Privacy Policy

1. Introduction

Ambia Global Technologies Ltd, a company incorporated in the Dubai International Financial Centre (DIFC), Dubai, United Arab Emirates, trading as "Sundae" or "Sundae.io" ("Sundae", "we", "us", or "our"), is committed to protecting your privacy and ensuring the security of your personal information.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:

• Visit or use our websites,
• Use our AI-powered decision-intelligence platform and related products (including Sundae Report), and
• Interact with us in connection with those services (together, the "Services").

By using the Services, you agree to the collection and use of your information in accordance with this Privacy Policy. If you do not agree, you should not use the Services.

This Privacy Policy should be read together with our Terms of Service, which describe the contractual relationship between you and Sundae and define concepts such as Customer Data, Aggregated Data, and Benchmark Data.

2. Information We Collect

We collect different types of information depending on how you interact with us and which parts of the Services you use.

2.1 Information You Provide to Us

We collect information that you voluntarily provide to us, for example when you:

• Create an account or register for our Services
• Complete an onboarding or integration process
• Contact us directly or request customer support
• Participate in surveys, promotions, or events
• Provide feedback, testimonials, or respond to product research
• Connect third-party services (such as POS, HR, payroll, accounting, or CRM systems) to our platform

This information may include:

• Contact details: name, email address, phone number
• Professional details: company name, job title, role, industry segment
• Account details: username, password, preferences, communication settings
• Communications: messages you send us, feedback, support requests
• Any other information you choose to provide.

2.2 Restaurant and Business Data (Customer Data)

As part of our Services for restaurants and hospitality businesses, we collect and process business and operational data that you or your organization provide or connect to the platform ("Customer Data").

This may include, without limitation:

• Sales and transaction data from POS systems (e.g., items sold, transaction amounts, timestamps, payment methods, discounts, promotions)
• Operational metrics (e.g., covers, table turns, occupancy, average check, service times)
• Inventory and supply chain data (e.g., stock levels, ordering data, cost of goods sold)
• Employee and workforce data (e.g., shift schedules, roles, performance metrics, anonymized identifiers; we advise you not to upload unnecessary sensitive personal data)
• Financial and accounting data (e.g., revenue figures, high-level P&L metrics)
• Customer interaction data (e.g., feedback, ratings, reviews, loyalty behavior, where provided or integrated by you).

Much of this data will relate to your business, but some may contain personal information about your employees, contractors, or customers. Where you provide such data, you are responsible for ensuring that you have an appropriate legal basis to do so and that any required notices have been given.

2.3 Automatically Collected Information

When you access or use the Services, we automatically collect certain information about your device and usage ("Usage Data"), such as:

• Device information: IP address, browser type, device type, operating system
• Usage data: pages or screens viewed, features used, time and date of visits, time spent, clicks and interactions
• Log data: access logs, error reports, performance and diagnostic data
• Approximate location information: derived from your IP address or device settings (where permitted by law and with your consent where required)
• Cookies and similar technologies: identifiers, session information, and preferences (see Section 9 below).

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide and operate the Services
  Setting up and managing accounts
  Providing dashboards, analytics, and AI-powered insights
  Integrating with your POS and other systems
• To process and analyze your data
  Processing Customer Data to generate reports, KPIs, alerts, and recommendations
  Creating comparative and benchmarking analytics (including Sundae Report) using Aggregated Data and Benchmark Data
• To improve and develop the Services
  Monitoring performance and usage patterns
  Debugging, troubleshooting, and enhancing features
  Training and tuning our models using Aggregated Data that does not identify individuals or your business
• To personalize your experience
  Remembering your settings and preferences
  Tailoring content, features, and communications to your context
• To communicate with you
  Sending service-related announcements, updates, and security alerts
  Responding to your requests and inquiries
  Providing onboarding and customer success support
  Sending you information about new features, offers, and events (you can opt out of marketing at any time)
• To ensure security and prevent misuse
  Detecting, investigating, and preventing fraud, abuse, and security incidents
  Enforcing our Terms of Service and other policies
• To comply with legal obligations
  Responding to lawful requests and legal processes
  Maintaining records as required by law
  Complying with data protection, tax, and other regulatory requirements

For users in the EEA/UK or other regions requiring a lawful basis, we generally rely on:

• Performance of a contract (to provide and support the Services),
• Legitimate interests (to improve and secure the Services, perform analytics, and communicate with you about relevant features),
• Consent (for certain marketing communications, cookies, and where required for specific processing), and
• Legal obligations (where we must retain or disclose data).

4. Information Sharing and Disclosure

We do not sell your personal information to third parties.

We may share your information in the following circumstances:

4.1 With Your Consent or Direction

We may share your information when you explicitly consent to it or direct us to do so, for example when:

• You authorize us to connect with third-party services (POS, HR, accounting, or other integrations), or
• You share specific reports or outputs with third parties (e.g., business partners, advisors).

4.2 Service Providers (Processors)

We use trusted third-party service providers who perform services on our behalf, such as:

• Cloud hosting and infrastructure
• Data storage and backup
• Payment processing
• Customer support and communication tooling
• Analytics, logging, and monitoring
• Security and fraud prevention services

These providers are contractually obligated to:

• Use the information only to provide services to us, and
• Protect your information with appropriate technical and organizational measures.

4.3 Aggregated and Benchmark Data

We may share Aggregated Data and Benchmark Data derived from Customer Data and Usage Data in a form that does not identify you or any individual. This may include industry reports, anonymized benchmarks, and performance insights across segments or geographies.

4.4 Legal Requirements and Protection of Rights

We may disclose your information if we believe it is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request
• Protect the rights, property, or safety of Sundae, our users, or the public
• Enforce our agreements, including the Terms of Service
• Detect, prevent, or address fraud, security, or technical issues

4.5 Business Transfers

If Sundae or Ambia is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its business or assets, your information may be transferred as part of that transaction. We will take reasonable steps to ensure that the recipient honors this Privacy Policy or a substantially similar policy and, where required by law, we will notify you of such changes.

5. Data Security

We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Secure data storage and backup procedures
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Employee training on data protection practices
• Incident response and breach notification procedures

Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee the absolute security of your information.

6. Data Retention

We retain your information for as long as reasonably necessary to:

• Provide and support the Services
• Fulfill the purposes described in this Privacy Policy
• Comply with our legal and regulatory obligations
• Resolve disputes and enforce our agreements
• Maintain appropriate business and financial records

When you close your account, we will delete or anonymize your personal information within a reasonable period (typically within 90 days), except where retention is necessary for:

• Compliance with legal or regulatory obligations
• Fraud prevention and security incident logs
• Pending or potential disputes
• Backup and disaster recovery (where data will be securely stored and then deleted in line with our retention cycles)

Aggregated Data and Benchmark Data that no longer identifies you or any individual may be retained and used indefinitely for legitimate business purposes.

7. Your Rights and Choices

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct or update inaccurate or incomplete information.
• Deletion: Request that we delete your personal information, subject to certain exceptions.
• Restriction: Request that we restrict our processing of your information in certain circumstances.
• Portability: Request a structured, commonly used, machine-readable copy of certain information and request that we transfer it to another controller where technically feasible.
• Objection: Object to certain processing based on our legitimate interests, including profiling.
• Marketing: Opt out of direct marketing communications at any time (for example, via the "unsubscribe" link in our emails).

To exercise these rights, please contact us at privacy@sundae.io. We will respond in accordance with applicable data protection laws and may need to verify your identity before fulfilling your request.

You may also have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can attempt to resolve your concerns.

8. International Data Transfers

Sundae is headquartered in the United Arab Emirates and may process information in the UAE and in other countries where we or our service providers operate. This means your information may be transferred to, stored, and processed outside your country of residence, including in countries that may not provide the same level of data protection as your home jurisdiction.

Where required by law (for example, for users in the European Economic Area (EEA), United Kingdom, or other regions with data transfer restrictions), we implement appropriate safeguards for cross-border transfers, such as:

• Standard Contractual Clauses approved by the European Commission or other competent authorities;
• Reliance on adequacy decisions where available; and/or
• Other lawful transfer mechanisms permitted under applicable data protection laws.

You can contact us for more information about the safeguards we use for international transfers relevant to you.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (such as web beacons and pixels) to collect and store certain information when you use our Services.

Cookies may be:

• Essential cookies: Required for core site functionality, authentication, and security.
• Analytics cookies: Helping us understand how the Services are used so we can improve them.
• Preference cookies: Remembering your settings and choices.
• Marketing cookies: Used to deliver relevant content and measure the effectiveness of campaigns.

You can control cookies through your browser settings, and some jurisdictions may require or allow you to manage cookie preferences via a dedicated consent banner. If you choose to disable certain cookies, some features of the Services may not function properly.

10. Third-Party Links and Services

Our Services may contain links to third-party websites or services that are not owned or controlled by Sundae. We are not responsible for the privacy practices of these third parties.

We recommend that you review the privacy policies of any third-party services you access through our platform. This Privacy Policy applies only to information collected by Sundae.

11. Children's Privacy

Our Services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we become aware that we have collected personal information from children under 13 without verification of parental consent, we will take steps to remove that information from our servers.

12. Region-Specific Information

12.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA, including:

• The right to know the categories of personal information collected and the purposes for which it is used;
• The right to know whether personal information is sold or shared;
• The right to access and, in some cases, request deletion of your personal information;
• The right to opt out of certain "sales" or "sharing" of personal information (where applicable);
• The right to non-discrimination for exercising your privacy rights.

Sundae does not sell personal information as that term is generally defined under the CCPA. To exercise your California rights, you may contact us at privacy@sundae.io.

12.2 EEA/UK – GDPR

If you are in the EEA or UK, the General Data Protection Regulation (GDPR) and UK GDPR give you the rights described in Section 7, and require us to describe our lawful bases for processing, which we have summarized in Section 3 (contract, legitimate interests, consent, legal obligations).

If you believe our processing of your personal information infringes applicable law, you have the right to lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to deal with your concerns first.

12.3 UAE and DIFC

For users located in the UAE or using the Services via Ambia's DIFC entity, we process personal information in accordance with applicable UAE data protection laws and relevant DIFC regulations. Our primary contact point for privacy matters is listed in Section 14.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

When we make material changes, we will take reasonable steps to notify you, such as by:

• Posting the updated Privacy Policy on this page, and/or
• Providing notice within the Services or by email.

The "Last updated" date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Services after any changes become effective will signify your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

If you contact us with a privacy request or concern, we will take reasonable steps to respond within the timeframes required by applicable law.