Privacy Policy for Gozilla App
Effective Date: June 13, 2025
This Privacy Policy describes how Towbe Lebanon SAL ("we," "us," or "our"), the owner and operator of the Gozilla mobile application (the "App") and its related services, collects, uses, stores, shares, and protects your personal data. We are committed to protecting your privacy and handling your data transparently, in accordance with applicable laws, including Lebanese Law No. 81/2018 (Electronic Transactions and Personal Data Law), the European Union's General Data Protection Regulation (GDPR), and relevant data protection laws in the United States.
By accessing or using the Gozilla App and our services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with the terms of this policy, please do not use the App.
1. Definitions
- "App": Refers to the Gozilla mobile application.
- "Personal Data": Any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This includes "personal information" as defined by US state laws like the California Consumer Privacy Act (CCPA) and "personal data" as defined by the GDPR.
- "Processing": Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Data Controller": The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Policy, Towbe Lebanon SAL is the Data Controller.
- "Data Processor": A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. This includes our cloud provider and certain third-party service providers.
- "Service": Refers to the services provided by Towbe Lebanon SAL through the Gozilla App, including food ordering and delivery.
We collect various types of information to provide and improve our Service. This information may include Personal Data.
When you use the Gozilla App, you may provide us with the following information:
- Account Information: Your name, email address, phone number, password, and profile picture when you register for an account.
- Order Information: Details about your food orders, including items purchased, delivery address, special instructions, and preferred restaurants.
- Payment Information: Your payment card details (card number, expiration date, CVV) or other financial account information. Please note that we do not directly store full payment card details on our servers; this information is securely processed by our third-party payment processors.
- Communication Data: Information you provide when you communicate with us, such as through customer support inquiries, feedback, ratings, reviews, or participation in surveys.
- Dietary Preferences/Allergies: Optional information you may provide regarding dietary restrictions or allergies to help us tailor your experience.
When you access and use the App, we may automatically collect certain information about your device and usage patterns:
- Usage Data: Information about how you use the App, such as the pages or sections you view, the features you interact with, the restaurants you browse, the time spent on the App, and referral sources.
- Device Information: Details about the device you use to access the App, including device type, operating system, unique device identifiers, IP address, mobile network information, and browser type.
- Location Information: With your consent, we may collect precise or approximate location information from your mobile device to facilitate food delivery, show nearby restaurants, and improve delivery efficiency. You can enable or disable location services through your device settings.
- Cookies and Tracking Technologies: We use cookies and similar tracking technologies (e.g., pixels, web beacons) to track activity on our App and hold certain information. These technologies help us enhance your experience, analyze trends, and understand user behavior. For more details, please refer to Section 11.
We may receive information about you from third-party sources, such as:
- Payment Processors: When you make a purchase, our payment processors provide us with transaction confirmation and limited payment information (e.g., last four digits of your card, transaction ID).
- Delivery Partners: If you interact with third-party delivery services integrated with our App, they may provide us with delivery status updates or other relevant information.
- Social Media Services: If you choose to link, create, or log in to your Gozilla account through a social media service (e.g., Google, Facebook), we may receive certain information from that service (e.g., your name, email address, profile picture) as permitted by your privacy settings on that service.
- Publicly Available Sources: We may collect information from publicly available sources to verify or enhance your profile.
We use the collected information for various purposes, primarily to provide, maintain, and improve our Service, enhance user experience, and ensure security. Our legal bases for processing include your consent, the necessity to perform a contract with you, compliance with legal obligations, and our legitimate interests.
3.1. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we rely on the following legal bases for processing your Personal Data:
- Performance of a Contract: The processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (e.g., processing your order).
- Legitimate Interests: The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (e.g., improving our services, fraud prevention, marketing, analytics).
- Consent: Where you have given explicit consent for specific processing activities (e.g., for certain types of direct marketing or location data collection beyond what is strictly necessary for the service). You have the right to withdraw your consent at any time.
- Legal Obligation: The processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax or financial reporting).
- Vital Interests: The processing is necessary to protect your vital interests or those of another natural person (rarely applicable).
3.2. To Provide and Manage the Service
- To process and fulfill your food orders and deliveries.
- To manage your account, including registration, login, and preferences.
- To communicate with you regarding your orders, account updates, and customer support inquiries.
- To facilitate payments and send transaction confirmations.
- To enable features like saving favorite restaurants or re-ordering past meals.
3.3. To Personalize and Improve User Experience
- Personalization: To customize your experience on the App, including displaying relevant restaurants, menu items, and promotions based on your location, order history, and preferences.
- Data Analytics and Service Improvement: We use advanced analytics services, including AWS QuickSight, to analyze user behavior, understand trends, and gather insights into how our App is used. This helps us to:
  - Improve the design, functionality, and performance of the App.
  - Optimize our service offerings and operational efficiency.
  - Identify popular dishes, peak ordering times, and areas for service expansion.
- Recommendations: We use services like AWS Recommend to provide personalized recommendations for restaurants and dishes that we believe you might enjoy, based on your past orders, browsing history, and similar user preferences.
- Content Moderation and Enhancement: In certain instances, and with appropriate safeguards and anonymization where possible, we may utilize services like AWS Rekognition to analyze images uploaded by users (e.g., profile pictures, food photos in reviews). This is primarily for content moderation (e.g., detecting inappropriate content), enhancing user profiles (e.g., basic image analysis for personalization, without identifying individuals), and ensuring the integrity of our platform. We do not use Rekognition for biometric identification of individuals.
- To send you promotional communications, special offers, and news about Gozilla that may be of interest to you, based on your preferences.
- To conduct targeted advertising campaigns.
- You can opt-out of receiving marketing communications at any time by following the unsubscribe instructions provided in the emails or by adjusting your notification settings within the App.
3.5. For Security and Fraud Prevention
- To detect, prevent, and investigate fraudulent or illegal activities.
- To protect the security and integrity of our App, systems, and user data.
- To enforce our Terms of Service.
3.6. For Legal Compliance
- To comply with our legal obligations, including tax, accounting, and anti-money laundering requirements.
- To respond to lawful requests from government or public authorities, including those outside your country of residence.
We may share your Personal Data with the following categories of recipients:
- With Restaurants/Vendors: We share necessary order details (e.g., your name, delivery address, order items, contact number) with the restaurants or food vendors to fulfill your orders.
- With Delivery Partners: We share necessary delivery information (e.g., your name, delivery address, contact number, order details) with our delivery personnel or third-party delivery services to enable them to pick up and deliver your orders.
- With Service Providers (Data Processors): We engage trusted third-party service providers who perform services on our behalf and process data according to our instructions. These include:
  - Cloud Hosting Providers: Our platform is hosted on cloud infrastructure provided by major cloud providers (e.g., Amazon Web Services (AWS)). This means your data is stored on their secure servers.
  - Payment Processors: Companies that handle your payment transactions securely.
  - Analytics Providers: Companies like AWS QuickSight that help us analyze user behavior and App performance.
  - AI/ML Service Providers: Providers like AWS Rekognition and AWS Recommend, which are used to enhance user experience and provide personalized services as described in Section 3.3.
  - Customer Support Providers: Companies that help us manage and respond to your inquiries.
  - Marketing and Advertising Partners: Companies that assist us with marketing campaigns and targeted advertisements.

  These service providers are contractually obligated to protect your data and are prohibited from using your Personal Data for any purpose other than providing services to us. For GDPR compliance, we ensure that appropriate data processing agreements (DPAs) are in place.
- For Legal Reasons: We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such action is necessary to (a) comply with a legal obligation, (b) protect and defend our rights or property, (c) prevent or investigate possible wrongdoing in connection with the Service, or (d) protect the personal safety of users of the Service or the public.
- Business Transfers: In the event of a merger, acquisition, asset sale, or other corporate transaction, your Personal Data may be transferred to the acquiring entity. We will notify you of any such transfer and ensure the new entity adheres to this Privacy Policy.
- With Your Consent: We may share your information for any other purpose with your explicit consent.
- Aggregated or Anonymized Data: We may share aggregated or anonymized information that cannot reasonably be used to identify you. This data may be used for research, analytics, and marketing purposes without restriction.
5. Cloud Hosting and International Data Transfers
As part of our operations, particularly due to the use of cloud hosting providers like AWS and certain third-party services, your Personal Data may be stored and processed on servers located outside of Lebanon, including in regions where AWS infrastructure is available globally (e.g., in the United States, European Economic Area, etc.).
While Lebanese Law No. 81/2018 does not explicitly define rules for international data transfers, we are committed to ensuring that your Personal Data receives an adequate level of protection consistent with internationally recognized data protection standards, including those of the GDPR, even when transferred across borders.
For transfers of Personal Data originating from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection by the European Commission, we rely on appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs): Implementing the Standard Contractual Clauses approved by the European Commission.
- Binding Corporate Rules (BCRs): If applicable in the future.
- Adequacy Decisions: Relying on any applicable adequacy decisions by the European Commission.
We implement the following additional safeguards for international data transfers:
- We enter into data processing agreements and, where appropriate, rely on standard contractual clauses or other legal mechanisms approved for cross-border data transfers with our service providers.
- We select cloud providers and third-party services that adhere to high security standards and privacy certifications (e.g., ISO 27001, SOC 2, and specific privacy certifications like ISO 27701 for privacy information management, as observed with AWS).
- We strive to ensure that the processing of your data by our third-party service providers is limited to what is necessary for the purposes outlined in this Privacy Policy.
By using the Gozilla App, you acknowledge and agree to the potential transfer and processing of your Personal Data outside of Lebanon as described in this section.
6. Your Rights (Data Subject Rights)
Under Lebanese Law No. 81/2018, the GDPR, and applicable US state data protection laws (such as the CCPA/CPRA, Virginia CDPA, Colorado CPA, Utah UCPA, Connecticut CTDPA), you have certain rights regarding your Personal Data. These rights may vary based on your location and applicable law, but generally include:
- Right to Access/Know: You have the right to request access to the Personal Data we hold about you, including categories of personal information collected, sources from which it is collected, the business or commercial purpose for collecting, selling, or sharing personal information, categories of third parties to whom we disclose personal information, and specific pieces of personal information collected.
- Right to Rectification/Correction: You have the right to request that we correct any inaccurate or incomplete Personal Data we hold about you.
- Right to Erasure ("Right to be Forgotten"/Deletion): You have the right to request the deletion or removal of your Personal Data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent and no other legal basis for processing applies.
- Right to Object/Opt-out: You have the right to object to the processing of your Personal Data for certain purposes, especially direct marketing or commercial promotion, as per Articles 86 and 92 of Lebanese Law No. 81/2018. Under US laws, this may include the right to opt-out of the "sale" or "sharing" of your personal information (as these terms are defined by applicable US state laws) for cross-context behavioral advertising.
- Right to Restriction of Processing (GDPR): You have the right to request that we restrict the processing of your Personal Data under certain conditions (e.g., if you contest the accuracy of the data, the processing is unlawful, or we no longer need the data but you require it for legal claims).
- Right to Data Portability: You have the right to request a copy of your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.
- Right to Lodge a Complaint (GDPR): If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you believe that the processing of personal data relating to you infringes the GDPR.
- Right to Opt-Out of Automated Decision-Making, including Profiling (GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into or performance of a contract, authorized by law, or based on your explicit consent. While we use analytics and recommendation engines (e.g., AWS QuickSight, AWS Recommend) for personalization, these typically do not involve solely automated decisions with legal or similarly significant effects on you.
How to Exercise Your Rights:
To exercise any of these rights, please contact us using the contact information provided in Section 14 of this Privacy Policy. We will respond to your request in accordance with applicable law within the legally required timeframe (e.g., typically 30-45 days for US states, 30 days for GDPR, with possible extensions). Please note that we may ask you to verify your identity before responding to such requests.
Some US state laws (e.g., CCPA/CPRA) grant residents the right to opt-out of the "sale" or "sharing" of their personal information (as defined by those laws). While Towbe Lebanon SAL does not "sell" personal information in the traditional sense for monetary gain, we may "share" certain information with third-party advertising and analytics partners for cross-context behavioral advertising or similar purposes, which may constitute a "sale" or "sharing" under these laws.
If you are a resident of a US state that provides such a right, you may opt-out of the "sale" or "sharing" of your personal information by:
- Adjusting your preferences within the App's privacy settings (if available).
- Clicking on the "Do Not Sell or Share My Personal Information" link on our website (if applicable).
- Contacting us using the information in Section 14.
We will endeavor to respond to your request in accordance with applicable law.
8. Data Security
We implement robust technical and organizational security measures to protect your Personal Data from unauthorized access, alteration, disclosure, destruction, or accidental loss. These measures include:
- Encryption: Using encryption for data in transit and at rest where appropriate.
- Access Controls: Limiting access to Personal Data to authorized personnel who have a legitimate business need.
- Firewalls and Network Security: Employing firewalls and other network security technologies to protect our systems.
- Regular Security Audits: Conducting regular security assessments and vulnerability scans.
- Secure Payment Processing: Using PCI DSS compliant third-party payment processors to handle your financial information.
- Cloud Security: Leveraging the advanced security features and compliance certifications offered by our cloud provider (AWS) to protect data stored on their infrastructure.
While we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.
9. Data Retention
We retain your Personal Data for as long as necessary to fulfill the purposes for which it was collected, including for the purpose of satisfying any legal, accounting, or reporting requirements. This includes data necessary to maintain your account, process orders, provide customer support, and improve our services.
When your Personal Data is no longer required, we will securely delete or anonymize it in accordance with our data retention policies and applicable laws (including GDPR's storage limitation principle).
10. Children's Privacy
The Gozilla App is not intended for use by individuals under the age of 18 ("Children"). We do not knowingly collect Personal Data from Children. If you are a parent or guardian and you become aware that your child has provided us with Personal Data, please contact us immediately. If we become aware that we have collected Personal Data from a child without verification of parental consent, we will take steps to remove that information from our servers.
For California residents under 16 years of age, we do not knowingly "sell" or "share" their personal information without affirmative authorization, as required by the CCPA/CPRA.
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track the activity on our App and store certain information. Cookies are small data files placed on your device. The tracking technologies we use are beacons, tags, and scripts, which collect and track information and help us improve and analyze our Service.
You have the option to accept or refuse cookies and know when a cookie is being sent to your device. However, if you do not accept cookies, you may not be able to use some portions of our Service.
We use cookies for various purposes, including:
- Necessary Cookies: Essential for the operation of our App (e.g., maintaining your login session).
- Performance and Analytics Cookies: To collect information about how you use our App (e.g., which pages you visit most often), helping us improve its functionality.
- Functionality Cookies: To remember your preferences and choices (e.g., language, region) to provide a more personalized experience.
- Advertising Cookies: To deliver advertisements relevant to you and your interests.
For users in the EEA, UK, and Switzerland, we obtain your consent for non-essential cookies and tracking technologies through a clear and transparent consent management platform (CMP) or similar mechanism.
12. Third-Party Links
Our App may contain links to websites or services operated by third parties that are not owned or controlled by Towbe Lebanon SAL. This Privacy Policy applies only to our App and services. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top of this Privacy Policy. For material changes, we will also endeavor to provide direct notification to you, such as via email to the address associated with your account if provided. Your continued use of the App after the changes become effective constitutes your acceptance of the revised Privacy Policy.
14. Contact Us
If you have any questions about this Privacy Policy, your Personal Data, or your rights, please contact us:
Towbe Lebanon SAL
Gozilla App
Email: admin@towbe.com
Address: Berytech, Mathaf, Beirut, Lebanon