Privacy Policy
Contents
- Scope and Our Role
- Information We Collect
- How We Use Information
- Artificial Intelligence Processing
- Enterprise, Consultant, and Sub-User Access
- Sharing and Disclosure
- Sub-Processors
- Cookies and Similar Technologies
- Retention
- Security
- International Data Transfers
- Your Rights
- California Residents
- European Economic Area, United Kingdom, and Switzerland
- Shopify App Data
- Children
- Third-Party Sites
- Changes to this Policy
- Contact
1. Scope and Our Role
This Privacy Policy applies to Project Automation LLC ("Project Automation," "Vendee Pro," "we," "us," or "our") and to the data we process in connection with the Vendee Pro website at vendeepro.app, our mobile and web applications, our APIs, and our integrations (collectively, the "Service").
Our role under data protection laws depends on context:
- Visitors to the marketing site. When you visit our public pages, request a demo, sign up for marketing emails, or contact us, we are the controller (or "business" under U.S. state privacy laws) of the personal information you submit.
- Account holders and authorized users. When you register for and use the Service, we are the controller of administrative information (such as billing, account credentials, support correspondence, and security and audit logs) and a processor (or "service provider") of the Customer Data you upload, generate, or sync into the Service.
- End users of our customers. If your business uses Vendee Pro to manage products, vendors, purchase orders, sales, or other records that contain personal information of third parties, we process that information on your behalf and you are the controller responsible for the lawful basis for that processing.
2. Information We Collect
2.1 Information you provide
- Account details, such as name, email address, phone number, business name, role, and password (stored hashed).
- Billing information, such as billing address, tax identification, and the last four digits and expiration date of your payment card. Full card details are handled by our payment processor and are not stored on our systems.
- Communications, including support messages, feedback, and replies to surveys.
- Customer Data, including products, variants, vendors, suppliers, locations, stores, sales history, purchase orders, transfers, stocktakes, snapshots, photographs you upload, files you import, and any other content you place into the Service.
- AI inputs and outputs, including prompts, voice transcripts, attached context, the outputs the AI returns, and your confirmations or rejections of any proposed action.
2.2 Information we collect automatically
- Usage data, including pages viewed, features used, time stamps, referring URLs, search queries inside the Service, and AI tool-call history.
- Device and connection data, including IP address, browser type and version, operating system, device identifiers, and approximate location derived from IP.
- Diagnostic and security logs, including authentication events, error stack traces, request metadata, and rate-limit and abuse signals.
- Cookies and similar technologies as described in Section 8.
2.3 Information from integrations
When you connect a Third-Party Service (such as Shopify, Heartland Retail, or another point-of-sale or commerce system), we receive the data permitted by that integration. The specific scope is described where you authorize the connection. We use that data to operate the integration, calculate reports, and surface insights inside the Service.
2.4 Information from other sources
We may receive information about you from your colleagues (for example, when an Owner adds you as a Sub-User), from an Enterprise Admin who has invited your Account, from Consultants assigned to your Account, from referrers, and from publicly available sources for fraud prevention.
3. How We Use Information
We use information to:
- provide, operate, secure, and improve the Service;
- create and authenticate Accounts, and enforce permissions and audit controls;
- process payments and manage Subscriptions and AI Credits;
- generate AI Output, run reports, and execute the actions you confirm;
- communicate with you about the Service, including announcements, security alerts, and policy updates;
- send marketing communications where permitted, with an option to unsubscribe in every email;
- monitor for fraud, abuse, security incidents, and violations of our Terms;
- perform analytics on usage to understand performance, prioritize improvements, and inform product decisions;
- generate aggregated or de-identified data that no longer reasonably identifies any person, which we may use for any lawful purpose, including improving the Service and publishing industry insights;
- comply with our legal obligations and enforce our agreements; and
- establish, exercise, or defend legal claims.
4. Artificial Intelligence Processing
4.1 What we process
When you use AI features, we process the prompt you submit, the relevant context drawn from your Customer Data (for example, products, purchase orders, inventory, and sales records), any voice transcript you provide, and the AI Output. We retain a log of each AI tool call, including which tool was invoked, what data was returned to the model, and which actions you confirmed.
4.2 Routing to AI Providers
We send AI requests to one or more third-party large language model providers (each, an "AI Provider"). We may route through aggregators (such as OpenRouter) that select an appropriate model on our behalf. The AI Provider that processes a given request can change over time without prior notice. The current set of AI Providers is listed in the sub-processor table in Section 7.
4.3 No model training on Customer Data
We do not use Customer Data to train, fine-tune, or otherwise improve foundation models owned by us or by any third party, except where you have provided explicit, opt-in written consent for a specific program. Where commercially available, we contract with our AI Providers under zero-retention or no-training arrangements. We do, however, use anonymized, aggregated, or de-identified data, which cannot reasonably be associated with you, your Authorized Users, or your business, to evaluate and improve the Service.
4.4 Voice features
Voice capture in your browser typically uses your operating system’s or browser’s native speech recognition (such as the Web Speech API). The audio may be processed by your device or by your browser’s vendor under that vendor’s privacy policy. We do not record or store continuous audio. Once your speech is converted to text, the resulting text is treated as Customer Data.
4.5 Logs and audit
We retain logs of AI prompts, tool calls, proposed actions, and your confirmations for security, abuse prevention, debugging, billing, and dispute resolution. These logs are retained as described in Section 9.
5. Enterprise, Consultant, and Sub-User Access
If your Account is part of an Enterprise Account, the Enterprise Admin has administrative access to your Account, including the ability to view configuration, Customer Data, billing, AI usage, and audit logs, and to impersonate the Account for support and oversight purposes. If you accept a Consultant assignment, the assigned Consultant has the access permissions you have granted them. If you are an Authorized User of an Account that you do not own, the Owner of that Account controls how your activity within the Service is logged and viewed.
You should not place any personal information of third parties into the Service unless you have a lawful basis to do so and have provided any required notices to those third parties. By using the Service, you instruct us to process such personal information on your behalf in accordance with this Privacy Policy and our Terms.
6. Sharing and Disclosure
We share personal information only as described in this Section. We do not sell personal information for monetary consideration.
- Sub-processors and service providers, including hosting, AI providers, payment processors, email and notification providers, error monitoring, customer support tooling, and analytics. These vendors process information under written contracts that limit their use to providing services to us. The current list is in Section 7.
- Third-Party Services you connect, such as Shopify or Heartland Retail. Data flows to and from these services to operate the integrations you authorize.
- Enterprise Admins and assigned Consultants, where you are a Member Account or have authorized a Consultant assignment.
- Authorized Users you invite, who can see and act on the data within the permissions you grant.
- Legal and safety disclosures, where we believe in good faith that disclosure is required to comply with a legal obligation or valid request from law enforcement, to protect the rights, property, or safety of Project Automation, our users, or the public, or to detect, prevent, or address fraud, abuse, or security issues.
- Business transactions, where personal information may be transferred as part of a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction. We will provide notice of any such transfer that materially changes how your information is handled.
- With your direction, where you instruct us to share information with a specific recipient.
7. Sub-Processors
The following service providers process personal information on our behalf to deliver the Service. We may add or change sub-processors and will update this list when we do.
| Sub-processor | Purpose | Reference |
|---|---|---|
| Stripe | Payment processing, subscription billing, invoicing | stripe.com/privacy |
| OpenRouter | Routing of AI requests to underlying language model providers | openrouter.ai/privacy |
| OpenAI | Large language model inference for AI features | openai.com/policies/privacy-policy |
| Anthropic | Large language model inference for AI features | anthropic.com/legal/privacy |
| Google (Generative AI) | Large language model inference for AI features | policies.google.com/privacy |
| SendGrid (Twilio) | Transactional and marketing email delivery | twilio.com/legal/privacy |
| Shopify | POS, e-commerce, and inventory integration where you connect your Shopify store | shopify.com/legal/privacy |
| Heartland Retail | POS and inventory integration where you connect your Heartland Retail account | heartland.us/privacy-policy |
| Cloud hosting and infrastructure | Application hosting, storage, content delivery, and database operations | Provided on request |
8. Cookies and Similar Technologies
We use cookies, local storage, and similar technologies to operate the Service, remember your preferences, secure your session, and gather usage analytics. We use:
- Strictly necessary cookies required for authentication, session management, security, and load balancing.
- Preference cookies that remember your settings such as default store, sort order, and table density.
- Analytics cookies and pixels that help us understand how the Service is used. These may be set by our analytics sub-processors.
You can control cookies through your browser settings, including blocking or deleting them. Some features will not work if you disable strictly necessary cookies. We do not currently respond to "Do Not Track" signals because no consistent industry standard exists for them.
9. Retention
We retain personal information for as long as is needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account records and Customer Data: for the duration of your Subscription. After termination, we make Customer Data available for export for thirty (30) days, after which we may permanently delete it from active systems. Backups may persist for an additional reasonable period before being purged in the ordinary course.
- Billing records: retained for at least seven (7) years to comply with tax and accounting obligations.
- AI prompt and tool-call logs: retained for security, billing, and dispute resolution for a period commensurate with those purposes, typically up to twenty-four (24) months.
- Security and audit logs: retained as needed to investigate incidents, typically for at least twelve (12) months.
- Marketing data: retained until you opt out, after which we keep a suppression record so we do not contact you again.
Aggregated and de-identified data may be retained indefinitely.
10. Security
We use administrative, technical, and physical safeguards to protect personal information, including encryption in transit (TLS), encryption at rest where supported by our infrastructure, role-based access control, tenant-isolated database scoping, multi-factor authentication for administrative access, audit logging, and a documented incident response process. No method of transmission or storage is fully secure, and we cannot guarantee absolute security. You are responsible for safeguarding your credentials and for the security of any device or network you use to access the Service.
11. International Data Transfers
Vendee Pro is operated from the United States. If you access the Service from outside the United States, you understand that your personal information will be transferred to and processed in the United States and other countries where our sub-processors operate. Where required, we rely on appropriate transfer mechanisms such as the Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum.
12. Your Rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal information, object to processing, and withdraw consent. You may exercise these rights through our contact form. We will respond within the time frame required by applicable law. We may need to verify your identity before fulfilling your request, and we may decline a request where permitted by law, including where your request would compromise the privacy or rights of another person, would interfere with our legal obligations, or relates to information we hold as a processor on behalf of one of our customers (in which case you should contact that customer).
If you are an end user whose personal information is in a customer’s Account (for example, an employee or contact stored in our customer’s Vendee Pro Account), please contact that customer directly. We will assist them in responding to your request.
13. California Residents
This Section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA").
Categories of personal information collected. In the past twelve months we have collected the following categories of personal information from or about California residents: identifiers (such as name, email, phone, IP address); commercial information (such as Subscription history); internet or other electronic network activity (such as usage and device data); geolocation data (approximate, derived from IP); audio data (transient voice transcription input); professional or employment information (such as job title); and inferences drawn from the foregoing. Sources include you, your Authorized Users, your integrations, and our service providers.
Sale and sharing. We do not sell personal information for monetary consideration and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA.
Sensitive personal information. We do not use or disclose sensitive personal information for any purpose other than those permitted under the CCPA without further notice or consent.
Your rights. California residents have the right to request to know, delete, correct, and limit the use of personal information, and the right not to be discriminated against for exercising those rights. Submit a request through our contact form. You may use an authorized agent to submit a request, subject to verification.
14. European Economic Area, United Kingdom, and Switzerland
If you are in the European Economic Area, the United Kingdom, or Switzerland, this Section provides additional disclosures.
Legal bases. We process personal information based on (a) the performance of our contract with you; (b) your consent, where required; (c) our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights; and (d) compliance with our legal obligations.
International transfers. Where we transfer personal information outside the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on the Standard Contractual Clauses or another lawful transfer mechanism.
Your rights. You have the right to access, rectify, erase, restrict, and port your personal information, and to object to processing. You also have the right to lodge a complaint with your local data protection authority.
Data Processing Addendum. If you require a Data Processing Addendum, including the Standard Contractual Clauses, please reach us through our contact form.
15. Shopify App Data
When a merchant installs our Shopify application, we access limited order and inventory data from the merchant’s Shopify store solely to provide app functionality.
Data we access
- Order line items (products, SKUs, quantities)
- Net sales amounts
- Discount and markdown values
- Inventory levels and inventory valuation
- Fulfillment status
- Return information, where applicable
Data we do not access
- Customer names
- Customer email addresses
- Customer phone numbers
- Customer shipping or billing addresses
- Payment or financial information
How we use this data
Shopify order and inventory data is used to power reports and inventory features within the Service. It is never used for advertising, profiling, resale, or sharing with unrelated third parties.
Storage and retention
For Shopify report features that operate on a real-time basis, data is retrieved on demand, processed in memory, and discarded after the report is delivered. For features that depend on synced product, variant, location, or sales records, that data is stored within your Account in encrypted form and retained for the duration of your Subscription. Shopify API credentials are stored securely and are deleted within 24 hours after the merchant uninstalls the app.
Security
All data transmission between our application and Shopify occurs over TLS-encrypted connections. Access controls, audit logging, and tenant isolation apply to any synced data we store.
Merchant control
Merchants can disconnect our application from their Shopify store at any time through the Shopify admin panel. Uninstallation immediately revokes our access to live store data.
16. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please reach us through our contact form so we can take appropriate action.
17. Third-Party Sites
The Service may contain links to websites or services we do not operate. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policy of every site you visit.
18. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, if the changes are material, provide additional notice (such as an in-app notification or email) at least seven (7) days before the changes take effect. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes.
19. Contact
If you have questions or requests regarding this Privacy Policy, please contact us:
Project Automation LLC
Atlanta, Georgia, United States
Contact: vendeepro.app/contact
Web: https://vendeepro.app/