Privacy Policy
Effective May 18, 2026
1. What We Collect
- Account info: email, password hash (PBKDF2-SHA256), business website URL
- Business info: data extracted from your public website (business name, services, founder, contact info, etc.)
- Usage data: IP address (for rate limiting), timestamps of actions, search engine ranking data about your business
- No payment info held by us: when payments are added, they'll be handled by Stripe - we never see card details
2. How We Use Your Data
- To generate and publish AI-optimized content about your business
- To measure your AI-search visibility (citation tracking on Bing, Claude, etc.)
- To submit your URLs to search engines and AI engines for indexing
- To improve Vendable's service quality (aggregated, anonymized)
- To contact you about your account (transactional emails only)
3. Who We Share Data With
We use the following processors. Each has a data processing agreement with us:
- Anthropic - AI generation (Claude). Your business data is sent to generate content. No training on your data.
- Supabase - Database hosting (US, encrypted at rest)
- Vercel - Application hosting
- Resend - Transactional email delivery
- Bing / Microsoft - IndexNow URL submission and citation queries
- Wayback Machine (Internet Archive) - Public archive of your profile pages
- Notion - Internal tracking of trial customer metrics (no customer-identifying data beyond business name)
- Press wire services - only when you opt in via your dashboard
We do not sell your data. We do not share it with advertisers. We do not use it for training AI models without explicit consent.
4. Public Content
Content we publish about your business on app.getvendable.ai is intentionally public - it's how AI search engines find it. You can hide it any time from your dashboard.
5. Your Rights (GDPR / CCPA)
If you're in the EU, UK, or California, you have rights to:
- Access the personal data we hold about you
- Correct inaccuracies
- Delete your account and associated personal data
- Export your data
- Object to certain processing
- Withdraw consent (where consent is the legal basis)
Email mia@getvendable.ai to exercise any of these. We respond within 30 days.
6. Cookies
We use one cookie: a signed session cookie (HMAC-SHA256) to keep you logged in. 30-day expiry. We do not use third-party tracking cookies, advertising cookies, or analytics cookies that identify individuals.
7. Data Retention
We keep your account data while your account is active. After account deletion, we retain data for 30 days for recovery, then permanently delete it. Aggregated/anonymized analytics may be retained indefinitely.
8. Children
Vendable is not directed at children under 16. We do not knowingly collect personal data from children.
9. Security
Passwords are stored as PBKDF2-SHA256 hashes with per-row salt. Data is encrypted in transit (HTTPS) and at rest (Supabase encryption). Access to production data is limited to authorized personnel. We'll notify affected users within 72 hours of any data breach.
10. Changes
We may update this policy. Material changes will be notified by email at least 14 days in advance.
11. Contact
Data questions: mia@getvendable.ai