GDPR Policy

Last updated: February 2, 2026

1. Introduction

Vendorlytics is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This policy explains how we handle personal data for users in the European Economic Area (EEA) and United Kingdom.

As a data controller, Vendorlytics determines the purposes and means of processing personal data. We take our responsibilities under GDPR seriously and have implemented appropriate technical and organisational measures to ensure compliance.

2. Legal Basis for Processing

We process personal data based on one or more of the following legal grounds:

  • Contract: Processing necessary to perform our contract with you (providing the Vendorlytics service)
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services and fraud prevention
  • Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications)
  • Legal Obligation: Processing necessary to comply with legal requirements

3. Your Rights Under GDPR

As a data subject, you have the following rights:

3.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

3.2 Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you.

3.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

3.4 Right to Restrict Processing

You have the right to request that we limit the processing of your personal data in certain circumstances.

3.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

3.6 Right to Object

You have the right to object to certain types of processing, including processing for direct marketing purposes.

3.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.

4. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data: Retained while your account is active and for up to 30 days after a deletion request
  • Invoice Data: Retained for the duration of your subscription plus any legally required retention period
  • Analytics Data: Retained in anonymised form for up to 2 years
  • Support Communications: Retained for up to 3 years after resolution

5. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Transfers to countries with adequate data protection as determined by the European Commission
  • Binding Corporate Rules where applicable

6. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication measures
  • Staff training on data protection
  • Incident response procedures

7. Exercising Your Rights

To exercise any of your GDPR rights, please contact us at:

  • Email: privacy@vendorlytics.com
  • Response Time: We will respond to your request within 30 days

We may need to verify your identity before processing your request. If your request is complex or you have made multiple requests, we may extend the response period by an additional 60 days, in which case we will inform you.

8. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, you can contact your local data protection authority.

9. Changes to This Policy

We may update this GDPR Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

10. Contact Us

For any questions about this GDPR Policy or our data protection practices, please contact us at privacy@vendorlytics.com.