# Privacy Policy

*Published:* 2026-04-20

§ 01 Introduction
-----------------

Aladdin Restaurants Inc. (“Aladdin,” “we,” “us,” or “our”) is a family-owned halal Mediterranean restaurant business serving Houston, Texas since 2006. We operate two locations: Aladdin Mediterranean Cuisine (Montrose) and Aladdin Mediterranean Grill (Garden Oaks).

This Privacy Policy explains how we collect, use, share, and protect personal information when you interact with our business — whether you visit our website, order catering online, use our mobile application, sign up for our email list, visit our restaurants, or otherwise engage with our services.

We take your privacy seriously and are committed to transparency about our data practices. Please read this policy carefully. By using our website, mobile application, or services, you acknowledge that you have read and understood this Privacy Policy.

Plain English

Short version: we collect what we need to take your order and run the restaurant, and you can reach a human at <hello@aladdinshouston.com> to change or delete anything anytime.



---

§ 02 Scope of this policy
-------------------------

This Privacy Policy applies to personal information we collect through the following channels and services:

- Our website and any subdomains at aladdinshouston.com
- Our mobile application on the Apple App Store and Google Play Store
- Online ordering & catering placed through our Website, App, or WooCommerce-powered ordering platform
- Orders placed through third-party platforms (such as Toast) when data is transferred to us
- Product listings & promotions via Google Merchant Center, Google Shopping, and Google Ads
- In-restaurant interactions, including loyalty programs, gift cards, and customer feedback
- Our email newsletter, SMS communications, and promotional campaigns
- Social media pages and customer service channels operated by Aladdin

This policy does not apply to third-party websites, services, or applications that we link to or integrate with. Those third parties have their own privacy practices, and we encourage you to review their policies.

---

§ 03 Who we are
---------------

For the purpose of data protection laws, the data controller responsible for your personal information is:

Data controller

**Aladdin Restaurants Inc.**, a Texas corporation  
 **Montrose:** 912 Westheimer Road, Houston, Texas 77006  
 **Garden Oaks:** 1737 W 34th Street, Houston, Texas 77018  
 Email: <hello@aladdinshouston.com> · Web: [aladdinshouston.com](https://aladdinshouston.com)



---

§ 04 Information we collect
---------------------------

We collect personal information in three ways: **(a)** information you provide directly to us, **(b)** information we collect automatically through your use of our services, and **(c)** information we receive from third parties.

### 4.1 Information you provide directly

#### Contact & Identity

Full name · email · postal and billing addresses · telephone · date of birth (only if you participate in age-restricted promotions).

#### Order & Purchase

Order history and menu selections; catering inquiry details (event date, headcount, delivery address, dietary requirements); special instructions; gift-card purchases and redemption activity.

#### Payment

We do not directly store complete credit or debit card numbers. Payment card information is collected and processed by our PCI-DSS compliant payment processors (Stripe, Toast, and similar providers). We may retain the last four digits of your card, card type, and expiration date for order reconciliation, dispute resolution, and fraud prevention.

#### Account

Username and password (stored in a hashed, non-reversible format); account preferences and communication settings; saved addresses and payment methods (when you opt to save them); loyalty program membership and reward balances.

#### Communications & user-generated content

Messages you send through contact forms, email, or support; reviews, ratings, and feedback; photos or images you voluntarily upload; survey and questionnaire responses.

#### Marketing preferences

Email newsletter subscription status; SMS and push notification preferences; interests and promotion preferences you share with us.

### 4.2 Information collected automatically

- **Device & technical:** device type, model, OS, browser, IP address, device identifiers, mobile advertising identifiers (where permitted), language & regional settings.
- **Usage & analytics:** pages and features used; clicks, taps, scrolls; search queries; referring and exit URLs; crash logs and performance diagnostics.
- **Location:** with permission, coarse (city-level) or precise (GPS) location to find nearest Aladdin, calculate delivery, show local menus. You may disable location services at any time in your device settings.
- **Cookies:** see §07 for detail on cookies, pixels, and similar technologies.

### 4.3 Information from third parties

We may receive information about you from payment processors, third-party ordering platforms (Toast), delivery partners, social media platforms if you interact with our pages, analytics and advertising partners (Google Analytics, Google Ads, Meta), business partners, and publicly available sources such as Google Business Profile reviews.

---

§ 05 How we use information
---------------------------

We use the personal information we collect for the following purposes, consistent with the principle of data minimization:

| Purpose | What we do |
| --- | --- |
| **Fulfilling orders** | Processing and delivering dine-in, takeout, catering, and online orders; coordinating delivery; refunds and order issues. |
| **Customer accounts** | Creating and maintaining your account, authenticating you, saving preferences, and managing loyalty rewards. |
| **Customer service** | Responding to inquiries, handling complaints, investigating order issues, and improving service. |
| **Marketing & promotions** | Sending opted-in email & SMS offers and push notifications; showing relevant ads on our Website, App, and third-party platforms. |
| **Analytics & improvement** | Understanding how people use our Website and App so we can improve features, menus, and UX. |
| **Personalization** | Customizing your experience, including location-based menu display and personalized recommendations. |
| **Security & fraud** | Detecting, preventing, and investigating fraud, unauthorized access, and harmful activity. |
| **Legal compliance** | Complying with applicable laws, regulations, court orders, subpoenas, and government requests. |
| **Business operations** | Accounting, recordkeeping, tax reporting, auditing, and general business administration. |

### 5.1 Legal bases for processing (EU/UK users)

If you are located in the EEA, the United Kingdom, or Switzerland, the GDPR and UK GDPR require us to identify a legal basis for each processing activity. We rely on:

- **Contract** — to fulfill orders and provide services you request.
- **Consent** — for email marketing, push notifications, optional analytics, non-essential cookies. You may withdraw at any time.
- **Legitimate interests** — fraud prevention, security, service improvement, measuring marketing effectiveness, where not overridden by your rights.
- **Legal obligation** — tax, accounting, anti-money laundering, and other legal requirements.

---

§ 06 How we share information
-----------------------------

How we share

We do not sell personal information to data brokers for money. We do share certain identifiers with advertising partners (Google Ads, Meta) for behavioral advertising, which some laws treat as a “sale” or “share.” You can opt out using the methods in §11 or via the **Do Not Sell / Share** switch on this page.



### 6.1 Service providers

We share information with trusted vendors who perform services on our behalf. These providers are contractually required to protect your information and use it only for the purposes we specify. Categories include payment processors (Stripe, Toast), hosting and infrastructure (Kinsta, Cloudflare), email & SMS delivery (Mailchimp), analytics (Google Analytics), CRM and support tools, third-party ordering platforms (Toast), delivery partners, accounting (QuickBooks), and cloud storage providers.

### 6.2 Advertising & marketing partners

With appropriate consent where required, we share certain information (device identifiers, IP address, usage data) with platforms like Google Ads and Meta so we can show you relevant advertisements on other sites and apps, measure campaign performance, and build custom or lookalike audiences based on aggregated signals. Under CCPA/CPRA and similar laws, some of these activities may be considered “sharing” or “sale.” You can opt out using the methods in §11.

### 6.3 Business transfers

If Aladdin is involved in a merger, acquisition, restructuring, sale of assets, bankruptcy, or similar transaction, personal information may be transferred as part of it. We will notify you of any material change.

### 6.4 Legal & safety disclosures

We may disclose your information when we believe in good faith that it is necessary to comply with law or legal process; enforce our Terms; protect the rights, property, or safety of Aladdin, our customers, employees, or others; or to detect, prevent, or address fraud, security, or technical issues.

### 6.5 With your consent

We may share your information with third parties when you explicitly direct or authorize us to do so, such as when you use a “share” feature or connect a third-party service to your account.

---

§ 07 Cookies & similar technologies
-----------------------------------

We and our partners use cookies, web beacons, pixels, SDKs, local storage, and similar technologies (collectively, “cookies”) to operate our Website and App, remember your preferences, analyze usage, and deliver relevant advertising.

| Category | Description |
| --- | --- |
| **Strictly necessary** | Required for the Website to function: session management, shopping cart, login, security, fraud prevention. These cannot be disabled. |
| **Functional** | Remember your language, location, saved items, and similar preferences. |
| **Analytics** | Help us understand how visitors use our Website and App (e.g., Google Analytics). Usually aggregated and does not directly identify you. |
| **Advertising** | Used by us and our partners (Google Ads, Meta Pixel) to show relevant ads and measure campaign performance across sites and apps. |

You can manage non-essential cookies through our cookie banner or browser settings. When a **Global Privacy Control** (GPC) signal is present in your browser, our site detects it on load and automatically opts you out of sale / sharing on this device. You can also opt out of interest-based ads via [aboutads.info](https://www.aboutads.info/choices/) or [networkadvertising.org](https://optout.networkadvertising.org/), and opt out of Google Analytics using the browser add-on. We do not respond to Do Not Track (DNT) browser signals at this time because no common industry standard for DNT has been adopted; however, we do honor Global Privacy Control (GPC) signals as described above.

---

§ 08 Third-party services
-------------------------

We work with reputable third-party providers. Each has its own privacy policy that governs their handling of data.

| Provider | Purpose | Policy |
| --- | --- | --- |
| Toast | Online ordering, POS, payment processing | [toasttab.com/privacy](https://pos.toasttab.com/privacy) |
| Stripe | Payments for eCommerce & catering | [stripe.com/privacy](https://stripe.com/privacy) |
| WooCommerce / Automattic | eCommerce platform | [automattic.com/privacy](https://automattic.com/privacy/) |
| Kinsta | Website hosting | [kinsta.com/legal/privacy-policy](https://kinsta.com/legal/privacy-policy/) |
| Cloudflare | CDN, security, DDoS protection | [cloudflare.com/privacypolicy](https://www.cloudflare.com/privacypolicy/) |
| Google | Analytics, Ads, Maps, Merchant Center | [policies.google.com/privacy](https://policies.google.com/privacy) |
| Meta | Social advertising & audience insights | [facebook.com/privacy/policy](https://www.facebook.com/privacy/policy/) |
| Mailchimp (Intuit) | Email marketing | [mailchimp.com/legal/privacy](https://www.intuit.com/privacy/statement/) |
| Intuit QuickBooks | Accounting | [intuit.com/privacy](https://www.intuit.com/privacy/statement/) |
| Apple | iOS distribution & push | [apple.com/legal/privacy](https://www.apple.com/legal/privacy/) |
| Google Play / Firebase | Android distribution & crash reporting | [firebase.google.com/support/privacy](https://firebase.google.com/support/privacy) |

---

§ 09 Mobile application disclosures
-----------------------------------

This section supplements the general disclosures above with detail for our mobile application.

### 9.1 Permissions we may request

Each permission is optional except where essential. You can grant, deny, or revoke at any time in your device settings.

| Permission | Why | Required? |
| --- | --- | --- |
| Location (coarse / precise) | Find your nearest location, calculate delivery, show local menus. | Optional |
| Camera | Upload profile photo, scan QR codes, add photos to reviews. | Optional |
| Photos / Media | Select an existing photo for your profile or review. | Optional |
| Notifications | Order status updates and opted-in promotions. | Optional |
| Biometrics (Face ID / Fingerprint) | Secure, passwordless login. | Optional |
| Contacts | We do not access your contact list. | Not used |
| Microphone | Not requested unless a future voice-ordering feature is added (with disclosure). | Not used |

### 9.2 Google Play Data Safety

**Data collected:** personal info (name, email, user IDs, delivery address); financial info (payment tokens — actual card numbers handled only by PCI-compliant processors); location (approximate; precise with permission); app activity (in-app actions, order history, in-app search); app performance (crash logs, diagnostics); device identifiers (device ID, mobile advertising identifier where permitted).

**Data shared:** limited data with service providers for payment processing, analytics, customer service, delivery, and push notifications. We do not sell personal data to third-party data brokers. We do share certain identifiers with advertising partners as described in §6.2.

**Security:** encrypted in transit via TLS. Request deletion anytime via App settings or email. Not directed to children under 13.

### 9.3 Apple App Store privacy

The following categories may be collected and linked to your identity: Contact Info, Financial Info, Location, User Content, Identifiers, Usage Data, Diagnostics — for app functionality, customer support, analytics, and personalization. Where any embedded SDK (for example, Firebase Analytics or a Meta SDK) would link your identity to third-party advertising networks under Apple’s ATT definition, we present the ATT prompt and obtain your consent before that tracking activates. Our Privacy Nutrition Label is updated to reflect current SDK behavior.

### 9.4 Push notifications

If enabled, we may send order-status updates, promotional offers, and service announcements. Disable anytime in device settings or within the App.

### 9.5 In-app account deletion

Request deletion directly from within the App under **Settings → Account → Delete My Account**, or email <hello@aladdinshouston.com>. We complete deletion within 30 days, subject to legal retention described in §13.

---

§ 10 Payments & PCI compliance
------------------------------

All payment card transactions on our Website, App, and in-store terminals are processed by PCI-DSS compliant payment providers including Stripe, Toast, and similar processors. Aladdin does not store full card numbers, CVV codes, or other sensitive payment credentials on our servers. We only receive confirmation tokens and the last four digits of your card for reconciliation, receipts, and dispute resolution.

Our Website uses Transport Layer Security (TLS/SSL) encryption to protect payment information in transit. You can verify the secure connection by the padlock icon in your browser’s address bar.

---

§ 11 Your privacy rights
------------------------

### 11.1 General rights

- **Access** — request a copy of the personal information we hold about you.
- **Correction** — ask us to fix information that is inaccurate or incomplete.
- **Deletion** — request that we delete your personal information, subject to legal exceptions.
- **Portability** — receive your info in a portable, machine-readable format.
- **Opt out of marketing** — unsubscribe from emails, SMS, or push at any time.
- **Opt out of sale or sharing** — for cross-context behavioral advertising.

### 11.2 California residents (CCPA / CPRA)

California residents have specific rights including the right to know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, and non-discrimination. Email <hello@aladdinshouston.com> with “CCPA Request” in the subject, or use the “Do Not Sell or Share My Personal Information” link in our footer. We honor Global Privacy Control (GPC) browser signals as an opt-out. We do not knowingly sell or share personal information of minors under 16 without required opt-in consent.

### 11.3 Texas residents (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) grants Texas residents rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Based on our current data volume, Aladdin may not currently meet the TDPSA’s mandatory thresholds, but we extend the rights described in §11.1 to Texas residents as a matter of practice and recognize Global Privacy Control signals on this device.

### 11.4 Other U.S. state residents

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and other states with consumer privacy laws may have similar rights. We extend equivalent rights where applicable.

### 11.5 EU / UK / Swiss residents (GDPR / UK GDPR)

In addition to the rights above, you have the right to object to processing based on legitimate interests, restrict processing, withdraw consent at any time without affecting the lawfulness of prior processing, and lodge a complaint with your local data protection authority.

### 11.6 How to exercise your rights

- **Email** — <hello@aladdinshouston.com> with “Privacy Request” in the subject.
- **Mail** — Aladdin Restaurants Inc., Attn: Privacy Officer, 912 Westheimer Road, Houston, TX 77006.
- **In-App** — “Manage My Data” under Settings.
- **On this page** — the form in the right rail, or via the “Privacy Request” button in the header.

We verify your identity before processing your request and respond within 45 days, with a possible 45-day extension in complex cases. We will not charge a fee to process valid privacy requests; for requests that are manifestly unfounded, excessive, or repetitive, we may decline to act or charge a reasonable fee as permitted by applicable law. Authorized agents may submit requests with proof of authorization. If we don’t address your request satisfactorily, you may appeal or submit a complaint to the Texas Attorney General, California Privacy Protection Agency, or your local regulator.

### 11.7 Notice of financial incentive (loyalty program)

Under CCPA §1798.125(b), we are required to inform you that our loyalty and rewards program constitutes a “financial incentive” because it provides benefits (such as discounts, free items, or reward points) in exchange for the collection of personal information.

- **Categories collected:** name, email address, phone number, order history, and reward-point balances.
- **Value of your data:** we estimate the value of the personal information collected through the loyalty program based on the expense of administering the program and the discounts and rewards provided. The value is reasonably related to the overall value of the benefits we offer.
- **How to opt in:** you may join the loyalty program by creating an account on our Website, App, or in-restaurant. Participation is entirely voluntary.
- **How to opt out:** you may withdraw from the loyalty program at any time by contacting <hello@aladdinshouston.com> or using the in-App account deletion feature described in §9.5. Unused rewards will be forfeited upon withdrawal.
- **Non-discrimination:** we will not deny you goods or services, charge different prices, or provide a different quality of service because you exercise your privacy rights.

---

§ 12 Children’s privacy
-----------------------

Our services are not directed to children under 13, and we do not knowingly collect personal information from them. If you are a parent or guardian and believe your child has provided personal information, please contact <hello@aladdinshouston.com> and we will delete it. For users between 13 and 16, we do not “sell” or “share” personal information for cross-context behavioral advertising without required opt-in consent.

---

§ 13 Data retention
-------------------

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

| Data category | Retention period |
| --- | --- |
| Account information | Life of account + up to 24 months after deletion for legal, tax, and fraud-prevention purposes. |
| Order and transaction records | At least 7 years (tax, accounting, commercial record-keeping). |
| Email marketing lists | Until you unsubscribe, or up to 36 months of inactivity — whichever is sooner. |
| Website & App analytics | Up to 26 months, or per analytics provider settings. |
| Customer service communications | Up to 36 months after resolution. |
| Security & fraud logs | Up to 24 months from collection. |

When we no longer need personal information, we will securely delete or anonymize it. Some information may persist in encrypted backups for a limited period before being purged on rolling backup schedules.

---

§ 14 Data security
------------------

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction:

- TLS/SSL encryption for data in transit; encryption at rest for sensitive information where appropriate
- Access controls, role-based permissions, and multi-factor authentication for internal systems
- Regular security updates, vulnerability scanning, and server hardening
- PCI-DSS compliance through our payment processors for card transactions
- Web Application Firewall (WAF) and DDoS protection via Cloudflare
- Employee training on data protection and confidentiality

Despite these safeguards, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected individuals without unreasonable delay, and no later than as required by applicable law — within 72 hours to EU/UK supervisory authorities under GDPR Art. 33, and as soon as practicable to Texas residents under Tex. Bus. & Com. Code §521.053 (including notification to the Texas Attorney General if 250 or more Texas residents are affected).

---

§ 15 International data transfers
---------------------------------

Aladdin is based in the United States, and our servers and service providers may be located in the United States or other countries. If you access our services from outside the United States, your information may be transferred to, stored in, and processed in the U.S. and other jurisdictions that may have different data protection laws than your country. Where required, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or UK ICO.

---

§ 16 Email & SMS communications
-------------------------------

We send marketing emails and SMS messages only to users who have opted in. We do not share, sell, or transfer your opt-in consent or phone number to any third party for their marketing purposes. Every marketing email includes an unsubscribe link. We comply with CAN-SPAM, the Telephone Consumer Protection Act (TCPA), CTIA guidelines, and applicable state-level email and SMS regulations.

SMS program disclosures

- Message frequency varies based on your account activity and preferences.
- Message and data rates may apply depending on your carrier plan.
- Reply `STOP` to any SMS to opt out. You will receive a single confirmation message.
- Reply `HELP` for assistance, or email <hello@aladdinshouston.com>.
- Carriers are not liable for delayed or undelivered messages.
 


Transactional messages (order confirmations, delivery updates, account notifications) are necessary for the services you request and are not subject to the same opt-out, though you can contact us to discuss alternatives.

---

§ 17 Automated decision-making & profiling
------------------------------------------

We do not use fully automated decision-making that produces legal or similarly significant effects on you (such as denying service or credit). We may use automated tools for product recommendations, relevance of offers, fraud scoring, and analytics. If we introduce automated decision-making that requires specific disclosure under applicable law, we will update this Privacy Policy and, where required, obtain your consent.

---

§ 18 Changes to this policy
---------------------------

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page, post the revised policy on our Website and in our mobile App, and provide at least 30 days’ notice before the changes take effect (for example, by email or in-app banner). Where applicable law requires fresh consent for a material change, we will obtain that consent before applying the new terms to your data. For data already collected under a prior version of this policy, the terms in effect at the time of collection will continue to apply unless you affirmatively consent to the updated terms.

---

§ 19 How to contact us
----------------------

Privacy Officer

**Aladdin Restaurants Inc.**  
 Attn: Privacy Officer  
 912 Westheimer Road, Houston, TX 77006, United States  
 Email: <hello@aladdinshouston.com>  
 Subject line: “Privacy Request” or “CCPA Request”  
 Do Not Sell or Share: email us with “Do Not Sell” in the subject line, or enable **Global Privacy Control** (GPC) in your browser



This Privacy Policy is governed by the laws of the State of Texas, United States, without regard to conflict-of-law principles, except as otherwise required by applicable privacy law.  
© 2026 Aladdin Restaurants Inc. All rights reserved.