MV
ManageVendors

Privacy Policy

How we collect, use, and protect your personal information when you use ManageVendors.

Effective: February 26, 2026|Last updated: February 26, 2026

ManageVendors (“we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our vendor risk intelligence platform (“the Service”).

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address — for authentication and notifications
  • Full name — for display in your organization
  • Avatar URL — from OAuth providers (Google, GitHub), if available
  • Organization name — created during signup

1.2 Usage Data

We automatically collect:

  • IP addresses (for rate limiting and security)
  • Browser type and version (for compatibility and debugging)
  • Pages visited and features used (for product improvement)
  • Timestamps of actions (for audit logging)

1.3 Organization Data

When you use the Service, you provide us with configuration data including:

  • Which vendors your organization monitors
  • Alert rules and notification preferences
  • Team member invitations and role assignments

1.4 Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or other payment card data. We only retain your Stripe Customer ID for subscription management.

1.5 Information We Do Not Collect

  • Your vendor login credentials
  • Contents of your vendor accounts
  • Your internal documents or communications
  • Social Security numbers or government IDs
  • Biometric data

2. How We Use Your Information

We use collected information to:

  • Provide the Service — authenticate you, monitor your selected vendors, and deliver alerts
  • Improve the Service — analyze usage patterns to enhance features and fix bugs
  • Communicate with you — send alerts, notifications, and important service updates
  • Ensure security — detect and prevent fraud, abuse, and unauthorized access
  • Process payments — manage subscriptions and billing through Stripe
  • Comply with law — respond to legal requests and enforce our Terms

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share information only in these circumstances:

3.1 Service Providers

We use third-party services that process data on our behalf:

  • Supabase — database hosting and authentication
  • Vercel — application hosting and edge network
  • Stripe — payment processing
  • Resend — transactional email delivery

Each provider is contractually obligated to protect your data and use it only for the purpose of providing services to us.

3.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change and your options regarding your data.

4. Data Retention

  • Account data — retained for the duration of your account, plus 30 days after deletion
  • Vendor monitoring data — retained for the duration of your subscription (historical data is a core feature)
  • Audit logs — retained for 2 years for security and compliance purposes
  • Payment records — retained as required by tax and financial regulations

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Row Level Security (RLS) for multi-tenant data isolation
  • httpOnly cookies for session management (never localStorage)
  • Rate limiting on all API endpoints
  • Regular security audits and dependency reviews

For more details, see our Security page.

6. Your Rights

6.1 All Users

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your account and associated data
  • Export your data in a machine-readable format
  • Opt out of non-essential communications

6.2 EU/EEA Residents (GDPR)

If you are in the European Union or European Economic Area, you additionally have the right to:

  • Restrict processing of your personal data
  • Object to processing based on legitimate interests
  • Data portability
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

Our legal basis for processing is: (a) contract performance (to provide the Service), (b) legitimate interests (security, product improvement), and (c) consent (marketing communications).

6.3 California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Opt out of the sale of personal information
  • Non-discrimination for exercising your privacy rights

We do not sell personal information as defined under the CCPA.

7. Cookies

We use cookies for:

  • Essential cookies — session management and authentication (required for the Service to function)
  • Analytics cookies — understanding usage patterns to improve the Service (can be disabled)

We do not use advertising or tracking cookies. We do not participate in cross-site tracking.

8. International Data Transfers

Our infrastructure is primarily hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 16, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

Email: privacy@managevendors.io

Security issues: security@managevendors.io

We will respond to privacy requests within 30 days (or sooner as required by applicable law).