Privacy Policy

Effective date: 16 May 2026
Controller: MDB Next (a sole proprietorship under Dutch law trading as VendorRadar), established in the Netherlands. Registered with the Dutch Chamber of Commerce (KvK) under number 42063101. Contact via the contact page.

For any privacy question or request, reach us via our contact page.

1. Who we are

VendorRadar is a service operated by MDB Next, a sole proprietorship established in the Netherlands. References to "VendorRadar", "we", or "us" in this Policy refer to MDB Next as data controller under Article 4(7) GDPR.

Registered with the Dutch Chamber of Commerce (KvK) under number 42063101.

We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and the Dutch Implementation Act (Uitvoeringswet AVG).

For any question about this Policy or how we handle your data, reach us via our contact page.

2. Data we collect

We collect the following categories of personal data:

  • Account data. Email address, full name, role, company name, company country, company size, primary regions, focus categories, and any profile fields you provide during onboarding.
  • Billing data. Subscription tier, billing period, Stripe customer and subscription identifiers, invoice metadata, VAT number where applicable. Card details are handled directly by Stripe; we never see or store full card numbers.
  • Usage data. Vendors you watch, saved comparisons, Vendor Match queries (business context such as use case, company size, must-haves; no name or email), alert preferences, changelog events you have read.
  • Technical data. Server logs (timestamps, IP address, user-agent), SMTP error logs (may contain email addresses), activation email tracking events, and Stripe webhook events, which are necessary to operate the Service, debug incidents, and detect abuse.
  • Communications. Messages you send us, support requests, contact form submissions (name, email, message), vendor requests, and any reply we send back to you.
  • Waitlist data. Email address and double opt-in confirmation, retained until launch plus 90 days.
  • Analytics data. Aggregated page-view and performance metrics collected via Vercel's privacy-friendly analytics. No third-party advertising or cross-site tracking is used.

3. How we use your data

  • to create and operate your account, deliver the Service, and apply subscription-tier entitlements;
  • to process payments, handle invoicing, and comply with tax and accounting obligations under Dutch law (including artikel 52 AWR);
  • to send transactional emails about your account (sign-in links, billing notices, security alerts) and, where you have opted in, weekly digest emails with vendor program updates;
  • to produce aggregated analytics that help us improve the Service;
  • to protect the Service, our users, and third parties against fraud, abuse, and security threats;
  • to respond to your support requests and other communications;
  • to comply with legal obligations, enforce our Terms of Service, and establish or defend legal claims where necessary.

4. Lawful basis

We process personal data only where we have a lawful basis under Article 6 GDPR:

  • Contract (Art. 6(1)(b)) — to provide the Service to you under our Terms of Service.
  • Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, operate aggregate analytics, and communicate about our product in a reasonable, non-intrusive way. We balance these interests against your rights and interests.
  • Consent (Art. 6(1)(a)) — where you opt in to weekly digest emails or other optional features. Waitlist signups use a verifiable double opt-in process: when you submit a waitlist request via our contact form, we email a confirmation link to the address you provided and only add you to the launch announcement list once you click that link. Until you confirm, your row is held as "pending" and excluded from any outreach. You can withdraw your waitlist consent at any time via the contact form; we will delete the pending or confirmed row and confirm by reply. The right to withdraw extends to all consent-based processing we operate.
  • Legal obligation (Art. 6(1)(c)) — to retain accounting and invoice records and respond to lawful requests from authorities.

5. Third-party processors

We rely on the following providers, each bound by a written data-processing agreement or equivalent contractual safeguards:

  • Supabase (Supabase, Inc.) hosts the application database and authentication. EU region. DPA in place.
  • Stripe (Stripe Payments Europe, Ltd., Ireland) processes payments and manages subscriptions. DPA in place via Stripe's standard terms.
  • Vercel (Vercel, Inc.) hosts the web application (EU region fra1) and handles edge delivery and privacy-friendly aggregate analytics.
  • Anthropic (Anthropic, PBC, United States) processes text submitted to the Vendor Match feature and related AI features. We send only business context (use case, company information, must-haves) and do not submit names, email addresses, or other directly identifying personal data. Anthropic does not use this data to train its models under our business API terms. Transfer to the United States is covered by Standard Contractual Clauses (Art. 46 GDPR).
  • Brevo (Sendinblue SAS, Paris, France) processes transactional and notification emails (sign-in codes, alerts, billing notices). EU region. DPA in place.
  • PostHog (PostHog Inc., United States; data hosted in the EU via Frankfurt) provides product analytics. Tracking runs only after you accept analytics cookies. We process page views, feature-usage events, and (for signed-in users) your email address as a pseudonymous identifier. Transfer to the United States is covered by Standard Contractual Clauses (Art. 46 GDPR). DPA in place.
  • n8n (n8n GmbH, Germany) processes automation workflows connecting Stripe events, account provisioning, and email triggers. EU region.
  • Sentry (Functional Software, Inc.) processes error reports and stack traces for application stability monitoring. Personal data may incidentally appear in error context; we minimise this and do not intentionally send PII.

We do not sell or rent your personal data. We do not share personal data with third parties other than the processors above, unless required by law or with your explicit consent.

6. Automated decision-making

VendorRadar does not engage in automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. The Vendor Match feature generates advisory recommendations only; you remain fully responsible for all commercial decisions.

7. International transfers

Vercel, Anthropic, Sentry, and PostHog (corporate entity) are established in the United States; PostHog hosts our data in the EU. Where personal data is transferred outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, the EU–US Data Privacy Framework adequacy decision. A copy of the applicable safeguards is available on request.

All other processors (Supabase, Stripe/Europe, Brevo, n8n) are established within the EEA.

Our Service is not directed at residents of the United States or Canada. We do not knowingly collect or process personal data from individuals located in these jurisdictions.

8. Retention

  • Account data: while your account is active and for up to 30 days after you request deletion, to complete in-flight processes and back-up cycles.
  • Billing records: 7 years after the financial year to which they relate (Article 52 Algemene Wet Rijksbelastingen).
  • Audit logs: 12 months.
  • Server logs (including IP addresses): up to 90 days for security and diagnostic purposes.
  • SMTP error logs (may contain email addresses): 7 days.
  • Waitlist signups: until launch plus 90 days.
  • Aggregated, non-identifying analytics: may be retained indefinitely.

9. Your rights

Under GDPR you have the right to:

  • access your personal data and receive a copy of it (Art. 15);
  • have inaccurate or incomplete data corrected (Art. 16);
  • have your data erased in certain circumstances (Art. 17);
  • restrict processing in certain circumstances (Art. 18);
  • receive your data in a portable, machine-readable format (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • withdraw any consent you have given at any time, without affecting the lawfulness of prior processing (Art. 7(3));
  • lodge a complaint with a supervisory authority (Art. 77).

To exercise any of these rights, reach us via our contact form from the address on your account. We will respond within 30 days, extended by up to a further 60 days for complex requests in line with GDPR Article 12(3).

Our supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), autoriteitpersoonsgegevens.nl.

10. Cookies

VendorRadar uses only strictly necessary cookies for authentication, session handling, CSRF protection, and remembering your theme preference. These are essential for the Service to function and are exempt from consent under Article 5(3) of the ePrivacy Directive.

We do not use advertising cookies, third-party tracking pixels, or cross-site analytics. Vercel's built-in page analytics are aggregated and do not rely on cookies that identify individual users.

We use PostHog (hosted in the EU) for product analytics. This helps us understand how visitors use VendorRadar so we can improve it. We do not sell data to third parties. You can decline these cookies via the banner at the bottom of any page.

11. Security

We apply appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, encryption at rest on our primary database, role-based access controls, row-level security policies, signed authentication cookies, multi-factor authentication for administrative access, and rate limiting on sensitive endpoints.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and, where required, inform affected users without undue delay.

12. Children

The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email to the address on your account or via an in-app notice at least 30 days before they take effect. The current version is always available at this URL with the effective date at the top.

14. Contact

For any privacy-related question or request, reach us via our contact page.

Legal operator

Entity: MDB Next, sole proprietorship under Dutch law, trading as VendorRadar
Country: The Netherlands
KvK registration: 42063101
VAT ID: NL005467532B94
Address: Available on request for legal correspondence