Dukkan

Privacy Policy

Last updated: July 2, 2026 · Version 2026-07-02

Draft — subject to legal review.

This document describes what we actually do with your data in plain English. It is not legal advice and should be reviewed by qualified UAE counsel before relying on it.

1. Who this applies to

This policy covers anyone who uses the Dukkan platform — store owners and staff who sign up for the dashboard, and customers who place orders through the WhatsApp webview.

Dukkan is operated by Verstack For Marketing and PR L.L.C S.O.C (Dubai DET License No. 1516468, TRN 105139750100003), registered address Office 101, Zalfa Building, Al Garhoud, Dubai, UAE. That entity is the data controller for the information described below.

2. What we collect

For store accounts:

  • Owner / staff name, email address, phone number
  • Store name, address, area, operating hours
  • Hashed password (never stored or transmitted in clear)
  • Catalog content you create or edit

For customers:

  • Phone number (from WhatsApp, hashed for lookup)
  • Name (when you first message a store)
  • Delivery addresses you save, including map location (GPS coordinates) and any delivery notes you add
  • Order history (items, prices, payment method, delivery status, scheduled time, and any order notes or driver instructions you add)
  • Your current cart contents, per store
  • The contents of your WhatsApp conversation with the Dukkan bot, for as long as the conversation state requires it
  • Reports you send us about a store (“Report a problem”), including the report text and how it was resolved

We do not collect payment card numbers — all transactions happen offline between you and the store at delivery time.

3. Why we collect it

Everything we collect is to provide the ordering service: route your message to the right store, show you their catalog, place and track your order, and let the store fulfill it. We also review problem reports you send us so we can hold stores to a quality standard.

We do not sell your data, and we do not use it for advertising.

4. Who we share it with

  • The store you order from sees your name, phone number, delivery address, and order details — they need all of this to pack and deliver. They do not see your activity with other stores.
  • WhatsApp / Meta handle the message transport. Meta's own privacy policy applies to what they see; we recommend reading it.
  • Supabase is our database and storage provider. They host our infrastructure and process data on our behalf under a data-processing agreement. We use their cloud regions configured for compliance with applicable UAE regulations.
  • 360dialog is our WhatsApp Business API provider, also acting as a processor on our behalf.
  • If you report a problem, the Dukkan team reviews it and may share the substance of your report with the store concerned in order to resolve it. We do not share it beyond that.

We do not share your data with anyone else without your consent, except where required by UAE law.

5. Cookies

We use a single essential cookie on the store dashboard (/d/*) and admin pages (/a/*) to keep you signed in. We do not use tracking, analytics, or advertising cookies on the customer-facing webview at all — your phone's WhatsApp client manages your identity, and the catalog uses a signed token in the URL instead of cookies.

6. How long we keep it

Catalog and order history are kept as long as your account is active. Stores need order records for tax and bookkeeping purposes, typically five years under UAE rules.

If you delete your customer account (/c/settings), we remove your personal information immediately: name, phone number, addresses, cart, and conversation state. Past orders are retained for the store's records but the personal details on them are scrubbed.

7. Your rights

You can:

  • Export your data as JSON from /c/settings.
  • Delete your account from the same page. The effect is described in the "How long we keep it" section above.
  • Correct your information by messaging the Dukkan bot on WhatsApp.

8. Children

Dukkan is not intended for people under 18. If you become aware that a minor has registered, please contact us and we will remove the account.

9. Security

We use industry-standard precautions: HTTPS in transit, hashed passwords for staff accounts, signed short-lived tokens for the customer webview, and database-level isolation per environment. No system is perfectly secure; please use a unique password and tell us right away if you suspect your account has been compromised.

10. Changes to this policy

When we change this policy we bump the version string and date at the top of the page. For material changes affecting stores, we will notify stores by email or a dashboard notice; continued use of the platform after the stated effective date constitutes acceptance of the updated policy.

11. Contact

Privacy questions can be sent to info@verstack.design. Postal mail can be addressed to Verstack For Marketing and PR L.L.C S.O.C, Office 101, Zalfa Building, Al Garhoud, Dubai, UAE.

See also our Terms of Service.