Privacy Policy

• •Legal entity: Fusion AI Establishment (trading as Qweelvo)
• •Registered address: Riyadh, Kingdom of Saudi Arabia
• •Privacy contact / Data Protection point of contact: [email protected]
• •Website: https://qweelvo.com

For restaurant patrons ordering from a restaurant that uses the Service, the restaurant acts as the Controller of order-specific data and conversation content, and Qweelvo acts as a Processor on the restaurant's behalf. For Personal Data that Qweelvo collects for its own platform operations — including account administration, fraud prevention, product analytics, and direct marketing of the Service to restaurants — Qweelvo acts as the Controller. This Policy describes both roles.

Qweelvo employs third-party large-language-model services to interpret WhatsApp messages in Saudi Arabic dialect and English, classify intent (for example: "place order", "ask question", "reserve table"), extract menu items and modifiers, and generate automated replies.

Conversation content is transmitted to the model provider's API on a no-training, no-retention basis where supported by the applicable provider's API terms. Where such terms do not provide for no-retention, prompts and responses are retained for the minimum period necessary for service operation and abuse monitoring.

We do not use AI to make solely automated decisions that produce legal or similarly significant effects on a Data Subject, within the meaning of the PDPL Implementing Regulations.

Qweelvo communicates with Data Subjects using the WhatsApp Business Platform (Cloud API) provided by WhatsApp LLC and hosted by Meta Platforms, Inc. ("Meta"). The following disclosures apply accordingly:

• •When you message a restaurant via a Qweelvo-powered WhatsApp number, the content of your messages, your phone number, profile name, message timestamps and delivery status are processed by Meta as a sub-processor acting on our behalf and on behalf of the restaurant.
• •Meta's servers for the Cloud API are located outside the Kingdom of Saudi Arabia, primarily in the United States. This constitutes a cross-border transfer governed by PDPL Article 29 (see Section 8 below).
• •Your use of WhatsApp itself is separately governed by WhatsApp's own Privacy Policy and Terms of Service, which are outside the scope of this Policy and which we do not control.
• •We shall send you business-initiated messages (utility, authentication, or marketing templates) only where you have provided your phone number and opted in. You may withdraw consent at any time by replying STOP via WhatsApp, by tapping the unsubscribe option in any marketing template, or by emailing [email protected]. Transactional messages strictly necessary to fulfil an active order shall continue pursuant to the performance of contract basis.
• •For restaurant owners onboarded via Meta Embedded Signup, by granting Qweelvo access to your WhatsApp Business Account you authorise us to send and receive messages, manage approved templates, and view quality ratings on your behalf. You may revoke this access at any time through Meta Business Suite.

Online payments are processed by Moyasar Financial Company, a payment service provider supervised by the Saudi Central Bank (SAMA) and certified to PCI DSS Level 1. When you complete a payment, your card or digital wallet details (Mada, Visa, Mastercard, American Express, Apple Pay, STC Pay) are submitted directly to Moyasar's hosted payment fields.

Qweelvo does not at any point access, transmit or store your full card number, expiry date or CVV. We receive solely the transaction reference, masked card number (last four digits), amount, currency and transaction status. Moyasar's own Privacy Policy and Terms of Service govern the payment transaction.

We disclose Personal Data only to the following categories of recipients, and solely to the extent necessary to fulfil the stated purpose:

• •Restaurants: the restaurant whose number you contacted receives your order, phone number, delivery address, conversation content and order history. The restaurant processes such data under its own privacy practices and as an independent Controller.
• •Meta / WhatsApp: as our messaging infrastructure sub-processor, pursuant to Section 5 of this Policy.
• •Moyasar: as our payment processing partner, pursuant to Section 6 of this Policy.
• •Cloud infrastructure providers engaged to host the Platform and its databases.
• •AI and LLM providers engaged for conversation understanding and automated reply generation.
• •Delivery partners: where the restaurant dispatches an order through a third-party logistics service, the driver receives the customer name, phone number and delivery address solely to the extent necessary to complete the delivery.
• •Professional advisors — including legal counsel, accountants and auditors — on a strictly need-to-know basis, subject to binding confidentiality obligations.
• •Regulatory authorities: including SDAIA, SAMA, ZATCA, the Ministry of Commerce, the Public Prosecution Office and competent courts, where required by applicable Saudi law or pursuant to a valid judicial or regulatory order.

We do not sell Personal Data. We do not share Personal Data with advertising networks for the purposes of cross-context behavioural advertising.

Certain sub-processors — notably Meta, AI/LLM providers and particular cloud infrastructure regions — process Personal Data outside the Kingdom of Saudi Arabia. We rely on the lawful transfer mechanisms set out in PDPL Article 29 and the Regulations on Personal Data Transfers outside the Kingdom, including:

• •Transfer in performance of a contract to which you are a party (for example, processing your order).
• •Adequacy determinations published by SDAIA where applicable.
• •Standard Contractual Clauses or Binding Common Rules issued or approved by SDAIA.
• •Limitation of the transfer to the minimum Personal Data strictly necessary to fulfil the stated purpose.

You may request a list of the countries to which your Personal Data is transferred by emailing [email protected].

Pursuant to PDPL Article 4 and its Implementing Regulations, Data Subjects are entitled to exercise the following rights:

• •Right to be informed of the legal basis and specific purpose for which Personal Data is collected and processed.
• •Right of access to Personal Data held by us, including the right to receive a copy in a readable format.
• •Right to portability — to receive Personal Data in a structured, readable format suitable for transfer to another controller.
• •Right to rectification — to correct, complete or update any inaccurate or incomplete Personal Data.
• •Right to destruction — to request erasure where the data is no longer required for the original purpose, where consent has been withdrawn and no alternative legal basis applies, or where processing is otherwise unlawful.
• •Right to withdraw consent at any time, including consent to receive marketing communications. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.
• •Right to object to direct marketing, free of charge and without the need to provide reasons.
• •Right to lodge a complaint with SDAIA via the National Data Governance Platform (NDGP) within 90 days of becoming aware of an alleged violation.

To exercise any of the foregoing rights, please email [email protected] stating your full name, the phone number(s) and email address associated with your account, and a description of your request. We shall respond within 30 calendar days, extendable by a further 30 days for complex or multiple requests as permitted by the Implementing Regulations.

We implement administrative, technical and physical safeguards aligned with the National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1), including:

• •TLS 1.2+ encryption for all Personal Data in transit.
• •Encryption at rest for all stored Personal Data and databases.
• •Role-based access controls and least-privilege access principles.
• •Multi-factor authentication for all privileged system access.
• •Comprehensive audit logging and anomaly detection.
• •Secret rotation and secure credential management.
• •Regular vulnerability assessments and penetration testing.

Notwithstanding these measures, no information system is entirely immune to security risks. We continuously review and improve our security practices.