§ 01 Introduction

Aladdin Restaurants Inc. (“Aladdin,” “we,” “us,” or “our”) is a family-owned halal Mediterranean restaurant business serving Houston, Texas since 2006. We operate two locations: Aladdin Mediterranean Cuisine (Montrose) and Aladdin Mediterranean Grill (Garden Oaks).

This Privacy Policy explains how we collect, use, share, and protect personal information when you interact with our business — whether you visit our website, order catering online, use our mobile application, sign up for our email list, visit our restaurants, or otherwise engage with our services.

We take your privacy seriously and are committed to transparency about our data practices. Please read this policy carefully. By using our website, mobile application, or services, you acknowledge that you have read and understood this Privacy Policy.

Plain English

Short version: we collect what we need to take your order and run the restaurant, and you can reach a human at hello@aladdinshouston.com to change or delete anything anytime.


§ 02 Scope of this policy

This Privacy Policy applies to personal information we collect through the following channels and services:

This policy does not apply to third-party websites, services, or applications that we link to or integrate with. Those third parties have their own privacy practices, and we encourage you to review their policies.


§ 03 Who we are

For the purpose of data protection laws, the data controller responsible for your personal information is:

Data controller

Aladdin Restaurants Inc., a Texas corporation
Montrose: 912 Westheimer Road, Houston, Texas 77006
Garden Oaks: 1737 W 34th Street, Houston, Texas 77018
Email: hello@aladdinshouston.com · Web: aladdinshouston.com


§ 04 Information we collect

We collect personal information in three ways: (a) information you provide directly to us, (b) information we collect automatically through your use of our services, and (c) information we receive from third parties.

4.1 Information you provide directly

Contact & Identity

Full name · email · postal and billing addresses · telephone · date of birth (only if you participate in age-restricted promotions).

Order & Purchase

Order history and menu selections; catering inquiry details (event date, headcount, delivery address, dietary requirements); special instructions; gift-card purchases and redemption activity.

Payment

We do not directly store complete credit or debit card numbers. Payment card information is collected and processed by our PCI-DSS compliant payment processors (Stripe, Toast, and similar providers). We may retain the last four digits of your card, card type, and expiration date for order reconciliation, dispute resolution, and fraud prevention.

Account

Username and password (stored in a hashed, non-reversible format); account preferences and communication settings; saved addresses and payment methods (when you opt to save them); loyalty program membership and reward balances.

Communications & user-generated content

Messages you send through contact forms, email, or support; reviews, ratings, and feedback; photos or images you voluntarily upload; survey and questionnaire responses.

Marketing preferences

Email newsletter subscription status; SMS and push notification preferences; interests and promotion preferences you share with us.

4.2 Information collected automatically

4.3 Information from third parties

We may receive information about you from payment processors, third-party ordering platforms (Toast), delivery partners, social media platforms if you interact with our pages, analytics and advertising partners (Google Analytics, Google Ads, Meta), business partners, and publicly available sources such as Google Business Profile reviews.


§ 05 How we use information

We use the personal information we collect for the following purposes, consistent with the principle of data minimization:

Purpose | What we do
Fulfilling orders | Processing and delivering dine-in, takeout, catering, and online orders; coordinating delivery; refunds and order issues.
Customer accounts | Creating and maintaining your account, authenticating you, saving preferences, and managing loyalty rewards.
Customer service | Responding to inquiries, handling complaints, investigating order issues, and improving service.
Marketing & promotions | Sending opted-in email & SMS offers and push notifications; showing relevant ads on our Website, App, and third-party platforms.
Analytics & improvement | Understanding how people use our Website and App so we can improve features, menus, and UX.
Personalization | Customizing your experience, including location-based menu display and personalized recommendations.
Security & fraud | Detecting, preventing, and investigating fraud, unauthorized access, and harmful activity.
Legal compliance | Complying with applicable laws, regulations, court orders, subpoenas, and government requests.
Business operations | Accounting, recordkeeping, tax reporting, auditing, and general business administration.

5.1 Legal bases for processing (EU/UK users)

If you are located in the EEA, the United Kingdom, or Switzerland, the GDPR and UK GDPR require us to identify a legal basis for each processing activity. We rely on:


§ 06 How we share information

How we share

We do not sell personal information to data brokers for money. We do share certain identifiers with advertising partners (Google Ads, Meta) for behavioral advertising, which some laws treat as a “sale” or “share.” You can opt out using the methods in §11 or via the Do Not Sell / Share switch on this page.

6.1 Service providers

We share information with trusted vendors who perform services on our behalf. These providers are contractually required to protect your information and use it only for the purposes we specify. Categories include payment processors (Stripe, Toast), hosting and infrastructure (Kinsta, Cloudflare), email & SMS delivery (Mailchimp), analytics (Google Analytics), CRM and support tools, third-party ordering platforms (Toast), delivery partners, accounting (QuickBooks), and cloud storage providers.

6.2 Advertising & marketing partners

With appropriate consent where required, we share certain information (device identifiers, IP address, usage data) with platforms like Google Ads and Meta so we can show you relevant advertisements on other sites and apps, measure campaign performance, and build custom or lookalike audiences based on aggregated signals. Under CCPA/CPRA and similar laws, some of these activities may be considered “sharing” or “sale.” You can opt out using the methods in §11.

6.3 Business transfers

If Aladdin is involved in a merger, acquisition, restructuring, sale of assets, bankruptcy, or similar transaction, personal information may be transferred as part of it. We will notify you of any material change.

6.4 Legal & safety disclosures

We may disclose your information when we believe in good faith that it is necessary to comply with law or legal process; enforce our Terms; protect the rights, property, or safety of Aladdin, our customers, employees, or others; or to detect, prevent, or address fraud, security, or technical issues.

6.5 With your consent

We may share your information with third parties when you explicitly direct or authorize us to do so, such as when you use a “share” feature or connect a third-party service to your account.


§ 07 Cookies & similar technologies

We and our partners use cookies, web beacons, pixels, SDKs, local storage, and similar technologies (collectively, “cookies”) to operate our Website and App, remember your preferences, analyze usage, and deliver relevant advertising.

Category | Description
Strictly necessary | Required for the Website to function: session management, shopping cart, login, security, fraud prevention. These cannot be disabled.
Functional | Remember your language, location, saved items, and similar preferences.
Analytics | Help us understand how visitors use our Website and App (e.g., Google Analytics). Usually aggregated and does not directly identify you.
Advertising | Used by us and our partners (Google Ads, Meta Pixel) to show relevant ads and measure campaign performance across sites and apps.

You can manage non-essential cookies through our cookie banner or browser settings. When a Global Privacy Control (GPC) signal is present in your browser, our site detects it on load and automatically opts you out of sale / sharing on this device. You can also opt out of interest-based ads via aboutads.info or networkadvertising.org, and opt out of Google Analytics using the browser add-on. We do not respond to Do Not Track (DNT) browser signals at this time because no common industry standard for DNT has been adopted; however, we do honor Global Privacy Control (GPC) signals as described above.


§ 08 Third-party services

We work with reputable third-party providers. Each has its own privacy policy that governs their handling of data.

Provider | Purpose | Policy
Toast | Online ordering, POS, payment processing | toasttab.com/privacy
Stripe | Payments for eCommerce & catering | stripe.com/privacy
WooCommerce / Automattic | eCommerce platform | automattic.com/privacy
Kinsta | Website hosting | kinsta.com/legal/privacy-policy
Cloudflare | CDN, security, DDoS protection | cloudflare.com/privacypolicy
Google | Analytics, Ads, Maps, Merchant Center | policies.google.com/privacy
Meta | Social advertising & audience insights | facebook.com/privacy/policy
Mailchimp (Intuit) | Email marketing | mailchimp.com/legal/privacy
Intuit QuickBooks | Accounting | intuit.com/privacy
Apple | iOS distribution & push | apple.com/legal/privacy
Google Play / Firebase | Android distribution & crash reporting | firebase.google.com/support/privacy

§ 09 Mobile application disclosures

This section supplements the general disclosures above with detail for our mobile application.

9.1 Permissions we may request

Each permission is optional except where essential. You can grant, deny, or revoke at any time in your device settings.

Permission | Why | Required?
Location (coarse / precise) | Find your nearest location, calculate delivery, show local menus. | Optional
Camera | Upload profile photo, scan QR codes, add photos to reviews. | Optional
Photos / Media | Select an existing photo for your profile or review. | Optional
Notifications | Order status updates and opted-in promotions. | Optional
Biometrics (Face ID / Fingerprint) | Secure, passwordless login. | Optional
Contacts | We do not access your contact list. | Not used
Microphone | Not requested unless a future voice-ordering feature is added (with disclosure). | Not used

9.2 Google Play Data Safety

Data collected: personal info (name, email, user IDs, delivery address); financial info (payment tokens — actual card numbers handled only by PCI-compliant processors); location (approximate; precise with permission); app activity (in-app actions, order history, in-app search); app performance (crash logs, diagnostics); device identifiers (device ID, mobile advertising identifier where permitted).

Data shared: limited data with service providers for payment processing, analytics, customer service, delivery, and push notifications. We do not sell personal data to third-party data brokers. We do share certain identifiers with advertising partners as described in §6.2.

Security: encrypted in transit via TLS. Request deletion anytime via App settings or email. Not directed to children under 13.

9.3 Apple App Store privacy

The following categories may be collected and linked to your identity: Contact Info, Financial Info, Location, User Content, Identifiers, Usage Data, Diagnostics — for app functionality, customer support, analytics, and personalization. Where any embedded SDK (for example, Firebase Analytics or a Meta SDK) would link your identity to third-party advertising networks under Apple’s ATT definition, we present the ATT prompt and obtain your consent before that tracking activates. Our Privacy Nutrition Label is updated to reflect current SDK behavior.

9.4 Push notifications

If enabled, we may send order-status updates, promotional offers, and service announcements. Disable anytime in device settings or within the App.

9.5 In-app account deletion

Request deletion directly from within the App under Settings → Account → Delete My Account, or email hello@aladdinshouston.com. We complete deletion within 30 days, subject to legal retention described in §13.


§ 10 Payments & PCI compliance

All payment card transactions on our Website, App, and in-store terminals are processed by PCI-DSS compliant payment providers including Stripe, Toast, and similar processors. Aladdin does not store full card numbers, CVV codes, or other sensitive payment credentials on our servers. We only receive confirmation tokens and the last four digits of your card for reconciliation, receipts, and dispute resolution.

Our Website uses Transport Layer Security (TLS/SSL) encryption to protect payment information in transit. You can verify the secure connection by the padlock icon in your browser’s address bar.


§ 11 Your privacy rights

11.1 General rights

11.2 California residents (CCPA / CPRA)

California residents have specific rights including the right to know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, and non-discrimination. Email hello@aladdinshouston.com with “CCPA Request” in the subject, or use the “Do Not Sell or Share My Personal Information” link in our footer. We honor Global Privacy Control (GPC) browser signals as an opt-out. We do not knowingly sell or share personal information of minors under 16 without required opt-in consent.

11.3 Texas residents (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) grants Texas residents rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Based on our current data volume, Aladdin may not currently meet the TDPSA’s mandatory thresholds, but we extend the rights described in §11.1 to Texas residents as a matter of practice and recognize Global Privacy Control signals on this device.

11.4 Other U.S. state residents

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and other states with consumer privacy laws may have similar rights. We extend equivalent rights where applicable.

11.5 EU / UK / Swiss residents (GDPR / UK GDPR)

In addition to the rights above, you have the right to object to processing based on legitimate interests, restrict processing, withdraw consent at any time without affecting the lawfulness of prior processing, and lodge a complaint with your local data protection authority.

11.6 How to exercise your rights

We verify your identity before processing your request and respond within 45 days, with a possible 45-day extension in complex cases. We will not charge a fee to process valid privacy requests; for requests that are manifestly unfounded, excessive, or repetitive, we may decline to act or charge a reasonable fee as permitted by applicable law. Authorized agents may submit requests with proof of authorization. If we don’t address your request satisfactorily, you may appeal or submit a complaint to the Texas Attorney General, California Privacy Protection Agency, or your local regulator.

11.7 Notice of financial incentive (loyalty program)

Under CCPA §1798.125(b), we are required to inform you that our loyalty and rewards program constitutes a “financial incentive” because it provides benefits (such as discounts, free items, or reward points) in exchange for the collection of personal information.


§ 12 Children’s privacy

Our services are not directed to children under 13, and we do not knowingly collect personal information from them. If you are a parent or guardian and believe your child has provided personal information, please contact hello@aladdinshouston.com and we will delete it. For users between 13 and 16, we do not “sell” or “share” personal information for cross-context behavioral advertising without required opt-in consent.


§ 13 Data retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Data category | Retention period
Account information | Life of account + up to 24 months after deletion for legal, tax, and fraud-prevention purposes.
Order and transaction records | At least 7 years (tax, accounting, commercial record-keeping).
Email marketing lists | Until you unsubscribe, or up to 36 months of inactivity — whichever is sooner.
Website & App analytics | Up to 26 months, or per analytics provider settings.
Customer service communications | Up to 36 months after resolution.
Security & fraud logs | Up to 24 months from collection.

When we no longer need personal information, we will securely delete or anonymize it. Some information may persist in encrypted backups for a limited period before being purged on rolling backup schedules.


§ 14 Data security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction:

Despite these safeguards, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected individuals without unreasonable delay, and no later than as required by applicable law — within 72 hours to EU/UK supervisory authorities under GDPR Art. 33, and as soon as practicable to Texas residents under Tex. Bus. & Com. Code §521.053 (including notification to the Texas Attorney General if 250 or more Texas residents are affected).


§ 15 International data transfers

Aladdin is based in the United States, and our servers and service providers may be located in the United States or other countries. If you access our services from outside the United States, your information may be transferred to, stored in, and processed in the U.S. and other jurisdictions that may have different data protection laws than your country. Where required, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or UK ICO.


§ 16 Email & SMS communications

We send marketing emails and SMS messages only to users who have opted in. We do not share, sell, or transfer your opt-in consent or phone number to any third party for their marketing purposes. Every marketing email includes an unsubscribe link. We comply with CAN-SPAM, the Telephone Consumer Protection Act (TCPA), CTIA guidelines, and applicable state-level email and SMS regulations.

SMS program disclosures

Transactional messages (order confirmations, delivery updates, account notifications) are necessary for the services you request and are not subject to the same opt-out, though you can contact us to discuss alternatives.


§ 17 Automated decision-making & profiling

We do not use fully automated decision-making that produces legal or similarly significant effects on you (such as denying service or credit). We may use automated tools for product recommendations, relevance of offers, fraud scoring, and analytics. If we introduce automated decision-making that requires specific disclosure under applicable law, we will update this Privacy Policy and, where required, obtain your consent.


§ 18 Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page, post the revised policy on our Website and in our mobile App, and provide at least 30 days’ notice before the changes take effect (for example, by email or in-app banner). Where applicable law requires fresh consent for a material change, we will obtain that consent before applying the new terms to your data. For data already collected under a prior version of this policy, the terms in effect at the time of collection will continue to apply unless you affirmatively consent to the updated terms.


§ 19 How to contact us

Privacy Officer

Aladdin Restaurants Inc.
Attn: Privacy Officer
912 Westheimer Road, Houston, TX 77006, United States
Email: hello@aladdinshouston.com
Subject line: “Privacy Request” or “CCPA Request”
Do Not Sell or Share: email us with “Do Not Sell” in the subject line, or enable Global Privacy Control (GPC) in your browser

This Privacy Policy is governed by the laws of the State of Texas, United States, without regard to conflict-of-law principles, except as otherwise required by applicable privacy law.
© 2026 Aladdin Restaurants Inc. All rights reserved.