Privacy Policy

Vendise Inc. ("Vendise," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, use our mobile applications, or access any of our services (collectively, the "Platform").

By using the Platform, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Platform.

If you have any questions about this Privacy Policy, please contact us at admin@vendise.com.

We collect the following categories of personal information:

a) Account Information (All Users)

• First and last name
• Email address
• Phone number (optional)
• Profile picture (if uploaded)
• Password (encrypted and managed by AWS Cognito)

b) Buyer Information

• Shipping addresses (full name, street address, city, province/state, postal/ZIP code, country, phone, email)
• Payment method details (last four digits and card brand only — full card data is processed by Stripe and never stored on Vendise servers)
• Order history, return history, and transaction records
• Product reviews and ratings
• Favorite products and watchlist items
• Coupon usage

c) Seller Information (via Stripe Connect KYC)

• Legal full name and date of birth
• Last four digits of Social Security Number (SSN) or Social Insurance Number (SIN)
• Full residential address
• Job title and business category
• Bank account and routing numbers (for payout processing)
• Store name, description, business email, and logo
• Product listings, inventory, and sales data

Note: Sensitive seller financial information (SSN/SIN, bank details) is collected and processed directly by Stripe under their privacy policy. Vendise does not store full SSN/SIN or bank account numbers on our servers.

d) Authentication Data

• Email and password credentials (managed securely by AWS Cognito)
• Social login tokens when authenticating via Google, Facebook, or Apple
• Session tokens stored in secure HTTP-only cookies

e) Automatically Collected Information

• IP address, browser type and version, device information
• Pages visited, time spent on pages, referring URLs
• E-commerce interaction data via Google Analytics 4 (product views, add-to-cart events, purchases)
• Cookies and similar tracking technologies (see our Cookie Policy)

f) User-Generated Content

• Product images uploaded by Sellers (stored on AWS S3)
• Return request images uploaded by Buyers
• Product reviews and seller responses
• Store descriptions and logos
• Support ticket communications

We use the information we collect for the following purposes:

• Account Management: To create and manage your account, verify your identity, and provide customer support
• Order Processing: To process purchases, payments, refunds, returns, and shipping
• Payment Processing: To facilitate secure payments between Buyers and Sellers through Stripe
• Seller Onboarding: To verify seller identities and enable payouts through Stripe Connect
• Shipping: To generate shipping labels, calculate rates, and provide tracking information through carrier partners (USPS, FedEx, UPS)
• Platform Improvement: To analyze usage patterns and improve the Platform's features and performance using Google Analytics 4
• Communications: To send order confirmations, shipping updates, and service-related notifications
• Marketing: To send promotional offers and style updates, only with your explicit consent
• Fraud Prevention: To detect, prevent, and respond to fraud, unauthorized access, and other security issues
• Legal Compliance: To comply with applicable laws, regulations, and legal processes

Vendise does not sell your personal information. We may share your information with the following categories of recipients:

• Sellers: When you place an order, your shipping address and contact information are shared with the Seller to fulfill your order
• Payment Processor (Stripe): To process payments, manage seller payouts, and perform identity verification for sellers
• Cloud Infrastructure (Amazon Web Services): To store and process data using DynamoDB (database), S3 (file storage), and Cognito (authentication)
• Analytics (Google Analytics 4): To analyze Platform usage and e-commerce performance. No personally identifiable information is passed to Google Analytics
• Shipping Carriers (USPS, FedEx, UPS): To generate shipping labels and provide tracking information
• Shopify: If you use the Shopify integration feature to sync products, product data may be transferred between Vendise and your Shopify store
• Law Enforcement: When required by law, court order, or legal process, or when necessary to protect the rights, property, or safety of Vendise, our Users, or the public
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity

We take the security of your personal information seriously and implement appropriate technical and organizational measures:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL
• Encryption at Rest: Data stored in AWS DynamoDB and S3 is encrypted at rest using AWS-managed encryption keys
• Secure Authentication: User passwords are hashed and managed by AWS Cognito. We never store plaintext passwords
• PCI Compliance: All payment data is handled by Stripe, which is PCI DSS Level 1 certified. Full credit card numbers never touch Vendise servers
• Security Headers: We implement security headers including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy
• Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law:

• Account Data: Retained for the duration of your account and for a reasonable period after account deletion to resolve disputes and comply with legal obligations
• Transaction Records: Retained for a minimum of seven (7) years for tax and accounting purposes
• Return Records: Retained for the duration of the dispute resolution period and any applicable legal retention requirements
• Analytics Data: Aggregated and anonymized analytics data may be retained indefinitely
• Marketing Preferences: Retained until you withdraw your consent

You may request deletion of your personal information at any time by contacting us at admin@vendise.com, subject to legal retention obligations.

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation provide you with the following rights:

• Right to Access: You may request access to the personal information we hold about you
• Right to Correction: You may request that we correct any inaccurate or incomplete personal information
• Right to Withdraw Consent: You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
• Right to Complain: You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated

To exercise any of these rights, please contact us at admin@vendise.com. We will respond to your request within thirty (30) days.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes, and the third parties with whom we share it
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
• Right to Correct: You have the right to request correction of inaccurate personal information
• Right to Opt Out: You have the right to opt out of the "sale" or "sharing" of your personal information. Vendise does not sell or share your personal information as defined under the CCPA/CPRA
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights

To exercise any of these rights, please contact us at admin@vendise.com. We will verify your identity before processing your request and respond within forty-five (45) days.

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with the following rights:

• Right of Access: You may request a copy of the personal data we process about you
• Right to Rectification: You may request correction of inaccurate or incomplete personal data
• Right to Erasure: You may request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
• Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances
• Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format
• Right to Object: You may object to the processing of your personal data for direct marketing or other purposes based on legitimate interests
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing

Legal Bases for Processing: We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to fulfill our contractual obligations (e.g., order processing, account management)
• Consent: Processing based on your explicit consent (e.g., marketing communications, non-essential cookies)
• Legitimate Interest: Processing necessary for our legitimate business interests (e.g., fraud prevention, platform security, analytics)
• Legal Obligation: Processing necessary to comply with applicable laws

To exercise your rights, contact us at admin@vendise.com. You also have the right to lodge a complaint with your local data protection authority.

Your personal information is primarily stored on servers located in Canada (AWS ca-central-1 region). However, your data may be transferred to and processed in other countries, including the United States, in connection with the following:

• Stripe: Payment processing and seller identity verification may involve data transfer to Stripe servers in the United States
• Google Analytics: Analytics data may be processed on Google servers located in various countries
• Shipping Carriers: Shipping information may be processed by carrier systems in the countries of origin and destination

Where personal data is transferred outside of Canada, the EEA, or the UK, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), adequacy decisions, or other legally approved transfer mechanisms, to protect your personal data in accordance with applicable privacy laws.

The Platform is not directed to children under the age of 13 (or under the age of 16 in the EEA/UK). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at admin@vendise.com.

The Platform may contain links to third-party websites and integrations with third-party services, including:

• Shopify (for product synchronization)
• Social login providers (Google, Facebook, Apple)
• Payment processor (Stripe)
• Shipping carrier websites

These third-party services have their own privacy policies. Vendise is not responsible for the privacy practices or content of third-party websites or services. We encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by posting the updated Privacy Policy on the Platform with a revised "Effective Date." For significant changes, we may also notify you via email.

Your continued use of the Platform after the posting of a revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: admin@vendise.com
• Company: Vendise Inc.

For Canadian privacy inquiries, you may also contact the Office of the Privacy Commissioner of Canada.