Privacy Policy

1. Introduction

Vendably ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our commerce intelligence platform ("Service").

By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, company name, and password when you create an account.
• Billing Information: Payment card details processed securely through our payment provider (Stripe). We do not store your full card details on our servers.
• Product Data: Product information you import into the Service, including titles, descriptions, prices, images, and other attributes.
• Communications: Information you provide when contacting us through the contact form, email, or support channels.

2.2 Information Collected Automatically

• Usage Data: How you interact with the Service, including pages viewed, features used, and actions taken.
• Device Information: Browser type, operating system, device type, and screen resolution.
• Log Data: IP address, access times, and referring URLs.
• Cookies: Small data files stored on your device to enhance your experience and provide analytics.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process transactions and send related information
• Send administrative messages, updates, and security alerts
• Respond to your comments, questions, and support requests
• Monitor and analyse usage patterns to improve user experience
• Detect, prevent, and address technical issues and fraud
• Comply with legal obligations

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: Third-party companies that help us operate the Service (e.g., hosting providers, payment processors, email and messaging services).
• Channel Partners: When you distribute product feeds, the data you choose to distribute is shared with your selected marketing channels.
• Legal Requirements: When required by law, regulation, or legal process.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.

4.1 Named sub-processors and third parties

The following organisations process personal data on our behalf or receive it as part of delivering the Service.

Stripe (billing)

Stripe, Inc. handles payment card processing and subscription billing. We pass your payment details directly to Stripe and do not store full card numbers on our servers. Stripe's privacy policy is at stripe.com/privacy.

Brevo (transactional email and SMS)

Brevo (Sendinblue SAS, headquartered in Paris, France) delivers transactional email and transactional SMS on our behalf.

Email: Brevo sends account notifications, security alerts, and billing communications to your registered email address. We pass your email address, your name, and the message content to Brevo for this purpose.

SMS: If you add and verify a phone number in Account, Brevo may deliver the following categories of SMS to that number:

• Security alerts: notifications of a new sign-in from an unrecognised device or location, and any multi-factor authentication codes if SMS-based MFA is enabled on your account.
• Billing-critical alerts: a final-notice SMS before your account is suspended for a missed payment.

We do not send marketing SMS. Ever.

What Brevo receives for each SMS: your verified phone number, the message text, and a tag identifying the message category (security or billing). What Brevo retains: message content for up to 30 days; delivery-status metadata (such as whether the message was delivered) for up to 90 days.

Legal basis for SMS: legitimate interest (security alerts, to protect your account) and contractual necessity (billing-critical alerts, which are part of the subscription agreement).

You can disable either SMS category at any time in Account, Notifications. Removing your verified phone number disables all SMS from Vendably and clears the number from our records.

Brevo's data processing terms are published as part of their Terms of Service (Annex 2, Data Processing Agreement). Brevo is EU-headquartered; your data is processed within the EEA.

Browser Push Services (web push notifications)

If you opt in to web push notifications in Account, Notifications, your browser delivers those notifications via its vendor's Push Service. Depending on your browser, that service is operated by one of the following:

• Google (Chrome, Edge): Firebase Cloud Messaging / Web Push. Google Privacy Policy.
• Mozilla (Firefox): Mozilla autopush. Firefox Privacy Notice.
• Apple (Safari): Apple Push Notification service. Apple Privacy Policy.

These Push Services are third parties, not sub-processors: they receive the minimum information needed to route a notification to your browser, but they cannot read the notification content. Push payloads are end-to-end encrypted using VAPID and your browser's own keys before they leave our servers; the Push Service routes by an opaque endpoint URL your browser generated and holds the encrypted payload only until your browser collects it.

What the Push Service sees: the routing endpoint and the encrypted (unreadable) payload. What Vendably stores: the routing endpoint URL, your browser's public encryption keys, a device label you set (for example "Work laptop"), and your browser's user-agent string.

We send push notifications in the following categories:

• Security alerts: a connection being revoked.
• Operational alerts: feed quality issues and SKU usage warnings.
• Billing-critical alerts: final notice before account suspension.

We do not send marketing push notifications.

Legal basis: consent (you grant permission via your browser's native prompt, which we trigger only from the opt-in toggle in Account, Notifications) plus your per-category preferences in the same settings page.

You can revoke push notifications per browser in Account, Notifications, or at any time via your browser's own notification settings. Revoking in-browser or at the operating-system level immediately prevents delivery.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. We will retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

Product data is retained for 30 days after account deletion. You may request earlier deletion by contacting us.

6. Data Security

We implement appropriate technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Regular security assessments and audits
• Access controls and authentication mechanisms
• Employee training on data protection practices

7. Your Rights

Under applicable data protection laws (including GDPR and UK GDPR), you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate personal data.
• Erasure: Request deletion of your personal data.
• Restriction: Request restriction of processing of your personal data.
• Portability: Request transfer of your personal data in a structured format.
• Objection: Object to processing of your personal data.
• Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise these rights, please contact us.

8. Cookies

We use cookies and similar technologies to:

• Keep you signed in to your account
• Remember your preferences and settings
• Understand how you use the Service
• Improve the Service based on usage patterns

You can control cookies through your browser settings. Disabling certain cookies may limit your ability to use some features of the Service.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses approved by the relevant authorities.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending an email to your registered address. We encourage you to review this policy periodically.

12. Contact

If you have questions about this Privacy Policy or our data practices, please contact us.