Data & Compliance

Last updated: June 13, 2026

Vour is committed to responsible data handling, user privacy, and full compliance with international data protection laws. This page explains our compliance status, how we protect your data, who we share it with, and how to exercise your rights.

1. Regulatory Compliance Status

We comply with data protection laws across all jurisdictions where Vour operates or serves users.

RegulationJurisdictionStatusWhat We Did
GDPR (EU 2016/679)European UnionCompliantPrivacy policy, contractual agreements with all data partners, data subject rights procedures, Data Protection Officer appointed
UK GDPRUnited KingdomCompliantSame framework as EU GDPR; aligned with ICO guidance
CCPA / CPRACalifornia, USACompliantNo sale of personal data; all California user rights implemented
Saudi PDPLKingdom of Saudi ArabiaCompliantPrimary jurisdiction; full compliance with NDMO requirements and cross-border data rules
LGPD (Law 13,709/2018)BrazilCompliantDPO appointed; lawful bases established; user rights implemented
PIPLChinaPlannedNot currently serving China — will be assessed before any market entry
PDPAThailandPlannedNot currently serving Thailand — will be assessed before any market entry

2. How We Separate Your Data

Vour enforces strict boundaries between public information and personal data. These boundaries are built into our platform at the infrastructure level — not just our application code.

Public Information

Dish names, descriptions, prices, photos, restaurant names, opening hours, and aggregate star ratings. This information is visible to everyone, including search engines and AI assistants, to help people discover great food.

Your Personal Data

Your email, phone number, order history, delivery addresses, allergen preferences, and saved favourites. Visible only to you when you are signed in. Never shared publicly or with AI systems.

Merchant Business Data

A merchant's menu management, incoming orders, business analytics, documents, and payout details. Visible only to that specific merchant when signed in to their account.

Platform Administration

Vour's operations team can access platform-wide data only for the purposes of running and improving the service, investigating abuse, and meeting legal obligations. All administrative actions are logged and auditable.

3. Data Partners & Sub-processors

We use a small number of trusted technology partners to operate Vour. All partners are bound by data protection agreements that require them to handle your data securely and only for the purposes we specify. We never allow partners to use your data for their own marketing or sell it to others.

PartnerLocationWhat They Do for UsSafeguard
SupabaseUSACloud database and file storage infrastructureData agreement + international transfer clauses
ResendUSASending transactional emails (order confirmations, alerts)Data agreement + international transfer clauses
GoogleUSA / GlobalSign-in with Google (optional login method)International transfer clauses
AppleUSASign in with Apple (optional login method)International transfer clauses
OpenStreetMapEUMap display for restaurant discovery — no personal data sentNot applicable

We will notify you of any material additions to this list at least 30 days in advance.

4. How We Keep Your Data Secure

We take the security of your personal data seriously and apply multiple layers of protection:

Encryption in Transit

All data sent between your device and our servers is encrypted using industry-standard secure protocols. Your information cannot be read by anyone intercepting the connection.

Encryption at Rest

Your data stored in our database and file storage is encrypted when not in use, using industry-standard encryption managed by our infrastructure provider.

Access Controls

Our systems enforce strict rules about who can see what. You can only see your own data. Merchants can only see their own business data. These controls are enforced at the infrastructure level.

Anonymised Network Data

We do not store your raw IP address. Any network identifiers we collect for security purposes are anonymised before storage using a one-way process — they cannot be reversed to identify you.

Audit Trails

All administrative actions on the platform are recorded in an audit log. We can review exactly what was done, by whom, and when.

Limited Data Collection

We only collect data we genuinely need to provide the service. We do not use advertising tracking pixels or third-party analytics cookies.

5. International Data Transfers

Because our infrastructure partners operate globally, your data may be processed on servers outside your country. Where this happens, we put legal safeguards in place:

  • Contractual protections — We use Standard Contractual Clauses (approved by the EU Commission) for transfers from the EEA to other countries.
  • Saudi PDPL cross-border rules— We follow the requirements set by Saudi Arabia's National Data Management Office for any data leaving the Kingdom.
  • Partner agreements — All data partners sign agreements that bind them to the same data protection standards regardless of where they operate.

6. Data Processing Agreements

Merchants and business partners who receive data through Vour (for example, order details) can request a formal Data Processing Agreement (DPA). This document sets out:

  • The scope and purpose of any data processing.
  • Each party's responsibilities for that data.
  • Security obligations.
  • Procedures for handling user data requests.
  • What happens in the event of a security incident.

To request a DPA, contact us at compliance@todevour.com.

7. Security Incident Response

If a security incident occurs that affects your personal data, we will act quickly and transparently:

Our commitment to you

  • We will investigate any suspected incident immediately and contain it as quickly as possible.
  • We will inform the relevant data protection authority within the timeframes required by law.
  • If your data was affected in a way that creates real risk to you, we will notify you directly — clearly and without delay.
  • We will tell you what happened, what data was involved, and what steps we have taken.

Notification timelines

Who We NotifyWhenLaw
EU / UK Data Protection AuthorityWithin 72 hours of becoming awareGDPR Art. 33 / UK GDPR
Saudi National Data Management OfficeAs required by the PDPLSaudi PDPL
Brazilian ANPDWithin 72 hours for high-risk incidentsLGPD Art. 48
Affected usersWithout undue delay where risk is highGDPR Art. 34
Business partnersWithin 48 hours under our agreementsDPA obligations

Found a security issue?

If you discover a potential security vulnerability, please report it to us privately before disclosing it publicly. We investigate all reports and will acknowledge yours within 24 hours.

Security reports: security@todevour.com

8. Data Minimisation

We only collect what we need, and nothing more:

  • We collect the minimum data necessary to provide you with the features you use.
  • Sensitive information (such as allergen preferences) is stored separately and accessed only by the feature that requires it.
  • Session data is automatically deleted after 90 days.
  • We do not use advertising trackers, third-party analytics cookies, or sell data to data brokers.
  • If you stop using Vour, your personal data is deleted within 30 days of your account deletion request, except where retention is required by law.

9. Exercising Your Rights

Depending on where you live, you have rights over your personal data — including the right to access, correct, delete, or export it. You can exercise these rights in two ways:

  • In the app:Go to Profile → Settings → Privacy for self-service options including data export and account deletion.
  • By email: privacy@todevour.com — for requests requiring human review. We verify your identity before processing any request.

Response times:

  • GDPR / UK GDPR: Within 30 days (up to 90 days for complex requests, with notice)
  • CCPA: Within 45 calendar days
  • Saudi PDPL: As required by law

10. Contact Us

Data Protection Officer

privacy@todevour.com

Security Vulnerability Reports

security@todevour.com

Enterprise & DPA Requests

compliance@todevour.com

General Legal

legal@todevour.com

Vour — Kingdom of Saudi Arabia

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.