Effective date: 10 June 2026 · Last updated: 10 June 2026
This Privacy Policy explains how personal data is collected, used, shared, and protected in connection with the SERVA in-restaurant ordering, service, and payment application ("the App") and the related SERVA platform and operator dashboard (together, "the Services"). It is written to align with the principles and requirements of the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and applicable implementing regulations.
The Services are provided by SERVA Technologies LLC ("SERVA", "we", "us"). The App runs on in-restaurant tablet devices operated by the restaurant or hospitality business you are visiting ("the Operator").
| Category | Examples | Why |
|---|---|---|
| Order & session data | Items selected, table, dining session, timestamps, service requests | To take, prepare, and serve your order and respond to assistance requests |
| Contact details (optional) | Email address (for a receipt); phone number (for loyalty) | Only when you choose to provide them — to send a receipt or enrol you in loyalty |
| Payment data | Transaction amount, status, and a payment reference | To process your payment. Card numbers are handled by our PCI-DSS-certified payment provider — see §5 |
| Loyalty data (optional) | Phone-linked points balance and reward activity | To operate the loyalty programme if you enrol |
| Device & operational data | Tablet serial, model, software version, battery and connectivity status, diagnostic logs | To keep devices secure, online, and up to date. This is hardware data, not personal information about you |
We do not collect special categories of personal data, and we do not require you to create an account or provide identifying information to place an order and pay.
Consistent with the PDPL, we and the Operator rely on one or more of the following bases: your consent (e.g., when you enter an email or phone number, or enrol in loyalty); performance of a transaction you request (taking and paying for your order); and the Operator's and SERVA's legitimate interests in running a secure, functioning service. Where processing is based on consent, your consent is clear, specific, and may be withdrawn at any time (see §11).
Card payments are processed by our regulated payment provider, Network International (N-Genius), which is certified to the Payment Card Industry Data Security Standard (PCI-DSS). SERVA does not collect, see, or store your full card number, CVV, or PIN. SERVA retains only non-sensitive transaction metadata (amount, status, reference) needed to reconcile your payment with your order.
We collect only what is necessary for the purposes above (data minimisation) and take reasonable steps to keep data accurate and up to date. You may correct optional details you provided, or ask us or the Operator to do so.
We share personal data only with:
We do not sell your personal data and do not use it for third-party advertising.
The Services are hosted on secure cloud infrastructure (Amazon Web Services) which may store and process data on servers located outside the UAE. Where personal data is transferred across borders, we apply appropriate safeguards consistent with the PDPL — including processing only with adequate protection, contractual data-protection commitments with our providers, encryption in transit and at rest, and limiting transfers to what is necessary to deliver the Services.
We keep personal data only for as long as needed for the purposes for which it was collected, including to satisfy the Operator's operational needs and any legal, tax, or accounting requirements. Order, payment, and loyalty records are retained for the applicable retention period and then deleted or anonymised. Device and diagnostic data is retained only as long as useful for fleet operation and security.
We implement technical and organisational measures appropriate to the risk, including: encryption of data in transit (TLS) and at rest; strict tenant isolation and role-based access controls so each Operator's data is segregated; least-privilege access; secure credential handling (card data never touches SERVA); device hardening and managed updates; and monitoring. In the event of a personal-data breach that poses a risk to data subjects, we will support the Operator in meeting any notification obligations under the PDPL.
Subject to the PDPL, you have the right to:
To exercise any right, contact the Operator or SERVA using the details in §14. We respond within the timeframes required by law and do not charge for a reasonable request.
The App is intended for use by restaurant guests and is not directed at children. We do not knowingly collect personal data from children without appropriate consent. A child may, of course, order food at a table under the supervision of an accompanying adult.
The App uses only the minimal device/browser storage strictly necessary to run the kiosk (for example, to maintain your current dining session on the tablet). It does not use advertising or cross-site tracking cookies.
For privacy questions or to exercise your rights:
If you believe your personal data has been handled unlawfully, you also have the right to lodge a complaint with the UAE Data Office, the federal authority responsible for the PDPL.
We may update this policy from time to time. The "Last updated" date above reflects the latest version, and material changes will be made available through the Services.
This policy and the processing of personal data under it are governed by the laws of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations.
This notice describes the SERVA in-restaurant ordering App's data practices. The Operator you are visiting may provide an additional privacy notice covering its own services.