VebboPay Logo
Back to VebboPay

Privacy Policy

Last Updated: February 2026

Cibeeo Inc SRL

This Privacy Policy describes how Cibeeo Inc SRL ("Cibeeo," "we," "us," or "our"), operating the VebboPay platform ("VebboPay" or "Services"), collects, uses, stores, shares, and protects your personal data. This policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Romanian Law No. 190/2018 implementing the GDPR, and all other applicable EU and national data protection legislation.

By using VebboPay, you acknowledge that you have read and understood this Privacy Policy. Where processing is based on consent, your continued use of the Services after being informed of this policy constitutes your consent to the practices described herein.

1. Data Controller

The data controller responsible for your personal data is:

Cibeeo Inc SRL
Registered in Romania
Email: privacy@vebbopay.com

1.1. Data Protection Officer (DPO). We have appointed a Data Protection Officer who can be reached at:

Email: privacy@vebbopay.com
Subject line: "DPO Inquiry"

The DPO is responsible for overseeing our data protection strategy and ensuring compliance with GDPR requirements. You may contact the DPO directly regarding any questions or concerns about how we handle your personal data.

2. Types of Data Collected

We collect and process the following categories of personal data:

2.1. Personal Identification Data

  • Full name, date of birth, nationality, and gender;
  • Email address, phone number, and postal address;
  • Government-issued identification documents (passport, national ID card, driver's license) for KYC/AML verification;
  • Selfie or biometric photograph for identity verification purposes;
  • Tax identification number where required by law.

2.2. Financial Data

  • Bank account details (IBAN, SWIFT/BIC codes);
  • Payment card information (processed via PCI DSS-compliant payment processors);
  • Transaction history, including amounts, dates, recipients, and descriptions;
  • Account balances and financial summaries;
  • Billing and invoicing information.

2.3. Device and Technical Data

  • IP address, browser type and version, and operating system;
  • Device identifiers, including unique device IDs and mobile advertising identifiers;
  • Login timestamps, session duration, and access logs;
  • Geolocation data (approximate, based on IP address);
  • Referral URLs, pages visited, and clickstream data.

2.4. AI Agent Data

  • AI Agent configurations, including rules, budgets, spending limits, and instructions set by you;
  • AI Agent activity logs, including transactions executed, decisions made, and actions taken;
  • Performance metrics and analytics related to AI Agent operations;
  • Communication logs between AI Agents and third-party services.

3. Lawful Basis for Processing

We process your personal data on the following legal bases as defined by Article 6 of the GDPR:

3.1. Performance of a Contract (Article 6(1)(b))

Processing is necessary for the performance of the contract between you and Cibeeo Inc SRL when you use VebboPay Services. This includes account creation, identity verification, transaction processing, and providing customer support.

3.2. Legal Obligation (Article 6(1)(c))

Processing is necessary for compliance with legal obligations to which we are subject, including anti-money laundering (AML) regulations under the EU Anti-Money Laundering Directives (AMLD), know-your-customer (KYC) requirements, tax reporting obligations, and financial regulatory requirements under the Payment Services Directive 2 (PSD2).

3.3. Legitimate Interests (Article 6(1)(f))

Processing is necessary for the purposes of our legitimate interests, provided these are not overridden by your rights and freedoms. Our legitimate interests include fraud detection and prevention, network and information security, improving and developing the Services, business analytics and reporting, and direct marketing to existing customers (with opt-out rights).

3.4. Consent (Article 6(1)(a))

Where processing is based on your consent, such as for marketing communications, placement of non-essential cookies, or processing of special categories of data, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. Purpose of Processing

We process your personal data for the following purposes:

  • To create, maintain, and secure your VebboPay account;
  • To verify your identity and conduct KYC/AML checks as required by law;
  • To process payments, transactions, and financial operations;
  • To operate and manage your AI Agents and autonomous payment functions;
  • To detect, prevent, and investigate fraud, unauthorized transactions, and other illegal activities;
  • To comply with legal and regulatory obligations, including tax reporting and audit requirements;
  • To communicate with you about your account, transactions, and service updates;
  • To provide customer support and respond to your inquiries;
  • To improve, personalize, and develop the Services and user experience;
  • To conduct analytics and generate aggregated, anonymized reports;
  • To send marketing communications where you have provided consent or where we have a legitimate interest;
  • To enforce our Terms of Service and protect our legal rights.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

  • Account data: Retained for the duration of your account and for up to three (3) years after account closure, unless longer retention is required by law.
  • Financial and transaction data: Retained for a minimum of five (5) years and up to ten (10) years after the relevant transaction, in accordance with EU anti-money laundering directives (AMLD), Romanian fiscal legislation, and applicable accounting regulations.
  • AML/KYC records: Retained for a minimum of five (5) years after the end of the business relationship, or up to ten (10) years where required by applicable law or regulatory guidance.
  • AI Agent data: Activity logs and configuration data are retained for the duration of the Agent's existence and for two (2) years after the Agent is deleted or deactivated.
  • Marketing consent records: Retained for the duration of the consent and for three (3) years after withdrawal of consent for record-keeping purposes.
  • Device and technical data: Retained for up to twenty-four (24) months from the date of collection, unless required for ongoing security investigations.

Upon expiration of the applicable retention period, personal data will be securely deleted or anonymized in accordance with our data disposal procedures.

6. Third-Party Processors and International Transfers

6.1. Third-Party Processors. We engage trusted third-party service providers ("Processors") to assist us in providing the Services. These processors are contractually bound to process personal data only on our instructions and in compliance with applicable data protection laws. Our processors include, but are not limited to:

  • Identity verification and KYC/AML service providers;
  • Payment processing and banking partners;
  • Cloud infrastructure and hosting providers;
  • Fraud detection and risk management services;
  • Customer support and communication platforms;
  • Analytics and business intelligence tools.

6.2. International Data Transfers. Some of our processors may be located outside the European Economic Area ("EEA"). Where personal data is transferred to countries outside the EEA that have not been deemed to provide an adequate level of data protection by the European Commission, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses ("SCCs") as approved by the European Commission pursuant to Article 46(2)(c) of the GDPR;
  • Adequacy decisions by the European Commission pursuant to Article 45 of the GDPR;
  • Binding Corporate Rules where applicable;
  • Supplementary measures as recommended by the European Data Protection Board ("EDPB"), including encryption, pseudonymization, and transfer impact assessments.

6.3. You may obtain a copy of the relevant safeguards by contacting us at privacy@vebbopay.com.

7. Data Subject Rights Under GDPR

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of Access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the personal data and receive a copy thereof.
  • Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
  • Right to Erasure (Article 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to our legal obligations to retain certain data as described in Section 5.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit such data to another controller without hindrance.
  • Right to Restriction of Processing (Article 18): You have the right to request the restriction of processing of your personal data in certain circumstances, including where the accuracy of the data is contested or where processing is unlawful.
  • Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing purposes, we will cease such processing without delay.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us at privacy@vebbopay.com or write to our Data Protection Officer at privacy@vebbopay.com. We will respond to your request within one (1) month, which may be extended by two (2) further months where necessary, taking into account the complexity and number of requests.

8. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Romania, the relevant supervisory authority is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Website: www.dataprotection.ro

You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

9. Automated Decision-Making and Profiling

9.1. In accordance with Article 22 of the GDPR, we inform you that VebboPay may use automated decision-making processes, including profiling, in the following contexts:

  • Fraud Detection: Automated systems analyze transaction patterns to detect and prevent potentially fraudulent activities in real time. This processing is necessary for the performance of our contract with you and for our legitimate interest in preventing fraud.
  • KYC/AML Screening: Automated screening tools may be used to verify identities and screen against sanctions lists and politically exposed persons (PEP) databases. This processing is necessary for compliance with legal obligations.
  • Risk Assessment: Automated risk scoring may be used to determine transaction limits, account features, and service eligibility. Decisions that produce legal effects or similarly significantly affect you are subject to human review.
  • AI Agent Operations: AI Agents execute autonomous financial decisions based on rules and parameters you configure. These operations are initiated and controlled by you through the platform.

9.2. Where automated processing produces legal effects or similarly significantly affects you, you have the right to:

  • Obtain human intervention from our side;
  • Express your point of view;
  • Contest the decision.

To exercise these rights, please contact our Data Protection Officer at privacy@vebbopay.com.

10. Children's Privacy

VebboPay is not intended for use by individuals under the age of eighteen (18), or the age of legal majority in their jurisdiction. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental or guardian consent, we will take steps to delete such data promptly. If you believe that we have inadvertently collected data from a child, please contact us immediately at privacy@vebbopay.com.

11. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
  • Multi-factor authentication for account access;
  • Role-based access controls and least-privilege principles;
  • Regular security assessments, penetration testing, and vulnerability scanning;
  • Intrusion detection and prevention systems;
  • Secure data centers with physical access controls;
  • Employee security awareness training and background checks;
  • Incident response and data breach notification procedures in accordance with Articles 33 and 34 of the GDPR;
  • Regular backup and disaster recovery procedures.

In the event of a personal data breach, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where feasible, and will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

12. Cookies

We use cookies and similar tracking technologies on VebboPay. For detailed information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please refer to our Cookie Policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on VebboPay and, where required by law, by providing direct notice via email. We encourage you to review this Privacy Policy periodically.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:

Cibeeo Inc SRL
Email: privacy@vebbopay.com
Data Protection Officer: privacy@vebbopay.com