Privacy Policy for Offerlash

Last Updated: February 11, 2026

1. Introduction

Welcome to Establishment Offerlash ("we," "us," or "our"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App"), visit our website (the "Site"), and use our services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this policy. Your use of our Services is also governed by our Terms and Conditions and, if you use our mobile application, our End-User License Agreement (EULA).

Landing-site specific notice: Most static marketing pages located at offerlash.com do not collect personal data through forms. However, if you submit the Affiliate Program Application form on affiliate.html, we collect the information you provide (such as your name, nationality, verified email, mobile phone number, gender, date of birth, and any optional licensing or business details you choose to submit) and limited technical metadata (such as IP address and user agent) to review your application, prevent abuse, and contact you with next steps. The remainder of this Privacy Policy applies to that submission.

2. Information We Collect

We collect information that you provide directly to us, information we collect automatically, and information from third parties.

2.1. Information You Provide to Us

  • Account Information: When you create an account, we collect personal information such as your name, email address, and password.
  • User-Generated Content: We collect the content you submit to our Services, such as coupons, offers, and any associated information.
  • Communications: If you contact us directly (e.g., via email or for customer support), we may receive additional information about you, such as your name, email address, and the contents of your message.

2.2. Information We Collect Automatically

  • Usage Data: We automatically collect information about your interactions with our Services, such as the pages you view, the features you use, coupons you bookmark, stores you follow, and the dates and times of your visits.
  • Device Information: We collect information about the device you use to access our App, including the hardware model, operating system and version, unique device identifiers, IP address, and mobile network information.
  • Clipboard Access: When you use the "Copy Code" feature in our mobile app to copy a coupon code, we write the coupon code to your device's clipboard for your convenience. This is a write-only operation—we do not read, monitor, or access any other content on your clipboard. The clipboard data remains under your control and is managed by your device's operating system.
  • System Logs & Security Telemetry: When you interact with our API, we generate a request identifier and log metadata such as IP address, user agent, inferred locale, and authentication status. These logs are used for fraud detection, abuse prevention, auditability, and troubleshooting and are stored separately from your profile.
  • Strictly Necessary Referral Attribution: If you arrive through a referral link, we store the referral code in first-party browser storage to honor that referral and credit commissions. Without consent, we keep it in sessionStorage for up to 30 minutes so attribution works within the same session. If you accept the banner, we store it in localStorage for up to 7 days to preserve attribution across visits. This storage is limited to a referral code and timestamp, is not used for advertising or profiling, and is necessary to provide the referral benefit you requested. If you reject cookies, we clear referral storage and referral attribution may not be credited.
  • Landing Site Analytics (Optional, Consent-Based): On offerlash.com we store your cookie preference in your browser (the cookies_consent_status key in localStorage). We use Google Analytics (GA4) via gtag.js with Google Consent Mode and denied defaults before acceptance. If you accept the banner, we update consent to allow analytics storage for fuller measurement. If you reject (or do not accept), analytics storage remains denied. We do not use Google Tag Manager on the landing site.
  • Attribution Link Routing (Optional): When you click an app download button, the link may be routed through our attribution provider using a smart link so we can measure installs and subscriptions. The attribution provider may receive click data and device or browser metadata needed for attribution. Install attribution may involve deterministic matching and, where deterministic signals are unavailable, probabilistic matching. Probabilistic matching is inferential and is not guaranteed to be 100% accurate in every case. We do not perform device fingerprinting on the landing site.

3. How We Use Your Information

We use the information we collect for various purposes, including to:

  • Provide, operate, and maintain our Services.
  • Process and moderate the content you submit.
  • Process your subscriptions and transactions.
  • Communicate with you, including sending you service-related announcements, updates, and promotional messages. Marketing communications are delivered via mobile push notifications only, are opt-in, and can be opted out later through your device settings or in-app preferences.
  • Monitor and analyze trends, usage, and activities in connection with our Services.
  • Personalize your experience, such as showing you relevant offers.
  • Maintain audit logs, referral tracking records, and request identifiers to comply with legal obligations, enforce our Terms, and investigate fraud or abuse.
  • Detect and prevent fraudulent activity and ensure the security of our platform.

4. How We Share Your Information

We do not sell your personal information. However, we may share your information in the following situations:

  • With Your Consent: We may share your information with your consent or at your direction.
  • Third-Party Service Providers: We share information with third-party vendors and service providers who need access to such information to carry out work on our behalf.
  • Affiliate Partners: When you interact with an affiliate link, we may share information (such as a non-identifying click ID) with our affiliate partners to track conversions and manage our affiliate program.
  • For Legal Reasons: We may disclose your information if we believe it is required by applicable law, regulation, legal process, or governmental request.

5. Third-Party Services

Our Services are integrated with third-party services to provide a better experience.

  • Subscription Processing: In-app subscriptions are processed by RevenueCat. Payment card details are handled exclusively by Apple (App Store) or Google (Play Store) and their authorized payment processors in accordance with PCI-DSS standards—we do not store or access your credit card information. RevenueCat facilitates subscription management and syncing across your devices. When you enable "User Association" in your Privacy Settings (Settings → Privacy → Analytics User Association), we share your profile information with RevenueCat to sync your subscription status across devices. This includes: User ID, email address, first name, last name, date of birth, gender, referral code, account verification status, and user role (e.g., affiliate enrollment status). This data syncing enables features like subscription restoration on new devices and consistent access to premium features. You can disable User Association at any time via Settings → Privacy, which will stop future data syncing with RevenueCat (your subscription will remain active but won't sync profile data). RevenueCat processes this data in accordance with its privacy policy.
  • Analytics and Attribution: We use Firebase (Google) to understand how our users interact with our App and to measure the effectiveness of our marketing campaigns.
  • Attribution & Deep Linking: We use Singular to route app download links and measure app install attribution. Singular collects device identifiers (IDFA on iOS after user authorization via App Tracking Transparency, Google Advertising ID on Android), install timestamps, and campaign parameters to attribute app installs to marketing sources and measure the effectiveness of our promotional campaigns. Attribution may use deterministic matching (exact match via device identifiers when available) or probabilistic matching (estimated match via device signals such as IP address, device model, and timing patterns) depending on signal availability. Probabilistic matches are inferential best-effort estimates and are not guaranteed to be 100% accurate. Singular processes this data in accordance with its privacy policy.
  • Push Notifications: We use Firebase Cloud Messaging and OneSignal to send you push notifications if you have opted in to receive them. You can opt out at any time through your device settings or in-app preferences.
  • Search: Search queries are processed on our own servers and are not shared with any third-party search provider.
  • Spam & Abuse Prevention: We use Google reCAPTCHA v3 on certain forms (such as the Affiliate Program Application) to protect against automated submissions and abuse. reCAPTCHA may collect hardware and software information, such as device and application data, and send it to Google for analysis. This processing is governed by Google's Privacy Policy and Terms of Service.
  • Error Monitoring: We use Sentry to monitor application errors and improve service reliability. When an error occurs, Sentry may receive technical diagnostic data such as stack traces, request metadata (IP address, user agent, and request identifiers), and browser or device information. This data is used solely for debugging and performance improvement. Sentry processes this data in accordance with its privacy policy.

These services have their own privacy policies, and we encourage you to review them.

5.1. Data Processing Agreements

We have executed Data Processing Agreements (DPAs) with all third-party processors listed above to ensure they process your personal data in accordance with PDPL and GDPR requirements. These agreements require our processors to:

  • Process personal data only on our documented instructions
  • Implement appropriate technical and organizational security measures
  • Maintain confidentiality of personal data
  • Assist us in responding to data subject rights requests
  • Notify us of any data breaches without undue delay
  • Delete or return personal data upon termination of services

These contractual safeguards ensure that your data is protected even when processed by third parties on our behalf, in compliance with PDPL Article 16 and GDPR Article 28.

6. Our Legal Bases for Processing (Saudi PDPL)

Because we are registered and operate in the Kingdom of Saudi Arabia, we process personal data in accordance with the Personal Data Protection Law (PDPL). Depending on the activity, we rely on the following legal bases:

  • Performance of a contract: To create and manage your account, provide subscriptions, and deliver requested services.
  • Compliance with legal obligations: To satisfy record-keeping requirements, respond to lawful requests, and meet SDAIA directives.
  • Legitimate interests: To protect our platform against fraud and abuse, improve product performance, and compile aggregated analytics that do not override your privacy rights. We also rely on legitimate interests to honor referral links and credit commissions through strictly necessary, short-lived referral storage.
  • Consent: For optional processing such as marketing communications, push notifications, and analytics cookies. You may withdraw consent at any time through the app settings, browser controls, or by contacting us.

7. Your Rights Under the Saudi PDPL

Individuals located in the Kingdom of Saudi Arabia have the following rights under the PDPL (and we extend similar rights to other regions where required, such as GDPR or CCPA):

  • Right to be informed: To know why and how your personal data is collected, used, and shared.
  • Right of access and copies: To obtain a copy of the personal data we hold about you in a commonly used format.
  • Right to correction and updating: To request that inaccurate or incomplete data be corrected.
  • Right to destruction/deletion: To ask us to delete data that is no longer needed for the stated purposes or where you withdraw consent.
  • Right to withdraw consent: To opt out of marketing messages, analytics cookies, or optional features at any time without affecting the lawfulness of prior processing.
  • Right to data portability: To request that we transfer your data directly to you or another controller when technically feasible.
  • Right to complain: To file a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) if you believe we have violated the PDPL.

If you reside in a jurisdiction with additional statutory rights (for example, the European Economic Area or California), we will honor those requirements as well, including the right to object to certain processing and to opt out of any “sale” of personal information (even though we do not sell personal data in the traditional sense).

To exercise these rights, please contact us via the in-app support flow or email care@offerlash.com. We may ask you to verify your identity before processing a request and will respond within the timelines required by PDPL (typically within 30 days). You may also submit a complaint directly to SDAIA.

8. Data Security

We use a combination of technical, administrative, and physical controls to maintain the security of your data. While we take reasonable precautions to guard your personal information, no security system is impenetrable.

8.1. Data Breach Notification

In the unlikely event of a data breach that may affect your personal information, we are committed to transparency and timely notification:

  • Notification to SDAIA: We will notify the Saudi Data & Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware of the breach, as required by PDPL Article 28.
  • Notification to Affected Users: We will notify affected data subjects without undue delay when the breach is likely to result in a high risk to your rights and freedoms, in accordance with PDPL requirements.
  • Information Provided: Our notification will include clear information about:
    • The nature of the personal data breach
    • The likely consequences of the breach
    • The measures taken or proposed to address the breach
    • Contact information for our Data Protection Officer
  • GDPR Compliance: For users in the European Economic Area, we will also comply with the requirements of GDPR Articles 33 and 34, including notification to the relevant supervisory authority within 72 hours where applicable.

We maintain detailed incident response procedures and conduct regular security assessments to minimize the risk of data breaches and ensure rapid response if one occurs.

9. Data Storage and International Transfers

We store personal data on secure cloud infrastructure provided by Hostinger International Ltd. Our database and web application servers are hosted on a self-managed VPS located in France/Cyprus (European Union). We use industry-standard encryption and security measures to protect your data in transit and at rest.

DNS management services are provided by DigitalOcean for domain name resolution purposes only. DigitalOcean does not store or process any personal data; they only route traffic to our servers.

9.1. Data Storage Locations

Our infrastructure is located in the following regions:

  • Primary Infrastructure: Hostinger VPS - France/Cyprus (European Union)
  • Database: Self-hosted MySQL on Hostinger VPS (France/Cyprus)
  • Application Servers: Hostinger VPS (France/Cyprus)
  • DNS Management: DigitalOcean (no personal data storage)
  • SSL Certificates: Let's Encrypt (automated certificate authority)

9.2. International Transfer Safeguards

For users in the Kingdom of Saudi Arabia, we rely on PDPL Article 23 legal bases for international data transfers to the European Union, including:

  • Your explicit consent: When you create an account and accept this Privacy Policy
  • Performance of our contract: To provide the services you have requested
  • Compliance with legal obligations: To fulfill regulatory and tax requirements
  • Adequate level of protection: The European Union is recognized as providing strong data protection standards comparable to PDPL requirements

For users in the European Economic Area, our infrastructure is located within the EU, minimizing cross-border data transfers. We maintain Data Processing Agreements with Standard Contractual Clauses (SCCs) with all service providers as required by GDPR Article 46.

We have implemented the following technical and organizational safeguards:

  • Encryption: All data in transit is encrypted using the TLS 1.2+ protocol
  • Data Processing Agreements: Executed with Hostinger and all third-party processors listed in Section 5
  • EU Infrastructure: Primary servers located in the European Union for GDPR adequacy
  • Self-Managed Database: Full control over data access, security, and backup procedures
  • Provider Compliance: Hostinger maintains ISO 27001 and SOC 2 Type II certifications
  • Access Controls: Role-based access with multi-factor authentication for all administrative access
  • Regular Audits: Quarterly security assessments and annual third-party penetration testing

When we transfer data to third-party service providers (such as RevenueCat for payment processing or Firebase for analytics), we ensure these transfers comply with both PDPL Article 23 and GDPR Articles 44-50 requirements through appropriate safeguards, including Data Processing Agreements, Standard Contractual Clauses, and adequacy decisions where applicable.

10. Data Retention

We will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

  • Account data: Stored while your account is active. When you delete your account, your personal information (profile, preferences, and associated data) is permanently deleted immediately. All active sessions and API tokens are revoked at the time of deletion.
  • Audit & security logs: Request metadata (IP, user agent, request ID, auth outcome) is retained for up to 24 months to support security investigations and regulatory inquiries. These logs are stored separately from your profile and are not deleted when your account is deleted.
  • Anonymous referral sessions: Unlinked sessions (where no user signs up) expire automatically after 12 months. Once a session is linked to an account, it is treated as part of the user profile and follows the account retention schedule.
  • Payment and tax records: Retained for the period required under Saudi tax/commercial regulations (usually 7 years). These records are maintained independently of your account and may persist after account deletion where required by law.

When your account is deleted, your personal information is permanently removed from our active systems. Audit logs, financial records, and fraud-prevention data may be retained separately where legally required, but we will inform you when such retention applies.

11. Data Protection Officer

Offerlash has appointed a Data Protection Officer responsible for PDPL compliance and for responding to privacy-related inquiries. You can contact the DPO at care@offerlash.com (please include "Data Protection Officer" in the subject line) or by using the address listed below.

12. Children's Privacy

Our Services are not intended for or directed to children under the age of 13 (or the age defined by PDPL and local regulations). We do not knowingly collect personal information from children without the consent of a parent or legal guardian. If we learn that we have collected personal information from a child without the required consent, we will take steps to delete such information as soon as possible.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time, at our sole discretion and without prior notice. We will post the revised Privacy Policy on this page and update the "Last Updated" date. Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.

14. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: care@offerlash.com
Phone: +966 55 064 0057
Address: 3987 No. 216, Riyadh 13323, Kingdom of Saudi Arabia