Khamsa

Privacy Policy

Last updated · 20 May 2026

Khamsa (“we”, “us”, “our”) operates the website thekhamsa.app and the related services described below. This Privacy Policy explains what data we collect, how we use it, and the choices you have.

By using Khamsa, you agree to the practices described here. If you don’t agree, please don’t use the service.

1. Who runs Khamsa

Khamsa is operated by Saif Hegazy operating as Khamsa, a business registered in Egypt. You can reach us at support@thekhamsa.app.

2. What data we collect

From diners (people who eat at restaurants using Khamsa)

  • Account: your name, phone number, email address, and a password (stored as a secure hash).
  • Activity: which restaurants you’ve interacted with, stamps you’ve earned, reward codes you’ve claimed and redeemed, ratings you’ve left, complaints you’ve submitted (including photos if you attach them).
  • Preferences: your language choice and any opt-in settings.

From restaurant owners

  • Account: your name, phone number, email address, and password (hashed).
  • Restaurant info: business name, locations, logo, brand colors, menu, Google review URL, contact email.
  • Team: any team members you invite, with their email and role.
  • Billing: subscription status. Card payments are processed by Paymob; we don’t store full card numbers.

From everyone

  • Browser data: cookies for session and preferences, basic analytics (page views, errors). We don’t use advertising trackers.
  • Communications: if you contact support, we keep a record.

3. How we use your data

  • To provide the service: show you your stamp cards, send transactional emails (signup verification, password reset, account notices), let restaurants see and address complaints.
  • To improve the product: understand which features get used, find and fix bugs.
  • For billing: process payments and send invoices to restaurant owners.
  • For security: detect fraud and prevent abuse.

We do not sell your data. We don’t show you ads. We don’t share your data with advertisers or data brokers.

4. Who we share data with

We share data only with services we use to run Khamsa:

  • Supabase: our database and authentication.
  • Vercel: hosts the application.
  • Resend (or another transactional email provider): sends our emails.
  • Paymob: processes restaurant subscription payments (when activated).
  • OpenAI: processes specific AI features (such as bill OCR and menu parsing). Only the necessary content is sent; never your account details.

Each provider operates under their own privacy terms.

We may also share data when required by law (such as a valid Egyptian court order) or to protect Khamsa’s rights and the safety of users.

5. How long we keep data

  • Account data: as long as your account is active.
  • Activity data: as long as your account is active, plus a short period after deletion for audit purposes.
  • After you delete your account: we purge your personal data within 30 days. Aggregated statistics that don’t identify you may remain.
  • Restaurant content (menus, settings) survives team-member changes and stays with the restaurant.

6. Cookies

We use a small number of cookies:

  • A session cookie to keep you signed in.
  • A preference cookie for language and view choices.
  • A diner identification cookie when you’re signed in.

We don’t use third-party advertising cookies.

7. Your rights

You can:

  • Access your data — your account settings show you most of it.
  • Export your data — request a download from your settings page (delivered as CSV/JSON).
  • Correct your data — edit your name, phone, email, and preferences directly.
  • Delete your data — delete your account from settings. This is permanent.

If you have a complaint about how we handle your data, contact us at support@thekhamsa.app. You also have the right to file a complaint with Egypt’s Personal Data Protection Center.

8. Security

We take reasonable steps to protect your data:

  • Passwords are stored as salted hashes; we never see them.
  • Communications between your browser and our servers use HTTPS.
  • We follow standard security practices for our hosting and database providers.

No system is 100% secure. If we detect a breach that affects you, we’ll notify you as soon as we can.

9. Children

Khamsa isn’t intended for children under 13. We don’t knowingly collect data from children under 13. If you believe a child has provided us data, contact us and we’ll delete it.

10. Changes to this Policy

We may update this Policy occasionally. When we do, we’ll post the new version here and update the “Last updated” date. If the change is significant, we’ll notify you by email.

11. Contact

Questions? Reach us at support@thekhamsa.app.