Privacy Policy
Last updated: 9 May 2026
Khamsa (“we”, “us”, “our”) is operated as a sole proprietorship by Saif Hegazy, based in Egypt. Khamsa is a software platform that helps restaurants and cafes collect customer reviews, display digital menus, and accept online payments. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
1. Who this policy covers
This policy applies to two groups of users:
- Restaurant operators who sign up for a Khamsa account to manage their venue.
- Customers who scan a Khamsa QR code to leave a review, view a menu, or pay a bill.
2. Information we collect
From restaurant operators
- Account data: email address, name, restaurant name, branch addresses, logo.
- Authentication data managed by Supabase (our auth provider).
- Payment processor credentials (Paymob API keys) that you voluntarily enter to enable customer payments. These are stored encrypted at rest in our database and are used only to create payment requests on your behalf.
- Optional Google Business Profile OAuth tokens when you connect your Google account to enable AI-drafted review replies. We store a refresh token and a short-lived access token, both encrypted at rest.
From customers
- Star ratings and any free-text feedback you choose to submit.
- If you submit a complaint and choose to share contact info: your name, email, or phone number, used solely to allow the restaurant to follow up.
- If you pay a bill online: your name and email are passed to the restaurant’s Paymob account for receipt purposes. Khamsa stores the transaction reference, amount, and timestamp; we do not store your full card details. Card processing happens entirely inside Paymob’s PCI-compliant iframe.
3. How we use Google user data
When a restaurant operator chooses to connect their Google Business Profile, Khamsa requests the https://www.googleapis.com/auth/business.manage scope. We use this access strictly to:
- Read the list of locations under the connected Google account, to identify which location to associate with the restaurant.
- Read public reviews left on that location, in order to generate AI-drafted reply suggestions.
- Post replies to reviews only when the restaurant operator has explicitly approved a reply through the Khamsa dashboard.
Khamsa’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Google user data for advertising.
- We do not allow humans to read Google user data unless we have your explicit consent for specific messages, it is necessary for security purposes (e.g., investigating abuse), to comply with applicable law, or for our internal operations, and even then only when the data has been aggregated and anonymized.
- We do not transfer Google user data to third parties except as necessary to provide or improve the service, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We do not use Google user data to train generalized AI/ML models. AI-generated reply drafts are produced by sending the relevant review text to OpenAI’s API; OpenAI does not train its models on data submitted via the API by default.
4. How we use other information
- To operate the platform: storing reviews, displaying menus, processing payment intents, sending receipts.
- To send transactional emails (e.g., payment receipts, complaint notifications) via Resend.
- To detect and prevent abuse, fraud, or misuse of the service.
- To respond to your support requests at hello@thekhamsa.app.
We do not sell your personal information. We do not run advertising on Khamsa.
5. Third-party services we rely on
- Supabase — database, authentication, file storage. Hosted in the EU.
- Vercel — web hosting and serverless functions.
- Cloudflare — DNS and email routing for our domain.
- Resend — transactional email delivery.
- Paymob — per-restaurant payment processing. Payments flow directly from the customer to the restaurant’s Paymob account; Khamsa does not hold customer funds and takes a 0% cut on customer-to-restaurant transactions.
- OpenAI — AI-drafted Google review replies. Only the public review text and your tone preferences are sent.
- Google Business Profile API — read reviews and (with your approval) post replies on your behalf.
6. Data retention
- Account data is retained while your account is active.
- Reviews and complaints are retained while the corresponding restaurant account is active.
- Google OAuth tokens are deleted immediately when you disconnect Google in the Khamsa dashboard.
- Payment transaction records are retained for at least seven (7) years to comply with accounting and tax obligations.
- You may request deletion of your account and associated data at any time by emailing hello@thekhamsa.app.
7. Security
All traffic to and from Khamsa is encrypted in transit using TLS. Sensitive credentials (Paymob API keys, Google refresh tokens) are encrypted at rest by our database provider. Access to production systems is restricted and uses strong authentication. No system is perfectly secure; if we discover a breach affecting your data, we will notify affected users without undue delay.
8. Your rights
Depending on where you live, you may have rights to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Object to or restrict certain types of processing.
- Withdraw consent at any time (e.g., disconnect Google).
- Lodge a complaint with a data protection authority.
To exercise any of these rights, email hello@thekhamsa.app. We will respond within 30 days.
9. Children
Khamsa is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top. Material changes will be communicated via email or an in-app notice.
11. Contact
Khamsa is operated by Saif Hegazy as a sole proprietorship, based in Egypt. For any privacy questions, requests, or complaints, contact us at hello@thekhamsa.app.