Privacy Policy
Last updated: March 9, 2026
VendorProof ("we", "us", "our") operates the vendorproof.com website and SaaS application. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data.
1. Data We Collect
1.1 Account data
When you create an account we collect your name, email address, organization name, and country. We store a bcrypt-hashed version of your password — we never store plaintext passwords.
1.2 Vendor and document data
You may upload vendor records and compliance documents (W-9s, certificates of insurance, licenses, etc.). These are stored in encrypted cloud storage and associated with your organization.
1.3 Payment data
Payments are processed by Stripe. We do not store credit card numbers. Stripe may collect information necessary for payment processing and fraud prevention.
1.4 Usage data (analytics)
With your consent, we use PostHog to collect anonymized analytics such as page views, feature usage, and session recordings (with all form inputs masked). This data helps us improve the product. Analytics cookies are only set if you accept them via our cookie consent banner.
2. Cookies
A cookie is a small text file stored in your browser. We use the following cookies:
2.1 Strictly necessary cookies
These cookies are required for the site to function and cannot be disabled.
| Cookie name | Purpose | Duration |
|---|---|---|
| authjs.session-token / __Secure-authjs.session-token | Encrypted session token containing your user ID, role, and subscription tier. Set after you log in. | 30 days |
| authjs.csrf-token | Protects against cross-site request forgery during authentication. | Session |
| authjs.callback-url | Stores the redirect URL during the login flow. | Session |
| vp-cookie-consent | Records your cookie preference ("granted" or "denied"). | 1 year |
2.2 Analytics cookies (require consent)
These cookies are only set when you click "Accept" on our cookie consent banner.
| Cookie name | Purpose | Duration | Provider |
|---|---|---|---|
| ph_*_posthog | Stores a device ID, session ID, and feature-flag state for analytics. | 1 year | PostHog |
2.3 Third-party cookies (payment processing)
When you navigate to Stripe's hosted checkout page to complete a payment, Stripe sets its own cookies on the stripe.com domain for fraud prevention and payment processing. These are strictly necessary for completing payments and are governed by Stripe's Privacy Policy.
2.4 Managing your preferences
You can change your cookie preference at any time by clearing the vp-cookie-consent cookie from your browser settings. The consent banner will reappear on your next visit. You can also block cookies entirely through your browser settings, though this may prevent you from logging in.
3. How We Use Your Data
- Providing the service — storing your vendors and documents, sending expiration reminders, generating compliance reports.
- Authentication & security — verifying your identity, preventing unauthorized access, rate-limiting abuse.
- Payment processing — managing your subscription via Stripe.
- Product improvement — with your consent, analyzing usage patterns to improve features and fix bugs.
- Transactional emails — sending account-related emails such as email verification, password resets, and document expiration reminders.
4. Data Sharing
We share data only with the following service providers:
- Supabase — database hosting and file storage
- Stripe — payment processing
- Resend — transactional email delivery
- PostHog — product analytics (only with your consent)
- Vercel — application hosting
We do not sell your personal data. We do not share your data with advertisers.
5. Data Retention
We retain your account data and uploaded documents for as long as your account is active. If you delete your account, we will delete your personal data and documents within 30 days. Anonymized analytics data may be retained indefinitely.
6. Your Rights
Depending on your jurisdiction (EU/EEA under GDPR, UK under UK GDPR, California under CCPA, Finland under the Finnish Data Protection Act), you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Withdraw consent for analytics at any time
- Object to processing of your data
To exercise any of these rights, contact us at support@vendorproof.com.
7. Security
We protect your data with HTTPS encryption in transit, encrypted storage at rest, bcrypt password hashing, CSRF protection, rate limiting, and Content Security Policy headers. For details, see our security practices.
8. Children
VendorProof is not intended for use by children under 16. We do not knowingly collect data from children.
9. Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.
10. Contact
If you have questions about this Privacy Policy, contact us at support@vendorproof.com.