Back to home

Data Collection Policy

Last updated: 14 July 2026

This policy explains what data OrbitBook collects, from whom, why, and on what legal basis.

1. Introduction

OrbitBook (the "Service") is an online appointment-booking service operated by VTEC (Venture Tech Engineering Consultancy, the Hashemite Kingdom of Jordan; vtec-jo.com) ("we", "us", "our"). This Data Collection Policy describes what personal data we collect through the Service, from whom we collect it, the purposes of collection, and the legal basis for processing under the laws of the Hashemite Kingdom of Jordan, including the Personal Data Protection Law No. (24) of 2023 (the "PDPL").

This policy applies to two categories of users: a "Business" (a tenant owner that holds an account and operates a public booking page) and a "Customer" (a person who books an appointment with a Business without creating an account). This policy should be read together with our Privacy Policy, which explains in more detail how data is used, shared, protected, and how you can exercise your rights. If this policy and the Privacy Policy differ, the Privacy Policy prevails on matters of use, sharing, and rights.

2. Business Account Data

When you create and operate a Business account, we collect the following data directly from you:

  • Email address and password. The password is stored in hashed form by our authentication provider and is never stored in plain text.
  • Business profile: business name (in English and Arabic), city, address, logo image, brand colour, working hours, services and prices, and notification preferences.

Purpose: to create and operate your account and your public booking page. Legal basis: performance of our contract with you (providing the Service you signed up for) and, where applicable, your consent.

3. Customer Booking Data

When a Customer books an appointment through a Business's booking page, the Customer provides the following data through the Service and on behalf of that Business. No Customer account is required.

  • Full name (required).
  • Phone number (required).
  • Email address (optional).
  • Selected service.
  • Appointment date and time.
  • Preferred language.

A Business may also add block-list entries (an email address or phone number) to prevent abuse of its booking page. Purpose: to make and manage the booking and to send confirmations, reminders, and cancellation notices. Legal basis: performance of the booking requested by the Customer and, where applicable, consent; block-list entries are processed on the basis of legitimate interests in preventing abuse.

Each Business is responsible for informing its Customers about how their data is used and for obtaining any consent required under the PDPL or other applicable law in connection with its own use of Customer data.

4. Technical and Usage Data

We process limited technical data automatically when you use the Service: a limited IP address and basic device and log data, processed by our hosting and security providers for security and reliability purposes (for example, detecting abuse and keeping the Service available). Legal basis: legitimate interests in securing and operating the Service.

Your browser's localStorage is used only to remember your language preference and to keep you signed in (login session). We do not use third-party advertising trackers or cross-site tracking of any kind.

5. Communications Data

We send transactional emails only: booking confirmations, reminders, cancellation notices, and alerts to Business owners. These are sent through our email provider. Email addresses are masked in our internal logs to reduce exposure. Legal basis: performance of the booking or account contract; these messages are necessary to provide the Service and are not marketing.

6. Data We Do NOT Collect

To be clear, the Service does not collect or process the following:

  • No payment-card data through the Service [unless ADDED LATER].
  • No precise geolocation or location tracking.
  • No advertising profiles and no third-party advertising or cross-site tracking.
  • We do not sell personal data.

7. How and Where Data Is Stored

Data collected through the Service is stored on Supabase infrastructure located in the European Union (Germany). Each Business's data is kept strictly separate from other Businesses' data through row-level isolation enforced at the database level, so one Business cannot access another Business's records or Customer bookings.

8. Retention Overview

We keep personal data while the related account or booking is active. Data is deleted or anonymised upon a valid request or upon account closure, within ninety (90) days, and Customer booking data is in any event deleted or anonymised within twelve (12) months of the appointment date or of account closure, whichever is later; financial and transaction records are retained for five (5) years as required under Jordanian tax and commercial record-keeping rules. Detailed retention periods and deletion procedures are set out in our Privacy Policy.

9. Your Choices

You have practical choices about the data you provide: as a Customer, providing an email address is optional; you may use the Service in English or Arabic and switch language at any time; and you may request access to, correction of, or deletion of your personal data by contacting us at privacy@orbitbook.vtec-jo.com or, for Customer bookings, by contacting the Business you booked with. How to exercise these rights, and the rights available to you under the PDPL, are described in our Privacy Policy.