Privacy Policy

How Vendro Limited collects, uses, stores and protects personal data.

Final revised Vendro Limited policy content for vendro.uk. Please review the full text below before using the service.

Read policy
Effective: 31-May-2026 Last updated: 31-May-2026 Version: 1.4

Privacy Policy

Last updated: 31-May-2026
Effective date: 31-May-2026
Version: 1.4

1. About this policy

This Privacy Policy explains how Vendro Limited collects, uses, stores, shares and protects personal data when you visit our website, contact us, create an account, subscribe to our services, use our customer portal, use our SaaS platform, receive support, use integrations or communicate with us.

This policy applies to Vendro Limited websites, portals, SaaS services, support services, customer relationship management, billing, marketing, partner services, self-hosted licence administration and related services.

This policy is intended to support our transparency obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It should be read together with our Terms & Conditions, Refund Policy, Cookie Policy and any Data Processing Agreement that applies to your organisation.

2. Who we are

Vendro Limited is the controller for personal data we collect for our own business purposes, including website enquiries, billing, account administration, marketing, support, security, legal compliance and customer relationship management.

Where we process personal data inside the Vendro platform on behalf of a business customer, we may act as processor and the customer may act as controller. The customer is responsible for deciding what data is entered and for ensuring they have a lawful basis to process it. Where required, a Data Processing Agreement will set out our processor obligations.

Company: Vendro Limited
Company number: 17207190
Registered office: 2 Frederick Street, Kings Cross, London, WC1X 0ND
Privacy contact: privacy@vendro.uk
Support contact: support@vendro.uk
Security contact: security@vendro.uk
Billing contact: billing@vendro.uk

3. Personal data we collect

We may collect:

  • Account and contact data – name, business name, job title, email address, phone number, postal or billing address, country, login/account details, customer identifiers, partner identifiers.
  • Billing and subscription data – selected plan, order number, invoice details, payment status, subscription status, renewal date, cancellation status, payment provider references, tax/VAT information where applicable.
  • Technical, usage, support and communication data – IP address, browser type, operating system, referring URLs, device identifiers, login times, security logs, error logs, support tickets, messages, files, screenshots, meeting notes, implementation requirements, feedback, complaint details.
  • Customer platform data (when entered by business customers) – products, stock records, sales, purchases, invoices, users, roles, reports, support tickets, other business records.
  • Payment cards – We do not intentionally store full payment card details. Card and payment details are handled by our payment provider.

4. Special category or regulated data

You must not upload health, biometric, criminal offence, highly sensitive, regulated or special category data unless your contract, configuration and lawful basis are suitable for that type of data and Vendro has agreed to support it in writing. Uploading such data without a written agreement may violate our Terms & Conditions and could result in account suspension or termination.

5. How we collect personal data

We may collect data when you: visit our website, submit a form, create an account, subscribe to a plan, complete checkout, use the customer portal, use the admin portal, create support tickets, communicate with us, use integrations, receive invoices, or use software and APIs.

We may also receive data from payment processors, hosting providers, email systems, integration providers, analytics tools, partners or authorised users in your organisation.

6. Why we use personal data and lawful basis

We use personal data only where we have a lawful basis. Where we rely on legitimate interests, we balance our interests against your rights and expectations. You can object to direct marketing at any time.

PurposeExamplesLawful basis
Provide servicesAccount access, subscriptions, portal use, support, licensingContract / legitimate interests
Billing and paymentsInvoices, receipts, payment status, renewalsContract / legal obligation / legitimate interests
Customer supportTickets, troubleshooting, account helpContract / legitimate interests
Security and fraud preventionLogin logs, abuse prevention, audit logsLegitimate interests / legal obligation
Legal and complianceTax records, company records, lawful requestsLegal obligation
Product improvementDiagnostics, feature usage, error analysisLegitimate interests – to improve our software, fix bugs and enhance user experience, using pseudonymised, aggregated or de-identified data where possible
Marketing to business contactsProduct updates, service information, offersConsent or legitimate interests where legally permitted, including soft opt-in only where applicable
Cookies/analyticsWebsite analytics, preferences, non-essential trackingConsent where required

7. How we use personal data

We may use personal data to: create and manage accounts, provide software and portal access, process subscriptions and renewals, issue licences, provision workspaces, provide support, respond to enquiries, send service messages, send invoices and receipts, manage refunds, maintain security, prevent fraud, monitor performance, improve products, and comply with legal obligations.

8. SaaS and self-hosted environments

Vendro may provide both cloud/SaaS and self-hosted software models. For self-hosted deployments, operational business data may be stored on the customer's own server, VPS, database or hosting environment. The customer is responsible for securing, backing up and managing that environment unless a written agreement says otherwise.

For SaaS or Vendro-hosted services, Vendro may host and process customer data to provide the service, maintain security, generate reports, provide support and operate integrations. Customers remain responsible for the accuracy, legality and permission basis for data they enter into the platform.

9. Sharing personal data

We do not sell personal data. We may share personal data with:

  • Payment processors (e.g., Paddle)
  • Hosting and cloud providers
  • Email service providers
  • SMS/WhatsApp providers – if you enable these integrations (e.g., Twilio, WhatsApp Business). Contact privacy@vendro.uk for a current list.
  • Analytics/cookie providers – if you consent and where enabled, such as Google Analytics.
  • Support systems
  • Professional advisers, contractors or service providers under confidentiality obligations
  • Regulators or courts where legally required
  • Business successors if Vendro is reorganised, merged or sold

We only share what is reasonably necessary for the relevant purpose.

10. International transfers

Some of our service providers may process personal data outside the United Kingdom, including in the European Economic Area (EEA) and the United States.

Where this occurs, we rely on lawful transfer mechanisms where applicable, such as:

  • UK‑approved standard contractual clauses (SCCs)
  • Adequacy decisions (e.g., for EEA countries)
  • The UK Extension to the EU‑US Data Privacy Framework (where applicable)
  • Binding corporate rules (where applicable)

You may contact privacy@vendro.uk for a copy of the relevant safeguards.

11. Data retention

We keep personal data only for as long as reasonably necessary for the purposes described in this policy.

Data typeTypical retention
Enquiries and contact forms12 months
Customer account recordsAccount term + 6 years
Billing, tax and invoice records6 years (HMRC requirement)
Support tickets3 years after closure
Security and audit logs12 months
Marketing preferencesUntil you unsubscribe + 6 months
Backup copiesCurrent target: daily backups retained up to 30 days and monthly backups retained up to 12 months, where enabled; actual retention may vary by hosting model, plan or written agreement
Contract records6 years after contract end

We may retain data for longer if required by law, for litigation, or to enforce our rights.

12. Your rights

Depending on the circumstances, you may have the following rights under UK GDPR:

  • To be informed – via this policy.
  • To access – request a copy of your personal data.
  • To rectification – correct inaccurate or incomplete data.
  • To erasure (right to be forgotten) – request deletion, subject to legal or contractual retention.
  • To restrict processing – limit how we use your data in certain situations.
  • To data portability – receive a machine‑readable copy of data you provided.
  • To object – to processing based on legitimate interests (including profiling). We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
  • To withdraw consent – where processing is based on consent, without affecting lawfulness before withdrawal.
  • To complain – to the ICO (see Section 17).

Your right to object to processing based on legitimate interests is specifically brought to your attention. In particular, you have the right to object at any time to processing of your personal data for product improvement purposes. We will stop processing your data for that purpose unless we demonstrate compelling legitimate grounds.

Some rights may not apply in every situation, for example where we must keep data for legal, security, billing or contract reasons.

To make a privacy request, contact privacy@vendro.uk.

13. Cookies and similar technologies

Our website may use cookies or similar technologies to make the website work, remember preferences, secure sessions, measure website usage, improve pages, and support marketing or analytics where enabled.

Strictly necessary cookies may be used without consent. Non-essential cookies (e.g., analytics, advertising, marketing) are only placed after you give consent via our cookie banner. You can withdraw consent at any time through your browser or our cookie settings.

We publish a separate Cookie Policy explaining what cookies are used, who sets them, what they do, how long they last and how users can manage consent.

14. Marketing communications

We may send service messages about your account, subscription, security, invoices or support – these cannot be opted out of.

We may send marketing emails to business contacts where permitted by law, including soft opt-in for existing customers only where applicable, or where you have consented. You can opt out of marketing emails at any time by using the unsubscribe link or contacting us.

Opting out of marketing does not stop important service, billing or security messages.

15. Security

We use reasonable technical and organisational measures, appropriate to the nature and risk of the processing, to protect personal data, including access controls, authentication, role permissions, audit logs, backups, secure configuration and operational monitoring where appropriate.

No system is completely secure. You are responsible for keeping your own passwords, admin users, API keys, devices and local environments secure. If you suspect unauthorised access or a security issue, contact security@vendro.uk promptly.

16. Children, third parties and automated decisions

Vendro services are intended for business use and are not directed at children. We do not knowingly collect personal data from children for marketing or account registration.

Our websites and services may link to third‑party websites, integrations or providers. Their privacy practices are controlled by their own policies. Vendro is not responsible for third‑party privacy practices, service availability, data handling, charges or terms.

Vendro does not currently make decisions producing legal or similarly significant effects solely by automated processing. If this changes, we will update this policy.

17. Changes and complaints

We may update this Privacy Policy from time to time. The latest version will be posted on our website with the effective date.

If we make a material change, we will, where reasonably practicable, notify account holders in advance by email or through a prominent website or portal notice.

If you have a question, concern or complaint about how we handle personal data, please contact us first at privacy@vendro.uk so we can try to resolve it.

If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO) – the UK data protection regulator.
You can find more information at https://ico.org.uk or contact the ICO helpline on 0303 123 1113.

18. Contact details

Vendro Limited
Company number: 17207190
Registered office: 2 Frederick Street, Kings Cross, London, WC1X 0ND

Privacy email: privacy@vendro.uk
Support email: support@vendro.uk
Security email: security@vendro.uk
Billing email: billing@vendro.uk