01 — Scope and controller
This policy applies to Droplet water and beverage ordering and delivery services in Saudi Arabia, the driver portal, and dropletapp.pro. The operator of the Droplet platform is responsible for the processing described here.
For privacy questions or rights requests: info@dropletapp.pro.
02 — Data we process
- Account and contact data: name, mobile number, optional email, hashed password, language, and optional profile image.
- Order and delivery data: products, quantities, value, VAT, delivery fee, address, coordinates you choose to share, status, and delivery notes.
- Payment data: payment method, transaction identifiers and status. We do not store full card details; the payment provider processes them.
- Driver operational data: account details, service districts, assigned orders, and pickup/delivery updates.
- Device and usage data: notification token, device/OS type, network address, crash/security logs, and service interactions.
- Support messages, complaints, favourites and reviews you submit.
03 — Why we use it and legal bases
We process data to perform the ordering and delivery contract; create and verify accounts; collect payment and record orders; operate notifications and support; prevent fraud and secure the service; improve performance; and meet legal obligations. Depending on context, we rely on contract performance, legal obligation, your consent for optional features, or a legitimate interest that does not override your rights.
Location and notifications
We request customer device location only when you choose to place a delivery address on the map. You can enter an address manually or disable permission in device settings. Notifications are optional and can be disabled; order status remains available in the app.
04 — Who receives data
We share the minimum necessary with the assigned driver, payment provider, hosting, security, notification and operational analytics providers, service advisers, and authorities where legally required. We do not sell personal data. Service providers are bound by instructions, confidentiality and appropriate safeguards.
05 — Retention and deletion
We retain account data while it is active. On deletion, direct identifiers and unnecessary data are deleted or anonymised. Order, payment, invoice, dispute and anti-fraud records may be retained for periods required by Saudi law, with restricted use, then deleted or anonymised. Notification tokens, addresses, favourites and unnecessary profile data are removed with the account.
We handle rights requests within 30 days and may extend by up to 30 additional days where implementation requires disproportionate effort, after telling you why. In-app customer deletion starts immediately; web requests require identity verification.
Start an account deletion request →06 — Your rights and choices
Under the Saudi Personal Data Protection Law, you may be informed about processing, access and obtain a copy of your data, request correction or completion, request destruction where applicable, and withdraw consent without retroactive effect. We may reasonably verify identity. You may complain to us and, if unresolved, contact the competent Saudi data protection authority.
07 — Security and international transfers
We use technical and organisational controls including encryption in transit, access restrictions, password hashing, monitoring and backups. No digital method is completely guaranteed. Where a provider processes data outside Saudi Arabia, we apply Saudi transfer requirements, appropriate safeguards and risk assessment.
08 — Children and policy updates
The service is not directed to people under 18 without guardian supervision. Contact us if you learn that a child submitted data without authority. We may update this policy as the service or law changes and will publish a new date and provide prominent notice for material changes.
09 — Contact
Operator of the Droplet platform — Saudi Arabia
info@dropletapp.pro
Support centre