Legal Policies

VendorShield LLC
Last Updated: November 26, 2025

Privacy Policy

Effective Date: November 26, 2025

1. Introduction

VendorShield LLC ("VendorShield," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our dark web threat intelligence monitoring service at vendorshield.io.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company name, job title, phone number
  • Billing Information: Payment details (processed securely by Stripe), billing address, tax ID
  • Service Configuration: Domains to monitor, email addresses to monitor, alert preferences
  • Communications: Support requests, feedback, survey responses

2.2 Information Automatically Collected

  • Usage Data: IP address, browser type, device information, pages visited, timestamps
  • Technical Data: Cookies, log files, error reports, API usage metrics
  • Location Data: Approximate location based on IP address (country/region level)

2.3 Information from Third Parties

  • Auth0: Authentication data, login timestamps, MFA status
  • Stripe: Payment transaction records, subscription status
  • Dark Web Sources: Publicly available breach data, threat intelligence feeds, ransomware marketplace data

3. How We Use Your Information

We use your personal information to:

  • Provide Services: Dark web monitoring, threat detection, real-time alerts, analytics reports
  • Account Management: Authentication, payment processing, customer support
  • Service Improvement: Usage analysis, feature development, testing and troubleshooting
  • Communication: Service notifications, security alerts, product updates, marketing (with consent)
  • Legal Compliance: Enforce Terms of Service, prevent fraud, comply with legal obligations

4. Legal Basis for Processing (GDPR)

For users in the EEA, UK, and Switzerland:

  • Contract Performance: To provide the Service you've subscribed to
  • Legitimate Interests: Service improvement, fraud prevention, security
  • Consent: Marketing communications and non-essential cookies
  • Legal Obligations: Compliance with applicable laws

5. Data Sharing and Disclosure

We do not sell your personal information. We share data only with:

Service Providers

Provider | Purpose | Data Shared | Location
Auth0 | Authentication & identity management | Email, name, login data | Australia
Stripe | Payment processing | Billing information, payment data | United States
Cloudflare | Hosting, CDN, security | IP address, usage data | Global network
Hetzner | Server infrastructure | Service data, logs | Germany/Finland
Google (Analytics/Ads) | Analytics and advertising | Usage data, anonymized IDs | United States

Other Circumstances

  • Business Transfers: In case of merger, acquisition, or asset sale
  • Legal Requirements: Court orders, government requests, legal proceedings
  • With Your Consent: For purposes not listed here with explicit consent

6. Data Retention

Data Type | Retention Period
Account information | Account duration + 90 days
Billing records | 7 years (legal requirement)
Usage logs | 90 days
Analytics data | 26 months
Support tickets | 3 years after resolution
Threat intelligence data | Subscription duration + 30 days

7. Data Security

We implement industry-standard security measures:

Technical Measures:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication (MFA) support
  • Bcrypt password hashing with salting
  • Firewalls and intrusion detection systems
  • DDoS protection via Cloudflare

Organizational Measures:

  • Role-based access controls
  • Regular security awareness training
  • Employee background checks
  • Documented incident response procedures
  • Quarterly security audits
  • Vendor due diligence

Infrastructure Security:

  • Server hardening and minimal attack surface
  • Regular security patch management
  • 24/7 security monitoring and alerting
  • Encrypted daily backups with 30-day retention
  • Tested disaster recovery procedures

8. Your Privacy Rights

All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your personal data
  • Objection: Object to certain processing activities
  • Data Portability: Receive your data in a structured format

GDPR Rights (EEA, UK, Switzerland)

  • Right to restriction of processing
  • Right to object to legitimate interest processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

CCPA/CPRA Rights (California Residents)

  • Right to know what information we collect
  • Right to delete your information
  • Right to opt-out of sale/sharing (we do not sell)
  • Right to non-discrimination
  • Right to correct inaccurate information

To Exercise Your Rights:

Email: privacy@vendorshield.io

Subject line: "Privacy Rights Request"

Response time: 30 days (GDPR) or 45 days (CCPA)

9. International Data Transfers

Your data may be transferred to:

  • Australia: Auth0 authentication services
  • United States: Primary data processing
  • European Union: Hetzner servers (Germany/Finland)
  • Global: Cloudflare CDN network

We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) and Data Processing Agreements.

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

11. California Privacy Disclosures

Categories of Personal Information Collected:

  • Identifiers (name, email, IP address)
  • Commercial information (billing, subscriptions)
  • Internet activity (browsing, clicks)
  • Professional information (company, job title)
  • Inferences (preferences, behavior patterns)

We do not sell personal information.

12. Changes to Privacy Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via:

  • Email notification
  • Website notice
  • Updated "Last Updated" date

Continued use after changes constitutes acceptance.

Terms of Service

Effective Date: November 26, 2025

1. Acceptance of Terms

By accessing or using VendorShield's services, you agree to be bound by these Terms of Service. If you do not agree, do not use our Service.

2. Service Description

VendorShield provides dark web threat intelligence monitoring, including:

  • Continuous monitoring for credential leaks
  • Ransomware marketplace mentions
  • Infostealer log detection
  • Real-time alerts and notifications
  • Threat analytics and reporting
  • API access for SIEM/SOAR integration

3. Account Registration

You must:

  • Provide accurate and complete registration information
  • Maintain the security of your account credentials
  • Notify us immediately of unauthorized access
  • Be 18 years or older to use the Service
  • Have authority to bind your organization (if applicable)

You are responsible for all activities under your account.

4. Acceptable Use

You agree to use VendorShield lawfully and NOT for:

  • Malicious, abusive, or fraudulent activity
  • Unauthorized access to systems or networks
  • Violation of intellectual property rights
  • Distribution of malware or harmful code
  • Harassment, threats, or illegal activities
  • Attempting to reverse engineer our Service
  • Reselling or redistributing our Service without authorization

We reserve the right to suspend or terminate access for violations.

5. Subscription and Billing

Billing Cycle: Subscriptions are billed monthly via Stripe on a recurring basis.

Payment Responsibility: You authorize us to charge your payment method for all fees incurred.

Price Changes: We may change pricing with 30 days' notice. Continued use after price change constitutes acceptance.

Failed Payments: If payment fails, we may suspend access until payment is received.

Taxes: You are responsible for applicable taxes (sales, VAT, GST).

6. Service Availability

Uptime Commitment: We strive for 99.9% uptime but do not guarantee uninterrupted service.

Maintenance: We may perform scheduled maintenance with advance notice when possible.

No Warranty: The Service is provided "as is" without warranties of any kind, express or implied.

7. Intellectual Property

Our Rights: VendorShield owns all rights to our Service, software, content, trademarks, and intellectual property.

License Grant: We grant you a limited, non-exclusive, non-transferable license to use the Service during your subscription.

Restrictions: You may not copy, modify, distribute, sell, or lease any part of our Service.

8. Limitation of Liability

To the maximum extent permitted by law, VendorShield shall not be liable for:

  • Indirect, incidental, special, or consequential damages
  • Lost profits, data, or business opportunities
  • Service interruptions or errors
  • Third-party actions or content
  • Damages exceeding fees paid in the 12 months prior to the claim

9. Termination

By You: Cancel your subscription anytime through your account settings.

By Us: We may suspend or terminate your account for violation of Terms, non-payment, fraudulent activity, or legal requirements.

Effect of Termination: Upon termination, access ends, no refunds are issued for unused time, and we may delete your data after 90 days.

10. Governing Law

These Terms are governed by the laws of the State of Wyoming, United States, without regard to conflict of law principles.

Refund Policy

Effective Date: November 26, 2025

Month-to-Month Subscription Model

VendorShield operates on a month-to-month subscription basis with no long-term contracts.

No Refund Policy

Due to the nature of our digital service and immediate access to threat intelligence data, we do not offer refunds for:

  • Partial months
  • Early cancellations
  • Unused services
  • Change of mind
  • Dissatisfaction with Service

Cancellation Process

You may cancel your subscription at any time:

  1. Log into your VendorShield account
  2. Navigate to Account Settings → Billing
  3. Click "Cancel Subscription"
  4. Confirm cancellation

After Cancellation:

  • Access remains active until the end of your current billing cycle
  • No additional charges will occur
  • Your data is retained for 90 days, then permanently deleted

Billing Disputes

If you believe you've been incorrectly charged:

  1. Contact support@vendorshield.io within 30 days
  2. Provide transaction details and reason for dispute
  3. We will investigate and respond within 5 business days

Legitimate billing errors will be corrected or refunded.

Payment Processing

All payments are securely processed through Stripe, our PCI-DSS compliant payment processor.

Exception Cases

Refunds may be considered in exceptional circumstances:

  • Documented technical failure preventing Service access for an extended period
  • Duplicate billing errors
  • Fraudulent transactions (subject to investigation)

Each case is reviewed individually. Contact support@vendorshield.io for consideration.

Acceptable Use Policy

Effective Date: November 26, 2025

This Acceptable Use Policy governs your use of VendorShield's services and supplements our Terms of Service.

1. Prohibited Activities

You may NOT use VendorShield to:

Illegal Activities:

  • Violate any applicable laws or regulations
  • Engage in fraud, theft, or illegal activities
  • Facilitate criminal activity
  • Violate export control laws

Security Violations:

  • Attempt unauthorized access to systems or networks
  • Distribute malware, viruses, or harmful code
  • Conduct denial-of-service attacks
  • Probe, scan, or test vulnerabilities without permission
  • Breach security or authentication measures

Harmful Conduct:

  • Harass, threaten, or intimidate individuals
  • Violate privacy rights of others
  • Impersonate any person or entity
  • Spread misinformation or defamatory content

Service Abuse:

  • Resell or redistribute the Service without authorization
  • Use automated systems to access the Service excessively
  • Attempt to circumvent usage limits
  • Interfere with Service operations or other users

2. Monitoring and Enforcement

We reserve the right to:

  • Monitor use of the Service for compliance
  • Investigate suspected violations
  • Remove or disable access to violating content
  • Suspend or terminate accounts for violations
  • Report illegal activity to law enforcement
  • Cooperate with legal investigations

3. Reporting Violations

To report violations of this policy:

Email: security@vendorshield.io

Subject: "AUP Violation Report"

Include detailed information about the suspected violation.

4. Consequences of Violations

Violations may result in:

  • Warning and request to cease activity
  • Temporary suspension of access
  • Permanent account termination
  • Legal action for damages
  • Cooperation with law enforcement

We reserve the right to take action without prior notice in cases of severe violations.

Data Processing Agreement

Effective Date: November 26, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VendorShield LLC ("Data Processor") and you ("Data Controller") for the processing of personal data.

1. Scope and Roles

Data Controller: You (the customer) determine purposes and means of processing personal data.

Data Processor: VendorShield processes personal data on your behalf to provide the Service.

2. Data Processing Details

Types of Personal Data Processed:

  • Email addresses (for monitoring)
  • Domain information
  • Alert contact information
  • Usage and access logs

Purpose of Processing:

  • Dark web threat monitoring
  • Credential leak detection
  • Alert notifications
  • Service delivery and support

3. Sub-Processors

We use the following sub-processors:

Sub-Processor | Service | Location
Auth0 | Authentication | Australia
Stripe | Payment processing | United States
Cloudflare | Hosting & CDN | Global
Hetzner | Infrastructure | Germany/Finland
Google | Analytics | United States

We will notify you of any changes to sub-processors with 30 days' notice.

4. Data Security

We implement measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures
  • Employee training and confidentiality agreements

5. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay (within 72 hours)
  • Provide details of the breach, affected data, and mitigation measures
  • Cooperate with your investigation and notification obligations

6. Data Retention and Deletion

Upon termination or at your request:

  • We will delete or return all personal data within 90 days
  • Copies retained for legal compliance will be securely isolated
  • Certification of deletion available upon request

Contact Information

For questions, concerns, or requests regarding these policies:

VendorShield LLC

30 N Gould St, Suite R

Sheridan, WY 82801, United States

General Inquiries & Billing:

Email: support@vendorshield.io

Privacy & Data Protection:

Email: privacy@vendorshield.io

Security Issues:

Email: security@vendorshield.io

Legal & Compliance:

Email: legal@vendorshield.io

Document Version: 1.0
Last Updated: November 26, 2025
Effective Date: November 26, 2025

By using VendorShield's services, you acknowledge that you have read, understood, and agree to be bound by these policies.