Privacy Policy
Last updated: June 2025 | Effective Date: June 2025
This Privacy Policy is prepared in compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and applicable international data protection standards.
1. Introduction
VendorOS AI (“VendorOS”, “we”, “our”, or “us”) is a technology company providing an AI-powered business management platform for Nigerian entrepreneurs and small-to-medium enterprises (SMEs). We are committed to protecting your personal data and processing it in a lawful, fair, and transparent manner.
This Privacy Policy explains how we collect, use, disclose, store, and protect information about you when you use our platform at vendoros-ai.vercel.app and related services (collectively, “the Platform”).
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller Information
VendorOS AI is the Data Controller responsible for your personal data under the NDPA 2023.
Company: VendorOS AI
Email: privacy@vendoros.ai
Support: support@vendoros.ai
Platform: vendoros-ai.vercel.app
3. Data We Collect
We collect the following categories of personal and business data:
3.1 Account & Identity Data
- Full name and email address
- Password (stored as a bcrypt hash, never in plain text)
- Profile information you provide during signup
3.2 Business Data
- Business name, description, and contact information
- WhatsApp number and phone number
- Subscription plan and billing status
- Business operational data: customers, orders, inventory, transactions, and marketing campaigns
3.3 Customer Data You Upload
- Names, phone numbers, email addresses, and WhatsApp numbers of your customers
- Order histories and spending patterns
- Conversation logs from WhatsApp interactions
You are the data controller for your customers' data. You are responsible for obtaining appropriate consent from your customers before uploading their data to our Platform.
3.4 Payment & Subscription Data
- Subscription plan details and billing history
- Payment transaction references (via Flutterwave)
- We do NOT store raw card numbers, CVV, or full bank account details — these are handled exclusively by Flutterwave, our PCI-DSS compliant payment processor
3.5 Technical & Usage Data
- IP address and device information
- Browser type and operating system
- Pages visited and features used on the Platform
- Login timestamps and session data
- Error logs and performance metrics
3.6 AI Interaction Data
- Messages you send to our AI agents (OgaAI, Customer Care, Finance, Sales, Inventory, Marketing agents)
- AI-generated responses and business insights
- Conversation history used to improve AI responses within your session
4. Legal Basis for Processing
Under the NDPA 2023, we process your data on the following legal bases:
Contractual Necessity
Processing required to provide the services you signed up for — account management, order processing, inventory tracking, and AI agent services.
Legitimate Interests
Improving our platform, preventing fraud, ensuring security, and providing customer support — balanced against your rights and interests.
Legal Obligation
Compliance with Nigerian tax laws, anti-money laundering regulations, and other applicable laws.
Consent
For marketing communications and optional data sharing. You may withdraw consent at any time.
5. How We Use Your Data
We use your personal and business data to:
- Create and manage your account and business profile
- Provide AI-powered business management features and insights
- Process payments and manage subscriptions
- Send transactional notifications (payment confirmations, subscription reminders)
- Provide customer support and respond to inquiries
- Detect and prevent fraud, abuse, and security threats
- Improve and optimize our Platform and AI models
- Comply with legal obligations under Nigerian law
- Send marketing communications (only with your consent)
- Calculate and process affiliate commissions
6. Data Storage & Security
6.1 Where Your Data is Stored
Your data is stored on Supabase, a PostgreSQL database hosted on servers in the European Union (EU-West). All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
6.2 Security Measures
- Row-Level Security (RLS) ensures each business can only access its own data
- All passwords are hashed using bcrypt — never stored in plain text
- API endpoints require authenticated sessions for all data access
- HMAC-SHA256 signature verification on all webhook endpoints
- Regular security audits and vulnerability assessments
- Access to production systems is restricted to authorized personnel only
- Multi-factor authentication required for administrative access
6.3 Data Retention
- Account data: Retained for the duration of your subscription plus 90 days after termination
- Business/transaction data: Retained for 7 years to comply with Nigerian financial regulations (FIRS)
- Support communications: Retained for 2 years
- AI conversation logs: Retained for 90 days, then anonymised
- Technical logs: Retained for 30 days
7. Who We Share Your Data With
We do not sell your personal data. We only share data with the following trusted third-party service providers under strict data processing agreements:
Supabase (PostgreSQL Database)
Purpose: Database hosting and authentication services
Location: EU (Ireland)
Basis: Contractual necessity
Anthropic (Claude AI)
Purpose: Processing AI agent requests and generating business insights
Location: USA (adequacy safeguards applied)
Basis: Contractual necessity
Flutterwave
Purpose: Payment processing and subscription management
Location: Nigeria / Global (PCI-DSS compliant)
Basis: Contractual necessity
n8n (Workflow Automation)
Purpose: Automated business workflows and notifications
Location: EU / Cloud
Basis: Legitimate interests
Vercel
Purpose: Web hosting and deployment infrastructure
Location: USA / Global (SCCs in place)
Basis: Legitimate interests
We may also disclose your data to law enforcement or regulatory authorities if required by Nigerian law, court order, or to protect the rights and safety of our users.
8. Your Rights Under the NDPA 2023
As a data subject under the Nigeria Data Protection Act 2023, you have the following rights:
Right of Access
Request a copy of the personal data we hold about you
Right to Rectification
Request correction of inaccurate or incomplete data
Right to Erasure
Request deletion of your data (subject to legal retention requirements)
Right to Data Portability
Receive your data in a machine-readable format
Right to Object
Object to processing based on legitimate interests or for direct marketing
Right to Restrict Processing
Request that we limit how we use your data in certain circumstances
Right to Withdraw Consent
Withdraw consent for consent-based processing at any time
Right to Lodge a Complaint
File a complaint with the Nigeria Data Protection Commission (NDPC)
To exercise any of these rights, please contact us at privacy@vendoros.ai. We will respond within 30 days as required by the NDPA 2023.
9. Cookies & Tracking
We use essential cookies and session tokens to maintain your login session and ensure platform security. We do not use third-party advertising cookies or cross-site tracking technologies.
Session data is stored securely using HTTP-only cookies and expires automatically after inactivity.
10. Children's Privacy
VendorOS AI is a business management platform intended for adults aged 18 and above. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided data to us, please contact us immediately at privacy@vendoros.ai.
11. Cross-Border Data Transfers
Some of our service providers process data outside Nigeria. In all cases, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required, to provide a level of data protection equivalent to that required by the NDPA 2023.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes via email or a prominent notice on the Platform at least 14 days before changes take effect. Continued use of the Platform after that date constitutes acceptance of the updated policy.
13. Contact & Complaints
For privacy-related inquiries, to exercise your rights, or to lodge a complaint:
Email: privacy@vendoros.ai
Support: vendoros-ai.vercel.app/support
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng if you believe your data rights have been violated.