Privacy Policy
Last updated: June 13, 2026 — Version 2.0
This Privacy Policy explains how Vour(“we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use our mobile application, website, and related services (collectively, the “Platform”). We are committed to full compliance with:
- European General Data Protection Regulation (GDPR) — EU 2016/679
- UK General Data Protection Regulation (UK GDPR)
- California Consumer Privacy Act (CCPA/CPRA)
- Saudi Personal Data Protection Law (PDPL) — Royal Decree M/19
- Brazil Lei Geral de Proteção de Dados (LGPD)
1. Data Controller & DPO
The data controller responsible for your personal data is:
Vour
Kingdom of Saudi Arabia
Data Protection Officer (DPO):
privacy@todevour.com
Response time: Within 30 days of receiving your request (GDPR Art. 12)
2. Data We Collect
We collect the following categories of personal data, depending on how you use the Platform:
2.1 Account Information
- Full name and display name
- Email address
- Phone number (optional, for order notifications)
- Profile photo (optional)
- Authentication provider (Google, Apple, or email/password)
2.2 Profile & Preferences
- Allergen and dietary restrictions (sensitive data — collected only with explicit consent)
- Food preferences and taste profile
- Saved favourite dishes and restaurants
- Language and notification preferences
2.3 Location Data
- GPS coordinates — used for nearby restaurant discovery and GPS check-in verification
- Saved delivery addresses
- General city/region (inferred from location)
2.4 Order & Transaction Data
- Items ordered, quantities, and order history
- Transaction amounts and currency (SAR)
- Delivery addresses per order
- Order status and timestamps
2.5 Review & Social Data
- Star ratings and written review content
- Photos attached to reviews
- Reactions (upvotes/downvotes) on reviews
- Followers and following relationships
2.6 Device & Session Data
- Device type, model, and operating system
- App version
- Hashed IP address (SHA-256 — we never store raw IP addresses)
- User agent string
- Login timestamps and session duration
2.7 Merchant Data (for business accounts only)
- Business name, type, and cuisine category
- Business address and contact details
- Verification documents (commercial registration, ID)
- Bank account details for payouts (IBAN, bank name)
- Subscription status and plan history
3. How We Use Your Data
| Provide the Platform | Operate the app, display dishes, connect diners with merchants, process orders |
| GPS Verification | Confirm you were physically present at the restaurant for a verified review (Verified Eater system) |
| Personalisation | Recommend dishes based on your preferences, allergens, and location history |
| Gamification | Calculate XP, award badges, update leaderboard rankings |
| Communications | Send order confirmations, status updates, and security alerts via email |
| Analytics | Understand Platform usage patterns to improve features and performance |
| Fraud Prevention | Detect fake reviews, account abuse, and payment fraud |
| Legal Compliance | Meet our obligations under applicable laws including tax and financial regulations |
4. Legal Bases for Processing
We process your personal data under the following legal bases (GDPR Art. 6 & 9):
| Consent (Art. 6(1)(a)) | Marketing emails, location tracking, allergen data, cookies |
| Contract Performance (Art. 6(1)(b)) | Account creation, order processing, subscription management, payouts |
| Legitimate Interest (Art. 6(1)(f)) | Platform security, fraud prevention, aggregate analytics, product improvement |
| Legal Obligation (Art. 6(1)(c)) | Tax record retention (7 years), responding to legal requests, KYC for merchant verification |
Where we process allergen/dietary data (Art. 9 sensitive data), the legal basis is your explicit consent (Art. 9(2)(a)).
5. Data Sharing & Sub-processors
We share your personal data only in the following circumstances. We never sell your data.
5.1 With Merchants (Order Fulfillment Only)
When you place an order, we share your name and order details with the fulfilling merchant. We never share your email address, phone number, allergen data, or any other personal data with merchants beyond what is strictly necessary for order fulfillment.
5.2 Technology Sub-processors
| Supabase (US) | Cloud database hosting, authentication, storage, edge functions — DPA signed |
| Resend (US) | Transactional email delivery — DPA signed |
| Google (US) | OAuth authentication (Google Sign-In) — Standard Contractual Clauses apply |
| Apple (US) | OAuth authentication (Apple Sign-In) — Standard Contractual Clauses apply |
| OpenStreetMap (EU) | Map tiles for discovery feature — no personal data transmitted |
5.3 Legal Requirements
We may disclose your data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of Vour, our users, or others.
6. Public vs. Private Data
Publicly Visible (including to AI systems and search engines)
- Your display name (as shown on reviews and leaderboard)
- Your review content and ratings
- Your leaderboard rank and XP level
- Dish data, restaurant information, and aggregate ratings
Private (never publicly visible, never shared with AI systems)
- Email address and phone number
- Full order history and transaction amounts
- Delivery addresses
- Allergen and dietary preferences
- Saved favourites and personal preferences
- Session data, device info, and hashed IP addresses
7. AI Systems and Search Engine Indexing
To help people discover great food, we make certain Platform data discoverable by AI search engines and assistants (such as Google, ChatGPT, Perplexity). This data is served through a dedicated public API that is structurally incapable of returning personal user data:
- Dish names, descriptions, prices, and photos
- Restaurant names, city, and operating hours
- Anonymised aggregate ratings (display names only — no email, phone, or user ID)
8. Data Retention
| Account profile data | Active account life + 30 days after deletion request |
| Order & transaction data | 7 years from transaction date (tax/legal compliance — KSA VAT Law) |
| Review content | Until you request deletion; anonymised after account deletion |
| Session & login data | 90 days, then automatically purged |
| Allergen preferences | Until you withdraw consent or delete your account |
| Merchant documents | 5 years after subscription end (KSA commercial regulations) |
| Audit log entries | 3 years (security and compliance) |
| Hashed IP addresses | 90 days |
9. Your Rights Under GDPR (Art. 15–22)
If you are in the European Economic Area or UK, you have the following rights:
- Right of Access (Art. 15) — Request a copy of your personal data.
- Right to Rectification (Art. 16) — Correct inaccurate or incomplete data.
- Right to Erasure (Art. 17) — Delete your personal data (“right to be forgotten”).
- Right to Data Portability (Art. 20) — Receive your data in JSON or CSV format.
- Right to Object (Art. 21) — Object to processing based on legitimate interests.
- Right to Restriction (Art. 18) — Restrict processing in certain circumstances.
- Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time without affecting prior processing.
- Right to Lodge a Complaint — Lodge a complaint with your national supervisory authority (e.g., ICO for UK, your local DPA for EU).
Submit requests to privacy@todevour.com. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
10. Your Rights Under Saudi PDPL
Under the Saudi Personal Data Protection Law (Royal Decree M/19), you have the right to:
- Know — Be informed about what personal data we hold and why.
- Access (Art. 4) — Request a copy of your personal data.
- Correction (Art. 17) — Request correction of inaccurate or incomplete data.
- Destruction (Art. 18) — Request deletion or anonymisation of your data when no longer needed.
- Withdraw Consent (Art. 10) — Withdraw consent for processing at any time.
- Object to Automated Decisions — Object to decisions made solely by automated means that significantly affect you.
11. Your Rights Under CCPA/CPRA
If you are a California resident:
- Right to Know — Categories and specific pieces of personal data collected in the past 12 months.
- Right to Delete — Request deletion of your personal data (subject to legal exceptions).
- Right to Correct — Request correction of inaccurate personal data.
- Right to Opt-Out of Sale/Sharing — Vour does not sell or share personal data for cross-context behavioural advertising.
- Right to Limit Use of Sensitive PI — Limit use of sensitive personal information (e.g., precise geolocation, allergen data).
- Right to Non-Discrimination — We will not discriminate against you for exercising CCPA rights.
12. Your Rights Under LGPD (Brazil)
If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados:
- Confirmation & Access — Confirm whether we process your data and request a copy.
- Correction — Request correction of incomplete, inaccurate, or outdated data.
- Anonymisation, blocking, or deletion — Of unnecessary, excessive, or non-compliant data.
- Portability — Transfer your data to another service provider.
- Revocation of consent — At any time, free of charge.
13. International Data Transfers
Your data may be processed on servers located outside your country. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — Used for transfers from the EEA to third countries (Supabase, Resend, Google, Apple).
- Data Processing Agreements (DPAs) — Signed with all sub-processors that handle personal data.
- PDPL Cross-Border Transfer Rules — We comply with NDMO requirements for cross-border data transfer from the Kingdom of Saudi Arabia.
14. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33).
- Notify affected users without undue delay when the breach is likely to result in high risk to your rights (GDPR Art. 34).
- Notify NDMO within the timeframe required by the Saudi PDPL.
- Provide details of the breach, its likely consequences, and the measures taken to address it.
To report a potential breach or security vulnerability, contact: security@todevour.com
15. Cookies
We use cookies and similar technologies as described in our Cookie Policy. Refer to that page for a full list of cookies and how to manage your preferences.
16. Children
Vour is not directed at persons under the age of 18. We do not knowingly collect personal data from children under 18. If we discover we have collected data from a minor, we will delete it immediately. Report concerns to privacy@todevour.com.
17. Security Measures
- Encryption in Transit — All data between your device and our servers is encrypted using industry-standard secure protocols.
- Encryption at Rest — Your stored data is encrypted when not in use.
- Access Controls — You can only access your own data. These controls are enforced at the infrastructure level, not just in application code.
- Anonymised Network Identifiers — We do not store raw IP addresses. Any network identifiers collected for security are anonymised through a one-way process before storage.
- Audit Logging — All administrative actions are logged in a tamper-resistant audit trail.
For our full security and compliance posture, see our Data & Compliance page.
18. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notification at least 30 days beforetaking effect. The “Last updated” date indicates when this version was published.
19. Contact & Complaints
Data Protection Officer: privacy@todevour.com
Security issues: security@todevour.com
General contact: support@todevour.com
Vour — Kingdom of Saudi Arabia
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.