Privacy Policy
Last updated: 22 June 2026 · Effective date: 22 June 2026
- Data controller: BLUE BRIDGE TECHNOLOGY SERVICES FZCO (“Blue Bridge”, “Qisto”, “we”, “us”, “our”)
- Legal form: Free Zone Company (FZCO) registered in the United Arab Emirates
- Registered office: Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
- Trade Licence No.: 89293
- General contact: hello@qistoapp.com
- Privacy / data-protection contact: privacy@qistoapp.com
- Website: qistoapp.com
1. Scope & who we are
This Privacy Policy explains how Blue Bridge Technology Services FZCO (referred to here as “Blue Bridge”, “Qisto”, “we”, “us” or “our”) collects, uses, shares and protects personal information when you:
- visit our website at qistoapp.com;
- create or use a Qisto account through our mobile application;
- communicate with us via WhatsApp, SMS, email, or in-app channels; or
- otherwise interact with our services (together, the “Services”).
Blue Bridge Technology Services FZCO is the operator of Qisto and the controller of personal information processed in connection with the Services.
2. Information we collect
We collect the following categories of personal information:
2.1 Information you provide directly
- Account & contact information: phone number, name, date of birth, residential address, email address.
- Identity verification (KYC): national ID number, photographs of your government-issued ID (front and back), and a selfie used to confirm your identity.
- Financial & transactional information: bank account details (where provided), purchase amounts, instalment schedules, repayment history.
- Communications: messages you send us via WhatsApp, SMS, email, in-app chat, or support tickets, including any attachments.
- Optional profile data: occupation and other details you choose to share.
2.2 Information collected automatically
- Device & technical data: device model, operating system, app version, language, time zone, mobile network, IP address, device identifiers, crash logs, and approximate location derived from IP.
- Usage data: pages and screens viewed, features used, in-app interactions, timestamps, and similar diagnostic information.
2.3 Information from third parties
- Identity-verification providers that confirm the authenticity of your ID documents.
- Merchants where you make purchases (limited to transaction amount and purchase reference).
- Public registries and fraud-prevention services, where permitted by law.
3. How we use your information
We use your personal information for the following purposes:
- To create, secure and operate your Qisto account;
- To verify your identity and meet our Know-Your-Customer (KYC) and anti-money-laundering (AML) obligations;
- To send one-time passwords (OTPs) and security codes (via WhatsApp, SMS or push notifications);
- To process purchases, repayments, and instalment schedules;
- To send transactional and service messages — such as payment reminders, due-date notices, receipts, and account alerts — via WhatsApp, SMS, email and push notifications;
- To provide customer support and respond to your enquiries;
- To detect, prevent and investigate fraud, abuse, and security incidents;
- To comply with applicable laws, regulations, court orders, and legitimate requests from public authorities;
- To improve, personalise, and develop the Services (using aggregated or de-identified data wherever possible);
- With your separate consent, to send you marketing or promotional messages about Qisto offers and partner merchants — you can withdraw consent at any time.
4. Lawful basis for processing
Where data-protection law requires a lawful basis, we rely on one or more of the following:
- Performance of a contract — to provide the Services you have requested (account, purchases, repayment management).
- Compliance with a legal obligation — KYC/AML, tax, financial reporting and other regulatory requirements.
- Legitimate interests — to operate, secure and improve the Services, prevent fraud, and protect our rights and users.
- Consent — for optional marketing messages and other processing that requires consent under applicable law. You may withdraw consent at any time.
5. WhatsApp & messaging
We use the WhatsApp Business Platform, provided by WhatsApp Ireland Limited (a Meta company), and other channels (SMS, push, email) to communicate with you about your Qisto account.
What we send over WhatsApp:
- One-time passwords (OTPs) for login and verification;
- Account and security notices;
- Payment due reminders, instalment notices, and receipts;
- Customer support responses to messages you initiate;
- If you have opted in: promotional updates about Qisto offers and partner deals.
Transactional & service messages (e.g. OTPs, security alerts, payment due notices, receipts and customer-support replies) are necessary for the Services to function. By providing your phone number and using the Services, you agree to receive these messages via WhatsApp and SMS. They cannot be disabled while your account is active, but you may close your account at any time.
Marketing & promotional WhatsApp messages are sent only with your separate, explicit opt-in — collected during sign-up in our app, or in the in-app notification settings. You can withdraw consent at any time by replying STOP in WhatsApp, by turning off marketing notifications in the app, or by emailing privacy@qistoapp.com. Withdrawing consent will not affect transactional messages required to operate your account.
Our use of WhatsApp complies with Meta’s WhatsApp Business Messaging Policy and WhatsApp Commerce Policy. Messages routed through WhatsApp are also subject to WhatsApp’s own privacy practices, available at https://www.whatsapp.com/legal/privacy-policy.
6. Sharing your information
We share personal information only as needed and only with the following categories of recipients:
- Service providers (processors) acting on our instructions, including: cloud and database hosting providers, identity-verification providers, payment processors and banks, SMS / WhatsApp gateways, analytics and crash-reporting providers, and customer-support tools.
- WhatsApp / Meta Platforms — to deliver messages sent via the WhatsApp Business Platform.
- Merchants where you transact — limited to information needed to confirm and reconcile your purchase.
- Regulators, courts, law-enforcement and other authorities — where we are legally required, or to protect our rights, users or the public.
- Professional advisors — auditors, lawyers and consultants under confidentiality obligations.
- Successors — in connection with a merger, acquisition, financing or sale of assets, subject to appropriate safeguards.
We do not sell your personal information. We do not share it with third parties for their own independent marketing purposes without your consent.
7. International transfers
Qisto operates from the United Arab Emirates and serves users in our supported markets. Some of our service providers — including Meta Platforms, cloud-hosting providers and analytics partners — may be located in, or process data in, jurisdictions other than your country of residence (including the United States, the European Economic Area and India).
When personal information is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms recognised under applicable data-protection laws.
8. Data retention
We retain personal information only for as long as needed to fulfil the purposes set out in this Policy:
- Account & KYC records — for the duration of your account and for a minimum period after closure as required by AML and financial-record-keeping laws (typically 5–7 years).
- Transaction records — for the period required by applicable accounting, tax and consumer-protection laws.
- Communications — for as long as needed to support, audit and improve our Services, and to defend legal claims.
- Device & usage logs — typically for up to 12–24 months, after which they are deleted or anonymised.
When information is no longer required, we securely delete or anonymise it.
9. Security
We implement appropriate technical and organisational measures to protect your personal information, including encryption in transit (TLS), encryption of sensitive data at rest, access controls, role-based permissions, audit logging, and regular security reviews. While no method of transmission or storage is fully secure, we work continuously to safeguard your data.
If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify you and the relevant authorities without undue delay, as required by applicable law.
10. Your rights & choices
Depending on the laws that apply to you, you may have the following rights:
- Access — obtain a copy of the personal information we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data, subject to legal-retention exceptions.
- Restriction & objection — restrict or object to certain processing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.
- Opt-out of marketing — reply STOP to WhatsApp messages, change in-app notification settings, or email us.
- Complain — lodge a complaint with the data-protection authority in your jurisdiction.
To exercise any of these rights, email privacy@qistoapp.com. We will verify your identity and respond within 30 days, or sooner where required by law.
11. Children
The Services are intended for users aged 18 or older. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with information, please contact privacy@qistoapp.com and we will delete it.
12. Cookies & analytics
Our website (qistoapp.com) uses a small number of cookies and similar technologies, including:
- Strictly necessary — to enable core functionality (such as remembering your language and version preference).
- Analytics — if enabled, to understand how visitors interact with the site, in aggregated form. We use privacy-respecting analytics where available.
You can control cookies through your browser settings. Our mobile app does not use browser cookies but may use device identifiers for similar purposes, as described in section 2.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to the Services or to legal requirements. The “Last updated” date at the top of this page shows when this Policy was last revised. Material changes will be communicated through the app, by email, or by prominent notice on this page. Your continued use of the Services after the changes take effect constitutes acceptance of the revised Policy.
14. Contact us
For any privacy-related question, request, or complaint, please contact:
- Company: BLUE BRIDGE TECHNOLOGY SERVICES FZCO
- Privacy / data-protection contact: privacy@qistoapp.com
- General contact: hello@qistoapp.com
- Registered office: Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
- Trade Licence No.: 89293
Governing law: this Privacy Policy and any related disputes are governed by the laws of the United Arab Emirates, without prejudice to any mandatory consumer-protection rights you may have under the laws of your country of residence.