Privacy Policy

Last updated: June 2026.

Pre-launch draft. Pending review by Moroccan counsel before public launch. Designed to align with Loi 09-08 (Morocco) and GDPR principles for forward compatibility.

The short version

  • We collect the minimum data we need to run the Service.
  • We never sell your data, or your customers' data, to anyone.
  • We don't track customers across the web.
  • The basic voucher flow does not require any personal data from your customers.
  • You can export or delete your data at any time from the dashboard.

1. Who is responsible

The data controller is Vibu SARL, based in Rabat, Morocco. For Vendor accounts, the Vendor is the controller of any customer data they collect through their account; Vibu acts as the data processor.

2. Vendor data we collect

  • Account data: business name, business type, city, your name, email, phone number.
  • Authentication data: hashed password, session cookies, login timestamps.
  • Operational data: offers you create, vouchers issued and redeemed, employee actions on your account.
  • Technical data: IP address (rate-limiting and abuse prevention), user-agent, basic request logs.

Legal basis: contract performance (necessary to provide the Service) and legitimate interest (security, fraud prevention).

3. Customer data we collect

When a customer scans your QR code and receives a voucher, we generate a unique voucher identifier and store the rules of the offer. We do NOT collect their name, email, or phone number, and we do NOT set any cookie on their device for this. The customer keeps the voucher by bookmarking the page in their browser, or by saving it to Google Wallet (an optional feature; see section 5).

If we later add an optional customer signup, we will only ask for the data needed for that account (e.g. phone number for OTP) and we will update this policy accordingly.

4. Mobile app data

Vibu also offers a mobile app for vendors and customers (Android, with iOS to follow). The app uses the same account you create on the web. In addition to the data described above, the mobile app handles the following on-device data:

  • Authentication token — stored in the device's secure keystore (iOS Keychain / Android EncryptedSharedPreferences) so you stay signed in. Removed on sign-out.
  • Push-notification token — issued by Google's Firebase Cloud Messaging (FCM) so we can deliver per-store push notifications when a customer scans at one of your stores. The app subscribes to a topic of the form business_X_store_Y; we do NOT track individual device identifiers on our servers.
  • Camera — used only to read voucher QR codes when an employee redeems. No images are saved to your device or transmitted; the camera frames are discarded as soon as a code is decoded.
  • Notification permission (Android 13+) — requested only so vendor approvals can reach you. You can revoke it at any time in system settings.

The mobile app does NOT collect your location, contacts, photos, calendar, microphone, or any analytics events. There is no advertising SDK and no advertising ID is read.

5. Google Wallet (optional)

From any active voucher page you can tap "Add to Google Wallet". This generates a digital pass and hands it off to Google's Wallet service. Google Wallet stores the pass under your Google account; the pass contains the same voucher information (offer name, terms, expiry, QR code) that the voucher page displays. We do not receive any data from Google Wallet beyond what we already have. Saving a pass is optional; you can use Vibu without it.

6. Cookies

  • laravel_session: keeps you signed in to the dashboard. Strictly necessary, no consent required. Vendor side only — not set on customer-facing pages.
  • XSRF-TOKEN: protects against cross-site request forgery on the dashboard. Strictly necessary.

We do not set any cookie on customer-facing voucher pages. We do not use third-party tracking cookies, advertising cookies, or analytics that follow you across the web.

7. How we use data

  • To operate the Service (issue and redeem vouchers, render the wallet, render the dashboard).
  • To communicate with you about your account (transactional emails, when re-enabled).
  • To prevent fraud, abuse, and security incidents.
  • To produce aggregated, non-identifying statistics (e.g. "X vouchers issued this week").

8. Sharing

We do not sell, rent, or trade personal data. We share data only with:

  • Service providers acting on our behalf under contract: hosting (DigitalOcean), error monitoring (Sentry), Firebase Cloud Messaging (Google) for vendor push notifications, and Google Wallet (Google) when a customer chooses to save a voucher pass.
  • Authorities, when required by Moroccan law and in response to a properly issued legal request.
  • An acquirer, in the event of a merger or acquisition, with continued protection of data under terms no less protective than this policy.

9. Retention

  • Vendor account data: kept for the lifetime of the account, deleted on account deletion (with a 30-day soft-delete grace period).
  • Vouchers and redemption records: kept for 90 days after expiration or redemption, then deleted by an automated job. Aggregated statistics may be retained longer.
  • Operational logs (IP addresses, requests): 90 days, longer if needed for a specific security investigation.

10. Your rights

Subject to applicable law, you can:

  • Access a copy of your data (export from the dashboard).
  • Correct inaccurate data (edit from the dashboard).
  • Delete your account and associated data (delete from the dashboard, 30-day grace period).
  • Object to specific processing or restrict it.
  • Lodge a complaint with the Moroccan data protection authority (CNDP).

11. International transfers

Some of our service providers (e.g. Sentry) may process data outside Morocco. Where this is the case, we rely on standard contractual clauses or equivalent safeguards.

12. Security

We use TLS for all connections, hashed passwords, signed session cookies, rate-limited authentication endpoints, and isolated production credentials. No system is perfectly secure; we will notify affected users of any breach without undue delay and as required by law.

13. Children

The Service is not intended for use by anyone under 18. We do not knowingly collect data from minors.

14. Changes

If we make material changes to this Policy, we will notify you in the dashboard at least 14 days before they take effect.

15. Contact

Privacy questions can be raised from inside your dashboard once you sign up. For matters that cannot wait — including Play Store / Google Wallet review enquiries — write to privacy@vibu.app.