1. Introduction
Welcome to Corbez ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our corporate benefits marketplace platform at corbez.com (the "Service").
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when using our Service:
- Account Information: Name, email address, password (encrypted), company name, job title
- Company Information (for Company Admins): Company name, address, industry, size, contact details
- Business Information (for Merchants): Business name, address, license information, cuisine type, operating hours, contact details, banking information
- Profile Information: Profile photo, preferences, communication settings
- Communications: Messages sent through our platform, customer support inquiries
- Payment Information: Credit card details (processed securely through Stripe - we do not store full card numbers)
2.2 Information Collected Automatically
When you access our Service, we automatically collect:
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages visited, time spent, click patterns, features used
- Location Data: Approximate location based on IP address (with your consent for precise location)
- Cookies and Tracking: Session cookies, authentication tokens, analytics cookies
- Security Logs: Login attempts, security events, fraud detection data
2.3 Information from Third Parties
- Payment Processors: Transaction data from Stripe for billing purposes
- Business Verification: Publicly available business information for merchant verification
- Email Verification Services: Email validation and deliverability checks during account creation
3. How We Use Your Information
We use your information for the following purposes:
3.1 Service Delivery
- Create and manage your account
- Process discount claims and redemptions
- Generate QR codes for coupon verification
- Match employees with relevant merchant offers
- Facilitate communication between users and merchants
3.2 Business Operations
- Process payments and manage billing
- Verify merchant business legitimacy
- Approve or reject merchant applications
- Monitor platform usage and performance
- Generate analytics and insights (aggregated and anonymized)
3.3 Security and Fraud Prevention
- Detect and prevent fraudulent activity
- Identify suspicious usage patterns (excessive claiming, account sharing)
- Enforce our Terms of Service and prevent abuse
- Maintain audit logs for security investigations
- Comply with legal obligations and protect our rights
3.4 Communication
- Send transactional emails (account verification, password reset, claim confirmations)
- Notify you of new merchant partners (if opted in)
- Send weekly usage digests (if opted in)
- Provide customer support responses
- Send important service updates and policy changes
3.5 Improvement and Development
- Improve platform functionality and user experience
- Develop new features based on usage patterns
- Conduct A/B testing and research
- Train fraud detection algorithms
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for collecting and using your information depends on the data and context:
- Contract Performance: Processing necessary to provide the Service you requested
- Legitimate Interest: Fraud prevention, security, analytics, service improvement
- Consent: Marketing communications, location tracking, optional features (you can withdraw anytime)
- Legal Obligation: Compliance with laws, tax requirements, law enforcement requests
5. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
5.1 With Service Providers
- Payment Processing: Stripe (PCI-DSS compliant payment processor)
- Cloud Hosting: Vercel (hosting), MongoDB Atlas (database)
- Email Delivery: Resend (transactional emails)
- Analytics: Vercel Analytics (privacy-focused, no personal data sold)
All service providers are contractually obligated to protect your data and use it only for specified purposes.
5.2 With Merchants (Limited Information)
When you redeem a coupon, we share only the necessary information with the merchant:
- First name and last initial (e.g., "John D.")
- Company name (to verify eligibility)
- Discount amount and terms
- Coupon expiration date
We do not share your full name, email, phone number, or other personal details with merchants.
5.3 With Your Company (for Employees)
If you join as an employee, your company admin can see:
- Your name and email (to manage team members)
- Aggregated usage statistics (number of employees using the platform, most popular merchants)
We do not share individual redemption details, specific restaurants visited, or spending amounts.
5.4 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal process (subpoena, court order, search warrant)
- Government or regulatory requests
- Protection of our rights, property, or safety
- Investigation of fraud, security issues, or Terms violations
5.5 Business Transfers
If Corbez is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.
6. Data Retention
We retain your information for as long as necessary to provide the Service and comply with legal obligations:
- Account Data: Retained while your account is active, deleted 30 days after account closure (unless required for legal reasons)
- Transaction Records: 7 years (tax and accounting requirements)
- Audit Logs: 90 days (security and fraud investigation)
- QR Codes: 30 days after coupon expiration or redemption
- Marketing Communications: Until you unsubscribe
- Anonymized Analytics: Indefinitely (cannot be linked back to you)
7. Your Rights
7.1 GDPR Rights (EEA Residents)
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Restriction: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for marketing, location tracking, etc.
7.2 CCPA Rights (California Residents)
- Right to Know: What personal information we collect and how it's used
- Right to Delete: Request deletion of your information
- Right to Opt-Out: We do not sell personal information, so no opt-out needed
- Right to Non-Discrimination: Equal service regardless of privacy choices
7.3 How to Exercise Your Rights
To exercise any of these rights, contact us at contact@corbez.com with the subject line "Privacy Rights Request." We will respond within 30 days.
You can also manage some settings directly in your account:
- Update profile information
- Change email notification preferences
- Delete your account (Settings → Account → Delete Account)
8. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for authentication, security, session management (cannot be disabled)
- Analytics Cookies: Understand how users interact with the platform (can be disabled)
- Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features.
9. Security Measures
We implement industry-standard security measures to protect your information:
- Encryption: TLS 1.3 for data in transit, AES-256 for sensitive data at rest
- Password Security: bcrypt hashing with salt (12 rounds)
- Access Controls: Role-based access, multi-factor authentication (MFA) available
- Rate Limiting: Prevents brute force attacks and API abuse
- Fraud Detection: Real-time monitoring for suspicious activity
- Security Headers: CSP, HSTS, X-Frame-Options, XSS protection
- Regular Audits: Security assessments and penetration testing
- Incident Response: 24-hour response plan for security breaches
While we strive to protect your information, no method of transmission over the internet is 100% secure. Please use strong passwords and enable MFA for additional protection.
10. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will delete it immediately. If you believe we have collected information from a child, please contact us at contact@corbez.com.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
For EEA residents: We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection when transferring data outside the EEA.
12. Third-Party Links
Our Service may contain links to third-party websites (e.g., merchant websites). We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies before providing any information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last Updated" date
- Sending an email notification to your registered email address
- Displaying a prominent notice on the platform
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
Email: contact@corbez.com
Subject Line: Privacy Inquiry
Response Time: Within 48 hours for general inquiries, 30 days for formal rights requests
15. Data Protection Officer (DPO)
For GDPR-related inquiries, you can contact our Data Protection Officer at contact@corbez.com with the subject line "DPO - GDPR Inquiry."
16. Supervisory Authority
If you are located in the EEA and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.
Acknowledgment
By using Corbez, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.