Privacy Policy

Last updated: May 22, 2026

Hababkum is a ticketing platform for Sudanese events — weddings, concerts, cultural and religious gatherings, and diaspora community events. This policy explains what data we collect about you, why, and how you can control it.

1) Data we collect

a) When you create an account

• Phone number (E.164 format) — required for OTP sign-in.
• Full name — optional, shown to organizers when you reserve.
• Email — optional, for ticket confirmations and notifications.
• Preferred language (Arabic / English).

b) When you sign in with a third party

• Facebook: public ID, name, email (only if you grant the email scope).
• Google: public ID, name, email, photo (via a Google-signed ID token).
• Telegram: public ID, name, photo (via Telegram OAuth).

This data is used only to create or link an account. We never request publishing rights or friends-list access.

c) When you reserve or buy

• Ticket details (event, category, quantity, price).
• Payment data — processed via the payment provider (Stripe / local processor). We do not store card numbers.
• Device + browser — User-Agent + IP address (hashed for security).

d) When you use the app

• Behavioral analytics — events like "viewed event" and "purchase started" with hashed IP.
• Error logs — for detecting and fixing bugs.
• Push notifications — FCM device token to send event notifications.

2) Why we collect this data

• To run the service — verify identity, issue tickets, send QR codes, allow gate entry.
• For better customer service — resolve support tickets, verify accounts in disputes.
• To improve the product — understand which features people use and where they get stuck.
• To prevent fraud — detect fake account creation, protect your account from compromise.
• For legal compliance — maintain transaction records per UAE and Sudan law.

3) Who we share your data with

We do not sell your data. We share it only with:

• Event organizers — those you buy tickets from: your name, phone number, ticket. Necessary to issue the ticket.
• Payment providers — Stripe and licensed local processors in UAE and Sudan for payment processing.
• Infrastructure providers — Cloudflare (CDN), Sentry/GlitchTip (error tracking), Mapbox (maps), Google Identity (optional sign-in). All bound by strict data-processing terms.
• Authorities — only with a valid court order from a recognized jurisdiction.

4) Your rights

• Access — request a copy of all your data from /me/settings → Export data.
• Correction — edit your name, email, and language in account settings.
• Deletion — delete your account from /me/settings → Privacy → Delete account. Tickets you've purchased remain valid (the gate scanner doesn't need your account active).
• Objection — opt out of analytics and notifications in settings.
• Complaint — email us at [email protected].

5) Retention

We keep most data while your account exists. After deletion we erase your data within 30 days, except:

• Financial transaction records — retained 7 years for tax compliance.
• Fraud records — retained 2 years to prevent re-opening banned accounts.

6) Data security

We use TLS encryption for all traffic, encrypt data at rest, and follow OWASP standards in development. No system is 100% secure, but we do what we can: periodic audits, immediate security updates, and tightly-scoped access for our team.

7) Children

The service is not directed at children under 13. If we discover an account belongs to a child we delete it immediately. If you are a parent and suspect your child created an account, email us at [email protected].

8) Policy changes

We may amend this policy. Material changes will be communicated by email and an in-app banner 30 days before they take effect.

9) Contact us

Privacy questions: [email protected]
General support: [email protected]