Privacy Policy

Effective date: April 13, 2026 · Last updated: May 15, 2026

This Privacy Policy describes how Cryptex ("we", "us", "our"), the developer and operator of the TABO app, collects, uses, shares, stores, and deletes personal data when you use the Tabo mobile app and related services.

1) Data we collect

Account data: name, email (optional), phone number, password (hashed by backend), date of birth, gender, about/bio text, WhatsApp contact number (if provided), account role (individual or agency).
Agency account data: agency name, agency logo, and any documentation submitted as part of an agency application.
Property listings you create: listing title, description, price, currency, category, images, and the property area you manually select in the app (governorate, city, and/or district from our directory lists), plus category-specific attributes. This is not GPS or real-time device location.
Listing area (not GPS):Search and listings use only the administrative areas you choose in the app, not using GPS or real-time device location.

Communications: messages you send through in-app chat (stored in Firebase Cloud Firestore) and any content submitted via support interactions or user/listing reports.

Device and technical data: app version (included in API requests), language preference, and limited technical data needed to operate the service. Tabo does not use a dedicated in-app crash-reporting SDK.

Payment flow data: payment status and transaction reference returned by our payment provider (PayTabs). Card details and full payment credentials are entered on PayTabs-hosted pages and are not stored by us.

Notification tokens: Firebase Cloud Messaging (FCM) device tokens are stored to deliver push notifications to your device.

2) Why we process data

To create and secure your account, authenticate sessions (via our REST API and Firebase Authentication), and prevent fraud/abuse.

To publish, manage, and display property listings and user-generated content.

To operate the in-app chat system and deliver push notifications.

To enable messaging, customer support, and account recovery.

To process paid boosts, featured listings, and subscription plans, and to maintain billing records.

To improve reliability, troubleshoot technical issues, and measure service performance.

To comply with legal obligations.

3) Legal bases (where applicable)

Depending on your region, we process data based on: contract performance (to provide the service you requested), legitimate interests (security, fraud prevention, service improvement), your consent (for optional permissions such as notifications), and legal compliance.

4) Permissions used in the app

Photos/Media library: to select and upload listing images, videos, documents, and profile photos from your device.

Notifications: to send account updates, chat messages, and listing activity alerts (if enabled by you).

All permissions are requested at the point of use and can be revoked at any time from your device settings. Revoking a permission disables only the features that depend on it.

5) Third-party service providers

We use the following third-party services to operate Tabo. Each provider processes data under their own privacy terms.

Firebase Authentication (Google LLC): issues authentication tokens for the in-app chat system using credentials from our backend. Firebase Privacy

Firebase Cloud Firestore (Google LLC): stores and syncs chat conversations and FCM device tokens. Firebase Privacy

Firebase Cloud Messaging / FCM (Google LLC): delivers push notifications to your device.

PayTabs: processes payments for boosts, subscriptions, and listing plans via a hosted payment page loaded in an in-app WebView. Tabo does not receive or store card data.

Tabo REST API (taboiq.com): our own backend servers host all account, listing, and search data. Servers may be operated in the United States or other regions under our control.

6) Sharing of data

With the service providers listed above, under data protection obligations.

With other users and public visitors for listing and profile elements you choose to publish (e.g. listing details, agency name, contact preferences).

With law enforcement or regulators where legally required.

In connection with business transfers (merger, acquisition, asset sale), with notice to users where required.

We do not sell your personal data to third parties.

7) Data retention and account deletion

We retain data only as long as needed for the purposes described above, including legal obligations, dispute resolution, and abuse prevention.

Deletion timeline: account deletion is processed as a soft delete immediately (account deactivated and no longer accessible), followed by a hard delete after 30 days, subject to limited retention required by law, security, or billing.

When you request account deletion in the app, the app:

Calls our backend account-deletion endpoint (DELETE /users/me/account) with an optional audit reason.

Attempts a best-effort cleanup of chat-related data stored in Firebase Cloud Firestore (including messages you sent, conversation visibility flags, and stored FCM token documents).

Signs you out locally and clears locally stored authentication tokens.

See our Account Deletion Policy for details.

8) Your choices and rights

Access, correction, portability, objection, and deletion of your personal data (where applicable by law).

Manage app permissions (photos and notifications) from your device settings at any time. Tabo does not use a location permission.

Manage notification and privacy preferences in the app (Account → Settings). Some preferences are stored locally on your device.

Control visibility of your profile information (phone number, WhatsApp, online status) from Privacy settings in the app.

Request account deletion in-app (Account tab → Settings → Delete Account) or by emailing support@taboiq.com.

9) Regional privacy rights (Iraq & Middle East)

Cryptex operates Tabo primarily in Iraq and the broader Middle East and Gulf region. We handle personal data in accordance with applicable data protection laws in these jurisdictions.

Iraq: We comply with applicable Iraqi laws governing the collection and processing of personal information.

Gulf Cooperation Council (GCC) countries: For users in Saudi Arabia, UAE, Kuwait, Qatar, Bahrain, and Oman, we observe applicable national data protection and electronic transactions regulations.

Right to access and correction: You may request access to or correction of your personal data by contacting us at support@taboiq.com.

Right to deletion: You can request account deletion in the app (Account tab → Settings → Delete Account), or by emailing support@taboiq.com.

Data localization: Where legally required, we take steps to ensure that personal data is handled consistently with applicable local data residency requirements.

10) Children

The service is not directed to children under 13 (or the minimum age required by local law). We do not knowingly collect data from children below the legal threshold. If you believe a child has provided us with personal data, please contact us and we will delete it.

11) Security

We use reasonable technical and organizational safeguards to protect personal data, including encrypted storage for authentication tokens on your device. No method of transmission or storage is 100% secure.

12) International data transfers

Your data may be processed in countries different from your country of residence (including the United States, where some of our infrastructure and third-party providers are located). Where required by applicable law, we apply transfer safeguards.

13) Changes to this policy

We may update this policy periodically. The latest version will always be posted at this URL with an updated effective date. Continued use of the app after a material change constitutes acceptance of the updated policy.

14) Contact us

Cryptex – Developer of Tabo
Email: support@taboiq.com
Subject line recommendation: Privacy Request

Back to Legal Center