Atbaag

Privacy

Last updated: 28 May 2026

The short version

Atbaag is a map-first restaurant rating app covering Madinah, Jeddah, and Riyadh. It works by showing you what your friends — and friends of friends — actually rated, instead of strangers on the internet. To do that we need to know who's in your contacts. We do it the boring, safe way: contact numbers are hashed on your phone before they ever leave it, and we only ever store hashes. There's no advertising network attached to this app, no third-party analytics, and you can delete your account from inside the app at any time.

What we collect

  • Phone number — required to rate restaurants, save places, and add friends. Verified via a one-time code over WhatsApp or SMS. Stored alongside your account in Supabase.
  • Apple ID identifier — if you choose Sign in with Apple. Apple gives us an opaque user id (and an email, which we don't require). With Apple Sign In alone you can browse and view City-tier ratings; to add friends or rate within Inner Circle / Network you'll need to verify a phone number too.
  • Contact hashes — when you explicitly choose to find friends from contacts (via the Friends tab's “Find from contacts” action), the app reads your address book on-device, normalises each number, and sends only the SHA-256 hash of each number to our server. The server compares those hashes against other Atbaag users' phone hashes to find matches, returns the matched user IDs, and discards the submitted hashes — they are not stored. The raw phone numbers, names, and any other contact fields stay on your phone and are not transmitted.
  • Your ratings, want-to-try list, and friend graph — what you create inside the app. Visible only according to the trust tier you grant: friends see your direct rating, friends of friends see an anonymised aggregate, everyone else sees the city average.
  • Device metadata — minimum required to run the app: OS version, app version, language. We do not collect IDFA or any cross-app advertising identifier.

What we don't do

  • No third-party analytics SDKs (no Firebase Analytics, Mixpanel, Amplitude, etc.).
  • No advertising SDKs, no ad networks, no IDFA tracking.
  • No selling, renting, or trading your data to anyone.
  • No raw phone numbers from your contact book hitting our servers.

Who can see what

Trust tiers in Atbaag map directly to what other users see:
  • Inner Circle — your direct friends see your individual rating and your name as it appears in their phone's contacts.
  • Network — friends-of-friends see an anonymised aggregate score (minimum 2 raters before it appears) without attribution.
  • City — everyone sees the city-wide community average. Individual contributors are not identified.

Where your data lives

Atbaag uses Supabase (Postgres) for storage and authentication, and Cloudflare for the web landing page you're reading right now. We rely on Apple for Sign in with Apple and on WhatsApp/Twilio for one-time-code delivery. These providers process the bare minimum data required to deliver their respective services.

Deleting your account

Open the app, go to Account → Delete account, and confirm. Your ratings, want-to-try list, friend connections, contact hashes, and account record are erased. There is no "cold storage" copy and no undo. If you signed in with Apple, you may also revoke Atbaag's access from your iPhone's Settings → Apple ID → Sign-In & Security → Sign in with Apple.

Children

Atbaag is not directed at children under 13. If you believe a child has created an account, email us and we'll remove it.

Changes

If we change anything material in this policy we'll update the date at the top of this page and notify signed-in users in-app before the change takes effect.

Contact

Questions about privacy or a deletion request you can't complete in-app: [email protected].