Legal

Privacy Policy

General Privacy Policy of the Application

Version: V1 — 01/04/2026

This Policy sets out the principles and standards under which we undertake to collect, process, protect, and maintain the confidentiality of your data when you use the platform and the services provided through it. The platform is intended to enable booking services and the management and organization of appointments between users and the participating medical entities, and to support the operation of these services in a secure, organized, and effective manner. Use of the platform and the processing of data associated with it shall be limited to the legitimate purposes necessary for providing the service, operating, administering, securing, and supporting the platform, and for fulfilling the relevant legal and regulatory obligations, in accordance with the applicable laws and regulations.

1- Why Do We Collect Your Data?

We collect your data to enable booking services and the management and organization of appointments between the user and the medical provider through the platform, including enabling users to search for providers and book appointments, and enabling providers to manage, create, or coordinate appointments for users where needed. We also collect data to ensure that the application operates properly and securely, and to prevent misuse of the application or use in a manner that may cause harm or adversely affect the service. We do not use your data for commercial or marketing purposes unless we have your explicit consent.

2- Parties

User: The individual who uses the application or whose data is processed through it.

Medical Provider: The hospital, health center, clinic, or medical entity participating in the platform.

Application Provider: The owner and operator of the platform.

Roles of the Parties

Each party’s role as a Data Controller or Data Processor may vary depending on the type of data and the purpose of processing. The Medical Provider acts as an independent Data Controller in relation to the data it processes for the operation of its facility and the provision of its services. The Application Provider acts as an independent Data Controller in relation to the data it processes for operating, administering, securing, supporting, and improving the platform. In addition, the Application Provider may act as a Data Processor on behalf of the Medical Provider in relation to certain personal data processed through the platform to enable the services provided through it.

3- Information We Use and How We Use It

a) User Identification Data: such as name, date of birth, phone number, email address, gender, and any other identifying data necessary to provide the service, including data provided during registration through Google or Apple, for the purposes of account creation, account verification, communication, enabling use of the application, and booking appointments.

b) Location Data: to enable users to search for nearby providers or providers within the relevant geographic area.

c) Service-Related Data: including data necessary to organize, coordinate, and manage the requested medical service and the related appointment.

d) Appointment Data and Status: including appointment details, status, and related updates, in order to facilitate appointment management and interaction between the user and the medical provider.

e) Application Usage Data: including login-related information, booking and usage activity logs, user interaction with the application, and technical information necessary to operate, protect, and support the application, or to prevent misuse.

f) Voluntarily Provided Data: including any information that the user voluntarily provides, such as ratings, comments, or other information, for the purpose of improving, delivering, or evaluating the service.

4- Legal Basis for Processing

We process personal data on one or more of the following bases, as applicable depending on the data type and the nature of the service:

Service Delivery and Performance of the User’s Request:

to process bookings and manage, coordinate, confirm, reschedule, or cancel appointments, and to communicate with the user or the medical provider regarding the appointment and related service.

Secure and Effective Operation of the Application:

to ensure the application operates reliably and securely, including preventing misuse, detecting fraud, protecting the platform, improving performance, operating backups, security monitoring, and maintaining technical logs necessary for operation, support, troubleshooting, and incident investigation.

Legal and Regulatory Compliance:

where processing is necessary to comply with applicable legal obligations, official requests, or record-keeping requirements under applicable laws and regulatory procedures.

Consent:

where explicit consent is required for optional processing activities that are not necessary to provide the core service (such as marketing or promotional communications, or enabling certain optional features relying on optional permissions). Users may withdraw consent at any time; however, withdrawal may affect optional features and does not prevent us from processing data necessary to provide the core service or to comply with legal obligations.

5- Legal and Regulatory Disclosure

We may disclose information where required by law or upon request from competent governmental, judicial, or regulatory authorities.

6- Who Has Access to Data?

  • The Medical Provider registered on the application, and its authorized personnel, to the extent necessary for booking, managing, and coordinating appointments.
  • The Application Provider, in its capacity as the owner and operator of the platform, to the extent necessary to operate, administer, secure, and support it.
  • Authorized technical or operational service providers, including cloud infrastructure providers, messaging or verification service providers, and support, maintenance, or development service providers, to the extent necessary to operate, support, or provide services related to the platform.

7- Data Protection

We implement appropriate technical and organizational measures to protect personal data, including encryption during transmission and storage, appropriate access controls, and periodic backups, in a manner consistent with the nature of the service and reasonable operational requirements.

8- Cloud Hosting and Cross-Border Processing

The application relies on cloud infrastructure, and data may be processed, stored, or backed up within or outside the user’s country where necessary to operate, provide, and support the platform, through authorized technical or cloud service providers. We implement appropriate safeguards to protect data in accordance with applicable laws and regulations.

9- Data Retention Period

We retain personal data, including appointment and booking data, whether completed or cancelled, for as long as necessary to provide the service, operate the platform, enable users to access their appointment history, assist with arranging future appointments where needed, and comply with applicable legal, regulatory, and operational requirements. Retention periods may vary depending on the type of data, the nature of the service, and applicable compliance requirements. In some cases, certain data may be deleted or retained on a more limited basis upon the termination or withdrawal of a Medical Provider from the platform, depending on the nature of the service or applicable legal or regulatory obligations.

10- Your Rights

Subject to applicable law, users may request access to their personal data or correction of such data. They may also request deletion where applicable, and may withdraw their consent where processing is based on consent, subject to any applicable legal, regulatory, or operational obligations. Some of these rights may be exercised through the Medical Provider or through the Application Provider, depending on the nature of the data and the purpose of processing. In some cases, we may need to continue retaining certain data where this is necessary to operate the service or comply with legal or regulatory requirements. Please do not include any unnecessary medical or sensitive health information when submitting a request.

11- Breach Notification

In the event of a data breach, we will take appropriate steps to address it and provide notification where required in accordance with applicable laws and regulations.

12- Security and Protection Provisions

Application Provider: applies appropriate security measures to protect the platform and data, including encryption, backups, and appropriate measures to reduce unauthorized access.

Medical Provider: is responsible for securing its own environment, including its devices, networks, and authorized user accounts.

User: is responsible for the accuracy of the information provided and for maintaining the confidentiality of login credentials or any confidential information related to the user’s account.

13- Usage Restrictions

  1. It is prohibited to use, disclose, sell, or exploit data for unauthorized commercial or marketing purposes, or in any manner that violates applicable laws or the applicable terms and conditions.
  2. The application is not intended for children below the legal age applicable in the country of residence, unless such use is supervised or carried out through a legally authorized person or entity where applicable. The Application Provider may restrict or prohibit the creation of accounts or the use of the application or certain of its features by such category, in whole or in part.
  3. The application may not be used unless the applicable Terms and Conditions and Privacy Policy have been reviewed and accepted.
  4. It is prohibited to use the application to make fake or improperly repetitive bookings, send unsolicited requests or content, or engage in any use intended to misuse, disrupt, or adversely affect the platform or the services provided through it. The Application Provider may take appropriate measures to prevent, limit, or address such conduct in accordance with applicable laws and regulations.
  5. Phone number verification is required to complete a booking through the application, and other appropriate verification methods may be used for certain browsing or usage features as made available by the platform.

14- When and Why May We Contact You?

Application Provider:

The Application Provider may contact you for the purpose of verifying your account within the application, including sending a one-time passcode (OTP) to your phone number or email address to complete the verification process, when you request support, when you contact the support team, through in-app notifications, or to inform you of important updates, notices, or news relating to the application, the service, or your account. In all cases, the Application Provider will not ask you to share any confidential information such as your OTP or your account password.

Medical Provider:

The Medical Provider may contact you in relation to confirming your appointment or any change or update affecting the appointment or the related service. The Medical Provider shall remain responsible for any direct communication or independent use of data carried out outside the operation of the platform or outside the permitted purposes, in accordance with the laws and obligations applicable to it.

Note:

The user may contact the Application Provider in relation to issues concerning the account or use of the application, and may contact the Medical Provider in relation to issues concerning the appointment, the related booking, or the relevant service.

15- Laws and Jurisdiction

This Policy shall be governed by the laws of the State of Qatar, and the Qatari courts shall have jurisdiction unless otherwise agreed in writing.

16- Policy Updates

We may update this Policy from time to time, and the updated version will be published on the website or through the communication channels adopted by the Application Provider.

17- Language

This Policy has been adopted in Arabic, and an English translation may be provided for convenience. In the event of any inconsistency, the Arabic text shall prevail unless otherwise stated.

18- Acknowledgment of the Privacy Policy

By using the application or the services provided through it, you acknowledge that you have reviewed this Privacy Policy and understand its contents. Where applicable, you may also be asked to provide consent for certain processing activities or features where required by the nature of the service and applicable law.

19- Contact

For any inquiries or urgent data-related reports, please contact:

Privacy@yalla.systems