Last updated: [DATE] · Effective: [DATE]
This Privacy Policy explains how Novara Horizon Group FZE LLC (“we”, “us”), operator of Qarran (“the Service”), collects, uses, stores and protects information. We are based in [EMIRATE], United Arab Emirates. Contact: [privacy@yourdomain.com].
Qarran is a business tool for contractors and SMEs to manage projects, sales, purchasing and accounting. It is not directed to children and is not intended for anyone under 18. We do not knowingly collect data from children.
| Category | Examples | Why |
|---|---|---|
| Account data | Your name, email, password (hashed by our auth provider), company name, role | Create and secure your account; multi-user access |
| Business records you enter | Clients, suppliers and subcontractors (names, contacts, phone, email, address, TRN/VAT no.); projects; quotations, sales orders, invoices, LPOs, delivery notes, credit notes, payments; expenses; products & rates | To provide the core service you signed up for |
| Uploaded documents | Project drawings/PDFs, company files, and compliance documents you choose to upload — which may include trade licences, establishment cards, employee visas, Emirates ID, labour cards, passports, insurance and vehicle registrations, plus your company logo/stamp | Document storage and expiry reminders you request |
| Technical data | A session token stored in your browser’s local storage; basic error information | Keep you logged in; diagnose faults |
We do not currently collect payment-card data (billing is not yet enabled), and we do not run advertising trackers or third-party analytics. We do not use AI to process your data.
Only to operate, secure and support the Service, and to comply with law (including UAE tax record-keeping). We do not sell or share your personal data for advertising.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage (encrypted in transit & at rest) | [Supabase project region, e.g. EU/Frankfurt] |
| CDN providers (Cloudflare, jsDelivr, unpkg, Google Fonts) | Serving app libraries and fonts | Global CDN |
| [Stripe — only once billing is enabled] | Payment processing (PCI-DSS) | — |
Where data is transferred outside your region, it is protected by appropriate safeguards (e.g. Standard Contractual Clauses).
We keep your business records while your account is active. Financial/tax records may be retained to meet UAE FTA requirements (generally 5 years, longer for real-estate). On account closure we delete or anonymise personal data within [30–90 days], except where law requires retention.
GDPR (EU/UK): access, rectification, erasure, restriction, portability, and objection. CCPA/CPRA (California): the right to know, delete, correct, and opt out of “sale”/“sharing” — we do not sell or share personal information. To exercise any right, contact [privacy@yourdomain.com]. You may also complain to your local data-protection authority.
Note on multi-user companies: the company administrator controls the company’s data and its members; data you enter as an employee belongs to the company account.
Data is encrypted in transit (HTTPS/TLS) and at rest, access is restricted per company via database row-level security, and access is role-based. No method is 100% secure; see our breach-response process at [link / contact]. (See also our internal Data-Security Statement.)
We use only a strictly-necessary session token in local storage to keep you signed in. We do not use advertising or analytics cookies at this time. If that changes, we will add a consent banner.
We will post changes here and update the “Last updated” date; material changes will be notified in-app or by email.
This document is a template and not legal advice.