Privacy Policy

At Vendor Spots, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our farmers market vendor management platform.

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site or use our services.

Personal Information

We collect information that you provide directly to us, including:

• Account Information: Name, email address, phone number, mailing address
• Vendor Profile: Business name, description, social media links, business address
• Payment Information: Processed securely through Stripe (we do not store credit card numbers)
• Application Documents: PDF applications, profile images, logos, banners
• Communication Data: Messages, emails, and SMS communications sent through our platform

Automatically Collected Information

When you access our platform, we automatically collect:

• Log Data: IP address, browser type, operating system, access times
• Device Information: Device type, unique device identifiers
• Usage Data: Pages visited, features used, actions taken on the platform
• Cookies: Session cookies for authentication and functionality

Third-Party Information

We may receive information from third-party services:

• Stripe: Payment processing and subscription management data
• Google Calendar: Calendar event data (only if you connect your account)
• WooCommerce: Product synchronization data (if applicable)

Business Documents

If you use our document management feature, we collect and store business documents you choose to upload, which may include:

• Business Licenses: State and local business permits, food handler permits, cottage food licenses, and similar regulatory documents
• Insurance Certificates: General liability insurance certificates, product liability insurance, and other insurance documentation
• Professional Certifications: Organic certifications, food safety certifications (ServSafe), and industry-specific credentials
• Tax Documents: W-9 forms, resale certificates, and related tax documentation (which may contain SSN or EIN)
• Other Business Documents: Articles of incorporation, DBA filings, and other documents you choose to upload

We use the information we collect to:

• Provide Services: Create and manage your account, process applications, manage subscriptions
• Process Transactions: Handle payments, vendor spot bookings, and subscription billing
• Communications: Send transactional emails, application status updates, payment confirmations
• Market Management: Connect vendors with market managers, facilitate event applications
• Improve Platform: Analyze usage patterns, identify bugs, develop new features
• Security: Detect fraud, prevent abuse, maintain platform security
• Legal Compliance: Comply with legal obligations and enforce our terms

Marketing Communications

We may send you marketing emails about new features, markets, or promotional offers. You can opt out of marketing emails at any time by clicking the "unsubscribe" link or contacting us directly.

We may share your information in the following circumstances:

With Other Users

• Market managers can view vendor profiles and contact information for applicants
• Vendors can view market information and contact market managers
• Public vendor profiles may be visible to other platform users

With Service Providers

• Stripe: Payment processing and subscription management
• Resend: Transactional email delivery
• Twilio: SMS notifications
• DigitalOcean Spaces: Image and file storage
• Google: Calendar integration (optional)

For Legal Reasons

We may disclose your information if required to:

• Comply with legal obligations or court orders
• Protect our rights, property, or safety
• Investigate fraud or security issues
• Enforce our Terms of Service

Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred.

We implement industry-standard security measures to protect your information:

• Encryption: All data transmitted over HTTPS/TLS encryption
• Password Security: Passwords hashed using bcrypt
• Access Controls: Role-based access control (RBAC) system
• Email Verification: Mandatory email verification for all accounts
• Payment Security: PCI-DSS compliant payment processing through Stripe
• Secure Storage: Images and files stored on secure cloud infrastructure

Document Storage Security

Business documents uploaded to our platform are protected with additional measures:

• Encryption at Rest: Documents are encrypted using AES-256 encryption on our cloud storage provider (DigitalOcean Spaces)
• Private Access: Documents are stored with private access controls by default
• Time-Limited Access: Access is granted through authenticated URLs that expire within 15 minutes
• Access Logging: All document access is logged for security auditing

Who Can Access Your Documents

• You: Can view, download, and delete your own documents at any time
• Market Managers: Can view (but not download) documents for vendors who have applied to or are members of their markets
• Platform Administrators: Can access documents for customer support purposes only, with full audit logging of all access

Important: While we strive to protect your information, no security system is impenetrable. We cannot guarantee the absolute security of your data.

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and personal information
• Portability: Request your data in a portable format
• Opt-Out: Unsubscribe from marketing communications
• Object: Object to certain processing of your information

To exercise any of these rights, please contact us at the email address provided below. We will respond to your request within 30 days.

Document-Specific Rights

In addition to your general privacy rights, you have the following rights regarding uploaded documents:

• Access: View all documents you have uploaded through your account dashboard
• Download: Download copies of all documents you have uploaded at any time
• Delete: Request deletion of specific documents (subject to legal retention requirements)
• Access Log: Request a log of who has accessed your documents upon written request
• Data Export: Request all documents as part of a data export request

California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and the right to opt-out of the sale of personal information. We do not sell your personal information.

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict processing, data portability, and the right to object.

We use cookies and similar tracking technologies to:

• Essential Cookies: Required for authentication and core functionality
• Functional Cookies: Remember your preferences and settings
• Session Cookies: Maintain your logged-in state (JWT tokens)

Most browsers allow you to control cookies through their settings. However, disabling cookies may impact your ability to use certain features of our platform.

Do Not Track

We currently do not respond to "Do Not Track" browser signals. We may adopt a policy for responding to such signals in the future.

We retain your information for as long as necessary to:

• Provide our services and maintain your account
• Comply with legal obligations (e.g., tax records, payment history)
• Resolve disputes and enforce our agreements
• Prevent fraud and maintain security

Document-Specific Retention

Uploaded business documents are retained according to the following schedule:

• Business Licenses & Certifications: Active account + 1 year after account closure
• Insurance Certificates: Active account + 3 years (liability claims period)
• Tax Documents (W-9, etc.): 7 years from upload (IRS requirements)
• Other Documents: Active account + 90 days after account closure

When you delete your account, we will delete or anonymize your personal information within 90 days, except where we are required to retain it for legal or security purposes (such as tax document retention requirements).

You may request early deletion of documents through your account settings. We will process requests within 30 days, unless legal retention requirements apply.

Our platform is not intended for children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child without parental consent, we will take steps to delete that information.

If you believe we have collected information from a child, please contact us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you via email if the changes are significant
• Post a notice on our platform

Your continued use of our platform after changes are posted constitutes your acceptance of the updated Privacy Policy.