VibePoints — Website Privacy Policy
Effective: July 6, 2026 — Version 1.0.0
Plain-language summary. This Policy covers this website only — vibepoints.app. It explains what we collect when you apply to become a merchant or driver, or submit a booking through a merchant's link, and your rights under the Data Protection Act, 2018 (Saint Christopher and Nevis). We do not sell your data. If you use the VibePoints mobile app, a separate Consumer, Merchant, or Driver Privacy Policy presented in the app covers that data instead.
1. Who is responsible for your data
The data user for the purposes of the Data Protection Act, 2018 is:
Ashton Amory trading as VibePoints Basseterre, Saint Christopher and Nevis Contact: tony@vibepoints.dev
2. What we collect on this website
| Where | What | Required or optional? |
|---|---|---|
| Merchant or driver application (/merchants, /drivers) | Your name, business name (merchants only), email address, phone number, plan of interest | Required to submit the form |
| Booking request (a merchant's /book link) | Your name and email address (email is how a later reward gets linked to your account) | Required |
| Booking request (same form) | Phone number, a note to the merchant, party size, and your chosen service and time | Optional |
| Any form on this website | A hidden anti-bot field that must stay blank, a form-load timestamp, and a Cloudflare Turnstile token | Automatic — not personal data collected for its own sake, used only to block bots |
| Any page on this website | Your IP address and standard web request logs | Automatic, via our hosting provider and our rate-limiting/abuse-prevention service |
We do not collect payment details on this website — bookings are paid directly to the Merchant, and applications do not involve payment.
3. Why we use it
| What we do | Lawful basis (DPA 2018) |
|---|---|
| Reviewing and following up on a merchant or driver application | Steps taken at your request prior to a contract |
| Passing your booking request to the Merchant, and linking a later reward to your account | Performance of contract / your consent to the reward opt-in shown on the booking form |
| Blocking bots and abusive submissions (rate-limiting, Turnstile) | Legitimate interests (platform security) |
| Responding to lawful requests from authorities | Compliance with law |
4. How we share it
- Our verification partner, to review and process a merchant or driver application, including any KYC step.
- Our cloud hosting and database provider, to record and route a booking request to the relevant Merchant.
- Our email-delivery provider, to send you a booking or application confirmation.
- Our rate-limiting and bot-protection provider, to evaluate whether a submission looks abusive.
- Legal or regulatory authorities, where required by law.
We do not sell, license, or share your personal data with any third party for that party's commercial benefit. This is the same commitment that governs the VibePoints mobile app.
5. How long we keep it
- Applications we don't act on are deleted within ninety (90) days; applications we dismiss, or that look like spam, are deleted within thirty (30) days.
- If you go on to verify and activate an account, your application record is reduced to the minimum needed to link it to that account, and the free-text and technical details are deleted.
- Booking requests are kept for as long as needed to operate the booking — including honouring the thirty (30) day window described in our Website Terms of Use during which a reward can still be linked — and, once a booking is completed, as part of the visited Merchant's own transaction records.
- Records of your consent (for example, that you agreed to be contacted about your application) are kept indefinitely as evidence that our processing was lawful.
6. Cookies on this website
This website does not use advertising or third-party tracking or analytics cookies, and we do not run any analytics service on it. While the site is in private preview, we set a single essential cookie — set by our hosting provider's own access-protection feature — to remember that you have entered the preview password; it holds no personal information and expires automatically. Our fonts are bundled with the website at build time rather than loaded from a third party at runtime, so visiting this site does not send your data to a font provider. If we add analytics or any other tracking technology to this website in future, we will update this section first.
7. Your rights under the Data Protection Act, 2018
You have the right to access the data we hold about you, correct it if it is inaccurate, ask us to delete it (subject to the retention needs in Section 5), object to or restrict certain processing, and withdraw any consent at any time. To exercise any of these rights, email tony@vibepoints.dev. We will respond within one month. If you are not satisfied with our response, you may complain to the Information Commissioner of Saint Christopher and Nevis.
8. Children
This website is not directed at, and we do not knowingly collect personal data from, anyone under the age of eighteen (18).
9. Changes to this Policy
We may update this Policy from time to time. We will bump the version number at the top when we do. Material changes will be noted on this page.
10. Contact
Ashton Amory trading as VibePoints Basseterre, Saint Christopher and Nevis Contact: tony@vibepoints.dev For the attention of: Ashton Amory (data user, sole proprietor)
Data you provide inside the VibePoints mobile app — including Shells and Vibe+ activity, ride history, and Vibi conversations — is governed separately by the Consumer, Merchant, or Driver Privacy Policy presented in the app, not by this document.