VNDLY Privacy Policy
Effective date: February 14, 2026

1. Introduction

This Privacy Policy explains how VNDLY collects, uses, and protects personal data when you use the VNDLY platform and related services at vndly.io.

2. Data Controller

The data controller is VNDLY, operated by Henrik Åberg, Stockholm, Sweden. You can contact us at support@vndly.io.

3. Data We Collect

  • Account information such as name, email address, and authentication data.
  • Business data you enter into the platform, including inventory, purchasing, orders, and contacts.
  • Usage analytics such as feature interactions, device data, and log information.
  • Support communications such as tickets, chat messages, and attachments.

4. How We Use Your Data

  • Provide and operate the Service, including authentication and account management.
  • Process billing and payments.
  • Respond to support requests and communicate service updates.
  • Improve product performance, security, and usability.
  • Detect and prevent fraud, abuse, or security incidents.

5. Legal Basis for Processing

We process personal data under GDPR legal bases including performance of a contract, legitimate interests (such as securing and improving the Service), and consent where required.

6. AI Features & BYOK Keys

If you enable AI features, you provide your own API keys (BYOK). Keys are encrypted using AES-256-GCM and sent only to the AI provider you select. VNDLY does not read or train on your AI conversations.

7. Third-Party Services

We use trusted subprocessors to deliver the Service:

  • Supabase (database and authentication): stores account and business data.
  • Stripe (payments): processes billing details and subscription status.
  • Vercel (hosting): delivers the web application and logs performance metrics.
  • EasyPost (shipping): receives shipment data you send for label creation.
  • Shopify and WooCommerce (integrations): sync product, order, and inventory data when connected.

8. Data Storage & Security

Data is hosted on Supabase and Vercel infrastructure with encryption in transit and at rest. We use row-level security to isolate tenant data and AES-256-GCM encryption for stored API keys.

9. Data Retention

We retain data while your account is active. After cancellation, data is retained for 30 days and then deleted unless required by law. System logs are retained for 90 days for security and troubleshooting.

10. Your Rights

You have the right to access, rectify, erase, restrict, or object to processing of your personal data, and the right to data portability. Where processing is based on consent, you may withdraw consent at any time.

11. How to Exercise Your Rights

To exercise your rights, email support@vndly.io. We will respond within 30 days.

12. Cookies

We use session cookies for authentication and store theme preferences in localStorage. We do not use third-party tracking cookies.

13. International Transfers

Your data may be processed in the EU and the US through our providers (Supabase and Vercel). Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

14. Children's Privacy

VNDLY is not intended for children under 16, and we do not knowingly collect their personal data.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least 30 days notice by email before changes take effect.

16. Contact & DPO

For privacy questions or DPO inquiries, contact support@vndly.io.