Privacy Policy
Last updated: 11 April 2026
1. Who We Are
Vendora ("we", "us", "our") operates the reselling tools platform at vendora.site and the associated Vendora Discord bot. For data enquiries, contact us at support@vendora.site.
2. What Data We Collect
| Data | Source | Why |
|---|---|---|
| Discord user ID, username, avatar | Discord OAuth2 on login | Account identification and display |
| Subscription tier and status | PayPal webhook + our records | Gating features and Discord role assignment |
| PayPal subscription ID | PayPal webhook | Linking your subscription to your account |
| Platform credentials (Depop, Vinted) | You enter them in the dashboard | Authenticating to platforms on your behalf for cross-listing |
| Listings data (title, price, condition) | You create listings | Storing and managing your active cross-listings |
| Inventory items and watchlist | Discord bot commands | Persisting your /tracker and /pricedrop data across sessions |
| Bot command usage counts | Bot command execution | Enforcing per-tier rate limits |
| Session data | Supabase Auth | Keeping you logged in; auto-deleted after 24 hours of inactivity |
We do not collect payment card details — all billing is handled by PayPal.
3. How We Store Your Data
All data is stored in a PostgreSQL database hosted on Supabase (EU region). Platform credentials (usernames and passwords for Depop/Vinted) are encrypted at rest using AES-256-GCM before storage. The encryption key is derived from a server-side secret and never exposed to clients.
The Discord bot is hosted on Railway. The dashboard and website are hosted on Netlify.
4. How We Use Your Data
- To authenticate you and maintain your session
- To provide features appropriate to your subscription tier
- To assign and revoke your Discord server roles following subscription changes
- To post listings to third-party platforms on your behalf (only when you request it)
- To enforce rate limits and prevent abuse
- To send you service-related Discord DMs (subscription confirmations, announcements)
We do not use your data for advertising or sell it to third parties.
5. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — database and authentication. Privacy Policy
- Discord — authentication and bot interaction. Privacy Policy
- PayPal — subscription billing. Privacy Policy
- Anthropic (Claude AI) — generating AI tool responses. Inputs are processed but not used for model training per Anthropic's API terms. Privacy Policy
- Netlify — website hosting. Privacy Policy
- Railway — bot server hosting. Privacy Policy
6. Platform Credentials
When you link your Depop or Vinted account, you provide your login credentials. These are:
- Transmitted over HTTPS
- Immediately encrypted using AES-256-GCM before being stored in the database
- Never logged in plaintext
- Used only to authenticate to those platforms on your behalf
- Deleted from our database when you disconnect your account
By linking a platform account, you confirm you have the right to share those credentials and you accept responsibility for compliance with that platform's terms of service.
7. Data Retention
- Active account data: Retained while your account exists
- Subscription data: Retained for 7 years for legal/financial compliance
- Platform credentials: Deleted when you disconnect or close your account
- Session data: Auto-deleted after 24 hours of inactivity
- Listings data: Retained until you delete a listing or close your account
8. Your Rights (UK GDPR)
Under UK GDPR, you have the right to:
- Access: Request a copy of all data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your account and associated data
- Portability: Request your data in a machine-readable format
- Restriction: Request we limit how we process your data
- Object: Object to processing based on legitimate interests
To exercise any of these rights, contact us at support@vendora.gg. We will respond within 30 days.
You may also lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
We use only functional cookies and local storage necessary to maintain your login session (provided by Supabase Auth). We do not use advertising or analytics cookies. No third-party tracking scripts are loaded on the dashboard.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via Discord DM or the #announcements channel in the Vendor Village server. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
For privacy questions or data requests: support@vendora.gg or via the #support channel in Vendor Village.