Privacy Policy

For sellers (people running a store on Vendoria), Vendoria is the data controller for account, billing, and platform-usage data.

For buyers(people shopping on a seller’s storefront), the seller is the primary data controller for order and contact information; Vendoria acts as a data processor on the seller’s behalf.

• Account info: name, email, hashed password, business/storefront name, currency and locale preferences.
• Order data: items purchased, prices, shipping/pickup details, buyer name, email, phone (when provided), shipping address.
• Payment data: processed by Stripe. We store a Stripe customer/payment-intent identifier and the order amount; we do not store full card numbers or CVCs.
• Channel-integration data: when you connect eBay, Mercari, Facebook Marketplace, or other channels, we store encrypted OAuth tokens and the order/listing data those channels return for your storefront.
• Communications: messages sent through buyer-seller chat, AI buyer assistant questions, and transactional emails/SMS/WhatsApp we deliver on your behalf.
• Operational logs: request metadata, error reports, and rate-limit counters used to keep the service available.

• Operate your storefront and process orders end-to-end.
• Send transactional notifications (order confirmations, shipping updates, abandoned-cart reminders to buyers who provided an email at checkout).
• Sync inventory and orders between your Vendoria store and connected channels (eBay, etc.).
• Provide product analytics, CRM features, and AI-assisted listing generation to sellers.
• Detect abuse, prevent fraud, and meet legal obligations.

We do not sell your data, and we do not use buyer contact information collected via a channel integration (e.g. eBay) for marketing without an explicit opt-in. Channel-acquired buyers are flagged in our system as “fulfillment only” until they opt in directly.

• Stripe — payment processing
• Twilio — SMS and WhatsApp messaging
• SMTP / transactional email providers — email delivery
• Cloudflare — DNS, edge networking, and bot protection
• Anthropic — AI-assisted listing generation and AI buyer chat (when enabled)
• eBay, Mercado Libre, Facebook, Mercari, PirateShip — only for the integrations you explicitly connect
• MinIO / S3-compatible storage — product photo hosting

We use httpOnly cookies for authentication and a small amount of localStorage on storefronts to remember a buyer’s cart contents per store. We do not use third-party advertising trackers.

Order, contact, and listing data are retained while your account is active. When a seller closes their account, we delete account, contact, and listing data within 30 days, with limited exceptions for records we are legally required to keep (such as tax and payment records, typically 7 years).

You have the right to access, correct, export, or delete your personal information. Email [email protected]with your request and we will respond within 30 days. If you are a buyer who wants their data removed from a specific seller’s storefront, contact that seller directly first; we can assist if they do not respond.

Residents of California (CCPA), the EEA/UK (GDPR), and other jurisdictions with applicable privacy laws have additional rights, including the right to lodge a complaint with a supervisory authority.

For sellers who connect their eBay account: if eBay notifies us that one of your buyers has requested account deletion, we will delete that buyer’s personal data from your Vendoria CRM within the timeframe required by eBay’s Marketplace Account Deletion policy. Order records are retained in pseudonymized form for tax compliance.

We encrypt data in transit (TLS) and channel OAuth tokens at rest (AES-256-GCM). Passwords are hashed with bcrypt. We follow least-privilege principles for internal access. No system is perfectly secure, and we will notify affected users without undue delay in the event of a breach.

We may update this policy from time to time. Material changes will be announced via email to seller account owners and reflected in the “Last updated” date above.

Questions or requests: [email protected].