Vibors — Privacy Policy
1. Introduction
Vibors ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over your data.
This Policy applies to the Vibors mobile application ("App") available on the Apple App Store and Google Play Store, and to all related services operated by Vibors.
We operate primarily in the Kingdom of Saudi Arabia (KSA) and the United Arab Emirates (UAE). This Policy is designed to comply with:
- The Saudi Personal Data Protection Law (PDPL) and its implementing regulations
- The UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection
- The EU General Data Protection Regulation (GDPR) where applicable to users in relevant jurisdictions
- Apple App Store and Google Play Store privacy requirements
By using the App, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
Vibors is the data controller responsible for your personal data.
Contact: Email: privacy@vibors.com Website: www.vibors.com
3. Data We Collect
We collect the following categories of personal data:
3.1 Account and Identity Data
- Mobile phone number (primary identifier)
- Email address (optional at sign-up, required for Profile Level 2)
- Username
- Profile picture or system-assigned avatar
- Password (stored in hashed form — never stored in plain text)
- Social login provider tokens (Apple, Google, Facebook) — we receive only the unique identifier and email; we do not receive your social media passwords
3.2 Profile Verification Data
- Email verification status — whether your email has been verified (boolean)
- Mobile verification status — whether your mobile number has been verified (boolean)
- Biometric / Face Verification data — if you choose to complete Face Verification (Profile Level 3):
- A liveness check selfie and a photograph of your government-issued ID are captured and transmitted to our verification service
- These images are permanently deleted within 60 seconds of the verification decision
- Only the verification result (pass/fail) is retained on your account record
- Face data is never used for any purpose other than identity verification
- Face data is never shared with businesses, advertisers, or third parties
- Face verification is always optional and requires your explicit consent before proceeding
3.3 Content and Activity Data
- Photos, videos, and text you publish on the Platform
- Interactions you perform (likes/Vibes, comments, shares, saves, follows)
- Content you view (for feed personalization, in aggregate)
- Content engagement metrics associated with your posts
3.4 Location Data
- Approximate device location — collected when you use map-based features (place discovery, check-ins, event discovery)
- Precise location — collected only if you enable Location Sharing to appear on the social Map for other users
- Location data is used for feature delivery only and is refreshed at 5-minute intervals for Map pins
- You can disable location access at any time in your device settings or within the App's privacy settings
3.5 Transaction and QR Data
- QR scan events linked to your account (business, place, or event; timestamp; validation status)
- Points earned and rewards redeemed
- Campaign participation records
3.6 VIP Subscription Data
- Subscription status (Active / Expired)
- Subscription plan (Monthly / Annual)
- Billing date
- We do not store payment card numbers or billing details. All payment processing is handled by Apple App Store or Google Play Store. We receive only a subscription status confirmation via webhook.
3.7 Device and Technical Data
- Device type, operating system, and version
- App version
- Device identifiers (for push notifications and session management)
- IP address (used for rate limiting, fraud detection, and approximate region detection)
- Session tokens (JWT access tokens and refresh tokens, stored in iOS Keychain / Android Keystore)
- Crash logs and error reports
3.8 Communications Data
- Direct messages sent between users (stored encrypted)
- In-app notifications and interaction history
3.9 Event Data (VIP Users)
- Events created by VIP users, including event name, location, attendee data, and RSVP records
4. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Performance of contract |
| Authenticating your identity (OTP, OAuth, face verification) | Performance of contract; Legal obligation |
| Delivering core Platform features (feed, map, messaging, QR validation) | Performance of contract |
| Calculating and displaying your Influence Score | Performance of contract |
| Processing rewards and points | Performance of contract |
| Managing VIP subscription status | Performance of contract |
| Sending security and account notifications (OTPs, password resets) | Performance of contract; Legal obligation |
| Sending service communications and feature updates | Legitimate interest |
| Content moderation and safety enforcement | Legitimate interest; Legal obligation |
| Fraud detection and abuse prevention | Legitimate interest; Legal obligation |
| Improving and personalizing the Platform (including feed algorithms) | Legitimate interest |
| Analytics to understand platform usage (aggregate and anonymized where possible) | Legitimate interest |
| Compliance with applicable law | Legal obligation |
We do not use your data for:
- Selling your personal data to third parties
- Serving third-party advertisements within the App
- Automated decision-making that produces significant legal effects, without human review
5. Influence Score and Data Processing
Your Influence Score is calculated automatically using a weighted algorithm that processes verified activity data including social interactions, QR-validated check-ins, event attendance, and verification status. This is a platform feature score and does not constitute profiling that produces legal or significantly similar effects within the meaning of applicable data protection law.
You may request information about how your score is calculated by contacting privacy@vibors.com.
6. Sharing Your Data
We do not sell your personal data. We share data only in the following circumstances:
6.1 With Other Users
- Your profile (username, profile picture, Influence Score tier, verification badge) is visible to other users as part of the Platform's social layer
- If Location Sharing is enabled, your approximate location and score tier badge are visible to other users on the Map (including VIP users who may filter by score tier)
- Your published content is visible according to the privacy settings you configure
6.2 With Businesses and Places
- When you perform a QR scan at a business or venue, your participation is recorded and may be visible to the business's authorized administrators in aggregate or event-level form, for campaign and analytics purposes
- We do not share your full profile, exact location, or biometric data with businesses
6.3 With Service Providers
We share data with trusted third-party service providers strictly for the purpose of operating the Platform:
| Provider Type | Purpose | Data Shared |
|---|---|---|
| Cloud Hosting (e.g., AWS, Azure) | Infrastructure and data storage | All platform data (stored securely) |
| SMS Gateway (e.g., Twilio, AWS SNS) | OTP delivery | Mobile phone number |
| Email Service (e.g., SendGrid, AWS SES) | Transactional emails and verification | Email address |
| Map / Geolocation Provider (e.g., Google Maps) | Map rendering and location services | Approximate location |
| Face Verification Service | Identity verification (biometric data processing) | Selfie + ID image (deleted within 60s of decision) |
| Push Notification Service | In-app and device notifications | Device token |
| Analytics Provider | Platform performance and usage analytics | Aggregated, pseudonymized usage data |
All service providers are contractually bound to process data only as instructed, maintain adequate security standards, and comply with applicable data protection law.
6.4 With Apple and Google
When you make an in-app purchase (VIP subscription), Apple Inc. or Google LLC processes your payment. Their respective privacy policies govern the data they collect in connection with that transaction.
6.5 Legal Requirements
We may disclose your data where required by applicable law, court order, or government authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Vibors, our users, or the public.
6.6 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce agreements.
| Data Type | Retention Period |
|---|---|
| Account data (username, phone, email) | Duration of account |
| Profile content and published posts | Duration of account (or until deleted by user) |
| Direct messages | Duration of account (or until deleted by participants) |
| Influence Score and history | Duration of account |
| QR transaction records | Duration of account + 24 months |
| Verification status (email/mobile/face — boolean only) | Duration of account |
| Face verification images (selfie + ID) | Deleted within 60 seconds of verification decision — never retained |
| Verification event logs | 24 months |
| Device and session logs | 90 days |
| Security and fraud logs | 24 months |
| Subscription status logs | Duration of account + 36 months |
| Deleted account data | Permanently and irreversibly deleted 30 days after deletion request |
8. Security
We implement industry-standard security measures to protect your personal data, including:
- Encryption in transit: All data transmitted between the App and our servers is encrypted using TLS.
- Encryption at rest: Sensitive data, including passwords (hashed), session tokens, and messages, is encrypted at rest.
- Secure token storage: JWT refresh tokens are stored in iOS Keychain and Android Keystore.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Biometric data isolation: Face and ID images are stored in an isolated temporary bucket with a maximum 60-second TTL and are never accessible by any process other than the verification service.
- OTP rate limiting: SMS and email OTP systems are rate-limited server-side to prevent abuse.
No system is entirely secure. If you believe your account has been compromised, contact us immediately at privacy@vibors.com.
9. Your Rights
Depending on your jurisdiction (KSA, UAE, or EU), you may have the following rights:
9.1 Right to Access
You may request a copy of the personal data we hold about you.
9.2 Right to Correction
You may request correction of inaccurate or incomplete personal data.
9.3 Right to Deletion
You may request deletion of your personal data. This can be done directly in the App (Settings → Account → Delete Account), subject to the 30-day grace period described in our Terms and Conditions. We may retain certain data where required by law.
9.4 Right to Restrict Processing
In certain circumstances, you may request that we restrict the processing of your data.
9.5 Right to Data Portability
Where technically feasible and legally required, you may request a machine-readable copy of your personal data.
9.6 Right to Object
You may object to processing based on legitimate interest (e.g., analytics and personalization).
9.7 Right to Withdraw Consent
Where processing is based on your consent (including face verification), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
9.8 How to Exercise Your Rights
Submit requests to: privacy@vibors.com We will respond within 30 days. We may need to verify your identity before fulfilling a request. We will not charge a fee for reasonable requests.
10. Children's Privacy
The Platform is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 18, we will delete that data immediately. If you believe a minor has registered on the Platform, contact us at privacy@vibors.com.
11. Location Data — Additional Details
- Location access is not required to use the Platform's social feed, messaging, or content features.
- Location is required only for Map-based features (place discovery, check-ins, and social Map pins).
- If you enable Location Sharing (Settings → Privacy → Location Sharing), your approximate location is visible on the social Map to other users. You control this setting and can disable it at any time.
- Location data is refreshed every 5 minutes for Map visibility. Disabling Location Sharing removes your pin within the next refresh cycle (maximum 5 minutes).
- We do not share your precise location with businesses, advertisers, or third parties outside of the map rendering infrastructure (e.g., the mapping API).
12. Biometric Data — Special Notice
Face verification involves the collection of biometric data (facial images and ID document photographs), which is classified as sensitive personal data under Saudi PDPL, UAE data protection law, and other applicable frameworks.
We process biometric data only:
- With your explicit, informed consent provided before the verification process begins
- For the sole purpose of verifying your identity
- Through a liveness check to prevent spoofing
- With all images permanently deleted within 60 seconds of the verification decision
- With only the boolean pass/fail result retained on your account
You are never required to complete face verification. It is an optional feature. Declining face verification does not affect your access to core Platform features.
13. Push Notifications
We send push notifications for account activity, social interactions, rewards, and platform updates. You may control notification preferences within the App (Settings → Notifications) or through your device's notification settings. Disabling notifications does not affect your account.
15. International Data Transfers
Your data is primarily stored and processed on servers located in the region (KSA / UAE / MENA). Where data is transferred to service providers located outside your jurisdiction (e.g., cloud infrastructure or verification services), we ensure adequate safeguards are in place through contractual mechanisms compliant with applicable law.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or email. The updated Policy will be effective from the date stated at the top. Your continued use of the Platform after the effective date constitutes acceptance of the revised Policy.
17. App Store — Data Practice Disclosures
In accordance with Apple App Store and Google Play Store requirements, below is a summary of our data collection practices:
Data Used to Track You We do not use your data to track you across third-party apps or websites for advertising purposes.
Data Linked to You (stored and associated with your account)
- Contact info (phone number, email address)
- User content (photos, videos, text)
- Identifiers (username, device ID)
- Usage data (interactions, session data)
- Location (when enabled)
- Financial info (subscription status only — no card data)
Data Not Linked to You (collected but not associated with identity)
- Crash logs and diagnostics (pseudonymized)
- Aggregate analytics data
Sensitive Data
- Biometric data (face verification): collected temporarily, deleted within 60 seconds, not linked to persistent profile data beyond pass/fail result
- Precise location: collected only when explicitly enabled by user
18. Contact and Complaints
For privacy-related questions, requests, or complaints:
Vibors Privacy Team Email: privacy@vibors.com Website: www.vibors.com
If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority:
- KSA: National Data Management Office (NDMO)
- UAE: UAE Data Office (Federal)
This Privacy Policy was last updated on June 3, 2026 and is effective as of that date.