Privacy Policy
Last updated: February 21, 2026
1. Introduction
Kiricode OÜ (registry code pending), registered at Saaruste tee 24, Sausti küla, Harjumaa, 75415, Estonia ("we", "us", or "Kiricode") is the data controller for personal data collected through vendorm8.com (the "Service").
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service. It applies to all users of vendorm8.com, including visitors, trial users, and paying subscribers.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, and password (stored as a bcrypt hash, never in plain text)
- Organization information: Organization name, billing email address, and timezone
- Vendor data: Vendor records including company names, categories, statuses, and notes
- Vendor contacts: Names, email addresses, and phone numbers of vendor contacts
- Contracts: Contract details including names, values, dates, and terms
- Uploaded files: Contract documents and related files (up to 10 MB per file)
- Feedback: Messages submitted through the in-app feedback feature
- Waitlist entries: Email addresses submitted through the waitlist form
2.2 Information Collected Automatically
- Session data: IP address, user agent, and session timestamps
- Audit logs: Records of entity changes within the Service, including JSON diffs of modifications
- Analytics data: Page views and usage patterns via Google Analytics (only with your consent — see Section 4)
2.3 Information from Third Parties
- Stripe: Payment confirmation and subscription status. We do not store credit card numbers or full payment details locally; all payment processing is handled by Stripe.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the Service | Account, org, vendor, contract, and file data | Contract performance (Art. 6(1)(b)) |
| Process payments | Billing email, Stripe subscription data | Contract performance (Art. 6(1)(b)) |
| Send transactional emails | Email address, name | Contract performance (Art. 6(1)(b)) |
| Send contract renewal reminders | Email address, contract dates | Contract performance (Art. 6(1)(b)) |
| Maintain audit logs | User ID, entity changes, timestamps | Legitimate interest (Art. 6(1)(f)) |
| Analytics | Page views, usage patterns (anonymized) | Consent (Art. 6(1)(a)) |
| Security and fraud prevention | IP address, session data | Legitimate interest (Art. 6(1)(f)) |
| Respond to support and feedback | Email, feedback content | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | As required by law | Legal obligation (Art. 6(1)(c)) |
5. Data Sharing & Sub-processors
We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers ("sub-processors") who assist us in operating the Service:
| Sub-processor | Purpose | Data Protection |
|---|---|---|
| Railway | Infrastructure hosting | EU region |
| Stripe | Payment processing | PCI-DSS compliant, EU-US DPF certified |
| Resend | Email delivery | DPA available |
| Google Analytics | Usage analytics (consent required) | EU-US DPF certified |
We may also disclose your data if required to:
- Comply with applicable laws, regulations, or legal processes
- Protect the rights, property, or safety of Kiricode OÜ, our users, or others
- Facilitate a merger, acquisition, or sale of assets (you will be notified of any such transfer)
6. International Data Transfers
Your data is primarily stored in the European Union (Railway EU region). Some sub-processors are located in the United States. Where personal data is transferred outside the EU/EEA, we ensure adequate safeguards are in place, including:
- EU-US Data Privacy Framework (DPF): Stripe and Google are certified under the EU-US Data Privacy Framework
- Standard Contractual Clauses (SCCs): Where DPF certification is not available, we rely on European Commission-approved Standard Contractual Clauses
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription + 90 days |
| Organization and business data | Duration of subscription + 90 days |
| Session data | 7-day expiry per session; records retained until account deletion |
| Audit logs | Duration of subscription + 90 days |
| Uploaded files | Duration of subscription + 90 days |
| Feedback | Until account deletion |
| Waitlist entries | Until launch or upon request |
| Stripe events | Retained for billing dispute resolution |
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Bcrypt password hashing
- HMAC-signed session tokens
- HTTPS/TLS encryption for all data in transit
- Database encryption at rest
- Security headers (Helmet) and CORS policies
- Input validation and sanitization
- Multi-tenant row-level data isolation
- Role-based access control (RBAC)
- Mandatory email verification
- File upload size limits (10 MB per file)
While we strive to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
9. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate data (available via account settings or by contacting us)
- Right to Erasure: Request deletion of your personal data by contacting support@vendorm8.com
- Right to Restriction: Request that we restrict the processing of your personal data
- Right to Data Portability: Receive your data in a structured, machine-readable format. CSV export is available for vendor data; comprehensive data export is on our roadmap.
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time
We will respond to valid requests within 30 days. To exercise any of these rights, contact us at support@vendorm8.com.
You also have the right to lodge a complaint with your local data protection authority. Our supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee.
10. Your Rights Under the CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about the categories and specific pieces of personal data we have collected
- Right to Delete: Request deletion of your personal data
- Right to Opt-Out of Sale: We do not sell your personal data
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
11. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@vendorm8.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email to the address associated with your account. The "Last updated" date at the top of this page indicates when this policy was last revised.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Email: support@vendorm8.com
Postal address: Kiricode OÜ, Saaruste tee 24, Sausti küla, Harjumaa, 75415, Estonia
Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — www.aki.ee