Privacy Policy
Last updated: 2026-04-26
1. Overview
Vensider.io ("we," "us," or "our") operates the Vensider.io vendor security review platform at vensider.io. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our service.
We are committed to protecting your privacy and handling your data transparently. If you have questions, contact us at [email protected].
2. Data we collect
Account information
Name, email address, and a password. Passwords are never stored in plain text — only a salted PBKDF2-HMAC-SHA256 hash is kept.
Company profile data
Company name, industry, size, compliance obligations, identity provider configuration, endpoint security stack, and data sensitivity information. This is entered voluntarily and used to contextualize vendor reviews.
Vendor review inputs
Vendor names, product URLs, intended use descriptions, and data types you describe as entering a vendor product. This information is used to generate your security review.
Usage data
Pages viewed, features used, and interactions with the platform. Used to improve the product and detect abuse.
Payment information
Billing is handled entirely by Stripe. We do not store credit card numbers or payment instrument details.
3. How we use your data
- To generate vendor security reviews contextualized to your company profile
- To send review completion and critical finding alert emails
- To manage your subscription and process payments via Stripe
- To improve the accuracy and relevance of our AI-generated reports
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
We do not sell your personal data. We do not use your data to train AI models without your explicit consent.
4. AI and data processing
Vensider.io uses Anthropic's Claude API to generate vendor security reports. When you initiate a review, information about the vendor (their publicly available documents) and a summary of your company's compliance context is sent to Anthropic's API for processing.
Anthropic's data processing agreement is available at anthropic.com/legal/privacy. Anthropic does not use API inputs to train models by default.
We do not send personally identifiable information about your employees or customers to Anthropic. We send vendor product context and your company's compliance/stack profile.
5. Data sharing and sub-processors
We use the following sub-processors to operate the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI report generation | USA |
| Stripe | Payment processing and billing | USA |
| Resend | Transactional email delivery | USA |
| Sentry | Error monitoring and crash reporting | USA |
6. Data retention
We retain your account data and vendor reviews for as long as your account is active. If you delete your account, your data is deleted within 30 days, except where we are required to retain it for legal or compliance purposes.
You can export all your vendor reviews at any time in PDF or Markdown format from the dashboard.
7. Your rights (GDPR)
If you are located in the EU/EEA, you have the following rights under GDPR:
- Access: Request a copy of all personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing for direct marketing purposes
- Restriction: Request restriction of processing in certain circumstances
To exercise these rights, email [email protected]. We will respond within 30 days.
We process EU personal data under Standard Contractual Clauses (SCCs) for transfers to the USA. Our Data Processing Agreement (DPA) is available on request.
8. Security
We implement industry-standard security measures to protect your data. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to production systems is restricted to authorized personnel, with MFA required.
For our full security practices, see our Security page.
9. Cookies
We use only essential authentication cookies required for the service to function. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. For full details, see our Cookie Policy.
10. Changes to this policy
We may update this policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before they take effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.
11. Contact
For privacy questions or to exercise your rights: [email protected]