Privacy Policy
Last updated: 6 July 2026
Joba (Arabic: جوبا) — "we", "us", "our" — is a directory that connects people who need home services ("Consumers") with independent service providers ("Providers") in the Arab world. Joba is operated from Kuwait by its founder; a formal operating entity is being established and this policy will be updated with its details. This policy explains what personal data we handle, why, and your rights. It is written to align with GCC data-protection laws (the Saudi PDPL, the UAE PDPL, and applicable Kuwait rules).
One thing to understand first: Joba only connects you. Providers are independent; you deal and pay with each other directly, off the platform. We do not process payments between Consumers and Providers and never collect card or bank details for those transactions.
This policy covers the Joba website (currently https://joba-rouge.vercel.app)
and the Joba mobile app.
1. Data we collect
Account and profile.
- Providers: name, phone number and/or email, business or display name, service categories, city and service area, availability status, and optional profile details (e.g. years of experience, response time).
- Consumers: your name and phone number, which you provide when you send your first contact request. Consumer accounts are created by verifying that phone number or email (see sign-in below); browsing never requires an account.
Sign-in (one-time codes). We use passwordless sign-in: you enter a phone number or email address and we send a short-lived one-time code (OTP) by SMS or email. We store the verified phone/email as your account identifier. We never see or store passwords.
Location. If you grant the app location permission (or the browser equivalent), we use your device's location at the moment you search to find providers near you. The coordinates are sent to our server to run that search. If you attach a location to a service request, it is stored with that request so the provider knows where the job is. Location access is while-in-use only — we do not track your location in the background and we do not build a movement history. You can always decline and choose a city manually instead; the service works without location.
Push notification tokens. If you enable notifications in the app, we store the device push token issued by Apple (APNs) or Google (FCM), the device platform, and when it was last seen, linked to your account. We use it only to deliver service notifications — above all, alerting a Provider that a new request arrived. Tokens are deleted when your account is deleted.
Service requests (leads). The category, note, city/location, and the contact details you choose to share when you contact a Provider, plus the request's status over time (viewed, responded, won/lost) and — if a Provider records it — an approximate job value. This is what powers each Provider's own statistics.
Reviews and content. Ratings, review text, and other content you post. Reviews are tied to a real contact request.
Analytics events. The app and website record product-usage events in our own database so we can understand whether the service actually works (do requests turn into jobs?). Each event stores the event name, a small set of properties, the page path, your interface language, the platform (web/app), and a timestamp. The current events are:
| Event | What is recorded | Why |
|---|---|---|
service_searched |
the search term or category chosen | which services people look for |
nearby_searched |
category and number of results | whether "near me" search finds providers |
provider_viewed |
the ID of the provider profile viewed | which profiles get attention |
lead_submitted |
provider ID and category | how many searches become contact requests |
availability_changed |
the provider's new status | how providers manage availability |
lead_status_changed |
lead ID and new status | whether providers respond to requests |
job_won |
lead ID and the job value the provider entered | whether requests become real jobs |
Analytics events do not contain your name, phone number, or message text. They are stored in our own database (not sent to an advertising network), are write-only from the apps, and we use no third-party advertising or tracking SDKs.
Device and technical data. Device type, app version, and basic logs needed to run and secure the service.
2. How we use data
- Match Consumers with nearby, available Providers.
- Deliver contact requests and notifications to Providers.
- Operate accounts, reviews, safety, and moderation.
- Show each Provider their own statistics (requests, responses, jobs won).
- Analyse usage to improve the service and validate that it works.
- Comply with law and enforce our Terms of Service.
Legal bases: performance of our service to you; your consent (e.g. precise location, push notifications, marketing); and our legitimate interests (safety, fraud prevention, service improvement), as recognised under applicable GCC law.
3. Sharing
With the Provider you contact: when you send a contact request, we share the details needed for the Provider to reach you (your name, phone number, your note, and the job location if you attached one). This is the core of the service — you are choosing to be contacted. Providers may not use your details for anything beyond responding to your request.
Service vendors (processors) acting on our instructions:
Vendor Role Where Supabase database, authentication, and backend hosting Frankfurt, Germany (EU) Vercel website hosting global edge network Apple (APNs) / Google (FCM) push-notification delivery per Apple/Google infrastructure SMS/email delivery providers delivering one-time sign-in codes per provider infrastructure Legal and safety: where required by law, or to protect users' rights and safety.
We do not sell personal data and do not share it with advertising networks.
4. Where your data is stored
Our database and backend are hosted with Supabase in Frankfurt, Germany (European Union). This means your data is processed outside your country of residence. We rely on the safeguards required by applicable law for such transfers, including hosting in a jurisdiction with strong statutory data protection (the EU GDPR framework) and contractual commitments from our vendors.
5. Retention
We keep personal data only as long as needed for the purposes above and to meet legal obligations, then delete or anonymise it. In particular: one-time sign-in codes expire within minutes; push tokens are removed when the account is deleted; contact requests and their statuses are kept while the related accounts are active (they power Provider statistics); analytics events are retained for up to 24 months and are not tied to your name or phone number.
6. Your rights
Subject to applicable law, you may request to access, correct, delete, or object to the processing of your data, and to withdraw consent (e.g. disable location or notifications in your device settings at any time). You can request deletion of your account and its data by contacting us; account deletion will also be available inside the app.
Contact azizal7seny@gmail.com — we respond within the period required by law.
7. Security
We apply reasonable technical and organisational measures: encryption in transit, access controls, and row-level data isolation in our database so users can only read what they are entitled to. No system is perfectly secure.
8. Children
The service is for users 18 years or older. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
9. Changes and contact
We may update this policy and will post the new version here with a revised date. Material changes will be flagged in the app or on the site.
Questions or requests: azizal7seny@gmail.com — Joba (جوبا), Kuwait.
This policy is published in Arabic and English.