Privacy Policy
Last updated: April 13, 2026
1. Introduction
Vendub (“we,” “our,” or “us”) is a multi-tenant vendor management platform operated from Houston, Texas, United States. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you access or use the Vendub platform, website, and any related services (collectively, the “Service”).
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organization, you confirm that you have the authority to accept this Privacy Policy on behalf of that organization.
This Privacy Policy is incorporated into and subject to our Terms of Service. Capitalized terms not defined in this Privacy Policy have the meanings given to them in the Terms of Service.
2. Information We Collect
2.1 Information You Provide to Us
Account Information: When you create an account, we collect your full name, email address, and password. Your password is cryptographically hashed before storage and is never stored or accessible in plain text.
Organization Information: When you create an organization, we collect the organization name and your configuration preferences (such as vendor categories). When you invite team members, we process their email addresses and assigned roles.
Vendor Data: Data you and your team enter into the Service, including vendor records (name, description, phone, website), vendor contacts (name, email, phone, job title), reviews and ratings, tags, and categories. This data is owned by your organization.
Import Data: If you use the bulk import feature, we process the Excel files you upload to create or update vendor records. Uploaded files are processed server-side and are not retained after processing is complete.
Communications: If you contact us for support or provide feedback, we collect your name, email address, and the content of your message.
2.2 Information Collected Automatically
Analytics Data: We use Vercel Analytics to collect anonymized page view data, including pages visited, referral sources, and general device and browser information. Vercel Analytics is privacy-friendly and does not use cookies or collect personally identifiable information.
Performance Data: We use Vercel Speed Insights to collect Core Web Vitals and page load performance metrics. This data is used solely to monitor and improve Service performance and does not include personally identifiable information.
Server Logs: Our hosting infrastructure automatically records standard server log information, which may include your IP address, browser type and version, operating system, referring URL, pages visited, and timestamps. This data is used for security monitoring, abuse prevention, and debugging.
2.3 Information We Do Not Collect
We do not collect or process any of the following:
- Biometric data
- Geolocation data (precise GPS coordinates)
- Financial account numbers or payment card details (these are handled exclusively by Paddle, our payment processor)
- Data from advertising networks or social media tracking pixels
- Information from children (see Section 10)
3. Cookies and Similar Technologies
We use a minimal set of cookies and browser storage technologies that are essential to the operation of the Service. We do not use advertising cookies, tracking cookies, or third-party marketing cookies.
Authentication Cookies: We use secure, httpOnly cookies managed by Supabase Auth to maintain your login session. These cookies are essential for the Service to function and cannot be disabled while using the Service.
PKCE Code Verifier: A temporary cookie used during authentication flows (such as password reset) as part of Proof Key for Code Exchange (PKCE, RFC 7636), an extension of the OAuth 2.0 authorization code flow that binds the final code exchange to the browser session that started the flow. This cookie is automatically removed after the authentication flow completes.
Theme Preference: We use browser localStorage (not a cookie) to store your display theme preference (light, dark, or system). This data never leaves your device.
Because we use only essential, functional cookies and do not employ any advertising or non-essential tracking technologies, we do not currently display a cookie consent banner. If we introduce non-essential cookies in the future, we will implement an appropriate consent mechanism before doing so.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To provide, operate, and maintain the Service, including authenticating your identity, managing your account, processing data imports and exports, and delivering the features you use.
- Organization management: To process invitations, manage team memberships and roles, and enforce plan-based feature limits.
- Communications: To send transactional emails necessary for the operation of the Service, including account confirmation, password resets, team invitations, and billing notifications.
- Security and abuse prevention: To detect, investigate, and prevent unauthorized access, fraud, abuse, and other harmful activities.
- Service improvement: To analyze anonymized usage patterns and performance data to improve the Service, fix bugs, and develop new features.
- Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
We do not sell your personal information. We do not use your personal information for advertising, profiling, or automated decision-making. We do not share your data with advertising networks, data brokers, or any third party for their own marketing purposes.
5. How We Share Your Information
5.1 Within Your Organization
Your name, email address, and role are visible to other members of organizations you belong to. Reviews you submit, including your display name and rating, are visible to other members of your organization. Organization owners and admins can see all member information for their organization.
5.2 Third-Party Service Providers
We share your information with the following third-party service providers who process data on our behalf to operate the Service. Each provider processes only the data necessary for its specific function:
| Provider | Purpose | Data Shared | Location | Role |
|---|---|---|---|---|
| Supabase | Database, authentication, real-time updates | All account, organization, and vendor data; auth credentials | US (AWS) | Processor |
| Vercel | Hosting, serverless functions, analytics, performance monitoring | Request logs, IP addresses, anonymized analytics, performance metrics | Global (US primary) | Processor |
| Paddle | Payment processing, invoicing, tax compliance (MoR) | Billing email, payment method details, transaction history | UK/EU | Independent Controller |
| Resend | Transactional email delivery | Recipient email addresses, email content | US | Processor |
| Cloudflare | DNS, CDN, DDoS protection | Request routing data, IP addresses | Global | Processor |
Important note regarding Paddle: Paddle.com Market Limited operates as the Merchant of Record for all paid transactions. When you purchase a subscription, Paddle acts as an independent data controller for your payment and billing information, not merely a processor acting on our behalf. Paddle collects and processes your payment details directly under Paddle's own privacy policy. We do not receive, store, or have access to your full payment card details.
5.3 Legal Disclosures
We may disclose your information if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request
- Enforce our Terms of Service or investigate potential violations
- Detect, prevent, or address fraud, security issues, or technical problems
- Protect the rights, property, or safety of Vendub, our users, or the public as required or permitted by law
5.4 Business Transfers
If Vendub is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice within the Service of any change in ownership or use of your personal information, as well as any choices you may have regarding your information.
5.5 With Your Consent
We may share your information for purposes not described in this Privacy Policy if we have obtained your explicit consent to do so.
6. Data Storage and Security
We implement commercially reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Tenant isolation: All organization data is isolated at the database level through PostgreSQL Row Level Security (RLS) policies scoped to each organization. A user can only access, query, or modify data belonging to organizations of which they are a member; data belonging to any other organization is not visible to them.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Encryption at rest: Database storage is encrypted at rest through our infrastructure provider (Supabase/AWS).
- Authentication security: Passwords are cryptographically hashed using industry-standard algorithms. Authentication tokens (JWTs) have automatic expiration. Service-level credentials are stored securely server-side and are never exposed to client applications.
- Webhook verification: Inbound webhooks from third-party services (such as Paddle) are verified using HMAC-SHA256 signature validation.
While we take reasonable precautions to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:
- Active accounts: Account and organization data is retained for as long as your account remains active and the organization exists.
- Account deletion: When you delete your account, your personal account information is removed from our active systems within 30 days. Reviews you authored are anonymized (attributed to “Deleted user”) to preserve organizational data integrity.
- Organization deletion: When an organization is deleted by its owner, all associated data is permanently removed from active systems within 30 days.
- Backups: Residual copies of deleted data may persist in encrypted backups for a limited period as part of standard infrastructure practices. These backups are overwritten in the normal course of backup rotation and are not used to restore individual records after deletion.
- Billing records: Transaction history and billing records processed by Paddle are retained by Paddle in accordance with Paddle's own data retention policies and applicable tax and accounting regulations.
- Server logs: Standard server logs containing IP addresses and request data are retained by our hosting provider (Vercel) in accordance with their data retention practices.
8. Your Rights
Depending on your location and applicable law, you may have some or all of the following rights regarding your personal information:
8.1 General Rights (All Users)
- Access: You can view your account information, organization data, and vendor data directly within the application at any time.
- Correction: You can update your name, email, and other account information through your account settings.
- Deletion: You can delete your account at any time through the application. Organization owners can delete their organization and all associated data.
- Data portability: You can export your organization's vendor data at any time in a standard Excel format. Export is available on all plans, including the Free tier.
8.2 Rights for EEA and UK Residents
If you are located in the EEA or UK, we process your personal data on the following legal bases: (a) performance of our contract with you; (b) our legitimate interests (security, abuse prevention, service improvement), where those interests are not overridden by your rights; and (c) compliance with legal obligations. You also have additional rights under the GDPR and UK GDPR, including:
- Right to restrict processing: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to object: You may object to our processing of your personal data based on our legitimate interests.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
- Data Processing Agreements: We are prepared to enter into Data Processing Agreements (DPAs) with organizations that require them for GDPR compliance. Please contact us to request a DPA.
8.3 Rights for California Residents
If you are a California resident, you have additional rights under the CCPA and CPRA:
- Right to know: You may request information about the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
- No sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
8.4 Rights for Texas Residents
If you are a Texas resident, you may have additional rights under the Texas Data Privacy and Security Act (TDPSA), including the right to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. We do not engage in any of these activities.
8.5 Exercising Your Rights
You can exercise most of your data rights directly through the application (account settings, data export, account deletion). For rights not available through the application, or to submit a formal request, please contact us at the email address provided in Section 14. We will respond to verifiable requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling your request.
9. International Data Transfers
Vendub is operated from the United States. Your data is primarily stored and processed in the United States through our infrastructure providers (Supabase on AWS, Vercel). Some of our service providers may store or process data in other jurisdictions.
If you are located outside the United States, including in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, please be aware that your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the EEA and UK, we rely on the following transfer mechanisms as applicable: (a) adequacy decisions by the European Commission or UK government; (b) Standard Contractual Clauses (SCCs) approved by the European Commission; and (c) our service providers' compliance frameworks and data protection commitments. Paddle, as an independent controller based in the UK/EU, processes billing data within its own compliance framework.
By using the Service, you acknowledge that your data will be processed in the United States and potentially other jurisdictions as described in this section.
10. Children's Privacy
The Service is designed for use by businesses and professionals. It is not intended for use by individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal information from children or minors.
If we become aware that we have inadvertently collected personal information from a person under 18, we will take prompt steps to delete such information from our systems. If you believe that a minor has provided us with personal information, please contact us immediately at the email address provided in Section 14.
11. Data Breach Notification
In the event of a data breach that affects your personal information, we will take the following steps:
- Investigate the breach promptly and take steps to contain and remediate it
- Assess the risk of harm to affected individuals
- Notify affected users by email without undue delay, and within any timeframe required by applicable law
- Notify relevant supervisory authorities as required by applicable law (under the GDPR, generally within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals)
- Provide information about the nature of the breach, the data affected, the steps we are taking, and recommendations for how you can protect yourself
We maintain internal procedures for identifying, reporting, and managing personal data breaches.
12. Do Not Track Signals
Some browsers transmit “Do Not Track” (DNT) signals. Because there is no industry-standard interpretation of DNT signals, the Service does not currently respond to DNT signals. However, as described in this Privacy Policy, we do not engage in tracking users across third-party websites for advertising purposes.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. For material changes, we will provide at least 30 days' prior notice via email to the address associated with your account and/or through a prominent notice within the Service.
We will update the “Last updated” date at the top of this Privacy Policy when changes are made. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you should discontinue use of the Service and may delete your account.
We encourage you to review this Privacy Policy periodically for any updates.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: support@vendub.com
For requests related to your data rights under GDPR, CCPA, TDPSA, or other applicable privacy laws, please include “Privacy Rights Request” in the subject line of your email so we can route your request appropriately.
For billing and payment-related privacy inquiries, please note that Paddle.com Market Limited is the Merchant of Record and an independent data controller for your payment information. You may contact Paddle directly through the information provided in your transaction receipts or on Paddle's website.