Establishing a lawful basis for collecting and processing End Customer data.
- Giving End Customers the required privacy information.
- Handling End Customer rights requests.
- Configuring the Services in line with its own legal obligations.
We process End Customer data only on the merchant's documented instructions. The terms governing this are in the Data Processing Addendum to the TajerGo Subscription Agreement.
17. Data protection officer
For any privacy matter, contact our data protection contact at dpo@tajergo.ae.
18. Changes to this policy
We may update this Policy from time to time. Where a change materially affects how we process your personal data, we will give notice and, where required, obtain consent. The updated Policy will be posted with a revised effective date. We version this Policy and record the version accepted at sign up.
19. Business transactions
We may transfer this Policy and the data it covers in connection with a merger, acquisition, financing, reorganization, or sale of all or part of the business. Any successor will be bound by the commitments here.
20. Governing law and language
This Policy is governed by the laws of the United Arab Emirates, including the PDPL. It is issued in English. An Arabic version may be published. Where there is any conflict between the two, the Arabic version prevails to the extent required by UAE law.
21. Complaints and dispute resolution
Contact us first at privacy@tajergo.ae so we can address your concern. If it stays unresolved, you can lodge a complaint with the UAE Data Office, the supervisory authority under the PDPL.
22. Contact information
TAJERGO A I TECHNOLOGIES - L.L.C - S.P.C
Abu Dhabi Trader Licence No. CN-6586094
Abu Dhabi, United Arab Emirates
Official email: S@tajergo.ae
Attention: Data Protection Officer
Privacy: privacy@tajergo.ae
Data Protection Officer: dpo@tajergo.ae