Privacy policy

Last updated May 2026

1. Information we collect

Vendorlogic collects information you provide directly when creating an account, submitting credit applications, or responding to trade reference requests. This includes your name, email address, phone number, business details, and banking information relevant to credit evaluation.

2. How we use your information

We use collected information to:

  • Process and evaluate credit applications
  • Facilitate trade reference requests and responses
  • Communicate application status updates
  • Verify business identity through third-party services
  • Improve our platform and user experience

3. Information sharing

We share application data only with the vendor you applied to and their authorized team members. Trade reference data is shared with the requesting vendor. We do not sell personal information to third parties. We may share data with verification partners (identity, business, and credit verification) as part of the application review process.

4. Data security

We use industry-standard encryption (TLS) for data in transit and at rest. Access to application data is restricted by role-based permissions. Passwords are hashed using bcrypt. We conduct regular security reviews of our infrastructure.

5. Data retention

We retain application data for as long as your account is active or as needed to provide services. You may request account deletion through the account settings page, which deactivates your account and removes your password.

6. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account
  • Export your application data

7. Third-party services

We rely on the following sub-processors. None receive raw application data except as required to deliver their function:

  • Supabase — primary data hosting (Postgres + Storage), US region.
  • PostHog — product analytics, with session replay sampled at 10% and dead-click capture for UX debugging.
  • Sentry — error tracking, with session replay sampled at 10% (replays are only captured on errors).
  • Resend — transactional email delivery (decisions, reminders, magic links).
  • BetterStack — external uptime monitoring; pings public health endpoints only.
  • Vercel — application hosting and Speed Insights performance telemetry.
  • Persona — identity verification (KYC) and business verification (KYB), including government-ID photos and selfies where the workflow requires it. Only invoked when a user enters the verification flow on an application.
  • Plaid — bank-account verification and transaction history retrieval. Users connect their bank through Plaid Link; we receive a long-lived access token (stored encrypted at rest with AES-256-GCM), institution name, and account identifiers, plus the transaction summaries needed to underwrite an offer. We do not store bank login credentials — those go to Plaid directly.
  • Anthropic — AI assist features. Content sent to Anthropic is used for inference only and is not retained for training per our agreement.

7a. Signature and audit metadata

When you electronically sign an application, decision, offer, or trade reference, we record your typed name, signature image (drawn on a signature pad), the IP address from which you signed, and your browser user-agent string. This metadata is retained as proof of intent and is included in any signed PDF we generate.

We also maintain a security audit log of authentication events (sign-in, sign-out, impersonation, permission changes). The audit log stores a one-way hash of the IP address — not the raw IP — so we can detect anomalous patterns without retaining the original identifier.

8. Cookies and tracking

Vendorlogic uses cookies in three categories:

  • Essential — required for sign-in, CSRF protection, and session continuity. These are always set and cannot be disabled because the platform will not function without them.
  • Analytics — PostHog product analytics and Vercel Speed Insights performance telemetry. Off by default. We do not load or capture analytics until you opt in via the cookie banner shown on your first visit. You can change your choice at any time using the “Privacy choices” link in the footer.
  • Marketing — none currently used.

PostHog and Sentry set first-party cookies when enabled (analytics consent for PostHog; error-attribution for Sentry). We do not use third-party advertising cookies and do not sell or share data for advertising purposes.

Opt out of analytics: beta testers can opt out of product analytics and session replay by emailing vinnie@vltest.net with the subject line “Analytics opt-out”. We will disable analytics for your account within one business day. A self-service toggle on the settings page is on the roadmap.

8a. EU / EEA / UK users (GDPR)

If you are accessing the platform from the European Union, the European Economic Area, or the United Kingdom, the GDPR (and the UK's equivalent regime) gives you the following rights with respect to personal data we hold about you:

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”), subject to legal-retention exceptions
  • Right to restrict or object to processing
  • Right to data portability — receive your data in a machine-readable format
  • Right to withdraw consent at any time for processing based on consent (e.g. analytics)
  • Right to lodge a complaint with a supervisory authority in your country of residence

The legal bases we rely on are: contract (processing required to provide the credit-application service you signed up for), consent (analytics cookies, optional features), and legitimate interest (security audit logs, fraud prevention).

To exercise any of these rights, email vinnie@vltest.net with the subject line “GDPR request”. We respond within 30 days as required by GDPR.

Note (beta): Vendorlogic is currently in beta and does not operate an EU data center. Personal data is processed in the United States by our hosting providers. The specifics of our international-transfer mechanism, Data Protection Officer designation, and EU representative are pending legal review and will be added to this policy before general availability in the EU.

9. Contact

For privacy-related questions or requests, contact us at vinnie@vltest.net.
