Privacy Policy
Effective date: March 9, 2026
1. Information We Collect
We collect different information depending on how you use VendBase:
Operators (Vendors)
- Account information — Full name, email address, and password when you create an account.
- Business information — Business name, description, URL slug, cart type, phone number, email address, physical address, website URL, social media handles (Instagram, TikTok), logo image, hero image, brand color, timezone, and service area.
- Menu data — Menu categories, items, prices, descriptions, dietary tags, modifier groups, item images, and inventory information.
- Payment configuration — Stripe account ID, Square merchant ID and OAuth tokens (stored server-side only), Venmo username, Zelle identifier, payment instructions, and subscription billing identifiers.
- Notification preferences — Email notification settings, SMS notification settings, and push notification device tokens (when enabled by the Operator).
Customers
- Account information — Full name, email address, and password when you create an account.
- Activity data — Which businesses you have favorited and booking requests you have submitted.
Booking Submitters (Customers or Visitors)
- Name, email address, phone number (optional), event date and time, event location, guest count, service package selection, and any message you include. No account is required to submit a booking.
Guests (Event Attendees)
- Order information — Name (optional), phone number (optional, for SMS updates), order items and modifiers selected, order notes, pickup time slot, and payment method chosen.
- Phone number — If you provide a phone number when placing an order, it is stored with your order and used to send SMS text messages about your order status via Twilio.
- Push notification token — If the Operator has push notifications enabled (instead of SMS), you may opt in to receive order status updates via your browser. A device token is stored with your order to deliver notifications.
- Local storage — Your order details (order ID, order number, and payment-related tokens) are stored in your browser's local storage so you can track your order.
All Users
- IP addresses — Used for rate limiting to prevent abuse. IP addresses are held in server memory only and are not stored in our database.
2. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service
- Process bookings (transmit booking details to the relevant Operator)
- Process guest orders (transmit order details to the relevant Operator)
- Send transactional notifications — booking alerts, order alerts, daily business reports, and low stock alerts to Operators via email
- Send SMS text messages to Guests with order status updates and to Customers with booking confirmations (when a phone number is provided and the Operator has enabled SMS)
- Deliver push notifications for order status updates (when opted in by the Guest and enabled by the Operator)
- Process subscription payments and manage billing
- Enforce rate limits and prevent abuse
- Communicate important updates about your account or the Service
We do not use your information for advertising, behavioral profiling, or marketing purposes. We do not have any analytics or tracking system. We only send transactional emails directly related to your use of the Service.
3. How Your Information Is Shared
We do not sell your personal information. Your data is shared only in the following ways:
With Operators (Platform Data Sharing)
When you submit a booking request or place a guest order, your information (name, email, phone number, event details, or order contents) is shared with the Operator whose business you are interacting with. This is necessary for the Operator to fulfill your request. Operators are required by our Terms of Service to use this information only for legitimate business purposes.
Public Business Information
Operator business profiles, menus, pricing, events, and service packages are publicly accessible to anyone. This is by design to allow Guests and Customers to browse and place orders.
Third-Party Service Providers
We share data with the following third parties as necessary to operate the Service:
- Supabase — Database hosting, user authentication, file storage (images), and real-time messaging. Supabase Privacy Policy
- Stripe — Payment processing for guest card payments (via Stripe Connect) and Operator subscription billing. Credit card data is sent directly from your browser to Stripe and never touches VendBase servers. Stripe Privacy Policy
- Square — Alternative payment processing for guest card payments (via Square OAuth). Card data is tokenized by the Square Web Payments SDK in your browser and never touches VendBase servers. Square OAuth tokens are stored server-side only. Square Privacy Policy
- Twilio — SMS text message delivery for order status notifications and booking confirmations. When you provide a phone number, it is shared with Twilio to deliver text messages. Twilio receives the phone number and message content. Twilio Privacy Policy
- Resend — Transactional email delivery (booking notifications, order alerts, daily reports, low stock alerts). Resend Privacy Policy
- Google Firebase Cloud Messaging — Push notification delivery for order status updates (when enabled by the Operator). Firebase receives device tokens and notification content. Firebase Privacy Information
- DigitalOcean — Application server hosting. DigitalOcean Privacy Policy
Legal Requirements
We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of VendBase, our users, or the public.
4. Cookies and Local Storage
Authentication cookies: We use essential, strictly necessary cookies set by Supabase to maintain your authentication session. These cookies are HttpOnly, Secure, and SameSite=Lax. They are required for the Service to function and cannot be disabled while using the Service. No consent banner is required for these cookies as they are strictly necessary.
Local storage: For guest ordering, we store your active order details (order ID, order number, total amount, and payment-related tokens) in your browser's local storage. This data persists until the order is completed or you clear your browser data.
No tracking: We do not use third-party tracking cookies, advertising cookies, analytics cookies, or tracking pixels of any kind.
5. Data Retention
We retain data as follows:
- Account data — Retained for as long as your account is active.
- Orders and bookings — Retained for the duration of the associated Operator's business account to support operational needs, reporting, and dispute resolution.
- Business deletion — When an Operator's business is deleted, all associated menu items, orders, bookings, events, and sessions are permanently deleted.
6. Your Rights
You have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate personal data. Operators and Customers can update most of their information directly through the Service.
- Deletion — Request deletion of your account and associated personal data.
To exercise any of these rights, contact us at support@vendbase.app. We will respond to your request within 30 days. Note that some data may be retained where required by law or for legitimate business purposes such as dispute resolution.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encrypted connections (HTTPS with HSTS) for all data in transit
- Secure, HttpOnly authentication cookies
- Row-level security (RLS) in our database to enforce tenant data isolation
- Strong password requirements (minimum 10 characters with complexity rules)
- Rate limiting on authentication, booking, and ordering endpoints
- HMAC-based token verification for guest order ownership
- Content Security Policy (CSP), X-Frame-Options, and other HTTP security headers
- No third-party tracking scripts or advertising networks
However, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
8. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, contact us at support@vendbase.app and we will promptly delete it.
9. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to non-discrimination for exercising your privacy rights
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To exercise your CCPA rights, contact us at support@vendbase.app.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before the changes take effect. The updated policy will be posted on this page with a revised effective date.
11. Contact
If you have questions about this Privacy Policy or our data practices, contact us at support@vendbase.app.