Privacy Policy

1. Who is responsible for your data

VendoReport ("we") is the data controller for the personal data described in this policy. VAT registration is in progress; this page will be updated with the full registered details once complete.

For anything related to your data, write to info@vendoreport.com. We answer within a few business days.

2. What data we collect

• Order data: your email address, the vendor domains you submit, and your language preference. You provide these at checkout.
• Payment and billing data: handled by Stripe, our payment provider. Card numbers never reach our systems. Stripe shares with us your billing details and, if you provide one, your VAT ID, so an invoice can be issued.
• Correspondence: emails you send to info@vendoreport.com.
• Analytics data: only if you accept cookies, Google Analytics collects usage data about your visit (pages viewed, approximate location, device type). See section 8.

3. Why we process it and on what legal basis

• To deliver the service you bought (reports by email, order updates): performance of a contract, GDPR Art. 6(1)(b).
• To issue invoices and meet tax obligations: legal obligation, Art. 6(1)(c).
• To measure how the site is used, via Google Analytics: your consent, Art. 6(1)(a). You can refuse or withdraw it at any time; the site works the same.
• To prevent abuse of the service and keep it secure: our legitimate interest, Art. 6(1)(f).

4. About the vendor domains you submit

The domains you submit identify companies, not people, and we analyse them using publicly accessible information only (DNS records, TLS configuration, exposed services, breach databases). We do not probe, intrude or test beyond passive observation.

In rare cases a domain may relate to an identifiable individual, for example a sole trader. Where that happens, we process the related public data under our legitimate interest in providing the assessment our customer requested. Anyone concerned can write to info@vendoreport.com to object.

5. Who we share data with

We never sell your data. We share it only with the providers needed to run the service:

• Stripe (payments and invoicing)
• Vercel (website hosting)
• Our email provider (report delivery and support)
• Discord (internal order notifications to our fulfilment team: order amount, your email, the submitted domains)
• Google (analytics, only with your consent)

6. International transfers

Some of these providers are US companies. Where data leaves the EU, the transfer relies on the EU-US Data Privacy Framework or on Standard Contractual Clauses, as applicable to each provider.

7. How long we keep it

• Order data and delivered reports: 12 months from delivery, so you can request your report again. Then deleted.
• Invoices and accounting records: 10 years, as required by Italian tax law.
• Support correspondence: up to 12 months after the conversation ends.
• Your cookie choice: stored in your browser until you clear it or change it.

8. Cookies and analytics

The site sets no tracking cookies by default. Your cookie choice itself is stored locally in your browser (no cookie banner on every visit).

If you accept, Google Analytics 4 sets cookies (such as _ga) to measure visits. These identifiers are retained by Google Analytics for up to 14 months. If you reject, nothing is set and the site works exactly the same.

You can change your choice at any time via "Cookie preferences" in the footer.

9. Your rights

Under the GDPR you can ask us, at any time, to access, correct, delete or export your data, to restrict or object to its processing, and to withdraw any consent you gave. Write to info@vendoreport.com.

You also have the right to lodge a complaint with a supervisory authority. In Italy that is the Garante per la protezione dei dati personali (gpdp.it).

10. Changes to this policy

If we change this policy in a meaningful way, we will update the date at the top. Substantial changes affecting how we use order data will be communicated to recent customers by email.