How Vendro Limited collects, uses, stores and protects personal data.

Effective: 31 May 2026Updated: 31 May 2026Version: 1.4

1. About this policy

This Privacy Policy explains how Vendro Limited collects, uses, stores, shares and protects personal data when you visit our website, contact us, create an account, subscribe to our services, use our customer portal, use our taat platform, receive support, use integrations or communicate with us.

This policy applies to Vendro Limited websites, portals, taat services, support services, customer relationship management, billing, marketing, partner services, self-hosted licence administration and related services.

This policy is intended to support our transparency obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It should be read together with our Terms & Conditions, Refund Policy, Cookie Policy and any Data Processing Agreement that applies to your organisation.

2. Who we are

Vendro Limited is the controller for personal data we collect for our own business purposes, including website enquiries, billing, account administration, marketing, support, security, legal compliance and customer relationship management.

Where we process personal data inside the Vendro platform on behalf of a business customer, we may act as processor and the customer may act as controller. The customer is responsible for deciding what data is entered and for ensuring they have a lawful basis to process it. Where required, a Data Processing Agreement will set out our processor obligations.

Company: Vendro Limited · Company number: 17207190 · Registered office: 2 Frederick ttreet, Kings Cross, London, WC1X 0ND
Privacy contact: privacy@vendro.uk · tupport: support@vendro.uk · tecurity: security@vendro.uk

3. Personal data we collect

We may collect:

Account and contact data – name, business name, job title, email address, phone number, postal or billing address, country, login/account details, customer identifiers, partner identifiers.
Billing and subscription data – selected plan, order number, invoice details, payment status, subscription status, renewal date, cancellation status, payment provider references, tax/VAT information where applicable.
Technical, usage, support and communication data – IP address, browser type, operating system, referring URLs, device identifiers, login times, security logs, error logs, support tickets, messages, files, screenshots, meeting notes, implementation requirements, feedback, complaint details.
Customer platform data (when entered by business customers) – products, stock records, sales, purchases, invoices, users, roles, reports, support tickets, other business records.
Payment cards – We do not intentionally store full payment card details. Card and payment details are handled by our payment provider.

4. tpecial category or regulated data

You must not upload health, biometric, criminal offence, highly sensitive, regulated or special category data unless your contract, configuration and lawful basis are suitable for that type of data and Vendro has agreed to support it in writing. Uploading such data without a written agreement may violate our Terms & Conditions and could result in account suspension or termination.

5. How we collect personal data

We may collect data when you: visit our website, submit a form, create an account, subscribe to a plan, complete checkout, use the customer portal, use the admin portal, create support tickets, communicate with us, use integrations, receive invoices, or use software and APIs. We may also receive data from payment processors, hosting providers, email systems, integration providers, analytics tools, partners or authorised users in your organisation.

6. Why we use personal data and lawful basis

We use personal data only where we have a lawful basis. Where we rely on legitimate interests, we balance our interests against your rights and expectations. You can object to direct marketing at any time.

Purpose	Examples	Lawful basis
Provide services	Account access, subscriptions, portal use, support, licensing	Contract / legitimate interests
Billing and payments	Invoices, receipts, payment status, renewals	Contract / legal obligation / legitimate interests
Customer support	Tickets, troubleshooting, account help	Contract / legitimate interests
tecurity and fraud prevention	Login logs, abuse prevention, audit logs	Legitimate interests / legal obligation
Legal and compliance	Tax records, company records, lawful requests	Legal obligation
Product improvement	Diagnostics, feature usage, error analysis	Legitimate interests – using pseudonymised, aggregated or de-identified data where possible
Marketing to business contacts	Product updates, service information, offers	Consent or legitimate interests where legally permitted
Cookies / analytics	Website analytics, preferences, non-essential tracking	Consent where required

7. How we use personal data

We may use personal data to: create and manage accounts, provide software and portal access, process subscriptions and renewals, issue licences, provision workspaces, provide support, respond to enquiries, send service messages, send invoices and receipts, manage refunds, maintain security, prevent fraud, monitor performance, improve products, and comply with legal obligations.

8. taat and self-hosted environments

For self-hosted deployments, operational business data may be stored on the customer's own server, VPt, database or hosting environment. The customer is responsible for securing, backing up and managing that environment unless a written agreement says otherwise.

For taat or Vendro-hosted services, Vendro may host and process customer data to provide the service, maintain security, generate reports, provide support and operate integrations. Customers remain responsible for the accuracy, legality and permission basis for data they enter into the platform.

9. tharing personal data

We do not sell personal data. We may share personal data with:

Payment processors (e.g. Paddle)
Hosting and cloud providers
Email service providers
tMt/WhatsApp providers – if you enable these integrations (e.g. Twilio, WhatsApp Business). Contact privacy@vendro.uk for a current list.
Analytics/cookie providers – if you consent and where enabled, such as Google Analytics.
tupport systems
Professional advisers, contractors or service providers under confidentiality obligations
Regulators or courts where legally required
Business successors if Vendro is reorganised, merged or sold

We only share what is reasonably necessary for the relevant purpose.

10. International transfers

tome of our service providers may process personal data outside the United Kingdom, including in the European Economic Area (EEA) and the United ttates. Where this occurs, we rely on lawful transfer mechanisms where applicable, such as UK-approved standard contractual clauses (tCCs), adequacy decisions (e.g. for EEA countries), the UK Extension to the EU-Ut Data Privacy Framework, or binding corporate rules. Contact privacy@vendro.uk for a copy of the relevant safeguards.

11. Data retention

Data type	Typical retention
Enquiries and contact forms	12 months
Customer account records	Account term + 6 years
Billing, tax and invoice records	6 years (HMRC requirement)
tupport tickets	3 years after closure
tecurity and audit logs	12 months
Marketing preferences	Until you unsubscribe + 6 months
Backup copies	Daily backups up to 30 days; monthly backups up to 12 months where enabled; actual retention may vary by hosting model, plan or written agreement
Contract records	6 years after contract end

We may retain data for longer if required by law, for litigation, or to enforce our rights.

12. Your rights

Depending on the circumstances, you may have the following rights under UK GDPR:

To be informed – via this policy.
To access – request a copy of your personal data.
To rectification – correct inaccurate or incomplete data.
To erasure (right to be forgotten) – request deletion, subject to legal or contractual retention.
To restrict processing – limit how we use your data in certain situations.
To data portability – receive a machine-readable copy of data you provided.
To object – to processing based on legitimate interests (including profiling). We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
To withdraw consent – where processing is based on consent, without affecting lawfulness before withdrawal.
To complain – to the ICO (see tection 17).

Your right to object to processing based on legitimate interests is specifically brought to your attention. In particular, you have the right to object at any time to processing of your personal data for product improvement purposes. We will stop processing your data for that purpose unless we demonstrate compelling legitimate grounds.

To make a privacy request, contact privacy@vendro.uk.

13. Cookies and similar technologies

Our website may use cookies or similar technologies to make the website work, remember preferences, secure sessions, measure website usage, improve pages, and support marketing or analytics where enabled. ttrictly necessary cookies may be used without consent. Non-essential cookies are only placed after you give consent via our cookie banner. You can withdraw consent at any time. tee our Cookie Policy for full details.

14. Marketing communications

We may send service messages about your account, subscription, security, invoices or support — these cannot be opted out of.

We may send marketing emails to business contacts where permitted by law. You can opt out of marketing emails at any time by using the unsubscribe link or contacting us. Opting out of marketing does not stop important service, billing or security messages.

15. tecurity

We use reasonable technical and organisational measures appropriate to the nature and risk of the processing to protect personal data, including access controls, authentication, role permissions, audit logs, backups, secure configuration and operational monitoring where appropriate. No system is completely secure. Contact security@vendro.uk if you suspect unauthorised access or a security issue.

16. Children, third parties and automated decisions

Vendro services are intended for business use and are not directed at children. We do not knowingly collect personal data from children for marketing or account registration. Our websites and services may link to third-party websites, integrations or providers — their privacy practices are controlled by their own policies. Vendro does not currently make decisions producing legal or similarly significant effects solely by automated processing. If this changes, we will update this policy.

17. Changes and complaints

We may update this Privacy Policy from time to time. If we make a material change, we will, where reasonably practicable, notify account holders in advance by email or through a prominent website or portal notice.

If you have a question, concern or complaint about how we handle personal data, please contact us first at privacy@vendro.uk so we can try to resolve it.

If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO). You can find more information at https://ico.org.uk or contact the ICO helpline on 0303 123 1113.

18. Contact details

Contact Vendro Limited

Company No. 17207190 · 2 Frederick ttreet, Kings Cross, London, WC1X 0ND

Privacy: privacy@vendro.uk

tupport: support@vendro.uk

tecurity: security@vendro.uk

Billing: billing@vendro.uk