Privacy Policy

Last updated: 13 Oct 2025

1) Who we are & scope

Mawaaid is a SaaS platform that helps people book appointments with professionals and gives professionals simple scheduling and subscription tools. This Policy explains what personal data we collect, why, how we use it, how long we keep it, and your rights.

Controller: HZED
Legal domicile: Paris, France
Email: hzedassist@gmail.com
Contact form: Contact form
Hosting provider: Google Cloud Platform (Google LLC), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA · cloud.google.com/support

Applicable law: Lebanon (primary). EU/EEA and UK users retain mandatory rights under their local law where applicable.

2) Data we collect

  • Account data (users & professionals): name, email, phone, country/region, role, verification status, and Terms acceptance metadata (termsVersion, acceptedAt, IP, role).
  • Professional profile (pros): specialty/category, business name/location, contacts, services, pricing, working hours, time off, public bio, profile picture, optional map coordinates (publicly visible; clicking opens a third-party map service).
  • Booking data: appointment ID, professional ID, client ID, start/end times, status (booked/passed/canceled), brief cancellation reason, counters.
  • Billing (pros): plan, Stripe customer/subscription IDs, invoice refs, status. We do not store full card numbers.
  • Technical & security logs: IP, user agent, device identifiers, throttling counters, abuse flags, error logs.
  • Media: professional profile picture (publicly visible in search and listings) and optional files uploaded in the context of appointments (not public).
  • Cookies: strictly necessary session cookie(s) for authentication and security.
  • Professional Notes: titles, timestamps, and content of Notes created by Professionals for their own use. Notes are private to the Professional and, if enabled by the Professional, to authorized assistants.
  • Assistant permissions: when a Professional enables assistant access, we process the permissions linking the assistant to the Professional’s workspace.

We intentionally avoid collecting medical records or diagnoses.

Chat (in-product messaging)

We process chat content exchanged between users and professionals, timestamps, and limited technical metadata (sender/recipient IDs, delivery status). Messages are encrypted in transit (HTTPS) and encrypted at rest by our providers. This is not end-to-end encryption because the controller (site owner) can access chat strictly for safety, abuse handling, and compliance. No staff access.

Purposes & legal bases:

  • Deliver chat (contract; legitimate interests). Safety & abuse prevention and lawful requests (legitimate interests; legal obligation where applicable).

Access control:

  • Only the controller (site owner) may access chat content when strictly necessary. We may disclose data to authorities where legally required. We do not arbitrate disputes; Mawaaid is a venue only.

Retention:

  • Chat is retained up to 5 years and then deleted or anonymized, unless longer retention is required by law or to resolve an active case.

Use limitations:

  • Chat is for appointment logistics. Do not send passwords, full card numbers, national IDs, medical records, or other sensitive data.

Files (secure sharing) & Professional Notes

Files:

  • Files are scanned for malware and stored privately. Prohibited content includes illegal material and sensitive data not necessary for scheduling. Professionals must have a lawful basis to share any client data. Retention: until the Professional deletes them or the Professional’s account is closed, unless a longer period is required by law or to resolve an active case.

Professional Notes:

  • Notes are controlled by the Professional and are not a medical record system. If a Professional enters special-category data, they are responsible for having a lawful basis and required consents. Notes persist until deletion or account closure.

3) Purposes & legal bases

  • Provide the service (accounts, search/listing, booking/canceling, dashboards, role guard). Legal bases: contract performance and legitimate interests (service integrity).
  • Subscriptions & billing (pros) (plan activation, invoicing, fraud prevention). Legal bases: contract, legal obligation (accounting/tax), legitimate interests.
  • Security & abuse prevention (email verification, login throttling, cancellation/no-show controls, audit). Legal basis: legitimate interests.
  • Provide the files feature (store and deliver documents so participants can download/view them). Legal bases: contract performance; legitimate interests (reliable service).
  • Safety & abuse prevention (automated malware scanning, handling abuse reports) and lawful requests. Mawaaid does not arbitrate private disputes. Legal bases: legitimate interests; legal obligation where applicable.
  • Provide the Notes feature (creation, storage, and display to the Professional and authorized assistants). Legal bases: contract performance; legitimate interests (reliable service).
  • No health data: we do not intend to process special-category data (health). Do not include medical records in Notes, files, or chat. If you choose to do so, you are responsible for having a lawful basis and required consents.
  • Service communications (verification, receipts, critical notices). Legal bases: contract / legal obligation / legitimate interests. No marketing without consent.
  • Compliance (court orders, record-keeping, tax). Legal basis: legal obligation.

4) Cookies & local storage

We use only strictly necessary cookies/local storage.

  • session – HttpOnly authentication/session cookie for access control and CSRF protection.

If we add analytics or advertising in the future, we will request your consent before setting any non-essential cookies and provide a “Manage cookies” choice.

You can review all technical details in our dedicated cookies notice.

5) Who we share data with

We share personal data only to run Mawaaid, under contracts that require confidentiality and appropriate security:

  • Hosting & databases: Google Cloud Platform, Firebase Authentication, Firestore, Cloud Storage.
  • Payments: Stripe for professional subscriptions.
  • Email/SMS: SendGrid/Twilio (transactional messages only).
  • Authorities: where required by law or to protect rights and safety.
  • Access control (files): only the site owner (controller) may access file contents when necessary for the purposes above; no staff access. Hosting providers process files under our instructions. We may disclose data to competent authorities where legally required.

We do not sell personal data.

5.A) Controller/Processor roles

We act as Controller for account, billing, security, and platform operations data. For content a Professional creates or uploads for their clients—such as Notes, appointment files, and chat messages exchanged with clients—the Professional acts as Controller and Mawaaid acts as Processor, processing that content under the Professional’s instructions to operate the service.

See our Data Processing Addendum (DPA).

6) International transfers

We host and process personal data within the EU/EEA. Some service providers may process limited data outside the EEA (e.g., payments or email delivery). Where such transfers occur, we rely on the European Commission’s Standard Contractual Clauses (and the UK addendum where relevant) and appropriate supplementary measures. You can request our current list of service providers and safeguards at hzedassist@gmail.com.

7) Retention

  • Files (uploaded with appointments): remain until the Professional deletes them or the Professional’s account is closed, unless a longer period is required by law or to resolve an active case.
  • Notes: retained until the Professional deletes them or the Professional’s account is closed, unless a longer period is required by law or to resolve an active case.
  • Note attachments (files uploaded within Notes): retained without a fixed time limit and remain until the Professional deletes them or the Professional’s account is closed, subject to legal holds where applicable.
  • Shared files (outside Notes): retained for a maximum of 1 year unless deleted earlier by the User or Professional, or longer if required by law or to resolve an active case.
  • Assistant permissions: retained while the assistant role is enabled and for a short audit period thereafter.
  • Database information (accounts, profiles, bookings, billing references, terms acceptance logs, and other audit logs): retained for 5 years to support legal claims, fraud prevention, and accounting obligations.
  • Aggregated analytics that do not identify individuals may be kept longer.

8) Your rights

  • Lebanon: rights to be informed, access a copy, correct/erase inaccurate or excessive data, and object on legitimate grounds (statutory exceptions may apply).
  • EU/EEA & UK: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable.

To exercise rights, please use our contact form or email hzedassist@gmail.com. We may verify identity and respond within the period required by law.

You also have the right to lodge a complaint with your local supervisory authority in the EEA or with the UK Information Commissioner’s Office (ICO).

9) Deleting your account

You can delete your account at any time from the sign-up page (Wrong category) or from your profile when signed in. Certain records (e.g., invoices or audit logs) may be retained for the retention periods above or as required by law.

10) Security

We protect data in transit and at rest, limit access to a small number of authorized administrators, keep audit logs, and regularly review our systems. We run rate limits and abuse defenses, and we periodically test our security. No online service is 100% secure, but we work to detect issues quickly and fix them.

  • Encryption in transit (HTTPS), provider-level encryption at rest, and access controls.
  • Abuse prevention (login throttling, rate limiting, cancellation/no-show checks) and audit trails.
  • If a personal data breach affects your data, we will notify the competent authority within 72 hours where required and notify affected individuals without undue delay where the risk is high.
  • Files are encrypted in transit (HTTPS) and at rest. We apply strict access controls and audit logging, and may run automated scans to detect malware or abuse.

11) Children

Mawaaid is not intended for persons below the local “digital consent” age in the EEA/UK (15 in France; 16 in some other Member States), and under 18 elsewhere. If we learn we collected such data, we will delete it.

12) Changes

We may update this Policy. We will post updates here and refresh the “Last updated” date; material changes may receive additional notice.

13) Contact

For privacy questions or requests, please use our contact form or email hzedassist@gmail.com.
