1. Who we are
tawlat is a restaurant operating system built in Jordan and used by restaurants across Jordan and the wider GCC. The service is operated by tawlat (the company).
For the marketing site, we act as the data controller. For the operational data your restaurant puts into the product (menu, customers, orders, suppliers, staff), we act as a data processor — your restaurant remains the controller of that data and decides what to do with it.
2. What we collect
We collect different categories of data depending on how you interact with us:
- Account data: name, email, phone, restaurant name, billing address, and a hashed password.
- Operational data your restaurant enters: menu items, prices, recipes, customer records (names, phones, addresses your restaurant takes from its own guests), orders, suppliers, staff users and their roles.
- Usage and device data: pages visited, clicks, browser type, language, time zone, IP address, and approximate location derived from it.
- Cookies: essential cookies that keep you signed in and keep the site working; optional analytics cookies only if you accept them.
- Communications: support emails, chat conversations, and any forms you submit through our contact pages.
3. How we use it
We use the data to run the service, support you, bill you, and improve the product. Specifically:
- Operating the service — every restaurant workflow runs on the data your team enters.
- Billing and subscription management.
- Customer support and onboarding.
- Sending transactional messages (Z-reports, alerts, statements, security notices).
- Product improvement via aggregate, de-identified analytics. We do not sell individual data to advertisers or data brokers.
- Meeting legal, accounting, and tax obligations.
4. Who we share with
We share data with a small set of subprocessors that help us run the service, chosen for security and reliability. These include:
- Cloud hosting and database providers (where your data is stored and processed).
- Email and notification delivery services.
- Analytics providers (for aggregate usage, never for ad targeting).
- Payment processors (your customers' card data goes to them — we don't store full card numbers).
- Legal and accounting advisers, under confidentiality.
We share data with authorities only when legally required (court order, valid legal request, fraud prevention). We do not sell personal data.
5. Cookies and tracking
Our marketing site uses essential cookies (so the site works and your locale persists) and optional analytics cookies (only if you accept them). The product itself uses session cookies for login and security.
You can clear or block cookies in your browser at any time. If you block essential cookies, parts of the site or product may stop working.
6. Data security and retention
We encrypt data in transit (HTTPS) and at rest where supported by our infrastructure. Access to your data is limited to staff who need it for support, and that access is logged. We back up your data on a regular schedule, and the backups are encrypted.
We keep your data for as long as you have an active account, plus a short window after cancellation so you can pull final reports or settle disputes. After that, your data is deleted from active systems. Anonymised records may be kept only as required by tax, accounting, or other legal obligations.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to legal retention requirements).
- Object to certain processing, including marketing emails.
- Export your data in a portable format.
- Withdraw consent for optional processing (analytics, marketing) at any time.
To exercise any of these, email privacy@tawlat.menu. We respond within a reasonable time, and at no charge for ordinary requests.
8. International data transfers
Our cloud infrastructure may store and process data in multiple regions for backup and performance. We use standard contractual safeguards with our hosting providers to protect your data wherever it sits.
9. Children
The service is not intended for children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided data to us, contact us and we'll delete it.
10. Changes to this policy
We may update this policy from time to time. If we make material changes, we'll email account owners and post a notice in the admin dashboard. The "Last updated" date at the top of this page always reflects the current version.