Privacy Policy

01 Information We Collect

We collect the following categories of information:

• Account data: name, email, phone, country, language, and optional profile fields (gender, birthdate, interests, avatar).
• Authentication: secure session tokens for phone OTP and email login. We never store your password in clear text.
• Usage data: campaigns played, scores, coupons earned/transferred/redeemed, screens you visit, time spent.
• Product interests: items you save or look up when planning your purchases.
• Photos: product photos you submit for Tresor mystery operations.
• Approximate location: we only ever store coarse zones (about 1 km wide, never your exact position), and only while location memory is enabled in your settings (see section 3).
• Device info: device model, operating system, app version.
• Inferred data: personalisation fields (preferred categories, favourite brands, household profile, neighbourhood-level home/work/shopping zones) derived from your behaviour — see section 4.
• Partner business data: company name, legal address, tax IDs, billing details (partner accounts only).

02 How We Use Your Information

We process your personal data for the following purposes:

• (a) Service delivery — coupons, campaign play and redemption, all the features you actively use.
• (b) Account security — fraud prevention, OTP verification, abuse detection.
• (c) Personalised feed — ranking, recommendations and audience matching so iKopn shows you what's most relevant.
• (d) Service improvement — anonymised analytics, bug and performance metrics.
• (e) Communications — service push notifications and transactional emails ; marketing only if you've opted in.
• (f) Legal obligations — tax records and fraud reporting where required.

We do not sell your personal data. We do not use your data for advertising profiling outside iKopn.

03 Approximate Location & Your Choice

iKopn never stores your precise position. The «Nearby» feature uses your location only to work out which partners are around you, then forgets the exact coordinates the moment the answer is sent back.

When «Location memory» is enabled in your settings (it is on by default and can be switched off any time), we keep approximate zones only — your position is rounded to an area about 1 km wide before anything is saved. You can never be pinpointed within that area, only known to be somewhere inside it. This memory is kept for 90 days on a rolling window so iKopn can recognise your usual neighbourhood, workplace and shopping areas and make your feed more relevant. We never share this data.

Switching «Location memory» off in Settings → Privacy immediately erases your full history and last-known area. Locations derived server-side (the partner store where you redeem a coupon or wait for service) are only kept while the setting is on, and they too are kept only as approximate zones.

04 Profiling & Automated Decisions

iKopn uses profiling to personalise your feed. We infer:

• (a) Demographic signals — age range, gender, education level, household profile.
• (b) Behaviour patterns — favourite brands, preferred campaign types, peak activity hours.
• (c) Approximate zones — your usual neighbourhood, work area and shopping spots (only when location memory is on).
• (d) Affinity scores between you and partner operations.

These signals shape which campaigns appear first in your feed and which audience filters partners can use, but they NEVER produce decisions with legal or similarly significant effects — no credit scoring, no automated denials.

You have the right to access your inferred profile via Settings → My data or by writing to [email protected], to object to profiling, and to ask for a human review of any campaign-level filtering decision that visibly affects you.

05 Data Sharing, Sub-processors & International Transfers

Who can see your data:

• (a) Partners: aggregated and anonymised engagement metrics only (views, completion rates, audience distribution buckets pooled from at least 50 members). Partners NEVER receive your personal contact information.
• (b) Service providers that power iKopn: Railway (USA — hosting), Cloudinary (USA — image storage), Cloudflare (USA — content delivery and protection), Stripe (USA — payment processing), Firebase by Google (USA — authentication and push notifications), Twilio (USA — phone codes for the web app), Anthropic and OpenAI (USA — AI for content understanding), OpenFoodFacts (France — public product information database).
• (c) Law enforcement: only upon a valid legal request.

International transfers: your data may be processed outside your country of residence. Where applicable, transfers to the USA rely on Standard Contractual Clauses and equivalent safeguards under UAE PDPL, Morocco Law 09-08, and KSA PDPL.

06 Coupon, Transaction & Audit Records

Every coupon earned, transferred, or redeemed is logged with a timestamp for integrity, anti-fraud, accounting and dispute resolution. The transaction log includes the operation ID, partner ID, value, currency, and the timestamp of each state change. Transfer history is visible to you in the Pocket section. Staff-side redemption events also record the staff member ID (audit trail) and the store location. These records are retained per the schedule in section 9.

07 Cookies, Trackers & Third-Party SDKs

Web: essential cookies (session tokens) cannot be disabled. We do not deploy advertising trackers. We do not use Google Analytics, Meta Pixel, or similar cross-site tracking technologies.

Mobile: the iKopn app embeds the following SDKs:

• Firebase — authentication and push notifications.
• Geolocator — OS-level location permission.
• package_info_plus — app version reporting.

We have removed third-party advertising IDs from the production build. The app does not track you across other companies' apps or websites.

08 Data Security

We encrypt your data both in transit and at rest, with industry-standard ciphers. Access is role-based with time-limited sessions, per-store staff PINs are rate-limited and locked after too many wrong attempts, and sensitive operations require fresh authentication. Personal data is separated by partner scope and member scope. If a personal data breach affects your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay, as required by data protection laws.

09 Data Retention (per category)

We keep each category of data only for as long as necessary:

• Account data: kept while your account is active ; deleted within 30 days of an account-deletion request (Settings → Delete account).
• Transaction & coupon history: 3 years for accounting and audit purposes.
• Authentication logs: 6 months.
• Your product interests: we keep track of items you like so iKopn can suggest more of what matters to you. You can clear this history any time ; deleting your account erases it for good.
• Location memory: kept on a rolling 90-day window, purged daily by an automated process ; immediately erased if you switch the setting off.
• Inferred profile: recalculated daily ; cleared on account deletion.
• Anonymised aggregated analytics: may be retained indefinitely for service improvement (no personal identifiers).
• Backups: encrypted, retained 30 days.

10 Children's Privacy

iKopn is not directed at minors. We apply the strictest applicable age threshold per jurisdiction: 16 (EU GDPR default), 13 (USA COPPA), 14 (China PIPL), local thresholds where higher. We do not knowingly collect personal data from children below the threshold. If you learn that a child below the applicable threshold has provided us with personal data without verifiable parental consent, please write to [email protected] and we will delete it without undue delay.

11 Your Rights & How to Exercise Them

Under the GDPR and equivalent laws (CNDP Morocco, PDPL UAE, PDPL Saudi Arabia, PIPL China, CCPA California) you have the right to:

• (a) Access your personal data and obtain a copy.
• (b) Rectify inaccurate or incomplete data.
• (c) Erase your data (right to be forgotten).
• (d) Restrict processing for a specific purpose.
• (e) Data portability — export your data in a structured, machine-readable format.
• (f) Object to processing based on legitimate interest, including profiling.
• (g) Withdraw consent at any time, with no effect on prior processing.
• (h) Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

Most of these rights can be exercised in-app: Settings → Edit profile (rectification), Settings → Export my data (portability), Settings → Privacy → Location memory OFF (withdraw location memory), Settings → Delete my account (erasure). For any other request, write to [email protected] — we respond within 30 days.

12 Data Controller, Contact & Supervisory Authorities

Data Controller: AMA Edge FZE, Ajman Free Zone, United Arab Emirates. Trade Licence: Ajman Free Zone Authority. Contact e-mail: [email protected]. We have not appointed a dedicated Data Protection Officer — the founders directly handle every request.

Right to lodge a complaint with a supervisory authority: European Union — your local DPA (France: CNIL, www.cnil.fr) ; Morocco — Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP, www.cndp.ma) ; UAE — UAE Data Office (u.ae) ; Saudi Arabia — SDAIA (sdaia.gov.sa) ; China — Cyberspace Administration of China (CAC).

Updates to this policy: we will notify you in-app and by e-mail at least 14 days before material changes take effect ; trivial clarifications take effect on publication.

07• How to Delete Your iKopn Account

You can permanently delete your iKopn account and associated data at any time. iKopn is operated by AMA Edge FZE (Ajman, United Arab Emirates) and the deletion procedure below applies to all members and partner accounts.

Method 1 — Delete from the iKopn mobile app (recommended)

1. Open the iKopn app and sign in.
2. Go to Profile → Account.
3. Tap Delete my account.
4. Confirm by entering the OTP sent to your phone or email.
5. Your account is queued for deletion immediately and removed within 30 days.

Method 2 — Email request

If you cannot access the app, send a deletion request to [email protected] from the email or phone number associated with your account. Include your registered phone number or email so we can verify your identity. We respond within 7 business days and complete deletion within 30 days.

Data that will be deleted

• Profile information (name, phone, email, avatar, date of birth, country, language, interests).
• Authentication credentials and OTP history.
• All coupons in your pocket (claimed, transferred, unredeemed).
• Game and campaign interaction history (spins, scratches, quizzes, surveys).
• Notification history and device tokens.
• For partner accounts: catalogues, items, operations, store data, uploaded media.

Data that may be retained

• Anonymized analytics: aggregated, non-identifying engagement statistics may be kept for platform analytics. This data cannot be linked back to you.
• Billing and tax records: for partner accounts, invoices and payment records are retained for the period required by UAE tax and accounting laws (up to 7 years).
• Security and fraud-prevention logs: minimal logs may be retained for up to 90 days for legal and security purposes.
• Backup copies: encrypted backups containing your data are purged within 90 days of deletion.

Once deletion is complete, your account cannot be recovered. If you create a new iKopn account in the future with the same phone number or email, it will be a new, empty account.