Effective date: 23 May 2026  ·  Version: 2.0

This policy is governed by, and is intended to comply with, the Personal Data Protection Law of the Sultanate of Oman (Royal Decree No. 6/2022) and its Executive Regulations.

Privacy Policy

This Privacy Policy explains how Async Solution Services LLC ("Async Solution", "we", "us", or "our"), the operator of the oFatoura restaurant point-of-sale and management platform (including the web platform, the oFatoura ePOS mobile application, and the oFatoura Partner application, together the "Service"), collects, uses, discloses, stores, and protects personal data. We are committed to protecting personal data in accordance with the Personal Data Protection Law of the Sultanate of Oman (Royal Decree No. 6/2022) and its Executive Regulations (the "PDPL"), which is supervised by the Ministry of Transport, Communications and Information Technology ("MTCIT").

1. Who is responsible for your data (controller and processor roles)

Under the PDPL, the responsibility for personal data depends on whose data it is:

  • Async Solution as controller. For the personal data of the restaurant businesses that subscribe to oFatoura and the individuals who administer their accounts (for example, account, billing, and support data), Async Solution Services LLC acts as the data controller.
  • Async Solution as processor. For the personal data that a subscribing restaurant enters into the Service about its own customers and staff (for example, customer contact details, order history, and staff records), the restaurant is the data controller and Async Solution acts as a data processor that processes such data only on the restaurant's documented instructions. The terms governing this relationship are set out in our Data Processing Agreement.

2. Personal data we collect

We collect data that you provide to us and data generated automatically when you use the Service:

2.1 Restaurant account data (we are controller)

  • Business name, branch address, and contact information
  • Account administrator name, email address, and phone number
  • Billing and subscription information
  • Commercial Registration and tax identification numbers (including for VAT compliance)

2.2 Staff and user data

  • Name, email address, and phone number
  • Role, branch assignment, and permission settings
  • Login credentials and authentication data
  • Operational records limited to shift open/close times and cash-handling entries, and activity/audit logs

2.3 Customer data (the restaurant is controller)

  • Customer name and contact information, where provided
  • Order history and preferences
  • Reservation details
  • Payment is handled by licensed third-party payment processors; we do not store full card numbers

2.4 Technical data

  • IP address, device and operating-system information
  • Browser type and version
  • Usage patterns, preferences, and diagnostic logs
  • Cookies and similar technologies — see our Cookie Policy

We do not intentionally collect special categories of personal data (such as data revealing health, religious belief, ethnic origin, or political opinion). You should not enter such data into free-text fields of the Service.

3. Legal basis for processing

In line with the PDPL, we process personal data only where we have a lawful basis to do so:

  • Your explicit consent, freely given by a person with full legal capacity — for example, for optional marketing communications. You may withdraw consent at any time.
  • Performance of a contract with you — to provide, maintain, and bill for the Service.
  • Compliance with a legal obligation — for example, retaining tax and VAT records and responding to lawful requests from competent authorities.
  • Our legitimate operation of the Service, including security, fraud prevention, and service improvement, balanced against your rights.

4. How we use personal data

  • Service provision: to provide, operate, maintain, and improve the Service
  • Account and billing: to create and manage accounts, process subscription payments, and handle support
  • Order and operations processing: to process orders, reservations, shifts, and cash records on behalf of the restaurant
  • Communication: to send service-related notices and respond to your requests
  • Security: to detect, prevent, and address security incidents and fraud
  • Legal compliance: to meet obligations under Omani law and enforce our agreements
  • Marketing: only with your prior consent, which you may withdraw at any time

5. Disclosure of personal data

We do not sell personal data. We disclose personal data only in the following circumstances:

  • Service providers (sub-processors) who help us operate the Service — for example, licensed payment processors, cloud hosting within Oman, and communication providers — under contracts that require them to protect the data and process it only on our instructions.
  • Legal and regulatory requirements — where disclosure is required by Omani law, by a competent court or authority (including MTCIT), or to protect the rights, property, or safety of users and the public.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, subject to the protections of this policy and the PDPL.
  • With your consent — at your direction or with your explicit consent.

6. Data location and cross-border transfers

Personal data processed through the Service is hosted and stored on infrastructure located within the Sultanate of Oman. We do not transfer personal data outside Oman except where such transfer is permitted under the PDPL and is carried out with the safeguards it requires, including, where applicable, the data subject's explicit consent and any approval required from MTCIT. Where a limited transfer outside Oman is necessary (for example, certain payment or communication providers), we take steps to ensure an adequate level of protection consistent with the PDPL.

7. Data security

We apply technical and organisational measures appropriate to the risk, including:

  • Encryption of data in transit (TLS) and of stored credentials
  • Role-based access controls and the principle of least privilege
  • Audit logging of sensitive actions
  • Regular backups and recovery procedures
  • Restricted access to personal data on a need-to-know basis

No method of transmission or storage is completely secure, but we work to protect personal data and to respond promptly to any incident.

8. Personal data breach notification

If a personal data breach occurs that may pose a risk to data subjects' rights, we will notify MTCIT and, where required, the affected data subjects without undue delay and, where feasible, within 72 hours of becoming aware of the breach, describing the nature of the breach, its likely impact, and the measures taken to address it. Where we act as a processor for a restaurant, we will notify that restaurant (the controller) so it can meet its own obligations.

9. Data retention

We retain personal data only for as long as necessary to provide the Service, comply with legal obligations (including tax, VAT, and accounting record-keeping requirements under Omani law), resolve disputes, and enforce our agreements. When data is no longer required, we delete or anonymise it. On account closure we delete or anonymise personal data subject to mandatory legal retention periods.

10. Your rights under the PDPL

Subject to the conditions in the PDPL, you have the right to:

  • Be informed about how your personal data is processed
  • Access your personal data and obtain a copy
  • Correct inaccurate or incomplete data
  • Request deletion of your personal data
  • Withdraw consent where processing is based on consent
  • Object to or restrict processing in certain circumstances
  • Data portability — request transfer of your data where applicable

To exercise these rights, contact us using the details in section 13. We do not charge a fee to respond to a valid request and will respond within 45 days of receipt, as required by the PDPL. Where the data is controlled by a restaurant (section 1), we will refer your request to that restaurant. You also have the right to lodge a complaint with MTCIT.

11. Children and minors

The Service is a business tool intended for use by restaurants and their authorised staff, and is not directed to minors. We do not knowingly collect personal data from individuals under 18 years of age without the consent of a parent or legal guardian, as required under the PDPL. If you believe a minor's data has been provided to us without such consent, please contact us so we can address it.

12. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or in applicable law. We will post the updated policy on this page, update the "Effective date", and notify you of material changes via email or an in-platform notice.

13. Contact us

For any question, request, or complaint regarding this Privacy Policy or your personal data, please contact:

Async Solution Services LLC (operator of oFatoura)
Commercial Registration No.: [to be completed]
Address: Office 202, Al-Qurrum 29, Muscat, Sultanate of Oman
Email: support@asyncsolution.com

This document is provided for transparency and does not constitute legal advice. It should be reviewed by qualified legal counsel before publication.