Mobile App Privacy Policy
Wadi Home – Mobile App Privacy Policy
Effective date: 2026-07-09
Last updated: 2026-07-09
Wadi Home ("we", "us", "the app") operates the Wadi Home mobile application for iOS and Android that lets customers browse and purchase products from the Wadi Home online store (wadihome.com). This policy explains what we collect through the app, why we collect it, who we share it with, and the rights you have over that data.
If you use the wadihome.com website, that experience is governed by our website privacy policy at wadihome.com/pages/privacy-policy. This document covers the mobile app only.
1. Who we are
Data controller. Wadi Home
Contact for privacy questions. privacy@wadihome.com
Postal address. Riyadh, Saudi Arabia
2. What we collect
The app collects the following categories of data. Nothing is collected that isn't listed here.
2.1 Information you give us directly
- Sign-in information. When you sign in to view your Wadi Home account, order history, wishlist, or checkout, we use Shopify Customer Accounts. We do not see your password. What we store on the device is an OAuth refresh token and an ID token (both encrypted at rest using Android's Keystore-backed EncryptedSharedPreferences / iOS Keychain).
- Cart contents. The products, variants, and quantities you add to your cart are stored on-device and synced to the Shopify checkout system.
- Photos you take for visual search. When you use the camera-search feature, the photo is sent one time to our Cloudflare Worker, which forwards it to Groq for object recognition. Groq's terms prohibit training on that image. Our worker does not persist the photo. Only the derived text labels ("floor lamp", "ceiling light") are logged so merchants can see what customers are searching for.
2.2 Automatic technical information
-
Analytics events. We use Firebase Analytics (Google Analytics 4) and our own analytics endpoint on Cloudflare to record app usage: session starts, product views, add-to-cart, begin-checkout, purchase, search queries, and visual-search attempts. Each event carries:
- the event name and any product handle / variant id / order value associated with it,
- the app's install identifier (
install_id) — an anonymous ID derived from AndroidSettings.Secure.ANDROID_IDor iOSidentifierForVendor. It is not your device's IMEI, phone number, or hardware advertising ID. - your Shopify customer ID (
customer_id) only when you're signed in. If you're not signed in, events are anonymous with respect to Shopify. - a
platformfield ("ios"or"android") and app version.
- Push registration. OneSignal is used to send push notifications. It registers a push token that identifies your device to Google Firebase Cloud Messaging or Apple Push Notification Service so we can deliver a message to you. You can revoke push permission at any time in your device settings.
- Crash reports. Sentry captures crash stack traces, the phone model, OS version, and a small amount of surrounding app state so we can fix bugs. Sentry sees your IP address at the moment of the crash report; we do not store it beyond Sentry's 30-day retention window.
2.3 What we do NOT collect
- Location (we do not request GPS or coarse location).
- Contacts, calendar, or SMS.
- Advertising IDs (we don't use ad networks).
- Health, financial, or biometric data. Biometric prompts to unlock the app happen entirely on-device via Android BiometricPrompt / iOS Face or Touch ID — the fingerprint / face template never leaves your phone.
3. Why we collect it
- Show you the store, run your cart, and process your order. Everything under Section 2.1 exists so you can shop.
- Improve the app and fix bugs. Analytics and crash reports let us see which flows fail, which searches turn up empty, and where the app crashes. Aggregated, not targeted at any individual.
- Send you order and promotional notifications. Only when you opt in to push notifications.
-
Attribute mobile orders in Shopify. Every cart the app creates carries a
source: "ios"orsource: "android"attribute so merchants can see which orders came from the mobile app.
We do NOT sell your data, use it for cross-context behavioural advertising, or share it with data brokers.
4. Who we share it with
We share data only with the service providers we need to run the app:
| Provider | What they see | Purpose |
|---|---|---|
| Shopify (Storefront + Customer Accounts) | Cart, checkout, sign-in tokens, customer id | E-commerce backend |
| Firebase Analytics (Google) | Event names + our install_id + customer_id when signed in | Product analytics |
| Firebase Cloud Messaging (Google) | Push token | Notification delivery |
| OneSignal | Push token + install_id | Notification routing |
| Sentry | Crash traces + IP at crash time | Crash monitoring |
| Groq | Photos submitted to visual search (not retained) | Object recognition |
| Cloudflare | All API requests (routing + edge cache) | Infrastructure |
Each provider is under a data-processing agreement with us and processes data on our instructions only.
5. How long we keep it
-
Analytics events: 30 days in raw form, then aggregated indefinitely (aggregate rows carry no
install_idorcustomer_id). - LLM cost / visual-search logs: 90 days.
- Crash reports: 30 days (Sentry default).
- Auth tokens on-device: until you sign out or uninstall the app.
- Cart on-device: until you complete or abandon the cart.
6. Your rights
Depending on where you live (KSA PDPL, EU GDPR, UK GDPR, CCPA), you have some combination of the following rights:
- Access. Ask for a copy of what we hold on you.
- Deletion. Ask us to delete your data. Sign out of the app to remove the on-device tokens; email privacy@wadihome.com with your Shopify customer id to have your analytics rows purged.
- Correction. Fix inaccurate account data via your Wadi Home account on the website.
- Opt-out of analytics. Deny the notification permission and disable Google Analytics for this app in your device settings under Google → Ads. iOS: Settings → Privacy → Tracking.
-
Withdraw consent. Uninstalling the app stops all future data collection. Analytics rows already collected under
install_idare purged from Google Analytics after 30 days of inactivity per the GA4 default retention.
To exercise any of these rights, email privacy@wadihome.com. We aim to respond within 30 days.
7. Children's privacy
The app is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe your child has used the app, email us and we will delete any records associated with the install.
8. Changes to this policy
If we change what we collect or who we share it with, we'll update this document and change the "Last updated" date at the top. Significant changes will be surfaced in the app the next time it launches.
9. Contact
Email: privacy@wadihome.com
Postal: Riyadh, Saudi Arabia
For the website privacy policy, see wadihome.com/pages/privacy-policy.