NouveauAI← Back to site

Legal · ParkinPaid

Privacy Policy

Effective date: 1 June 2026 · Last updated: 1 June 2026

The short version

ParkinPaid is a native iOS application published by NouveauAI, a sole establishment based in Dubai, United Arab Emirates. The app does not require an account, does not transmit any personal information about you to any server, and contains no third-party tracking, analytics, or advertising libraries.

The app does maintain a small crowdsourced parking-zone catalog on a server we operate at parkinpaid.nouveauai.org. Each time you successfully send a parking SMS, the app uploads three pieces of information: the zone code printed on the sign, the approximate GPS coordinates of the parking spot, and the emirate. These are tagged with an anonymous per-install device hash and used to help other drivers find the right zone code at their location. No vehicle plate, name, phone number, payment information, or session history is ever transmitted.

The parking-payment SMS itself goes from your phone, via your UAE mobile operator, to the parking authority’s shortcode. That happens entirely outside our servers.

Who we are

The data controller for ParkinPaid is NouveauAI, an independent software studio in Dubai. You can reach the controller at [email protected]. References below to “we”, “our” and “the app” refer to NouveauAI and the ParkinPaid application respectively.

The information ParkinPaid handles

Below is every category of data the app can access, why it accesses it, and where the data ends up.

Stored only on your device

The following categories of data live exclusively in the app’s local SwiftData container on your iPhone, in a shared App Group container for the widget and Apple Watch app, and (where you have opted in) in your private iCloud database accessible only by you on devices signed into your Apple ID.

  • Vehicle information. A nickname, plate number, emirate, and vehicle type for each vehicle you record in Manage Cars.
  • Optional display name. A name you choose for the Dashboard greeting. Optional. We never ask for your email, phone number, password, government ID, or any other identifier.
  • Parking session history. Each completed payment is recorded with: the vehicle, the emirate, the zone code, the duration purchased, the shortcode contacted, the text of the SMS you sent, the time iOS confirmed the SMS as sent, the corresponding expiry time, and the GPS coordinates where you parked (held only to show the spot on a small map in your History tab — not transmitted with the catalog upload below).
  • App preferences. Your appearance (always dark), language (English or Arabic), default parking duration, geofence-reminders toggle, and onboarding state.

None of the data in this section ever leaves your device or your private iCloud database.

Transmitted to our crowdsourced catalog

After you successfully send a parking-payment SMS, the app sends a single POST /v1/zones request to parkinpaid.nouveauai.org. The body of that request contains:

  • The zone code you typed before sending (e.g. J01, 335A, S).
  • The approximate GPS coordinates of where the SMS was sent from, rounded to roughly 11-metre precision (six decimal places).
  • The emirate the request was sent in (one of the seven UAE emirates).
  • The hour-count purchased and the on-device confidence score (a number between 0 and 1).
  • An anonymous device hash — the SHA-256 of a random UUID generated by the app on first launch. We can correlate uploads from the same install but we cannot link this hash to your Apple ID, your phone number, your plate, your name, your IP address (Cloudflare strips this before our server sees it), or anything else outside the app. Deleting the app and reinstalling generates a new hash with no link to the old one.

The catalog is then read back, anonymously, by every other ParkinPaid user via GET /v1/zones. There is no API call that lets one user identify another user.

Read by us only briefly, never stored

  • Location while in use. The Dashboard map and the post-SMS catalog upload both need to know roughly where you are. The app reads your iOS Core Location at “When In Use” authorisation, holds the coordinates in memory for as long as the relevant screen is open or the catalog upload is in flight, and discards them. We do not log the IP address of any catalog request — Cloudflare proxies all traffic and we have disabled raw-IP logging on the origin.
  • Motion activity (only if you enable geofence reminders). iOS Motion Activity tells the app whether you are stationary, walking, or driving so we can suppress reminders while you’re still in motion. Read only in memory. Never persisted, never transmitted.

Apple Push, Apple Watch, App Intents

ParkinPaid does not register for Apple Push Notification service. All reminder notifications are scheduled locally on your device by iOS. Communication with the Apple Watch app uses Apple’s WatchConnectivity, which encrypts payloads in transit between your iPhone and Watch via Apple’s infrastructure — we do not see this traffic.

What ParkinPaid does NOT collect or transmit

  • Your name, email address, telephone number, password, Apple ID, advertising identifier (IDFA), or vendor identifier (IDFV).
  • Your vehicle plate number — it stays on-device for SMS composition and is never sent to our server.
  • The contents, recipients, or metadata of any text messages other than the single parking SMS you composed and sent yourself.
  • Payment card details, bank account details, or any financial information. ParkinPaid does not process payments.
  • Your contact list, photos, microphone, camera, health data, fitness data, Apple Pay information, or HomeKit data.
  • Crash logs, behavioural analytics, or product-analytics events. There are no analytics SDKs in the binary.

How the data is used

Data stored on your device

Used solely to run the app for you: build SMS bodies, suggest nearby zones, run the live countdown, populate the widget and Apple Watch app, schedule pre-expiry reminders, and personalise the Dashboard greeting.

Data transmitted to our catalog

Used solely to build and maintain the crowdsourced zone catalog. Specifically:

  1. To create a new entry the first time a code is seen at a coordinate.
  2. To increase confidence in an existing entry the next time the same code is seen near the same coordinate (a 2-kilometre cluster).
  3. To weight conflicting reports by the number of distinct devices that have contributed.

We do not profile you, target advertising at you, or use any of the catalog data to train machine-learning models intended for sale or external publication. The on-device confidence scoring step IS a small statistical model, but it runs entirely on your iPhone and the model is the same for every user.

Legal basis for processing under PDPL and GDPR

  • Local on-device data: processed under your explicit consent (you tap Continue at onboarding having read this policy via the link on the welcome screen).
  • Catalog uploads: processed under our legitimate interest in maintaining a community-curated parking-zone catalog that no commercial entity makes available in the UAE. The interest is balanced by (a) the anonymisation of the device hash, (b) the absence of any plate/identity information, (c) the fact that the same data is publicly readable by every other user of the app, and (d) your ability to switch off all uploads via the Settings screen of any future release (see Your rights below).

Third parties

ParkinPaid does not embed any third-party SDKs. There are no analytics services, advertising networks, attribution services, error-reporting services, or external login providers integrated into the app.

Two infrastructure providers see encrypted traffic but no clear-text user data:

  • Apple Inc. operates the iOS frameworks the app is built on (SwiftUI, SwiftData, Core Location, Core Motion, MapKit, MessageUI, User Notifications, WidgetKit, ActivityKit, App Intents, WatchConnectivity, CloudKit if you have enabled iCloud sync).
  • Cloudflare, Inc. proxies the HTTPS traffic between the app and our origin server at parkinpaid.nouveauai.org. Cloudflare’s privacy policy applies to that proxy.

When you tap to confirm a parking payment, ParkinPaid hands a prefilled SMS to the iOS Messages app. From that point onward your UAE mobile network operator delivers the SMS to the parking authority’s shortcode. The parking authority then sends back its own confirmation SMS, billing and dispute handling on their normal terms. Each of those parties operates under its own privacy policy. The carriers and authorities used by the supported emirates include but are not limited to Roads and Transport Authority (RTA) of Dubai, Integrated Transport Centre (ITC) of Abu Dhabi (Mawaqif), Sharjah Municipality, Ajman Municipality, the Government of Ras Al Khaimah, Fujairah Municipality, Umm Al Quwain Municipality, Etisalat and du.

iCloud and device-to-device synchronisation

The current build of ParkinPaid may optionally synchronise your local data (vehicles, settings, parking history) through your private iCloud database if you have enabled the iCloud capability for the app in iOS Settings. We do not see this data — it is encrypted by Apple and accessible only by devices signed into your Apple ID. The crowdsourced catalog described above is independent of iCloud and runs on our server, not Apple’s.

Data retention and deletion

On your device:

  • Delete any single vehicle from Manage Cars.
  • End any active parking session from the Dashboard.
  • Delete the entire ParkinPaid app from your device, which removes every piece of data the app has stored locally and in its App Group container.
  • Toggle iCloud sync off in iOS Settings → iCloud → ParkinPaid to stop syncing this device’s data to your private iCloud, or use iCloud Settings to delete the ParkinPaid private database entirely.

On our crowdsource catalog:

  • The device hash linked to your install cannot identify you. If you would like every observation associated with your install hash purged from the live catalog, write to [email protected] from any address, telling us either the install date and approximate city of use, or providing the device hash (visible to operators via the hidden Diagnostics screen of a future release). We will erase matching observations from zones.csv and the raw_submissions.csv audit log within thirty (30) days and confirm by reply.
  • Deleting and reinstalling the app generates a new device hash with no relationship to your previous one. From the moment of reinstall, no past observations can be linked to your new install.

Children

ParkinPaid is intended for adult drivers licensed to drive in the United Arab Emirates. The app is not directed at children under thirteen and we do not knowingly collect any personal data from children.

Your rights under UAE PDPL, GDPR, and UK GDPR

Under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, the EU General Data Protection Regulation, and the UK GDPR, you have the right to access, rectify, port, restrict, object to the processing of, and erase the personal data we hold about you. Because:

  1. All directly-identifying data (plate, name, history) is stored only on your device, you can exercise each of these rights for that data directly inside the app or by deleting it.
  2. The catalog data is anonymised and we have no practical way to identify it as yours without your help. We will nonetheless honour deletion requests on a best-effort basis as described in the previous section.

If you have any question about how to exercise these rights, write to [email protected].

Security

Local data is protected by the iOS sandbox, your device passcode and biometric controls, the App Group entitlement, and Apple’s on-device encryption. We strongly recommend you enable a device passcode and Face ID or Touch ID, and keep your iOS up to date.

Catalog uploads travel over HTTPS with valid TLS certificates issued by Cloudflare. Our origin server stores data in flat CSV files on encrypted disk; access is restricted to NouveauAI personnel via an admin bearer token protected at rest by the operating system’s keychain.

Changes to this policy

We will revise this Privacy Policy when we add new features, when the supported UAE emirates change their requirements, or when legal requirements change. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be announced inside the app on next launch.

Contact

ParkinPaid is published by NouveauAI in Dubai, United Arab Emirates. For privacy questions, data subject requests, or any other correspondence relating to this policy, write to [email protected].