Privacy Policy.
Last updated: 2 June 2026
- Service
- QoRe (qorepay.app)
- Operated by
- Amity and Co L.L.C-FZ ("Amity and Co", "QoRe", "we", "us", "our")
- Licence No.
- 2532998.01
- Registered address
- Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates
- Contact
- hello@qorepay.app
1. Introduction
This Privacy Policy explains how we collect, use, disclose, transfer, retain, and protect personal data when you visit qorepay.app (the “Website”), enquire about or use the QoRe service, or otherwise interact with us. It also describes the rights available to you under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”) and its Executive Regulations, together with any other applicable data protection laws of the United Arab Emirates.
We act as the controller of the personal data described in this policy, except where we process personal data on behalf of a merchant, in which case the merchant is the controller and we act as a processor (see Section 7).
2. Scope
This policy applies to:
- Visitors and enquirers — people who browse the Website or contact us, including merchants and individuals who request the pilot via our sign-up form;
- Merchants — businesses that use QoRe to request or collect payment; and
- Payers — end customers who make a payment to a merchant through a QoRe payment page or link.
It does not apply to the independent privacy practices of third parties, including our payment service providers and any website you reach through a link from ours.
3. Personal data we collect
3.1 Information you provide
When you complete our pilot sign-up form, email us, or otherwise contact us, we collect the information you submit. This typically includes your name, business name, business type, WhatsApp/telephone number, and email address, together with the content of your message.
3.2 Information about payers
When a payer makes a payment through QoRe, we may process limited transaction information such as the amount, currency, order reference, date and time, payment status, and a masked/tokenised reference returned by the payment service provider. The merchant determines what information is requested at the point of payment.
3.3 Payment and card data
Card and payment-instrument details are collected and processed directly by the licensed payment service provider (for example, Stripe). Each Merchant connects its own PSP account, and funds are settled by the PSP directly to that Merchant; QoRe does not hold funds and does not receive, see, or store full card numbers, CVV codes, or other sensitive authentication data. We receive only transaction metadata (such as amount, status, and a tokenised reference). Card processing is performed in a PCI-DSS compliant environment operated by the PSP.
3.4 Information collected automatically
When you use the Website we may automatically collect technical information through server-side request logs, including your IP address, device and browser type, operating system, referring page, the pages you view, and the date and time of access. We use this information for security, diagnostics, and to operate and improve the Website. We do not set advertising or cross-site tracking cookies on this Website.
4. How we use personal data
We use personal data for the following purposes:
- to respond to your enquiries and to set up, onboard, and run pilots;
- to provide, operate, maintain, and support the QoRe service;
- to process and confirm payments and to communicate transaction status;
- to detect, investigate, and prevent fraud, abuse, and security incidents;
- to improve the Website and the service, and to develop new features;
- to send you service-related communications and, where permitted, relevant updates (you may opt out of marketing at any time); and
- to comply with our legal, regulatory, accounting, and reporting obligations in the UAE.
5. Legal bases for processing
Consistent with the PDPL, we process personal data where one or more of the following applies: you have given your consent; processing is necessary to perform a contract with you or to take steps at your request before entering into a contract; processing is necessary to comply with a legal obligation; processing is necessary to protect vital interests; or processing is necessary for our legitimate interests (such as securing and improving our service), provided those interests are not overridden by your rights and freedoms. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out beforehand.
6. Cookies and similar technologies
This marketing Website relies on server-side logs and does not use advertising or analytics cookies. Strictly necessary technical storage may be used to deliver the Website. If we introduce optional analytics or other non-essential technologies in future, we will update this policy and, where required, request your consent.
7. How we share personal data
We do not sell your personal data. We share it only as follows:
- Payment service providers — Stripe (and similar licensed providers) process card payments and settle funds directly to the Merchant’s connected account;
- Form and communication providers — our pilot sign-up form is delivered by FormSubmit (formsubmit.co), which transmits submissions to us by email;
- Hosting and infrastructure — Cloudflare hosts and delivers the Website;
- Professional advisers and authorities — auditors, lawyers, and competent regulators or courts, where reasonably required or legally compelled; and
- Business transfers — a successor entity in connection with a merger, acquisition, or reorganisation, subject to this policy.
Where we act as a processor for a merchant, we process payer personal data only on documented instructions from that merchant and in accordance with our agreement with them.
8. International transfers
Some of our service providers process personal data outside the UAE. Where personal data is transferred to a jurisdiction that does not provide an adequate level of protection under the PDPL, we put in place appropriate safeguards (such as contractual data protection commitments) and rely on the transfer conditions permitted by the PDPL and its Executive Regulations. You may contact us for further information about these safeguards.
9. Data retention
We keep personal data only for as long as necessary for the purposes set out in this policy. Enquiry and pilot information is generally retained for the duration of our relationship and for a reasonable period thereafter for record-keeping and legitimate business purposes. Transaction records are retained for the periods required by applicable tax, accounting, and anti-money-laundering laws. We will delete or anonymise personal data when it is no longer required, unless a longer retention period is required by law.
10. Information security
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, and unauthorised access or disclosure. These include encryption in transit, access controls, and the use of PCI-DSS compliant providers for card processing. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Your rights
Subject to the PDPL and any applicable exemptions, you have the right to:
- request access to, and a copy of, the personal data we hold about you;
- request correction of inaccurate or incomplete personal data;
- request erasure of your personal data;
- request restriction of, or object to, certain processing;
- request portability of personal data you provided to us, in a structured, machine-readable format;
- withdraw consent where processing is based on consent; and
- lodge a complaint with the competent supervisory authority.
12. How to exercise your rights and complaints
To exercise any of these rights, email hello@qorepay.app. We may ask you to verify your identity before responding and will respond within the timeframes required by law. If you believe your data protection rights have been infringed, you may also contact the UAE Data Office, the federal authority responsible for personal data protection.
13. Children
The QoRe service and Website are intended for businesses and adults. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.
14. Third-party links and services
The Website and payment flows may link to or rely on third-party services. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy notices.
15. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top indicates when it was last revised. Material changes will be notified through the Website or by other appropriate means. Your continued use of the Website or the service after an update constitutes acceptance of the revised policy.
16. Contact us
Questions, requests, or complaints about this policy or our handling of personal data can be sent to hello@qorepay.app, or by post to Amity and Co L.L.C-FZ, Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates.