Privacy Policy
Last updated: 2026-05-09 · Version: 2.1.1
This privacy policy explains how Yassir Tech Ltd ("Yassir," "we," "us," "our") collects, uses, shares, and protects information when you use yassir.app and the Yassir mobile application (the "Service").
Binding versions. This policy is published in English, Arabic, and German. For users in Syria and the Arab world, the Arabic version is legally binding in case of conflict. For users in Austria and Germany, the German version is legally binding.
Quick summary (in plain language)
- We're a platform that connects hosts in Syria with travelers, particularly the Syrian diaspora.
- We collect what we need to run bookings: your account info, your property/booking info, your messages, and basic device data.
- We use trusted partners (Stripe, ShamCash, Cloudflare, Render, Firebase, Sentry, and others listed below) to operate the Service. We don't sell your data and don't share it with advertisers.
- You can access, correct, export, or delete your data at any time. Email privacy@yassir.app or contact support on WhatsApp +963 933 840 742.
- If you're in Austria or the EU, you can also complain to the Austrian Data Protection Authority (Datenschutzbehörde, dsb.gv.at).
1. Who we are
Yassir Tech Ltd is a private company limited by shares, registered in England and Wales.
- Company Number: [Pending — to be added after Companies House registration]
- Registered office: Kemp House, 152-160 City Road, London EC1V 2NX, United Kingdom
- Privacy contact: privacy@yassir.app
- General contact: hello@yassir.app
- Legal / abuse: legal@yassir.app
EU representative (GDPR Art. 27): [To be appointed before EU launch — required because Yassir Tech Ltd is established outside the EU but offers services to data subjects in Austria and other EU member states.]
For users in Austria, the relevant supervisory authority is the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, dsb.gv.at.
2. What we collect
2.1 Account data (when you sign up)
- Full name
- Email address
- Phone number
- Password — stored only as a bcrypt hash; we never see plaintext
- Profile photo (optional)
- Bio / about (optional)
- Account type: renter, host, or both
- Country, city, and address line you choose to provide
2.2 OAuth login data (if you sign in with Google or Facebook)
- Email address
- Name
- Profile picture URL (when provided)
- Provider's unique account identifier
We never receive your Google or Facebook password.
2.3 Host / listing data (if you list a property)
- Property title and description
- Property type, address, city, country, geographic coordinates
- Property photos
- Pricing, availability, cancellation policy
- Bank or payout account details for receiving payments
2.4 Guest / booking data (if you book)
- Check-in and check-out dates
- Number of guests
- Special requests
- Payment information — card data is handled directly by Stripe; for ShamCash transfers, we store the reference number and a screenshot of the transfer proof
2.5 Identity verification (only if you choose to verify)
When you upload an identity document (passport, national ID, residence permit) to verify your account:
- The document image — retained for up to 30 days after admin approval, then permanently deleted
- OCR text extracted via Google Cloud Vision API — retained as part of your verification record
- The verification decision (approved / flagged / rejected) and timestamp — retained for the lifetime of your account
You can opt out of automated OCR (see §9) and request manual admin review instead.
2.6 Communications
- Messages you send through in-platform chat (between guests, hosts, and admin support)
- Reviews and ratings you write
- Support correspondence
- Special-offer messages (locked subtotal, target user, expiry)
2.7 Information collected automatically
- IP address (received via Cloudflare reverse proxy)
- Browser type and version
- Pages visited and timestamps
- Device characteristics (operating system, screen size, language)
- Push notification tokens (Firebase Cloud Messaging on Android; Apple Push Notification Service on iOS when launched)
- Session cookies for keeping you logged in (see §5)
We do not collect precise GPS location. The Android app does not declare ACCESS_FINE_LOCATION.
3. Why we use this data (legal bases under GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Contract — Art. 6(1)(b) |
| Processing bookings and payments | Contract — Art. 6(1)(b) |
| Sending booking notifications and OTP codes | Contract — Art. 6(1)(b) |
| Identity verification (OCR via Google Vision) | Your consent at upload — Art. 6(1)(a); legitimate interest in fraud prevention — Art. 6(1)(f) |
| Server logs for security, debugging, abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Error monitoring (Sentry) | Legitimate interest — Art. 6(1)(f) |
| Compliance with tax, accounting, legal obligations | Legal obligation — Art. 6(1)(c) |
| Marketing / non-transactional emails | Your explicit consent — Art. 6(1)(a); withdrawable any time |
4. Who can see your data
- Other users: When you list a property, message someone, or write a review, the other party sees what's needed for that interaction (your name, profile photo, listing details, message content).
- Yassir admin staff: Our admins may view your data when processing disputes, verifying identities, investigating policy violations, or providing support. Admin actions are audit-logged.
- Service providers (sub-processors): See §6 below.
- Government and judicial authorities: When legally required by valid process (court order, lawful regulatory request).
We do not sell your data, share it with advertisers, or use it for behavioral profiling. We do not run third-party analytics or tracking pixels.
5. Cookies and tracking
We only use cookies that are essential to operating the Service:
| Cookie | Purpose | Duration |
|---|---|---|
| yassir_user_session | JWT session token to keep you logged in | 30 days |
| yassir_admin_session | JWT session token for admin staff login | 30 days |
| Cloudflare __cf_bm | Anti-bot / DDoS protection | Session |
We do not use Google Analytics, Facebook Pixel, advertising cookies, retargeting pixels, or any third-party tracking. No browsing history is shared with marketers.
6. Sub-processors (third-party service providers)
These third parties process your data on our behalf to operate the Service. We have data processing agreements (DPAs) with each of them where required.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Render Services Inc. | Web hosting, application database (Postgres) | All user-submitted data | USA (consolidated region) |
| Cloudflare Inc. | DNS, CDN, anti-DDoS, R2 storage for property photos | IP address, request URLs, uploaded photos | Global edge; R2 bucket in EEUR (Eastern Europe) |
| Stripe Payments Europe Ltd. | Card payment processing | Card details (Yassir never sees them), name, email, billing address | Ireland (EU); some processing in USA under SCCs |
| ShamCash | Bank-transfer payments for users in Syria | Transfer reference, screenshot of transfer proof | Syria |
| Google LLC (Firebase Cloud Messaging) | Push notifications on Android | Device push token, notification payload (booking ID, type) | USA |
| Functional Software Inc. (d/b/a Sentry) | Error and crash reporting | Error stack traces, browser/device, partial URL, user ID (no email/phone) | Germany (EU region) |
| Google LLC (Google Cloud Vision API) | OCR for ID verification (only on documents you upload for verification) | Image of your ID document, extracted text | USA |
| Google LLC (Google OAuth) | Sign-in with Google (optional) | Email, name, profile photo URL, Google account ID | USA |
| Meta Platforms Inc. (Facebook OAuth) | Sign-in with Facebook (optional) | Email, name, profile photo URL, Facebook account ID | USA / EU |
| Meta Platforms Ireland Ltd. (WhatsApp Business) | WhatsApp delivery for 2FA codes (fallback when SMS unavailable) | Phone number, OTP code | Ireland (EU) / global |
| Prelude Security Inc. | SMS delivery for OTPs and login codes | Phone number, OTP code | Global SMS routing (USA-headquartered) |
| Apple Inc. (Apple Push Notification Service) | Push notifications on iOS — future, when iOS app launches | Device push token, notification payload | USA |
| SMTP provider | Transactional email delivery | Recipient email, message contents | [Configured by Yassir; currently TBD] |
| OpenStreetMap Foundation (Nominatim) | Geocoding addresses to coordinates | Property address text (no personal data) | EU |
For data transfers outside the EU/EEA we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, EU-US Data Privacy Framework adequacy where applicable, or your explicit consent.
7. How long we keep your data
| Data category | Retention period |
|---|---|
| Active account data | Until you delete your account |
| Account after self-deletion | Soft-deleted; reactivation possible within 30 days; permanently anonymized thereafter |
| Booking records | Anonymized after the deleting party's grace period; retained 7 years for tax compliance (Austrian Bundesabgabenordnung § 132, equivalent obligations elsewhere) |
| ID document images | Up to 30 days after admin decision, then permanently deleted; OCR result + decision retained as part of your verification record |
| Server logs (IP, request URLs) | 30 days, then auto-rotated and deleted |
| Sentry error reports | 90 days |
| Marketing email consent | Until you withdraw consent |
| Messages between users | Lifetime of both accounts; deleted with the originating account |
| Daily DB backups | 30 days |
8. Your rights under GDPR
If you're in the EU/EEA (including Austria), or in any jurisdiction with equivalent rights, you have:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data via account settings or by emailing us.
- Right to erasure / right to be forgotten (Art. 17) — delete your account in account settings; full erasure occurs after the 30-day grace period.
- Right to data portability (Art. 20) — request a machine-readable copy of your data.
- Right to restrict processing (Art. 18) — limit processing while a dispute is being resolved.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent — for any processing based on consent (e.g., marketing emails, OCR verification), withdraw at any time without affecting prior lawfulness.
- Right to lodge a complaint with a supervisory authority. For Austria: Datenschutzbehörde (dsb.gv.at).
To exercise any right, email privacy@yassir.app. We respond within 30 days as required by GDPR Art. 12(3).
9. Identity verification — special note about Google Cloud Vision
When you upload an ID document for verification, the image is sent to Google Cloud Vision API for automated optical character recognition (OCR). Google receives the image and processes it under their own privacy practices (cloud.google.com/vision/docs/data-usage).
You can opt out of automated OCR by emailing privacy@yassir.app before uploading your document, requesting manual admin review. In that case the image is reviewed only by Yassir staff and is not sent to Google.
The image is permanently deleted within 30 days of admin decision, regardless of whether OCR or manual review was used.
10. International data transfers
Some sub-processors are located outside the EU/EEA — primarily the United States (Render, Stripe US processing, Firebase, Google Cloud Vision, Apple, Prelude). When we transfer data outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, or
- EU-US Data Privacy Framework adequacy decisions where the recipient is certified, or
- Your explicit consent for specific transfers.
For users in Syria, see §13. For users in Lebanon and Jordan, see §14.
You can request copies of the relevant safeguards by emailing privacy@yassir.app.
11. Children
Yassir is not intended for users under the age of 18. We do not knowingly collect data from children. If you believe we have collected data from a minor, contact privacy@yassir.app and we will delete it promptly.
12. Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- Encryption at rest for our database
- Bcrypt password hashing (never plaintext)
- Two-factor authentication available for all users; required for super-admin accounts
- Role-based admin access with audit logging
- Content Security Policy (CSP) enforcement
- Strict cookie flags (httpOnly, sameSite)
- Daily automated database backups
- Database-layer constraints preventing financial inconsistencies (refund caps, host-self-booking blocks)
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours of discovery, as required by GDPR Art. 33-34.
13. Special note for users in Syria
Yassir is built for the Syrian market and many of our hosts and guests are based in Syria. A few specifics:
- ShamCash payment data stays in Syria: Bank-transfer payments via ShamCash are processed within Syria. Yassir stores only the transfer reference and screenshot proof.
- Other services process data outside Syria: Hosting (Render), CDN (Cloudflare), card payments (Stripe), push notifications (Firebase), error reporting (Sentry), OCR (Google), maps (OSM). This means some of your data leaves Syria. We use these providers because no equivalent infrastructure exists inside Syria at the scale and reliability the Service requires.
- Sanctions: Some Western services may restrict access for users connecting from Syrian IP addresses. This is a legal constraint imposed by the providers, not a Yassir choice. Where this happens, the affected feature degrades gracefully (e.g., card payment falls back to ShamCash).
- Arabic translation: The Arabic version of this policy is the legally binding version for users in Syria and other Arab countries.
14. Special note for users in Lebanon and Jordan
The platform is rolling out to Lebanon and Jordan as the next markets after Syria. The following local data-protection regimes apply alongside the GDPR-aligned protections described in §8:
- Lebanon — Law No. 81/2018 on electronic transactions and personal data. Personal data of users in Lebanon is collected, processed, and transferred under this law. Your rights of access, correction, deletion, and objection are equivalent to those described in §8. Cross-border transfers of your data to the providers in §6 rely on your informed consent at signup and on the contractual necessity of operating the Service. The supervisory authority is the Ministry of Economy and Trade, which oversees Title II of Law 81/2018.
- Jordan — Personal Data Protection Law (PDPL), Law No. 24 of 2023, effective 17 March 2024 (with phase-in continuing through 2025). The lawful bases, data-subject rights, and cross-border transfer safeguards mirror GDPR closely. Your rights of access, rectification, erasure, objection, restriction, and withdrawal of consent are exercisable by emailing privacy@yassir.app. The supervisory authority is the Personal Data Protection Council under the Ministry of Digital Economy and Entrepreneurship.
- Cross-border transfers: Yassir's sub-processors (§6) include providers in the USA, EU, and Syria. For users in Lebanon and Jordan, transfers to these providers rely on your informed consent at signup and on the contractual necessity of operating the Service. We can provide a copy of the safeguards used on request.
- Arabic version: For users in Lebanon and Jordan, the Arabic version of this policy is the legally binding version in case of conflict.
15. Special note for users in Austria and the EU
- Controller: Yassir Tech Ltd (UK), as listed in §1.
- EU representative under GDPR Art. 27: [Pending appointment before EU/Austria launch.]
- Supervisory authority: Austrian Datenschutzbehörde, dsb.gv.at.
- Tax record retention: Booking records anonymized but retained 7 years per Austrian Bundesabgabenordnung § 132.
- Online dispute resolution: EU consumers may use ec.europa.eu/consumers/odr.
- German version: The German version of this policy is the legally binding version for users in Austria and Germany.
16. Changes to this policy
We may update this policy. Material changes (changes that affect your rights or how we use your data) will be communicated by email and via an in-app banner at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent change. A change log is maintained at the bottom of this document.
17. Contact
For privacy questions or to exercise any right:
- Email: privacy@yassir.app
- WhatsApp: +963933840742 — https://wa.me/963933840742
- Postal: Yassir Tech Ltd, Kemp House, 152-160 City Road, London EC1V 2NX, United Kingdom
Change log
- 2026-05-09 — v2.1.1: Added canonical WhatsApp support contact (+963933840742, https://wa.me/963933840742) to the quick summary and Contact section.
- 2026-05-06 — v2.1: Inserted new Lebanon/Jordan section (§14) referencing Lebanon Law 81/2018 and Jordan PDPL 2023; renumbered Austria/EU §14→§15, Changes §15→§16, Contact §16→§17; updated §10 cross-reference. Closes LAUNCH_CHECKLIST item #29 on the privacy side.
- 2026-05-06 — v2.0: Added Sentry, Firebase, WhatsApp, ShamCash, Cloudflare R2, and Apple APNS to sub-processor list. Added Syria-specific section (§13). Added Austria/EU section (then §14, now §15). Clarified retention via booking anonymization (UPDATE-not-DELETE). Plain-language summary added at top. EU Article 27 representative TBD flag added.
- 2026-04-28 — v1.0: Initial draft.
Yassir Tech Ltd · Registered in England and Wales · privacy@yassir.app