Data & Compliance
Last updated: June 13, 2026
Vour is committed to responsible data handling, user privacy, and full compliance with international data protection laws. This page explains our compliance status, how we protect your data, who we share it with, and how to exercise your rights.
1. Regulatory Compliance Status
We comply with data protection laws across all jurisdictions where Vour operates or serves users.
| Regulation | Jurisdiction | Status | What We Did |
|---|---|---|---|
| GDPR (EU 2016/679) | European Union | Compliant | Privacy policy, contractual agreements with all data partners, data subject rights procedures, Data Protection Officer appointed |
| UK GDPR | United Kingdom | Compliant | Same framework as EU GDPR; aligned with ICO guidance |
| CCPA / CPRA | California, USA | Compliant | No sale of personal data; all California user rights implemented |
| Saudi PDPL | Kingdom of Saudi Arabia | Compliant | Primary jurisdiction; full compliance with NDMO requirements and cross-border data rules |
| LGPD (Law 13,709/2018) | Brazil | Compliant | DPO appointed; lawful bases established; user rights implemented |
| PIPL | China | Planned | Not currently serving China — will be assessed before any market entry |
| PDPA | Thailand | Planned | Not currently serving Thailand — will be assessed before any market entry |
2. How We Separate Your Data
Vour enforces strict boundaries between public information and personal data. These boundaries are built into our platform at the infrastructure level — not just our application code.
Public Information
Dish names, descriptions, prices, photos, restaurant names, opening hours, and aggregate star ratings. This information is visible to everyone, including search engines and AI assistants, to help people discover great food.
Your Personal Data
Your email, phone number, order history, delivery addresses, allergen preferences, and saved favourites. Visible only to you when you are signed in. Never shared publicly or with AI systems.
Merchant Business Data
A merchant's menu management, incoming orders, business analytics, documents, and payout details. Visible only to that specific merchant when signed in to their account.
Platform Administration
Vour's operations team can access platform-wide data only for the purposes of running and improving the service, investigating abuse, and meeting legal obligations. All administrative actions are logged and auditable.
3. Data Partners & Sub-processors
We use a small number of trusted technology partners to operate Vour. All partners are bound by data protection agreements that require them to handle your data securely and only for the purposes we specify. We never allow partners to use your data for their own marketing or sell it to others.
| Partner | Location | What They Do for Us | Safeguard |
|---|---|---|---|
| Supabase | USA | Cloud database and file storage infrastructure | Data agreement + international transfer clauses |
| Resend | USA | Sending transactional emails (order confirmations, alerts) | Data agreement + international transfer clauses |
| USA / Global | Sign-in with Google (optional login method) | International transfer clauses | |
| Apple | USA | Sign in with Apple (optional login method) | International transfer clauses |
| OpenStreetMap | EU | Map display for restaurant discovery — no personal data sent | Not applicable |
We will notify you of any material additions to this list at least 30 days in advance.
4. How We Keep Your Data Secure
We take the security of your personal data seriously and apply multiple layers of protection:
Encryption in Transit
All data sent between your device and our servers is encrypted using industry-standard secure protocols. Your information cannot be read by anyone intercepting the connection.
Encryption at Rest
Your data stored in our database and file storage is encrypted when not in use, using industry-standard encryption managed by our infrastructure provider.
Access Controls
Our systems enforce strict rules about who can see what. You can only see your own data. Merchants can only see their own business data. These controls are enforced at the infrastructure level.
Anonymised Network Data
We do not store your raw IP address. Any network identifiers we collect for security purposes are anonymised before storage using a one-way process — they cannot be reversed to identify you.
Audit Trails
All administrative actions on the platform are recorded in an audit log. We can review exactly what was done, by whom, and when.
Limited Data Collection
We only collect data we genuinely need to provide the service. We do not use advertising tracking pixels or third-party analytics cookies.
5. International Data Transfers
Because our infrastructure partners operate globally, your data may be processed on servers outside your country. Where this happens, we put legal safeguards in place:
- Contractual protections — We use Standard Contractual Clauses (approved by the EU Commission) for transfers from the EEA to other countries.
- Saudi PDPL cross-border rules— We follow the requirements set by Saudi Arabia's National Data Management Office for any data leaving the Kingdom.
- Partner agreements — All data partners sign agreements that bind them to the same data protection standards regardless of where they operate.
6. Data Processing Agreements
Merchants and business partners who receive data through Vour (for example, order details) can request a formal Data Processing Agreement (DPA). This document sets out:
- The scope and purpose of any data processing.
- Each party's responsibilities for that data.
- Security obligations.
- Procedures for handling user data requests.
- What happens in the event of a security incident.
To request a DPA, contact us at compliance@todevour.com.
7. Security Incident Response
If a security incident occurs that affects your personal data, we will act quickly and transparently:
Our commitment to you
- We will investigate any suspected incident immediately and contain it as quickly as possible.
- We will inform the relevant data protection authority within the timeframes required by law.
- If your data was affected in a way that creates real risk to you, we will notify you directly — clearly and without delay.
- We will tell you what happened, what data was involved, and what steps we have taken.
Notification timelines
| Who We Notify | When | Law |
|---|---|---|
| EU / UK Data Protection Authority | Within 72 hours of becoming aware | GDPR Art. 33 / UK GDPR |
| Saudi National Data Management Office | As required by the PDPL | Saudi PDPL |
| Brazilian ANPD | Within 72 hours for high-risk incidents | LGPD Art. 48 |
| Affected users | Without undue delay where risk is high | GDPR Art. 34 |
| Business partners | Within 48 hours under our agreements | DPA obligations |
Found a security issue?
If you discover a potential security vulnerability, please report it to us privately before disclosing it publicly. We investigate all reports and will acknowledge yours within 24 hours.
Security reports: security@todevour.com
8. Data Minimisation
We only collect what we need, and nothing more:
- We collect the minimum data necessary to provide you with the features you use.
- Sensitive information (such as allergen preferences) is stored separately and accessed only by the feature that requires it.
- Session data is automatically deleted after 90 days.
- We do not use advertising trackers, third-party analytics cookies, or sell data to data brokers.
- If you stop using Vour, your personal data is deleted within 30 days of your account deletion request, except where retention is required by law.
9. Exercising Your Rights
Depending on where you live, you have rights over your personal data — including the right to access, correct, delete, or export it. You can exercise these rights in two ways:
- In the app:Go to Profile → Settings → Privacy for self-service options including data export and account deletion.
- By email: privacy@todevour.com — for requests requiring human review. We verify your identity before processing any request.
Response times:
- GDPR / UK GDPR: Within 30 days (up to 90 days for complex requests, with notice)
- CCPA: Within 45 calendar days
- Saudi PDPL: As required by law
10. Contact Us
Data Protection Officer
privacy@todevour.com
Security Vulnerability Reports
security@todevour.com
Enterprise & DPA Requests
compliance@todevour.com
General Legal
legal@todevour.com
Vour — Kingdom of Saudi Arabia
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.