Skip to main content
Neural AvatarReady
  • Social
  • Mail
  • Vego AI
  • Search
  • Ads
  • Data
  • Stream
  • Music
  • Podcast
  • TV
  • Chat
  • Meet
  • RTC
  • Live
  • Drive
  • Docs
  • Maps
  • Pay
  • Vault
  • Privacy
  • Security
  • Compliance
  • Identity
  • Creator
  • Business
  • Platform
  • Settings
  • Governance
  • Support
  • Auth Shield
VegotronVegotron®©

Privacy Policy

Vegotron Platform — Privacy Policy

Effective Date: June 21, 2026 Version: 3.0.20 — v1.0.976-Full-Monorepo-Index-Scan Jurisdiction: Sharjah Free Zone (SPARK), United Arab Emirates Applicable Frameworks: UAE PDPL (Federal Law No. 45/2021) · Saudi Arabia PDPL (Royal Decree M/19, 1443H) · Egypt PDPL No. 151/2020 · Dubai DESC Cybersecurity Framework · Abu Dhabi SIA Standards · NCA Essential Cybersecurity Controls (ECC-1:2018) · Cairo Supreme Cybersecurity Council Standards · ISO/IEC 27001:2022 · ISO/IEC 27701:2019 · ISO/IEC 29100:2011 · EU GDPR (Art. 3 extraterritorial scope) · NIST SP 800-207 (Zero Trust) · NIST FIPS 203 (Post-Quantum) · Apple App Store Privacy Guidelines (2026) · Google Play Data Safety Framework · Microsoft Store Privacy Requirements


DUAL-AUDIENCE SUMMARY

Layer 1 — Enterprise & Engineering Specification

DomainCommitment
Data governanceRole-based access, immutable audit trails, data minimization, purpose limitation, and regional residency controls enforced at the API gateway and service mesh.
Quantum-ready securityHybrid classical + post-quantum key exchange (Kyber-class lattice KEM) on sensitive channels; Ed25519 identity; AES-256-GCM at rest and in transit.
Zero-trust accessEvery request authenticated and authorized; short-lived tokens; mTLS between internal services; no implicit trust by network zone.
SLA & availabilityTarget platform availability 99.9% for core APIs; incident disclosure via [email protected]; RTO/RPO documented in enterprise agreements.
Data subject rightsAccess, rectification, erasure, portability, and objection processed within statutory windows via [email protected].

Engineering teams integrating with Vegotron should treat personal data as sovereign assets: encrypt before persistence, zero sensitive buffers after use, and route all PII through validated schemas at the gateway boundary.

Layer 2 — Plain Language for Users

Your data belongs to you. Vegotron does not sell your personal information. We collect only what we need to run the platform, protect your account, and improve your experience — and we tell you why.

  • Encryption everywhere: Messages and sensitive content are protected so that only you and the people you choose can read them.
  • You stay in control: You can download your data, fix mistakes, or ask us to delete your account.
  • No hidden surveillance: We do not train third-party AI models on your private content without your clear permission.
  • Questions? Email [email protected] — a real person on our compliance team will respond.

SOVEREIGN LEADERSHIP ACKNOWLEDGMENT PREAMBLE

> *"Privacy is not a privilege — it is a right, a foundation, and a sovereign commitment."*

The Vegotron Privacy Architecture was conceived and engineered in alignment with the progressive digital visions of the following Heads of State and "Continue exactly from where you left off and finish the remaining directives."Sovereign Leaders:

LeaderOffice
H.E. President Abdel Fattah El-SisiPresident of the Arab Republic of Egypt
H.H. Sheikh Mohamed bin Zayed Al Nahyan (MBZ)President of the United Arab Emirates
H.H. Sheikh Mohammed bin Rashid Al Maktoum (MBR)Vice President and Prime Minister of the UAE · Ruler of Dubai
H.H. Sheikh Dr. Sultan bin Muhammad Al QasimiMember of the UAE Supreme Council · Ruler of the Emirate of Sharjah
H.M. King Salman bin Abdulaziz Al SaudKing of Saudi Arabia and Custodian of the Two Holy Mosques
H.R.H. Prince Mohammed bin Salman bin Abdulaziz Al Saud (MBS)Crown Prince and Prime Minister of Saudi Arabia

Their visions for an Arab digital renaissance, sovereign AI infrastructure, and the UAE's National AI Strategy 2031 are directly reflected in Vegotron's architectural choices — local inference, zero data export, hardware-anchored privacy, and post-quantum cryptography.


FOUNDER EXECUTION CLAUSE

This Privacy Policy, and the technical architecture it describes, was entirely designed and implemented by:

> Eng. Ahmed Ayman Saad Zaghloul Mahmoud > *Founder, Chief Architect, and Sole Owner — Vegotron L.L.C* > *Egyptian National · United Arab Emirates* > Contact: [email protected]


Contact

RoleEmail
Data Protection Officer[email protected]
Legal & Compliance[email protected]
Security Incidents[email protected]
General Support[email protected]
Terms Inquiries[email protected]
General Contact[email protected]
Platform Status[email protected]
Corporate Info[email protected]
Press & Media[email protected]
Founder[email protected]

1. Controller Identity

Vegotron® FZ-L.L.C ("Vegotron," "we," "us") is the Data Controller for all personal data processed through the Vegotron Platform across all supported delivery surfaces: iOS mobile, Android mobile, Web (browser), Windows desktop, Linux desktop, Spatial/XR/AR/VR, and the sovereign Command-Center administrative interface.


2. Sovereign Privacy Architecture

> Vegotron's privacy protection is not a legal wrapper applied after engineering — it is a zero-trust, hardware-anchored constraint woven into every layer of the stack.

2.1 Zero-Knowledge Hardware Isolation (Trusted Execution Environments)

Sensitive cryptographic operations execute inside Trusted Execution Environments (TEEs) — Intel SGX enclaves on server infrastructure; Apple Secure Enclave on iOS/macOS; Android StrongBox on qualified Android devices.

What this means for you:

  • The enclave executes in isolated memory that the host OS, hypervisor, and Vegotron engineers cannot read or modify.
  • Your private keys, biometric binding tokens, and decryption seeds are generated inside the enclave and never exist in unprotected memory.
  • Remote attestation allows your device to cryptographically verify that the enclave code matches exactly what Vegotron published — before any sensitive data is passed to it.

2.2 Decentralized Identity — W3C DIDs & Verifiable Credentials

Authentication is built on the W3C Decentralized Identifier (DID) specification combined with Ed25519 Verifiable Credentials (W3C VC Data Model 2.0).

Your DID (`did:vegotron:<hash>`) is derived from your device key pair — globally unique, self-sovereign, not controlled by Vegotron. You can rotate, revoke, or export your DID key at any time. If Vegotron ceases to exist, your data remains under your exclusive cryptographic control.

2.3 Edge Execution — WebAssembly Sandboxes

Compute-intensive operations run inside WebAssembly (Wasm) sandboxes on your device or within Vegotron's on-premises Wasm edge kernel. Your raw data never travels to a remote server for computation. When a Wasm task completes, its memory is zeroed and the sandbox destroyed.

2.4 Mesh Encryption — NATS JetStream + AES-256-GCM

All intra-mesh communication is encrypted with AES-256-GCM before NATS publication. Encryption keys are derived per-stream using HKDF with unique salts. Inter-service gRPC channels are additionally secured with mutual TLS 1.3 (mTLS).

2.5 Post-Quantum Cryptography

Vegotron deploys a hybrid post-quantum Key Encapsulation Mechanism — Kyber-768 paired with X25519 — protecting all session establishment against "harvest-now-decrypt-later" attacks (NIST FIPS 203). Digital signatures use Ed25519; password hashing uses Argon2id.

2.6 Memory Hygiene

All Go microservices enforce cryptographic memory zeroing (`defer security.Zero(&variable)`) on all sensitive byte slices and string variables immediately after use. Sensitive material is never swapped to disk, logged, or transmitted in diagnostics.


3. MEA Regional Compliance Framework

3.1 Egypt — PDPL No. 151/2020 & Supreme Cybersecurity Council

We comply with Egypt's Personal Data Protection Law No. 151 of 2020:

  • Explicit data subject consent with granular opt-in/opt-out; no implied consent.
  • Data minimization: only data strictly necessary for service delivery is collected.
  • Mandatory breach notification to the Egyptian Data Protection Center (EDPC) and affected users within 72 hours.
  • Supreme Cybersecurity Council standards applied to all infrastructure security controls.
  • Egyptian nationals' rights: access, correction, deletion, portability, and objection — all fulfilled within 30 days.
  • No transfer of Egyptian national data outside Egypt without equivalent legal protection in the destination jurisdiction.

3.2 Saudi Arabia — NCA ECC-1:2018 & Saudi PDPL

We comply with Saudi Arabia's PDPL (Royal Decree M/19, 1443H) and NCA Essential Cybersecurity Controls (ECC-1:2018):

  • All 29 NCA Essential Controls applied: identity management, data classification, network security, incident response, third-party security, physical security, and cloud security controls.
  • Saudi data subjects' rights: access, correction, and deletion within 30 days of verified request.
  • Designated Data Protection Officer (DPO) for all operations touching Saudi personal data.
  • Saudi user data not transferred outside KSA without equivalent legal protection.
  • NCA Cybersecurity Policies for National Critical Information Infrastructure (NCII) aligned.

3.3 UAE — DESC, SIA, and Federal PDPL

Primary jurisdiction. Our UAE compliance includes:

  • DESC Cybersecurity Framework — all application, network, and endpoint security controls benchmarked to DESC standards.
  • SIA (Security Industry Regulatory Agency) — secure technology operations within UAE certified.
  • Federal Law No. 45/2021 (PDPL) — lawful processing, data subject rights, DPO, 72-hour breach notification.
  • Federal Law No. 34/2021 (Cybercrime Law) — zero-tolerance enforcement; forensic-grade incident logging.
  • Cloudflare UAE-edge routing; no user data unnecessarily routed outside the region.

3.4 ISO/IEC 27001:2022 — Information Security Management

  • Documented ISMS governing all security operations with quarterly risk assessments.
  • Physical, logical, and network access controls across all infrastructure tiers.
  • Supplier security assessments required for all third-party services.
  • Internal audit cycle with defined remediation timelines.

3.5 ISO/IEC 27701:2019 — Privacy Information Management

  • PII controller and processor obligations documented and enforced.
  • Privacy Impact Assessments (PIAs) for all new features processing personal data.
  • Automated data retention minimization schedules with cryptographic deletion verification.
  • Contractual privacy protections for all third-party data processors.

4. Multi-Platform Permission Manifest

4.1 iOS (Apple App Store)

PermissionUsageStore Privacy Label
CameraSpatial/AR depth, TEE biometric loginData Not Collected
Face ID / Touch IDSecure Enclave authenticationData Not Collected
Local NetworkLAN-local sovereign mesh discoveryData Not Linked to You
Push NotificationsReal-time alerts (E2E encrypted payloads)Data Not Linked to You
MicrophoneVoice messaging, live roomsData Not Collected
Photo Library (read)User-selected media upload onlyData Linked to You (selected media)

4.2 Android (Google Play Data Safety)

PermissionUsageData Shared?
`CAMERA`AR/spatial depth, biometric (StrongBox)No
`USE_BIOMETRIC`StrongBox-bound authenticationNo
`INTERNET`Platform connectivityEncrypted only
`POST_NOTIFICATIONS`Push alerts (encrypted)No
`RECORD_AUDIO`Voice messaging, live roomsNo
`READ_MEDIA_IMAGES`User-selected uploadsOnly selected files

4.3 Web, Windows, Linux, Spatial/XR

Standard browser APIs (WebSocket, WebRTC, WebAssembly, getUserMedia) used under explicit user consent. Full permission manifest in Terms §5. Spatial depth sensors (LiDAR) processed locally; no depth data transmitted.

Live WebRTC + gifts (v1.0.943): When you join a live room as viewer or broadcaster, session metadata (room ID, participant role, signaling health) is processed to establish WebRTC via the SFU (`rtc-service` :3010). Virtual gift sends record sender/receiver IDs, gift type, and amount in the ledger; gift animations are pushed to viewers in real time — we do not sell this telemetry to advertisers.

4.4 Network Port Disclosure

The Vegotron Platform uses the following network ports:

Port RangeProtocolPurpose
`:3000`HTTPS / TLS 1.3Main API Gateway — single external entry point
`:3001–:3079`gRPC-web / mTLS 1.3Secure cross-node multiplexing — internal mesh
`:3100`HTTPSPublic Web Client (Next.js SSR)
`:3200`HTTPSCommand-Center HUD (admin-only)
`:3010`HTTPS / WebRTCRTC SFU — live viewer/broadcaster signaling
`:3201`HTTPSMesh Skin consumer interface
`:3300`HTTPSFounder Portfolio (ahmedzaghloul.vegotron.com)
`:3443`HTTPS/3 QUICHTTP/3 ultra-low latency
`:8085`WSSReal-time state sync — HUD telemetry, feed
`:50051/:50071`gRPC / mTLSAI inference gRPC channels

All ports above `:3001` on the catalog mesh are internal-only and not reachable from the public internet.


5. Universal Accessibility Engine — Privacy Commitment

Vegotron's Universal Accessibility Engine (`core/services/omni-inclusion-engine`) provides groundbreaking privacy-first support for users with disabilities:

  • Deaf & Hard-of-Hearing: Sign language gesture recognition executed entirely on-device via MediaPipe and Core ML. No gesture frames transmitted to servers.
  • Mute / Speech-Impaired: Text-to-speech and voice command interpretation executed locally via Piper TTS and Whisper.cpp on-device model. Audio never transmitted.
  • Visually Impaired / Blind: Screen reader integration (VoiceOver, TalkBack, NVDA) combined with Vegotron's visual-to-text AI description engine operating locally. No visual data leaves the device.
  • Haptic Feedback Engine: Rich haptic patterns delivered via OS haptic APIs — no haptic profile transmitted.

All accessibility features process sensitive sensory data exclusively on-device. Accessibility preferences are encrypted and stored only in the user's personal Sovereign Vault.


6. Data We Collect

6.1 Account & Identity Data

  • DID-linked display name, email address, and Argon2id-hashed credential.
  • Optional: profile photo, biography, city-level location (voluntarily provided).
  • Device attestation token (TEE-generated; non-reversible to hardware identity).

6.2 Communications Data

  • Direct messages: end-to-end encrypted by default. Vegotron holds no decryption key.
  • Feed posts and reactions you choose to make public.
  • Live-room session metadata (timestamps, participant counts — no media recording without consent).

6.3 Technical Data

  • IP address: retained 7 days for abuse prevention, then irrecoverably discarded.
  • Session tokens: short-lived JWT (15-minute access window), zeroed on logout.
  • Device type and OS version: retained for compatibility rendering only.
  • Performance telemetry: anonymised CPU/memory metrics — no content, no PII.

6.4 Spatial & Biometric Data

  • ARKit LiDAR depth grids: processed locally for SMPL-X avatar binding. Never transmitted.
  • Biometric templates: stored exclusively in Secure Enclave / StrongBox TEE. Vegotron never receives raw biometric material.

6.5 Financial Data

  • Marketplace transactions in an immutable double-entry audit ledger (SHA-256 hashes).
  • Wallet balances encrypted with your account key.
  • Payment instrument details never stored by Vegotron — PCI-DSS certified processors.

6.6 AI Interaction Data

  • Prompt content: processed locally or on-premises. Not stored, not logged, not used for training.
  • Session metadata: retained maximum 24 hours, then auto-deleted.

7. How We Use Your Data

PurposeLegal BasisRetention
Account creation and DID-linked authenticationContractual necessityDuration of account + 30 days
Platform service deliveryContractual necessityDuration of account
Security monitoring and abuse preventionLegitimate interest90 days
Financial transaction recordsLegal obligation7 years
Platform diagnostics (anonymised)Legitimate interest7 days raw / 12 months aggregate
Regional regulatory complianceLegal obligationAs required by applicable law

We do not: sell your data, share it with advertisers, use it to train external AI models, or profile you for third-party marketing.


8. Data Sharing — Near-Zero Model

We share data only in the following strictly limited circumstances:

  • With you: Full portable export on request within 30 days.
  • Legal obligations: Court orders or regulatory demands from UAE, KSA, or Egyptian authorities, with mandatory transparency reporting where law permits.
  • Security incidents: With cybersecurity authorities when a breach creates statutory notification obligations.
  • Business transfers: Only to a successor entity with equivalent or stricter privacy obligations.

We never share data with: social media platforms, data brokers, advertising networks, analytics vendors, AI training companies, or any third party for commercial gain.


9. AI Sovereignty

9.1 Vegotron's AI inference pipeline runs exclusively on Ollama-powered local models on Vegotron-controlled on-premises hardware. No User query or content is transmitted to any external AI API.

9.2 AI interaction logs are ephemeral: RAM-only, never flushed to persistent storage, auto-wiped when the inference session terminates.

9.3 No AI-generated behavioral profile, psychographic model, or interest graph is constructed from your activity.


10. Security Architecture

10.1 Cryptographic Standards

LayerStandard
Data at restAES-256-GCM
Data in transitTLS 1.3 minimum, HSTS enforced, HTTP/3 QUIC available
Inter-service meshAES-256-GCM over NATS JetStream + mTLS 1.3 gRPC
Real-time mediaDTLS-SRTP
Post-Quantum (hybrid)Kyber-768 + X25519 hybrid KEM (NIST FIPS 203)
Digital signaturesEd25519
Password hashingArgon2id
Audit log integrityMerkle-tree signed, tamper-evident
Memory zeroing`defer security.Zero()` on all sensitive byte slices

10.2 Access Control

  • Zero-trust network access (ZTNA) for all inter-service communication.
  • mTLS 1.3 mandatory for all gRPC microservice channels.
  • Principle of least privilege across the full microservice fleet.
  • Cloudflare Tunnel with zero-trust access — no public server IPs exposed.

10.3 Incident Response

  • Security incidents logged to an immutable, cryptographically signed Merkle-tree audit ledger.
  • Breaches reported to relevant authorities and affected users within 72 hours of confirmed detection.
  • Crash logs written with admin digital alerts; zero PII in crash logs.
  • Simultaneous breach notifications to UAE Data Office, DESC, and applicable KSA/Egypt authorities.

11. Your Rights

Under UAE PDPL, Saudi PDPL, Egypt PDPL, EU GDPR (where applicable), and Vegotron's own commitments:

RightHow to ExerciseTimeline
AccessAccount Settings → Data Export, or [email protected]30 days
RectificationAccount Settings — direct editImmediate
ErasureAccount Settings → Delete Account · privacy.vegotron.com User Sovereignty Hub (posts · comments · media · music · streams · podcasts · emails) · or [email protected]30 days (sector deletes immediate where self-service)
PortabilityMachine-readable JSON/ZIP export via User Sovereignty Hub or [email protected]30 days
Objection[email protected]72 hours acknowledgement
Withdraw ConsentAccount SettingsImmediate, no penalty
DID Key RotationAccount Settings → Identity → Rotate KeySelf-service, immediate

11.1 User Sovereignty Hub (v1.0.963)

The privacy.vegotron.com User Sovereignty Hub provides self-service controls aligned with Meta Download Your Information, Google Takeout, and Apple Privacy Report parity:

  • Content erasure: Persistent soft-delete for posts, comments, and media (content-service); music tracks, live streams, and podcast shows (vego-live-stream); email messages (vego-mail-engine).
  • Data export: Machine-readable portability package (JSON/ZIP) via compliance-service with gateway download proxy.
  • Storage purge: Client-side cache, cookies, bookmarks, and telemetry buffers — user-initiated only.

Sector deletes propagate through the API Gateway (`POST /api/v1/sovereignty/content/delete`) with audit logging. Tombstoned records are excluded from catalog APIs within 24 hours.


12. Children's Privacy

The Platform is not directed at individuals under 18. We do not knowingly collect personal data from children. Contact [email protected] to report any child data, deleted within 48 hours.


13. International Data Transfers

Personal data is stored and processed within UAE-based infrastructure. Technical support outside the UAE is governed by binding contractual protections equivalent to or exceeding GDPR Standard Contractual Clauses (SCCs), restricted to read-only, time-limited, audited sessions. Egyptian and Saudi user data is subject to additional restrictions per applicable national law.


14. Retention Schedule

Data CategoryRetention Period
Account & DID identity dataDuration of account + 30 days post-deletion
End-to-end encrypted messagesDevice-stored; server-side metadata: 90 days
Security / abuse logs90 days
Financial transaction records7 years (UAE Commercial Law)
AI inference logsMaximum 24 hours
Platform telemetry (anonymised)12 months
Crash reports (no PII)30 days
IP addresses7 days
Accessibility preferencesEncrypted in Sovereign Vault; duration of account

15. Changes to This Policy

Material changes communicated with at least 14 days' notice via Platform notification and registered email. Full version history available on request via [email protected].


16. Supervisory Authorities

JurisdictionAuthority
UAEUAE Data Office · Dubai Electronic Security Center (DESC)
Saudi ArabiaNational Cybersecurity Authority (NCA) · SDAIA
EgyptEgyptian Data Protection Center (EDPC) · Supreme Cybersecurity Council
EU (where applicable)Relevant national Data Protection Authority

*Vegotron® FZ-L.L.C · Sharjah, United Arab Emirates · +971 555 206 302 · [email protected]* *Last reviewed: July 12, 2026 | v3.0.18 (v1.0.963-User-Sovereignty-Omnibus-Delete) | ISO/IEC 27001:2022 · ISO/IEC 27701:2019 · UAE PDPL · Saudi Arabia PDPL · Egypt PDPL No. 151/2020 · NCA ECC-1:2018 · DESC-compliant · SIA-compliant · GDPR-aligned · Apple App Store · Google Play · Microsoft Store*

Go HomeAboutPortfolioPrivacy PolicyTerms of Service