Privacy Policy

Nehna Haddak (“we”, “our”, or “the Platform”) is a Lebanese ride-booking platform connecting passengers with licensed tuk-tuk drivers across Lebanon. We are headquartered in Beirut, Lebanon, and can be reached at support@nehnahaddak.com.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it. It applies to all users of the Nehna Haddak mobile application (Android) and the website at nehnahaddak.com.

By registering an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2.1 Account & Identity Data

• Phone number — your Lebanese mobile number, used to create and verify your account via Firebase Phone Authentication (SMS OTP). This is your primary identifier on the Platform.
• Full name, first name, last name — provided during profile setup.
• Date of birth — collected for age verification (minimum age: 18).
• Province and city — your area of operation or residence.

2.2 Driver Verification Data

Drivers undergo identity verification before being activated. We collect:

• National ID number — for identity verification and fraud prevention. Subject to a uniqueness constraint: one national ID per active driver account.
• National ID photograph (front and back) — uploaded securely and reviewed by our team before driver activation.
• Selfie photograph — used to verify the person submitting the application matches the ID document.
• Vehicle photograph and details — license plate number, vehicle color, and vehicle type.

Verification documents are stored in Cloudflare R2 (EU region) with access-controlled signed URLs. They are reviewed only by authorised Nehna Haddak staff and are never shared publicly.

2.3 Location Data

• Drivers (while online) — real-time GPS coordinates, heading, and speed are collected and broadcast to nearby passengers to enable ride matching. Collection begins when the driver sets status to “Available” and stops when they go offline or close the app.
• Passengers — approximate location is collected when you open the app to display nearby drivers. Precise location during a trip tracks progress. We do not collect passenger location outside active app use.
• Safe Trip — GPS coordinates updated every 10 seconds and shared via a time-limited link with whoever you choose. Sharing ends automatically when you terminate the session (maximum 4 hours). We do not retain Safe Trip location data after the session ends.

2.4 Trip & Transaction Data

• Trip timestamps, origin, destination, distance, and status.
• Ratings and feedback submitted after trips.
• Driver subscription plan, status, and payment timestamps.
• We do not store full payment card details. Payments are processed by Whish Money; we receive only a confirmation and transaction reference.

2.5 Technical & Device Data

• FCM token — device-level identifier for push notifications.
• JWT session tokens — RS256-signed tokens stored securely on your device.
• Anonymised API logs — for debugging and service improvement. No location traces or message content.

• Contract performance — to operate your account, match rides, and process subscriptions.
• Legal obligation — identity verification and fraud prevention required by Lebanese law.
• Legitimate interests — service improvement, safety monitoring, and abuse prevention, balanced against your privacy rights.
• Consent — for marketing notifications (opt out any time: Settings → Notifications).

• Create and manage your account and verify your identity.
• Match passengers with the nearest available, verified driver.
• Display driver location to passengers during an active trip.
• Process driver subscription payments and manage trial periods.
• Send ride request notifications, status updates, and service alerts.
• Review and approve driver applications.
• Investigate complaints, disputes, and safety incidents.
• Detect and prevent fraud, fake accounts, and abuse.
• Maintain and improve the Platform’s performance and reliability.
• Comply with Lebanese law and respond to lawful government requests.

We never sell your personal data. We do not use your data for targeted advertising or share it with advertising networks.

5.1 Between Users (In-App)

During an active trip, a driver’s first name, vehicle color, and plate number are visible to the passenger. A passenger’s first name is visible to the driver. No phone numbers, national ID details, or financial data are ever shared between users.

5.2 Service Providers

• Google Firebase — phone authentication and push notifications.
• Amazon Web Services (AWS) — backend servers and database in eu-west-3 (Paris, France).
• Cloudflare R2 — secure storage for driver identity and vehicle documents (EU region).
• Whish Money — payment processing for driver subscriptions.

5.3 Legal Disclosure

We may disclose your data to law enforcement, courts, or regulatory authorities when required by Lebanese law or a lawful judicial order. We will notify you where legally permitted.

When your account is deleted, all personal data is permanently removed within 30 days except where legally required. Deleted data cannot be recovered.

Contact us at support@nehnahaddak.com — we respond within 30 days.

• Access — request a copy of all personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your account and data (also available in-app: Profile → Delete Account).
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — opt out of marketing notifications any time in Settings.
• Complaint — file a complaint with the relevant data protection authority in your jurisdiction.

• All data transmitted over HTTPS with TLS 1.2 or higher.
• Production database (PostgreSQL 16) in a private VPC subnet with no public internet access.
• API authentication via RS256-signed JWTs with short expiry (access: 15 min; refresh: 30 days).
• HTTP rate limiting applied to all public API endpoints.
• Driver documents stored with time-limited, single-use signed URLs.
• All infrastructure hosted on AWS eu-west-3 (Paris), subject to EU data protection standards.
• Security patches applied within 48 hours of critical vulnerability disclosure.

In the event of a data breach materially affecting your personal data, we will notify affected users within 72 hours through the app or by email where technically possible.

Your data is processed in France (AWS eu-west-3) and the EU (Cloudflare R2). Google Firebase processes data globally under Standard Contractual Clauses (SCCs). We do not transfer your personal data to countries without adequate data protection.

Nehna Haddak is strictly for users aged 18 and over. If we become aware a user is under 18, we will immediately suspend the account and delete the associated data. Contact support@nehnahaddak.com if you believe a minor has created an account.

• Data collected: Phone number, name, location (foreground only), photos (driver verification), device identifiers (FCM token).
• Data shared with third parties: Yes — Firebase, AWS, Cloudflare, Whish Money (for payment only).
• Encryption in transit: Yes — TLS 1.2+.
• User can request deletion: Yes — in-app or via email.
• Background location: No — location collected only while app is in foreground and driver is actively online.

We will notify you of material changes through an in-app notice at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance of the revised policy.