How VOYO handles your data.
This policy describes the personal data VOYO collects, why we collect it, who can see it, and how to ask us to delete it. Written to satisfy Jordan's Personal Data Protection Law No. 24 of 2023 (PDPL).
01Who we are
VOYO is operated by فرص المستقبل للتسويق و البرمجة الحاسوبية, registered in Amman, Jordan, commercial registration number 81114. We are the data controller for the personal data described in this policy.
You can reach our data protection contact at privacy@voyoworld.com. We respond within 7 working days.
02What we collectPDPL Art. 4
You provide directly
- Account. Name, phone number, email, password hash.
- Optional profile. Date of birth, dietary preferences, neighborhood.
- Payment. Card token (we do not store the card number; tokenization is handled by our PCI-DSS Level 1 acquirer).
Generated as you use VOYO
- Visits. Which venues you booked, redeemed offers at, or paid via VOYO.
- App telemetry. Device model, OS version, crash reports, anonymous event logs.
- Location (optional, permission-gated). Used to surface nearby venues. Default is off.
We do not collect data we don't need. We do not buy data from data brokers. We do not collect sensitive categories (health, religion, sexual orientation) and we never will.
03How we use itPDPL Art. 5–6
- Run your account. Sign-in, bookings, payments, support tickets.
- Apply member offers. Match your tier to discounts at partner venues.
- Improve recommendations. Aggregate behavior (not your identity) trains the recommendation model.
- Prevent abuse. Detect bot signups, payment fraud, and offer-stacking.
- Required disclosures. Comply with court orders, regulator requests, tax law.
We do not use your data to train third-party AI models. We do not sell, rent, or lease your data.
04Who can see your dataPDPL Art. 7
Partner venues
A venue sees: that you are a VOYO member of a given tier, that you redeemed their offer, that you made a booking. They do not see: your visits to other venues, your phone number, your other VOYO history.
Institutional customers (HR teams)
If your employer enrolls in VOYO for Institutions, they see aggregated cohort metrics for their seats: total redemptions, top categories, activation rate. They do not see individual member visit history. PDPL Art. 8 explicitly forbids it; our backend enforces it at the query layer.
Service providers we depend on
- Cloud hosting: [hosting provider — TBC] (application, database, and media).
- Payments: CyberSource (Visa).
- Communications: [email provider TBD], [SMS provider TBD].
- Crash reporting: Sentry, scrubbed of personal fields.
05How long we keep itPDPL Art. 11
- Account data. Kept while your account is active, plus 30 days after deletion to handle refunds, disputes, fraud claims.
- Transaction history. Kept for 7 years to satisfy Jordanian tax law and Central Bank record-keeping.
- App telemetry. 90 days, then aggregated and the raw events are deleted.
- Marketing consent. Honored immediately on revoke. Backups age out within 30 days.
06Your rightsPDPL Art. 18–24
Under PDPL you can ask us to:
- See your data. A complete export, machine-readable, within 30 days.
- Correct it. Fix wrong or outdated fields from inside the app, or by emailing privacy@voyoworld.com.
- Delete it. Erase your account, with the carve-outs in section 05 above.
- Restrict processing. Pause data use while a complaint is open.
- Object. Specifically object to recommendation training or marketing.
- Withdraw consent. For any processing where consent is the legal basis.
- Complain to the regulator. The Jordan Personal Data Protection Bureau accepts complaints directly.
You exercise any of these by emailing privacy@voyoworld.com. We don't require a reason.
07Cross-border transfersPDPL Art. 15
VOYO's production infrastructure (application, database, and backups) is hosted in [region / country — to be confirmed]. Where personal data is processed outside Jordan, PDPL permits transfers to jurisdictions that provide a comparable level of protection, and VOYO applies appropriate contractual and technical safeguards. Backups and audit logs are restricted to the same environment.
Customer support tooling may occasionally process queries from elsewhere. Where it does, the underlying data is pseudonymized and the link to your account stays in our database, not the tool.
08SecurityPDPL Art. 13
- Transport encryption. All traffic over TLS 1.2+.
- Storage encryption. Database at rest, backup volumes, and object storage all encrypted.
- Access control. Engineering access to production is logged; tier-gated by role.
- Incident response. If your data is involved in a confirmed breach, we notify you and the Bureau within 72 hours as PDPL requires.
09Cookies and similar
The marketing site uses one first-party preference cookie (voyoTheme, voyoLang) stored in localStorage to remember dark mode and language. No third-party analytics on the marketing site at launch. If we add product analytics later, we will name the tool here and rely on consent, not legitimate interest.
10Children
VOYO is for users 16 and older. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, write to privacy@voyoworld.com and we will delete the account.
11Changes to this policy
Material changes get a banner in the app and an email to active members 30 days before they take effect. Minor wording fixes are noted in the "Last reviewed" date at the top.