Privacy Policy

Last updated: June 13, 2026 — Version 2.0

This Privacy Policy explains how Vour(“we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use our mobile application, website, and related services (collectively, the “Platform”). We are committed to full compliance with:

  • European General Data Protection Regulation (GDPR) — EU 2016/679
  • UK General Data Protection Regulation (UK GDPR)
  • California Consumer Privacy Act (CCPA/CPRA)
  • Saudi Personal Data Protection Law (PDPL) — Royal Decree M/19
  • Brazil Lei Geral de Proteção de Dados (LGPD)

1. Data Controller & DPO

The data controller responsible for your personal data is:

Vour

Kingdom of Saudi Arabia

Data Protection Officer (DPO):

privacy@todevour.com

Response time: Within 30 days of receiving your request (GDPR Art. 12)

For Saudi PDPL requests, we will respond within the timeframes specified under Article 20 of the PDPL. For CCPA requests, we respond within 45 calendar days.

2. Data We Collect

We collect the following categories of personal data, depending on how you use the Platform:

2.1 Account Information

  • Full name and display name
  • Email address
  • Phone number (optional, for order notifications)
  • Profile photo (optional)
  • Authentication provider (Google, Apple, or email/password)

2.2 Profile & Preferences

  • Allergen and dietary restrictions (sensitive data — collected only with explicit consent)
  • Food preferences and taste profile
  • Saved favourite dishes and restaurants
  • Language and notification preferences

2.3 Location Data

  • GPS coordinates — used for nearby restaurant discovery and GPS check-in verification
  • Saved delivery addresses
  • General city/region (inferred from location)

2.4 Order & Transaction Data

  • Items ordered, quantities, and order history
  • Transaction amounts and currency (SAR)
  • Delivery addresses per order
  • Order status and timestamps

2.5 Review & Social Data

  • Star ratings and written review content
  • Photos attached to reviews
  • Reactions (upvotes/downvotes) on reviews
  • Followers and following relationships

2.6 Device & Session Data

  • Device type, model, and operating system
  • App version
  • Hashed IP address (SHA-256 — we never store raw IP addresses)
  • User agent string
  • Login timestamps and session duration

2.7 Merchant Data (for business accounts only)

  • Business name, type, and cuisine category
  • Business address and contact details
  • Verification documents (commercial registration, ID)
  • Bank account details for payouts (IBAN, bank name)
  • Subscription status and plan history
Sensitive data notice: Allergen and dietary preferences are classified as sensitive personal data under GDPR Article 9. We process this data only with your explicit consent via the Allergy Guard feature, and we never share it with merchants or third parties.

3. How We Use Your Data

Provide the PlatformOperate the app, display dishes, connect diners with merchants, process orders
GPS VerificationConfirm you were physically present at the restaurant for a verified review (Verified Eater system)
PersonalisationRecommend dishes based on your preferences, allergens, and location history
GamificationCalculate XP, award badges, update leaderboard rankings
CommunicationsSend order confirmations, status updates, and security alerts via email
AnalyticsUnderstand Platform usage patterns to improve features and performance
Fraud PreventionDetect fake reviews, account abuse, and payment fraud
Legal ComplianceMeet our obligations under applicable laws including tax and financial regulations

4. Legal Bases for Processing

We process your personal data under the following legal bases (GDPR Art. 6 & 9):

Consent (Art. 6(1)(a))Marketing emails, location tracking, allergen data, cookies
Contract Performance (Art. 6(1)(b))Account creation, order processing, subscription management, payouts
Legitimate Interest (Art. 6(1)(f))Platform security, fraud prevention, aggregate analytics, product improvement
Legal Obligation (Art. 6(1)(c))Tax record retention (7 years), responding to legal requests, KYC for merchant verification

Where we process allergen/dietary data (Art. 9 sensitive data), the legal basis is your explicit consent (Art. 9(2)(a)).

5. Data Sharing & Sub-processors

We share your personal data only in the following circumstances. We never sell your data.

5.1 With Merchants (Order Fulfillment Only)

When you place an order, we share your name and order details with the fulfilling merchant. We never share your email address, phone number, allergen data, or any other personal data with merchants beyond what is strictly necessary for order fulfillment.

5.2 Technology Sub-processors

Supabase (US)Cloud database hosting, authentication, storage, edge functions — DPA signed
Resend (US)Transactional email delivery — DPA signed
Google (US)OAuth authentication (Google Sign-In) — Standard Contractual Clauses apply
Apple (US)OAuth authentication (Apple Sign-In) — Standard Contractual Clauses apply
OpenStreetMap (EU)Map tiles for discovery feature — no personal data transmitted

5.3 Legal Requirements

We may disclose your data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of Vour, our users, or others.

We NEVER sell your personal data. We do not share your data with advertisers, data brokers, or any third parties for their own marketing purposes.

6. Public vs. Private Data

Publicly Visible (including to AI systems and search engines)

  • Your display name (as shown on reviews and leaderboard)
  • Your review content and ratings
  • Your leaderboard rank and XP level
  • Dish data, restaurant information, and aggregate ratings

Private (never publicly visible, never shared with AI systems)

  • Email address and phone number
  • Full order history and transaction amounts
  • Delivery addresses
  • Allergen and dietary preferences
  • Saved favourites and personal preferences
  • Session data, device info, and hashed IP addresses

7. AI Systems and Search Engine Indexing

To help people discover great food, we make certain Platform data discoverable by AI search engines and assistants (such as Google, ChatGPT, Perplexity). This data is served through a dedicated public API that is structurally incapable of returning personal user data:

  • Dish names, descriptions, prices, and photos
  • Restaurant names, city, and operating hours
  • Anonymised aggregate ratings (display names only — no email, phone, or user ID)
Our public discovery feature is served through a dedicated system that is architecturally separate from your personal data. It is designed so that personal information cannot be included in public responses, even inadvertently.

8. Data Retention

Account profile dataActive account life + 30 days after deletion request
Order & transaction data7 years from transaction date (tax/legal compliance — KSA VAT Law)
Review contentUntil you request deletion; anonymised after account deletion
Session & login data90 days, then automatically purged
Allergen preferencesUntil you withdraw consent or delete your account
Merchant documents5 years after subscription end (KSA commercial regulations)
Audit log entries3 years (security and compliance)
Hashed IP addresses90 days

9. Your Rights Under GDPR (Art. 15–22)

If you are in the European Economic Area or UK, you have the following rights:

  • Right of Access (Art. 15) — Request a copy of your personal data.
  • Right to Rectification (Art. 16) — Correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17) — Delete your personal data (“right to be forgotten”).
  • Right to Data Portability (Art. 20) — Receive your data in JSON or CSV format.
  • Right to Object (Art. 21) — Object to processing based on legitimate interests.
  • Right to Restriction (Art. 18) — Restrict processing in certain circumstances.
  • Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time without affecting prior processing.
  • Right to Lodge a Complaint — Lodge a complaint with your national supervisory authority (e.g., ICO for UK, your local DPA for EU).

Submit requests to privacy@todevour.com. We will respond within 30 days (extendable to 90 days for complex requests, with notice).

10. Your Rights Under Saudi PDPL

Under the Saudi Personal Data Protection Law (Royal Decree M/19), you have the right to:

  • Know — Be informed about what personal data we hold and why.
  • Access (Art. 4) — Request a copy of your personal data.
  • Correction (Art. 17) — Request correction of inaccurate or incomplete data.
  • Destruction (Art. 18) — Request deletion or anonymisation of your data when no longer needed.
  • Withdraw Consent (Art. 10) — Withdraw consent for processing at any time.
  • Object to Automated Decisions — Object to decisions made solely by automated means that significantly affect you.

11. Your Rights Under CCPA/CPRA

If you are a California resident:

  • Right to Know — Categories and specific pieces of personal data collected in the past 12 months.
  • Right to Delete — Request deletion of your personal data (subject to legal exceptions).
  • Right to Correct — Request correction of inaccurate personal data.
  • Right to Opt-Out of Sale/Sharing — Vour does not sell or share personal data for cross-context behavioural advertising.
  • Right to Limit Use of Sensitive PI — Limit use of sensitive personal information (e.g., precise geolocation, allergen data).
  • Right to Non-Discrimination — We will not discriminate against you for exercising CCPA rights.

12. Your Rights Under LGPD (Brazil)

If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados:

  • Confirmation & Access — Confirm whether we process your data and request a copy.
  • Correction — Request correction of incomplete, inaccurate, or outdated data.
  • Anonymisation, blocking, or deletion — Of unnecessary, excessive, or non-compliant data.
  • Portability — Transfer your data to another service provider.
  • Revocation of consent — At any time, free of charge.

13. International Data Transfers

Your data may be processed on servers located outside your country. We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) — Used for transfers from the EEA to third countries (Supabase, Resend, Google, Apple).
  • Data Processing Agreements (DPAs) — Signed with all sub-processors that handle personal data.
  • PDPL Cross-Border Transfer Rules — We comply with NDMO requirements for cross-border data transfer from the Kingdom of Saudi Arabia.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33).
  • Notify affected users without undue delay when the breach is likely to result in high risk to your rights (GDPR Art. 34).
  • Notify NDMO within the timeframe required by the Saudi PDPL.
  • Provide details of the breach, its likely consequences, and the measures taken to address it.

To report a potential breach or security vulnerability, contact: security@todevour.com

15. Cookies

We use cookies and similar technologies as described in our Cookie Policy. Refer to that page for a full list of cookies and how to manage your preferences.

16. Children

Vour is not directed at persons under the age of 18. We do not knowingly collect personal data from children under 18. If we discover we have collected data from a minor, we will delete it immediately. Report concerns to privacy@todevour.com.

17. Security Measures

  • Encryption in Transit — All data between your device and our servers is encrypted using industry-standard secure protocols.
  • Encryption at Rest — Your stored data is encrypted when not in use.
  • Access Controls — You can only access your own data. These controls are enforced at the infrastructure level, not just in application code.
  • Anonymised Network Identifiers — We do not store raw IP addresses. Any network identifiers collected for security are anonymised through a one-way process before storage.
  • Audit Logging — All administrative actions are logged in a tamper-resistant audit trail.

For our full security and compliance posture, see our Data & Compliance page.

18. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notification at least 30 days beforetaking effect. The “Last updated” date indicates when this version was published.

19. Contact & Complaints

Data Protection Officer: privacy@todevour.com

Security issues: security@todevour.com

General contact: support@todevour.com

Vour — Kingdom of Saudi Arabia

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.