Founder-drafted template — currently under legal review. The substantive practices described here are accurate; the legal framing is being finalized with counsel before launch.
1. Who we are
Vendor Hub LLC ("Vendor Hub," "we," "us," "our") operates a vendor-management platform at getvendorhub.com that connects members (real estate agents, brokers, investors, landlords, property managers, homeowners managing renovations, and small businesses) with service vendors who self-attest to their licensing, insurance, and qualifications. We are a Tennessee limited liability company.
If you have questions about this policy or your data, contact us at privacy@getvendorhub.com.
2. Scope
This Privacy Policy describes how we collect, use, share, and protect personal information when you:
- Visit our website at getvendorhub.com or any subdomain
- Create an account as a member or vendor
- Use any feature of the Vendor Hub platform (browse, message, RFPs, payments, reviews, etc.)
- Receive communications from us
Vendor Hub is offered exclusively to United States residents. Account creation from outside the US is not supported (see Section 9 for the full territorial-scope statement). State-specific addenda apply for California, Virginia, Colorado, Connecticut, Utah, Texas, and other US states with applicable privacy laws.
3. Information we collect
Account identity: name, email, optional phone, organization, location ZIP, role (member, vendor, admin), display name, avatar.
Authentication state: password hash (bcrypt, managed by our authentication provider), session tokens.
Vendor business data (vendors only): business name, services, business description, photos, work-sample gallery, contact methods, pricing approach, self-attested license/insurance information.
Communications: in-platform messages between members and vendors, including any attachments (PDFs, photos, documents). Message content is private to the parties involved and our automated systems (see Section 5).
Quote requests (RFPs): RFP titles, scopes, budget hints, attachments, vendor proposals, awarded status.
Reviews: star ratings and written reviews on completed vendor work.
Subscription and payment metadata: subscription tier, payment processor customer ID, payment processor subscription ID. We do not collect or store payment card numbers, CVV, or bank account numbers. Card data is collected and tokenized directly by our payment processor (a PCI DSS Level 1 service provider); we receive only an opaque customer reference.
Operational data: IP address, browser user agent, pages visited, features used, click and timing data. Retention follows our subprocessors' default policies (typically 90 days for HTTP access logs, longer for billing-related events).
Information we deliberately do NOT collect: Social Security numbers, government IDs (driver's license, passport), full payment card numbers, banking routing/account numbers, biometric data, geolocation beyond user-supplied ZIP, browsing history outside of Vendor Hub, third-party advertising tracking IDs, health data, advertising IDs.
4. How we use your information
We use personal information to:
- Operate the Vendor Hub platform (account creation, sign-in, messaging, vendor matching, RFP routing, payments, reviews)
- Process subscription billing
- Communicate with you about your account, billing, security, and product updates
- Investigate and prevent fraud, abuse, fake-account creation, and circumvention of our subscription model (see Section 5)
- Generate aggregated, anonymized statistical analysis and market insights from bid, RFP, transaction, and platform-usage data (for example, average pricing for a given service category in a given geography). Aggregated outputs do not identify any specific user, member, or vendor and may be published, sold, or used as the basis of a paid feature.
- Comply with applicable laws and respond to lawful requests
- Improve and develop the platform
We do not sell or share personal information for cross-context behavioral advertising. We do not run third-party advertising trackers on Vendor Hub.
5. Automated processing of messages and account-level fraud detection
Messages sent through the Vendor Hub platform are scanned by an automated system to detect attempts to share off-platform contact information (phone numbers, email addresses, names of third-party payment apps) or to direct transactions away from the platform's intended workflow. Detected patterns may be masked in the recipient's view of the message and the original message is logged for review by Vendor Hub administrators.
Separately, automated systems evaluate signals from account creation, profile completion, and platform behavior (for example: profile completeness, business-attestation completeness, message patterns, marketplace activity ratios) to detect fake-account creation, fraud, and abuse. These signals may include AI-assisted scoring of profile content and are stored in an internal review queue accessible only to Vendor Hub administrators.
Both systems serve three purposes:
- Protecting both parties from premature sharing of contact information before an engagement is in place
- Enforcing the contractual commitments members and vendors make at signup (see our Terms of Service)
- Detecting potential fraud or abuse
Scanning is performed automatically at submission / signup / profile-completion time and does not result in human review of content unless the automated scan flags content for administrator attention. Administrators reviewing flagged content do so under confidentiality and are bound by the security controls described in our Security Posture document.
6. Subprocessors and how we share information
We share personal information with the following service providers, each under written contracts that limit their use of data to what's necessary to provide their service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel, Inc. | Hosting + content delivery network | United States |
| Supabase, Inc. | Database, authentication, file storage | United States (US-West-2) |
| Block, Inc. (Square) | Payment processing and subscription billing | United States and globally |
| Resend, Inc. | Transactional email delivery | United States (US-East-1) |
| Cloudflare, Inc. | Bot / abuse protection on signup, sign-in, password-reset, and quote-request forms (Turnstile) | United States and globally |
| Upstash, Inc. | Rate-limit counter storage | United States (US-West-1) |
| Posthog, Inc. | Product analytics | United States |
| Anthropic, PBC | AI features (vendor categorization, bid drafting, fraud and message scanning, profile risk scoring) | United States |
| Google LLC | Google Workspace email for the Vendor Hub team; Sign in with Google identity provider; .ics calendar feed (no Google Calendar API integration is live as of the effective date) | United States |
| Apple Inc. | Sign in with Apple identity provider | United States |
| Twilio Inc. | SMS notifications (post US A2P 10DLC approval) | United States |
Bot / abuse protection (Cloudflare Turnstile). When you visit the signup, sign-in, password-reset, or quote-request forms, Cloudflare Turnstile runs to distinguish humans from automated bots. To make that determination, Cloudflare receives basic browser metadata (request headers, IP address, and a short-lived JavaScript challenge token). Cloudflare does not set persistent cookies on getvendorhub.com for this purpose, and the data is used only for abuse detection — not advertising or profiling. See Cloudflare's Privacy Policy for details on how Cloudflare handles the data it receives.
We do not share personal information with advertising networks, data brokers, or any third party for marketing purposes.
We may share information when legally required (court order, subpoena, regulatory request) or to protect rights, safety, or property of Vendor Hub, our users, or the public. We will notify affected users of legal demands when permitted by law.
In the event of a corporate transaction (merger, acquisition, sale of assets), personal information may transfer to the successor entity, subject to this Privacy Policy or a successor policy with materially similar protections.
7. Security
We protect personal information using:
- HTTPS for all traffic, with HSTS preload and TLS 1.2+ enforced
- AES-256 encryption at rest (managed by Supabase on the underlying storage)
- Row-level security in our database — every read/write is policy-checked inside the database, below our application code
- Bcrypt password hashing (we never see your password in plaintext) with a minimum length of 10 characters, required character-class diversity, and a check against the HaveIBeenPwned breach corpus on signup and password change
- Account lockout after 10 failed sign-in attempts in a 24-hour window
- Signed webhook delivery for authentication emails and payment events
- Strict subprocessor access controls with documented rotation procedures for all credentials
- Email-spoofing protection via DMARC, SPF, and DKIM on the getvendorhub.com domain
For the full operational picture, see our public security page at getvendorhub.com/security.
No system is perfectly secure. If we detect a security incident affecting your information, we will notify you in accordance with Section 15 (Breach Notification) and applicable law.
8. Retention
- Active account data: retained while your account is active.
- After account deletion: all rows referencing your account are deleted via cascade in our database within minutes; backup rollover completes deletion within 7 days (the time it takes our daily backups to roll off).
- Operational logs: Vercel HTTP access logs (90 days), Supabase Postgres logs (default retention), Resend send logs (90 days), payment processor event logs (per their retention policy).
- Billing records: retained as required by tax law, typically seven years.
- Aggregated analytics outputs: anonymized aggregates derived from your activity (Section 4) may be retained indefinitely; once anonymized, they are no longer personal information.
9. Territorial scope and your privacy rights
Territorial scope. Vendor Hub is offered exclusively to United States residents. Account creation from non-US IP addresses is technically restricted, and the account-creation flow requires affirming US residency. Vendor Hub is not designed for, marketed to, or intended for residents of the European Union, the United Kingdom, or any other jurisdiction outside the United States. If you are not a US resident, please do not create an account; if you reside in the EU or UK, this policy and our service are not directed to you and the GDPR / UK GDPR do not apply to our processing of your data on this basis.
If, despite these restrictions, an account is created by a non-US resident, we reserve the right to suspend or terminate it.
Your privacy rights. Depending on your state of residence, you may have one or more of the rights below. To exercise any right, email privacy@getvendorhub.com with your request. We will verify your identity using the email address associated with your account.
Right to know / access. Request a copy of the personal information we have about you. We will provide a portable export within 30 days (extendable to 45 if necessary).
Right to delete. Request deletion of your personal information. Some data may be retained for legal or fraud-prevention purposes (e.g., billing records required by tax law).
Right to correct. Request correction of inaccurate personal information. Most fields are self-serve in your account; for fields you cannot edit yourself, the privacy mailbox handles corrections.
Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal as a confirming opt-out (effectively a no-op given we don't sell or share).
Right to limit use of sensitive personal information. We do not collect sensitive personal information (as defined by CCPA/CPRA), so this right does not currently apply.
Right to non-discrimination. Exercising privacy rights does not affect your pricing, feature access, or service quality.
Specific state rights:
- California (CCPA/CPRA): the rights above plus the right to know what categories of personal information we collected in the past twelve months. We will publish an annual disclosure if and when we cross the CCPA threshold for "businesses" subject to the law.
- Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA): similar rights to CCPA/CPRA. We treat these uniformly under our state-privacy framework.
10. Children's privacy
Vendor Hub is a B2B marketplace and is not directed at anyone under 16. We do not knowingly collect personal information from children. Accounts found to be operated by minors will be deleted on discovery.
11. Cookies and similar technologies
We use a small number of cookies and local-storage entries to:
- Maintain your authenticated session (essential — required for sign-in)
- Remember your UI preferences (essential)
- Measure aggregate product analytics (subject to your opt-out, when product analytics are enabled)
We do not use third-party advertising cookies. A full cookie list will be available on request.
12. International users
Vendor Hub stores and processes data in the United States and is offered only to United States residents (see Section 9). We do not knowingly accept users from outside the US.
13. Changes to this policy
We may update this policy as our practices change. Material changes will be communicated by email to your registered email address at least 30 days before taking effect. We will also post a banner on the platform highlighting the change and a summary of what's different.
The "Last updated" date at the top of this policy reflects the most recent revision. Prior versions are available on request.
14. Google API Services — Limited Use disclosure
When you choose to connect your Google Calendar to Vendor Hub, we request access to certain Google user data through the Google Calendar API. This section explains exactly what we receive, how we use it, and the limits we accept on its handling — required by the Google API Services User Data Policy.
Note (May 2026): The Google Calendar API integration is currently dormant. Vendor Hub ships a one-way .ics calendar subscription feed at the effective date; the Google OAuth flow described below is not active. This section remains in the policy for transparency about what will be requested when the integration is enabled.
Scopes we request and why:
| Scope | What it grants | Why Vendor Hub needs it |
|---|---|---|
| `https://www.googleapis.com/auth/calendar.events` | Read and write events on the user's Google calendars | To create, update, and delete the events that mirror your Vendor Hub bookings (jobs, site visits, meetings) on your Google Calendar so they appear alongside your other commitments. Two-way sync also reads back changes you make in Google so the booking on Vendor Hub stays accurate. |
| `https://www.googleapis.com/auth/userinfo.email` | Read the email address of the connected Google account | To display "Connected as you@gmail.com" on your Vendor Hub profile so you know which account is linked, and to direct sync activity to the correct calendar when a user has multiple Google accounts. |
What we do with Google user data:
- We create, modify, and delete only events that originated from a Vendor Hub booking. Each event we write carries an internal `vendor_hub_booking_id` tag in the event's `extendedProperties.private` block so we can identify our own events without scanning anything else.
- We do not read calendar events that were not created by Vendor Hub. The Calendar API delta-sync endpoint returns events authored by other apps too; we filter those out at the application layer and discard them immediately without storing or processing them.
- Event metadata we pull (start/end time, status, our own description text) is used solely to keep the corresponding Vendor Hub booking up to date.
Limited Use commitments:
Vendor Hub's use of information received from Google APIs adheres to Google's Limited Use requirements, including the following:
- Allowed use only. We use Google user data only to provide and improve the calendar-sync feature you connected — to mirror your Vendor Hub bookings on your Google Calendar, surface calendar changes back into Vendor Hub, and show you the connected account email.
- No transfers. We do not transfer Google user data to third parties except as necessary to provide the feature (e.g., the Supabase database that stores your Vendor Hub bookings, where the connection's refresh token is held encrypted at rest), to comply with applicable law, or as part of a merger / acquisition / sale of assets where the acquirer agrees to the same restrictions.
- No advertising. We do not use Google user data — including any data accessed via `calendar.events` or `userinfo.email` — to serve ads, build advertising profiles, or sell to advertisers.
- No human reading. We do not allow humans to read Google user data unless (a) we have your explicit consent for specific events, (b) reading is necessary for security purposes such as investigating abuse, (c) reading is necessary to comply with law, or (d) the data has been aggregated and anonymized for use in operating, improving, or supporting the calendar-sync feature.
What we store:
- An OAuth refresh token, encrypted at rest by Supabase (our database provider) and never accessible to anyone outside Vendor Hub's server-side workers.
- A short-lived access token (lifetime: 1 hour) that is refreshed automatically and not retained beyond expiry.
- A sync cursor (Google's `syncToken`) so we only fetch event changes since the last sync.
- The connected Google account's email address.
- The Google event ID for each event we created on your behalf, so we can find and update / delete it later.
We do not store the contents of events we did not create.
Disconnecting:
You can disconnect Google Calendar at any time from the Calendar Sync card on your /profile page. When you disconnect:
- We call Google's revocation endpoint so the OAuth grant ends server-side at Google.
- We delete the refresh token and account-email row from Vendor Hub's database.
- The mapping between your Vendor Hub bookings and Google events is removed.
- Events we previously added to your Google Calendar are not auto-deleted — you can clean them up directly in Google Calendar if you wish.
You can also revoke access from your Google account settings (myaccount.google.com/permissions) at any time; we will detect the revocation on the next sync and mark the connection inactive.
15. Breach notification
If we discover a security incident that has, or is reasonably likely to have, compromised your personal information, we will notify you without undue delay. Our standard target is within 72 hours of confirming both that an incident occurred and that your information was affected, which aligns with the strictest applicable US state notification windows.
Notification will be sent to the email address associated with your account and will include, to the extent then known:
- The categories of information affected
- A description of what happened and what we are doing in response
- Steps you can take to protect yourself (for example, changing your password, monitoring your bank statements)
- A contact for follow-up questions (privacy@getvendorhub.com)
When required by law, we will also notify the applicable state attorney general's office, the relevant federal regulator, and consumer credit reporting agencies on the timelines those laws require. If the scope of the incident is unclear at the 72-hour mark, we will send an initial notice with what we know and follow up with additional detail as the investigation completes.
Operational details of our incident response process are documented in our internal Incident Response Runbook and Data Inventory; we will share relevant portions on request from regulators or counsel.
16. Contact
Questions about this policy or your personal information:
Email: privacy@getvendorhub.com
Postal: Vendor Hub LLC, 6539 Marauder Dr, Nashville, TN 37209
Website: getvendorhub.com/privacy
For security-specific concerns or vulnerability reports, see getvendorhub.com/security.