PRIVACY POLICY

Last Updated: February 26, 2026

1. Introduction

Venderly ("we," "us," or "our") provides a procurement onboarding platform. This Privacy Policy explains how we process personal data from our customers (business users) and their vendors. We act as a Data Controller for our own business data and a Data Processor when handling vendor data on behalf of our customers.

2. Information We Collect

We collect data necessary to facilitate business-to-business procurement:

  • Account Data: Name, business email, job title, and authentication credentials.
  • Vendor Compliance Data: Tax IDs, insurance certificates, diversity certifications, and banking details provided by vendors.
  • Technical Data: IP addresses, device identifiers, and usage/security logs generated by our application infrastructure and analytics tooling, including Vercel-hosted services.
  • Communication Data: Records of support tickets, invitation workflows, and onboarding correspondence.

3. Legal Bases for Processing (UK & EU)

In accordance with the GDPR and the UK Data Use and Access Act (DUAA), we process data under:

  • Contractual Necessity: To provide the Venderly service to you.
  • Legitimate Interests: To improve our platform, ensure cybersecurity, and prevent fraud in the procurement process.
  • Legal Obligation: To comply with tax, anti-money laundering (AML), and "Know Your Vendor" (KYV) regulations.

4. US State Privacy Disclosures (CCPA/CPRA & Others)

For residents of California, Virginia, and other US states with active privacy laws:

  • No Sale of Data: We do not "sell" personal information for monetary value.
  • Targeted Advertising: We do not "share" data for cross-contextual behavioural advertising.
  • Sensitive Information: We limit the use of sensitive data (such as Tax IDs and banking details) to vendor verification, compliance, and payment operations.
  • Global Privacy Control (GPC): Our website is configured to recognise and honour GPC signals from your browser as a valid opt-out request where required by applicable law.

5. International Data Transfers

Venderly uses third-party infrastructure providers, including Vercel (application hosting), Neon (managed PostgreSQL), Cloudflare R2 (S3-compatible object storage), Stripe (payments), and Resend (transactional email).

  • EU/UK to US: Where personal data is transferred from the EU/UK to the US, we rely on the EU-U.S. Data Privacy Framework (DPF) and the UK Extension where applicable.
  • Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use the 2021 European Commission SCCs (or UK-approved equivalents) to protect transferred data.

6. Data Retention & Security

  • Security: We apply role-based access controls, encryption in transit, and encryption at rest through our infrastructure providers, and maintain technical and organisational safeguards designed to protect procurement data.
  • Retention: We retain data for the duration of your subscription plus up to 7 years where required to meet statutory audit, accounting, and legal obligations.

7. Your Rights

Regardless of your location, Venderly provides a unified process to exercise your rights:

  • Access & Portability: Request a copy of your data in a machine-readable format.
  • Correction & Deletion: Update inaccurate data or request deletion, including "the right to be forgotten" where applicable.
  • Right to Complain (UK 2026 Update): UK users may complain directly to us, and we will acknowledge receipt within 30 days.

8. Contact Us & DPO

If you have questions regarding your data or wish to exercise your rights, please contact:

Privacy Team / Data Protection Officer

Email: privacy@venderly.co.uk

Address: [Insert Your Registered Business Address]