CUPSA · Legal
Privacy Policy
Effective date: 1 June 2025
ATOMATE FZE (“CUPSA”, “we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the rights available to you when you use the CUPSA application and website (collectively, the “Service”).
This policy complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), Apple App Store privacy requirements, and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for your personal data is:
2. Information We Collect
2.1 Information You Provide Directly
- Account registration data: full name, email address, phone number
- Payment information: processed securely via Apple Pay, Google Pay, or our payment processor (we do not store raw card numbers)
- Communications: messages you send to our support team
- Profile preferences and drink preferences you optionally provide
2.2 Information Collected Automatically
- Device information: device model, operating system, unique device identifiers, app version
- Location data: precise geolocation at the time of drink redemption (to verify you are physically at a partner café). Location is collected only during active redemption — not continuously in the background
- Usage data: features used, redemptions made, session duration, in-app navigation
- Transaction data: drink category, café visited, timestamp, amount paid, membership plan
- Log data: IP address, access times, crash reports, performance data
2.3 Information from Third Parties
- Authentication data from Apple Sign In or Google Sign In if you choose to use these options
- Payment confirmation from our payment processor (Stripe, Checkout.com, or equivalent)
- Aggregate analytics from crash reporting and app performance tools
3. How We Use Your Information
We use your personal data for the following purposes:
3.1 Service Delivery (Contractual Necessity)
- Creating and managing your account
- Processing subscription payments and billing
- Verifying your eligibility and physical presence for drink redemptions
- Communicating with you about your account, transactions, and service updates
3.2 Service Improvement (Legitimate Interest)
- Analysing usage patterns to improve app functionality and partner café matching
- Debugging errors and preventing app crashes
- Monitoring for fraud, abuse, and security threats
- Generating anonymised, aggregated statistics about service usage
3.3 Marketing (With Your Consent)
- Sending push notifications about new partner cafés, promotions, and features — only with your explicit consent
- Personalising in-app recommendations based on your redemption history
You may withdraw marketing consent at any time in the app's notification settings or by emailing hello@cupsa.app.
3.4 Legal Compliance
- Meeting obligations under UAE law, tax regulations, and financial reporting requirements
- Responding to lawful requests from government authorities
4. Location Data
We collect your precise location only when you initiate a drink redemption, to confirm you are physically present at the partner café. Location access is requested in-app at the time of redemption and is never collected in the background.
You may deny location permission at any time through your device settings. Doing so will prevent drink redemptions, as physical presence verification is a core service requirement.
5. Payment Data
We do not store your full payment card details. All payment processing is handled by PCI-DSS compliant third-party processors. We retain only a tokenised reference, the transaction amount, and the date of transaction for billing and dispute resolution purposes.
6. Sharing Your Information
We do not sell your personal data. We share your information only in the following circumstances:
6.1 Partner Cafés
We share limited transactional data with Partner Cafés solely to fulfil your redemption: the drink selected and the time of visit. We do not share your name, contact details, or payment information with Partner Cafés.
6.2 Service Providers
We engage trusted third-party service providers to support the operation of the Service, including:
- Payment processors (e.g. Stripe, Checkout.com) — for billing
- Cloud infrastructure providers (e.g. AWS, Google Cloud) — for hosting and data storage
- Analytics providers (e.g. Firebase, Mixpanel) — for app performance and usage analysis
- Customer support platforms — for managing support requests
All service providers are contractually required to handle your data in accordance with this policy and applicable law.
6.3 Legal Requirements
We may disclose your information to government authorities, law enforcement, or courts if required by applicable law, court order, or in connection with legal proceedings.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: retained for the duration of your account plus 2 years after account closure
- Transaction records: retained for 5 years for financial and legal compliance
- Location data: not stored beyond the immediate redemption event — it is used only for real-time verification
- Marketing data: deleted promptly upon withdrawal of consent
You may request deletion of your account at any time. Upon request, we will delete or anonymise your personal data within 30 days, subject to legal retention obligations.
8. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure— request deletion of your data (“right to be forgotten”)
- Right to restriction — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — withdraw marketing consent at any time without affecting prior processing
To exercise any of these rights, contact us at hello@cupsa.app. We will respond within 30 days. If you are dissatisfied with our response, you have the right to complain to the UAE Data Office or, if applicable, your local data protection authority.
9. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly. If you believe we have collected data from a child, please contact us at hello@cupsa.app.
10. Data Security
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls limiting data access to authorised personnel only
- Regular security assessments and vulnerability testing
- Incident response procedures for data breaches
No method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant authorities as required by applicable law.
11. International Data Transfers
Your data is processed primarily within the UAE. If we transfer your data to countries outside the UAE or the EU/EEA, we ensure adequate protections are in place through standard contractual clauses or equivalent safeguards approved by the relevant data protection authorities.
12. Cookies and Tracking Technologies
Our website (cupsa.app) uses essential cookies necessary for site functionality. We do not use advertising or behavioural tracking cookies without your consent. You can control cookie settings through your browser preferences.
Our mobile application does not use cookies. It may use device identifiers and analytics SDKs as described in Section 2.2.
13. Push Notifications
With your permission, we may send push notifications to inform you of new partner cafés, membership renewals, redemption confirmations, and promotions. You can manage notification preferences at any time in your device settings or within the app.
14. Apple and Google Platforms
If you download the Service through the Apple App Store or Google Play, your use of those platforms is governed by Apple's and Google's respective privacy policies and terms of service. CUPSA is independently responsible for the data practices described in this policy. Apple and Google are not a party to this Privacy Policy and have no responsibility for the Service or your data within it.
15. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal data.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the application or by email at least 14 days before the changes take effect. The “Effective date” at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact and Complaints
For any questions, requests, or concerns about this Privacy Policy or our data practices, contact our Privacy team:
CUPSA Privacy Team
Email: hello@cupsa.app
Website: https://cupsa.app/privacy
Response time: within 30 days
This Privacy Policy was last updated on 1 June 2025.