Privacy Policy

Account Information. When you create an account, we collect your name, email address, company name, industry, and company size. If you are an owner or admin, we also collect your billing email address.

Contract and Vendor Data. When you upload contracts or other documents to VendorPulse, we store those documents and the data extracted from them — including vendor names, contract values, renewal dates, notice periods, SLA terms, and any other fields you add or that our AI extracts.

Usage Data. We collect information about how you use the Service, including pages visited, features used, actions taken, and timestamps. This helps us improve the Service and diagnose issues.

Payment Information. Payment card details are processed and stored by Stripe, our payment processor. We do not store your full card number, CVV, or other raw payment credentials. We store only a Stripe customer ID and the last four digits and expiration date of your card for display purposes.

Communications. If you contact our support team, we retain your messages and any information you provide to resolve your issue.

Device and Technical Data. We collect standard technical information including IP address, browser type and version, operating system, and referring URLs for security and performance monitoring.

We use the information we collect to:

• •Provide and operate the Service — Process your uploads, run AI extractions, display your dashboard, and send renewal alerts
• •Process payments — Bill you for your subscription through Stripe
• •Send transactional emails — Renewal alerts, SLA reminders, certification expiry notices, billing confirmations, and trial notifications via Resend
• •Improve the Service — Analyze usage patterns to identify improvements, fix bugs, and develop new features
• •Provide support — Respond to your questions and resolve issues
• •Ensure security — Detect fraud, abuse, and unauthorized access
• •Meet legal obligations — Respond to lawful requests from public authorities

We do not sell your personal data to third parties. We do not use your contract data to train AI models or for any purpose other than providing the Service to you.

VendorPulse uses Anthropic's Claude AI API to extract key data from your uploaded contract documents and to power the Risk Analyzer feature. When you upload a document:

1. 1. The document is transmitted securely to Anthropic's API for processing
2. 2. Claude AI reads the document and extracts structured data (vendor name, value, dates, terms, etc.)
3. 3. The extracted data is returned to VendorPulse and stored in your account

Risk Analyzer. When you use the Risk Analyzer feature, your contract documents are also sent to Anthropic's Claude API for risk analysis and scoring.

Anthropic's Data Practices. Anthropic processes your documents pursuant to their API terms of service and privacy policy. By default, Anthropic does not use API input or output data to train their models. For details, see anthropic.com/privacy.

We recommend against uploading documents containing highly sensitive personal information (such as medical records or government identification numbers) beyond standard commercial contract data.

We share your data only with the following service providers, strictly for the purpose of operating the Service:

• •Supabase — Database hosting and file storage (PostgreSQL, S3-compatible object storage). Data is encrypted at rest and in transit.
• •Vercel — Application hosting and serverless function execution. Processes request data to serve the application.
• •Anthropic — AI processing for contract data extraction and risk analysis of uploaded documents.
• •Stripe — Payment processing and subscription billing management. Stripe handles all payment card data under PCI DSS compliance.
• •Resend — Transactional email delivery for alerts, notifications, invitations, and billing emails.
• •Slack — Optional integration for receiving notifications and alerts in your Slack workspace. Only used if you connect the Slack integration.

We do not share your data with advertising networks, data brokers, or any other third parties for commercial purposes.

We do not sell your data. We do not sell, rent, or trade your personal information or Your Data to any third party.

Service Providers. We share data with the subprocessors listed in Section 4 solely to provide the Service.

Legal Requirements. We may disclose your information if required by law, valid court order, or government request, or to protect the rights, property, or safety of VendorPulse, our users, or the public.

Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the successor entity subject to the same privacy protections described here. We will notify you of any such transfer.

Infrastructure. VendorPulse is hosted on Vercel (application layer) and Supabase (database and file storage). Both providers maintain SOC 2 Type II certifications and implement industry-standard security controls.

Encryption. All data is encrypted in transit using TLS 1.2 or higher. Contract documents and database data are encrypted at rest using AES-256 encryption.

Access Controls. Access to your data is restricted to members of your organization through Row-Level Security (RLS) policies enforced at the database level. VendorPulse staff access your data only when you explicitly grant permission or when required to resolve a critical technical issue.

Authentication. User authentication is handled through Supabase Auth, which supports secure password hashing, session management, and multi-factor authentication.

Despite our security measures, no method of transmission or storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.

VendorPulse uses a minimal set of cookies solely for:

• •Authentication — Session cookies to keep you signed in securely
• •Session management — Maintaining your application state

We do not use third-party advertising cookies, cross-site tracking pixels, or analytics services that share data with third parties. You can control cookie behavior through your browser settings, though disabling cookies will prevent you from signing in.

We retain your account data and contract data for as long as your account is active or as needed to provide the Service.

Account Closure. After account deletion or subscription cancellation, your data remains accessible for 90 days to allow for export. After 90 days, your data is permanently deleted from our active systems.

Backups. Backup copies may be retained for up to 12 months as part of our disaster recovery procedures, after which they are also deleted.

Billing Records. Transaction logs and billing records are retained for 7 years as required by financial regulations.

Legal Holds. We may retain certain data longer if required by law or for legitimate legal proceedings.

Depending on your location, you may have the following rights:

Access. You may request a copy of the personal data we hold about you by emailing privacy@vendorpulse.co.

Correction. You may update your account information directly through the Settings page, or contact us to correct inaccurate data.

Deletion. You may request deletion of your account and associated data by contacting support@vendorpulse.co. We will delete your data within 30 days, except where retention is required by law.

Export. You may export your contract data and vendor information directly from the Settings page at any time.

Restriction and Objection. In certain circumstances, you may request that we restrict processing of your data or object to processing based on legitimate interests.

Portability. You may request your data in a structured, machine-readable format.

To exercise any of these rights, email us at privacy@vendorpulse.co with the subject line "Privacy Request." We will respond within 30 days.

If you are located in the European Union, European Economic Area, or United Kingdom, the following additional provisions apply:

Legal Basis for Processing. We process your personal data on the following legal bases: • Contractual necessity — Processing required to provide the Service under our agreement with you • Legitimate interests — Security monitoring, fraud prevention, and service improvement, where not overridden by your rights • Consent — Where you have given explicit consent, which you may withdraw at any time • Legal obligation — Compliance with applicable laws

International Data Transfers. VendorPulse is based in the United States. When we transfer your data outside the EEA or UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.

EU/UK Representative. For GDPR or UK GDPR-related inquiries, you may contact our privacy team at privacy@vendorpulse.co.

Right to Lodge a Complaint. You have the right to lodge a complaint with your national or local data protection supervisory authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you additional rights:

Right to Know. You have the right to know what categories of personal information we collect, use, and disclose. See Section 1 for details.

Right to Delete. You may request deletion of your personal information. See "Your Rights" in Section 9.

Right to Opt-Out of Sale. We do not sell personal information. No opt-out is necessary.

Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

Categories of Information Collected. We collect: identifiers (name, email, IP address), commercial information (subscription and billing records), internet or electronic network activity (usage logs), and professional information (company name, industry).

To exercise your CCPA rights, email privacy@vendorpulse.co with the subject line "CCPA Request."

VendorPulse is a business software platform intended for use by organizations and individuals who are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us at privacy@vendorpulse.co and we will promptly delete it.

We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address on file and by posting the updated policy at vendorpulse.co/privacy at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

VendorPulse Privacy Team Email: privacy@vendorpulse.co Support: support@vendorpulse.co Website: vendorpulse.co

We will respond to all privacy inquiries within 30 days.

This Privacy Policy is effective as of June 1, 2025.