Data Privacy
This Privacy Policy explains how OrbitBook handles personal data, why we process it, who we share it with, and the rights you have under the laws of the Hashemite Kingdom of Jordan, including the Personal Data Protection Law No. (24) of 2023.
1. Introduction and who we are
OrbitBook (the "Service") is a bilingual online appointment-booking platform for small businesses in the Hashemite Kingdom of Jordan. The Service is operated by VTEC (Venture Tech Engineering Consultancy), a company established in Jordan ("we", "us", "our"). This Privacy Policy describes how we collect, use, share, and protect personal data in connection with the Service. If you have any questions about this policy, you can contact us at privacy@orbitbook.vtec-jo.com.
This policy applies to two categories of users: a "Business" (a tenant owner that holds an account and operates a public booking page) and a "Customer" (a person who books an appointment through a Business's booking page without creating an account).
2. Our roles: controller and processor
For a Business's own account information (such as the account email, password, and business profile), we decide how and why that data is used, and we therefore act as the data controller.
For Customer personal data entered through a Business's booking page (such as a Customer's name and phone number), the Business determines how that data is used. We process it on the Business's behalf solely to provide the Service, acting as a data processor. Customers who have questions about how their booking data is used should usually contact the relevant Business first.
3. What personal data we process
In summary: for a Business account we process an email address, a password (stored only in hashed form), and a business profile (business name in English and Arabic, city, address, logo, brand colour, working hours, services and prices, and notification preferences). For a Customer booking we process the full name (required), phone number (required), email address (optional), the selected service, the appointment date and time, and the preferred language. A Business may also add block-list entries relating to Customers. We use minimal browser storage (localStorage) for the language preference and the login session, and we do not use third-party advertising or cross-site tracking.
For full details of what we collect and how, please see our Data Collection Policy.
4. How and why we use your data
We use personal data only for the following purposes:
- To operate and provide the Service, including hosting each Business's booking page.
- To create, manage, and display bookings between Businesses and Customers.
- To send transactional notifications, such as booking confirmations and updates, through our email delivery provider (email addresses are masked in logs).
- To secure the Service and prevent abuse, including automated content and abuse screening.
- To comply with applicable laws and lawful requests from competent authorities.
5. Legal bases under the PDPL
We process personal data in accordance with the Personal Data Protection Law No. (24) of 2023 ("PDPL") and its implementing regulations, relying on the following legal bases:
- Contract: processing needed to provide the Service you have requested, such as creating a Business account or completing a Customer booking.
- Consent: where you have given consent, such as providing an optional email address for booking notifications. You may withdraw consent at any time.
- Legitimate interests: securing the Service, preventing fraud and abuse, and maintaining the reliability of the platform, in ways that do not override your rights.
- Legal obligation: processing required to comply with applicable Jordanian law.
6. Sharing and subprocessors
We do NOT sell personal data. We share personal data only with service providers who process it on our behalf under confidentiality obligations, and only to the extent needed to provide the Service:
- Supabase (database, authentication, and file storage), hosted in the European Union (Germany).
- Cloudflare (application hosting, content delivery network (CDN), and security services, including web application firewall).
- Resend (transactional email delivery).
We may also disclose personal data to competent authorities where we are legally required to do so.
7. International data transfers
The Service's data is hosted in the European Union (Germany). Where personal data is transferred outside Jordan, it is protected by appropriate safeguards, including our providers' contractual commitments and security measures, consistent with the requirements of the PDPL and its implementing regulations.
8. Data retention
We retain personal data only while it is needed to provide the Service, generally while the relevant Business account is active. Afterwards, or upon a valid deletion request, personal data is deleted or anonymised within ninety (90) days, and in any event Customer booking data is deleted or anonymised within twelve (12) months of the appointment date or of closure of the relevant Business account, whichever is later. Some records may be kept for longer where the law requires it: in particular, we retain financial and transaction records for five (5) years, consistent with the record-keeping and audit periods under Jordan's Income Tax Law No. (34) of 2014, and other records may be kept where necessary for accounting, dispute-resolution, or legal-compliance purposes.
9. Security
We apply technical and organisational measures to protect personal data, including strict row-level isolation between Businesses, encryption in transit (HTTPS), access controls, and automated content and abuse filtering. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a personal-data breach, we will act in accordance with the Personal Data Protection Law No. (24) of 2023, including notifying affected parties and the competent authority without undue delay where required, and where a breach originates at a third-party provider, it is also subject to that provider's own security commitments.
10. Your rights under the PDPL
Under the PDPL, you have the following rights in relation to your personal data:
- Access: to obtain a copy of your personal data that we hold.
- Rectification: to correct inaccurate or incomplete data.
- Erasure: to request deletion of your personal data.
- Restriction: to request that we limit how we process your data.
- Objection: to object to certain processing of your data.
- Withdrawal of consent: to withdraw consent at any time, where processing is based on consent.
- Complaint: to lodge a complaint with the competent Jordanian data protection authority.
To exercise any of these rights, contact us at privacy@orbitbook.vtec-jo.com. If you are a Customer, we recommend that you first contact the relevant Business, as it is the party that controls your booking data; we will support the Business in responding to your request.
11. Children's privacy
The Service is not directed to persons under the age of 18. A Customer who books an appointment should be an adult or have the consent of a parent or legal guardian. If we become aware that we have collected personal data from a minor without appropriate consent, we will take steps to delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and revise the "last updated" date. Material changes may also be communicated through the Service. Your continued use of the Service after an update means you accept the revised policy.
13. How to contact us
For questions, requests, or complaints regarding this Privacy Policy or our handling of personal data, contact us at privacy@orbitbook.vtec-jo.com. For data protection matters, please get in touch with our team at the same address. We operate remotely and do not maintain a public office.