Privacy Policy

1. Information We Collect

We collect information you provide directly when creating an account, placing orders, or contacting support. This includes name, email address, phone number, company name, billing address, and shipping address.

We also collect payment information processed through our third-party payment processor, Stripe. VendorX does not store full credit card numbers or bank account details on our servers.

• ✓Account registration data (name, email, company)
• ✓Order and transaction records
• ✓Usage analytics and platform interaction data
• ✓Device and browser information collected automatically
• ✓Cookies and similar tracking technologies

2. How We Use Information

We use collected information to operate, maintain, and improve the VendorX Platform. Specific uses include:

• ✓Processing orders and fulfilling transactions
• ✓Billing and platform licensing fees
• ✓Providing customer support and responding to inquiries
• ✓Sending transactional notifications (order confirmations, shipping updates)
• ✓Analyzing platform usage to improve features and performance
• ✓Enforcing our Terms of Service and preventing fraud
• ✓Complying with legal obligations

3. Data Isolation

VendorX is a multi-tenant platform. Each tenant operates in an isolated data environment enforced through four independent layers: (1) Entity Framework Core query filters at the application layer scope every database query to the authenticated tenant, (2) a per-request tenant-scoped PostgreSQL session variable anchors the connection-level tenant context, (3) a database-command verification interceptor fails closed if tenant context is not set on the connection, and (4) PostgreSQL Row-Level Security policies enforced on every tenant-scoped table reject any query or write whose tenant context does not match the row. Tenant data is never commingled, shared across tenants, or accessible to other tenants.

A failure in any single layer does not silently defeat the others. Cross-tenant data access is architecturally prevented at the database, not merely restricted by application logic. Technical detail and the AICPA SOC 2 TSC CC6.1 control mapping are published at /trust-center/tenant-isolation.

4. Third-Party Services

We share information with third-party service providers only as necessary to operate the platform. These providers are contractually obligated to protect your data and use it only for the services they provide to us.

• ✓Stripe — payment processing and billing
• ✓ShipStation — shipping label generation and carrier rate shopping
• ✓Sentry — error tracking and application monitoring
• ✓Azure — cloud hosting and infrastructure
• ✓HetrixTools — uptime monitoring (anonymous HTTP probes against public health and storefront routes; no personal data captured in current configuration)

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. When you request account deletion, we remove personal data within 30 days, except where retention is required by law (e.g., tax records, transaction history).

Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics and platform improvement purposes.

6. Cookies & Tracking Technologies

VendorX uses cookies and similar technologies on our public marketing site and within the platform application. We categorize these as follows:

• ✓Strictly Necessary — Required for platform operation, authentication, and security (e.g., session tokens, CSRF protection, tenant routing). These cannot be disabled.
• ✓Functional — Remember your preferences and settings (e.g., theme, language, last-used views). These enhance your experience but are not required for core functionality.
• ✓Analytics — Help us understand how the platform is used so we can improve features and performance (e.g., Sentry for error tracking and performance monitoring). These are anonymized and never used for advertising.

6.1. Cookies We Do Not Use

VendorX does not use advertising, retargeting, or third-party marketing cookies. We do not sell or share cookie data with advertisers. We do not participate in cross-site tracking networks.

7. Security

We implement industry-standard security measures to protect your data:

• ✓OAuth 2.0 / OpenID Connect authentication with JWT bearer tokens
• ✓TLS encryption for all data in transit
• ✓AES-256 encryption for data at rest, enforced today by Azure Database Transparent Data Encryption with Microsoft-managed keys; customer-managed keys (BYOK) on our near-term roadmap
• ✓Role-based access control (RBAC) with five permission levels
• ✓Regular security audits and vulnerability assessments

8. Your Rights

Depending on your jurisdiction, you may have rights under applicable data protection laws, including the GDPR (EU) and CCPA (California). These rights may include:

• ✓Right to access your personal data
• ✓Right to correct inaccurate data
• ✓Right to delete your personal data
• ✓Right to data portability (export your data)
• ✓Right to opt out of data sales (we do not sell personal data)
• ✓Right to non-discrimination for exercising your rights

9. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

VendorX (Joseph Bermudez d/b/a VendorX, a Florida sole proprietorship; transitioning to VendorX Technologies LLC upon formation) — privacy@vendorxpro.com