1. Controller identity (Zonder Solutions S.L. + address placeholder block + contact email)
Data controller for covered processing activities:
- Entity: Zonder Solutions S.L.
- Registered office: [INSERT REGISTERED ADDRESS, CITY, COUNTRY]
- Contact email: support@vendian.ai
2. Scope and applicability
This Policy applies to personal data processed in connection with our website, platform workspaces, customer support, onboarding, billing, integrations, and professional services.
Where we process data solely on behalf of enterprise customers as processor, the customer's instructions and applicable data processing terms also apply.
3. Categories of data collected
- Account and identity data (name, email, role, organization details).
- Authentication and security data (login metadata, device/session identifiers, audit logs).
- Billing and commercial data (plan, invoice records, payment status, tax identifiers where required).
- Credit and usage ledger data (Build Credit allocations, Run Credit consumption, top-up purchases, cycle resets).
- Operational and usage data (workspace events, run logs, outputs, performance metrics).
- Support and communications data (tickets, emails, meeting records).
- Waitlist data (work email and attribution metadata such as source page and campaign parameters).
- Integration and credential metadata (service identifiers, token metadata, scope information).
- Website interaction and cookie-related data (preferences, analytics identifiers, consent signals).
4. Sources of data
- Directly from you, your organization, or your authorized users.
- From connected third-party services and APIs that you enable.
- From payment providers, fraud prevention vendors, and service integrators.
- From automatic logging and telemetry generated by product usage.
- From waitlist intake forms and early-access signup workflows.
5. Purposes of processing
- Provide, operate, and maintain platform functionality and workspace isolation.
- Authenticate users and enforce security controls.
- Execute automations and deliver outputs requested by customers.
- Manage subscriptions, billing, invoicing, and payment administration.
- Meter credit consumption, apply top-ups, and enforce cycle-based credit policies.
- Manage early-access waitlist operations and launch communications.
- Provide onboarding, implementation, and customer support services.
- Prevent abuse, detect incidents, investigate misuse, and enforce legal terms.
- Improve service reliability, performance, and user experience.
- Comply with legal obligations and respond to lawful requests.
6. Legal bases (GDPR/UK GDPR mapping)
- Performance of contract: to provide requested services and administer accounts.
- Legitimate interests: service security, abuse prevention, operational analytics, and product improvement.
- Consent: where required, such as non-essential cookies or specific marketing communications.
- Legal obligation: for compliance, accounting, tax, sanctions, and lawful disclosure duties.
7. AI processing disclosure
Our services may use AI systems to classify data, generate outputs, summarize content, and support automation execution.
AI-generated outputs may contain errors or uncertainty; customers are responsible for appropriate review and validation before acting on sensitive outcomes.
8. AI improvement/training statement (only de-identified/aggregated)
We do not use identifiable customer content for broad model training by default.
We may use de-identified and aggregated usage signals, telemetry, and performance metadata to improve platform quality, security, and reliability, to the maximum extent permitted by applicable law.
9. Sharing and recipients (processors, subprocessors, legal disclosures)
We share personal data only where necessary to provide services, protect legitimate interests, or comply with legal obligations.
- Infrastructure and cloud hosting providers.
- Payment, invoicing, anti-fraud, and accounting service providers.
- Communication, support, and incident management tools.
- No-code form and workflow processors used for waitlist operations.
- Professional advisers (legal, financial, compliance) under confidentiality obligations.
- Authorities and courts where required by law or to protect rights and safety.
10. International transfers (EU-first, SCC fallback, safeguards)
We prioritize processing and storage in the EEA where operationally feasible.
When data must be transferred outside the EEA/UK, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent lawful mechanisms, with supplementary technical and organizational controls where appropriate.
11. Retention schedule (by category)
Where data is no longer needed, we delete, anonymize, or securely isolate it according to our retention and deletion controls.
- Account and profile data: retained while the account is active and for a limited post-termination period required for legal, audit, or dispute purposes.
- Billing and tax records: retained for legally required retention periods.
- Credit and top-up ledgers: retained for billing reconciliation, fraud prevention, and legal defensibility.
- Security and audit logs: retained according to security policy and risk requirements.
- Support communications: retained for service continuity, quality, and legal defensibility.
- Cookie and analytics data: retained based on consent choices and configured retention settings.
12. Security measures (technical/organizational)
- Encryption in transit and at rest where appropriate.
- Access controls, least-privilege permissions, and role separation.
- Logging, monitoring, and anomaly detection for security events.
- Secure development and change-management practices.
- Periodic security testing and incident response procedures.
- Vendor due diligence and contractual data protection commitments.
13. Incident response/breach notification principles
We maintain incident response processes to identify, contain, investigate, and remediate security events.
Where required by applicable law, we notify affected parties and competent authorities within legally mandated timeframes.
14. Data subject rights (GDPR + UK GDPR + CCPA-style rights with jurisdiction qualifiers)
Depending on applicable law and your location, you may have rights including access, correction, deletion, portability, restriction, objection, and withdrawal of consent.
You may also have rights related to disclosure of categories of personal data, and rights to limit certain sharing, subject to lawful exceptions.
- Right to know/access personal data we process about you.
- Right to request correction of inaccurate personal data.
- Right to request deletion, subject to legal and contractual exceptions.
- Right to data portability where applicable.
- Right to object or restrict processing in defined cases.
- Right to non-discrimination for exercising privacy rights.
15. Verification process and response timelines
To protect account security and prevent unauthorized disclosure, we may verify requester identity before processing rights requests.
We respond within the timeframes required by applicable law and may extend them where legally permitted for complex requests, with notice to the requester.
16. Cookies and similar technologies (full categories + consent controls)
We use a consent-first model for non-essential tracking. On first visit, analytics/performance tracking remains blocked until you choose "Accept all." If you choose "Accept none," non-essential tracking remains disabled.
You can change your choice anytime from the "Cookie settings" control in the footer. Blocking non-essential cookies may limit analytics-based improvements but does not disable core site functionality.
- Strictly necessary cookies: required for core functionality and security.
- Preference cookies: store language, session, and interface settings.
- Analytics cookies: help us measure usage and improve service performance.
- Marketing cookies: used only where applicable and consented, for campaign effectiveness and audience insights.
17. Do Not Sell/Share and targeted advertising statement (if applicable language with caveat)
We do not sell personal data for money.
Where applicable law defines certain disclosures as "sharing" for cross-context behavioral advertising, you may exercise opt-out rights through available controls and by contacting support@vendian.ai.
18. Children's data (18+ service use)
Our services are intended for adults and business users. We do not knowingly collect personal data from individuals under 18 for account use.
If you believe underage data was provided in violation of this Policy, contact support@vendian.ai for prompt review and removal where required.
19. Automated decision-making and profiling statement
We may use automated systems to support routing, scoring, detection, and workflow automation. These systems are designed to assist operations, not replace legally required human judgment in sensitive contexts.
Where applicable law grants rights regarding automated decision-making, you may request review through support@vendian.ai.
20. Third-party links/services
Our services may contain links to third-party sites or integrate external services. Their privacy practices are governed by their own policies and terms.
21. Complaints and supervisory authority rights
If you believe your data has been processed unlawfully, you may contact us first at support@vendian.ai so we can investigate and resolve the issue.
You may also lodge a complaint with a competent data protection authority in your jurisdiction.
22. Policy changes and effective dates
We may update this Policy to reflect legal, technical, or operational changes. Updated versions will show a revised effective date.
Where required by applicable law, we will provide additional notice or obtain consent before material changes take effect.
23. Contact and DSR channel (support@vendian.ai)
For privacy, data subject rights, legal notices, and compliance inquiries, contact support@vendian.ai.
Reference your workspace, account email, and request scope to accelerate verification and response.