Last Updated: July 10, 2026
We, VENDO CONNECT INC, value your privacy, therefore we want to provide you with the most precise information regarding the rules of processing your personal information by us.
Capitalized terms used in this privacy notice that are not defined herein shall have the meanings given to them in the Terms and Conditions for Spree Commerce Sandbox (the ‘Terms’), available on our Website. In addition, certain terms (such as “CCPA”, “CPRA”, “GDPR”, “UK GDPR”) are defined directly in this privacy notice.
This privacy notice is addressed to people visiting our Website and the Customers or the Authorized Users who complete the Sign Up or use the Sandbox. However, we do not aim any of our products or services at consumers and children, and we do not knowingly collect personal information about consumers or children.
If you are a California resident, the CCPA provisions may apply. When we write ‘CCPA’, we mean the California Consumer Privacy Act. As used in this notice, the CCPA includes its amendments by the California Privacy Rights Act (‘CPRA’).
If you are from the European Economic Area, the GDPR provisions apply. When we write ‘GDPR’, we mean regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
If you are from Great Britain, the UK GDPR provisions apply to you. When we write ‘UK GDPR’, we mean “UK GDPR” as defined in section 3(10) of the UK Data Protection Act 2018.
Due to different legal definitions, we use the terms personal data and personal information interchangeably.
By using our Website and the Sandbox, you also declare that you are aware of our practices regarding the collection and use of your personal information.
1. More about us and how you can contact us
Your personal information will be processed by VENDO CONNECT INC, a Delaware corporation, with correspondence address: 3500 S DuPont Highway, STE FL101, Dover, County of Kent, Delaware 19901, US, entered into the register under file No. 7005612 (hereinafter: ‘Vendo’).
You can contact us via e-mail at the following address: gdpr@getvendo.com
Within the meaning of the GDPR and the UK GDPR, Vendo is the controller of your personal data. At the same time, we would like to inform you that Vendo has not appointed a data protection officer.
2. Why do we collect and what will we use your data for
Vendo will collect and process your data:
a) in order to maintain the Website, as well as to make available the content and functionalities collected on it. If the GDPR or the UK GDPR applies: the basis is article 6(1)(b) of the GDPR or the UK GDPR.
b) in order to enable you to contact us, answer your question and conduct further correspondence. If the GDPR or the UK GDPR applies: the basis is article 6(1)(f) of the GDPR or the UK GDPR, i.e. the legitimate interest of Vendo, consisting in conducting correspondence addressed to Vendo in connection with the conducted activity, as well as pursuant to article 6(1)(a) of the GDPR or the UK GDPR, in terms of additional data not required by Vendo and provided by you voluntarily.
c) in order to provide you with the Sandbox and thus conclude or perform an agreement with Vendo. If the GDPR or the UK GDPR applies: the basis is article 6(1)(b) of the GDPR or the UK GDPR (in the case of a customer who is a natural person, including a natural person conducting individual business activity or a partner in a civil partnership) or article 6(1)(f) of the GDPR or the UK GDPR, i.e. the legitimate interest of Vendo, which is the necessity of processing in the form of taking action in order to conclude or perform an agreement with a customer (in the case of persons acting on behalf of a customer who is either a natural person or a legal person or another organizational unit, i.e. employees, associates, representatives of such a customer, members of the customer’s management board, etc.).
d) in order to provide, operate, secure, and improve the Sandbox and to conduct sales and marketing activities based on your use of the Sandbox, including collecting the Usage Data, evaluating and qualifying interest in Vendo’s products, and contacting you regarding licenses of the Software and related services. The collection and use of Usage Data is a condition of free access to the Sandbox, as set out in the Terms. Usage Data may be combined with information from Vendo’s internal records and CRM systems, its Affiliates, publicly available sources, and third-party business information providers, for qualification and outreach purposes. If the GDPR or the UK GDPR applies: the basis is article 6(1)(b) of the GDPR or the UK GDPR (in the case of a customer who is a natural person, including a natural person conducting individual business activity or a partner in a civil partnership) or article 6(1)(f) of the GDPR or the UK GDPR where you use the Sandbox as an Authorized User or act as a representative of the business that entered into the Agreement, i.e. Vendo’s legitimate interest in concluding and performing the Agreement with the entity on whose behalf you act; and, as regards sales and marketing activities, article 6(1)(f) of the GDPR or the UK GDPR, i.e. Vendo’s legitimate interest in promoting its own products and services and qualifying commercial leads based on Sandbox usage.
e) in order to conduct other marketing activities and promote Vendo’s own products and services. If the GDPR or the UK GDPR applies: the basis is article 6(1)(f) of the GDPR or the UK GDPR, i.e. Vendo’s legitimate interest in promoting its own products and services.
f) for purposes deriving from the provisions of law, if Vendo has obligations relating to the necessity to process data. If the GDPR or the UK GDPR applies: the basis is article 6(1)(c) of the GDPR or the UK GDPR.
g) in order to consider any complaints, as well as to establish, exercise or defend legal claims. If the GDPR or the UK GDPR applies: the basis is article 6(1)(f) of the GDPR or the UK GDPR, i.e. the legitimate interest of Vendo consisting in conducting the complaint procedure, as well as in possible establishment, exercise or defence of legal claims in court and out of court.
h) for the purposes resulting from your consent. The purpose of processing for which we need your consent will be indicated in its content. If the GDPR or the UK GDPR applies: the basis is article 6(1)(a) of the GDPR or the UK GDPR.
In connection with the purposes described above, we collect the following categories of personal information: (a) identification and contact data, such as your name, business e-mail address, and the business you represent; (b) account and authentication data, such as login identifiers and, if you sign up via OAuth, profile data received from the relevant identity provider; (c) the Usage Data; and (d) the content of your correspondence with us. We collect personal information from the following sources: directly from you; automatically, when you use our websites or the Sandbox; from the relevant identity provider, if you sign up via OAuth; from the individual who invited you to a Sandbox Instance (who provides us with your e-mail address in order to deliver the invitation); from our Affiliates; and from publicly available sources and third-party business information providers.
3. Obligation to provide the data
Providing data for most of the purposes referred to in point 2 is voluntary but at the same time necessary to use some services. For example: if you want to use the Sandbox, you have to provide data and agree to the collection of Usage Data, as set out in the Terms. If you do not agree, you may not use the Sandbox; you may stop further collection at any time by requesting termination of the Agreement using the contact details indicated in point 1.
Providing data for purposes deriving from the provisions of law is obligatory.
4. The period of the data storage
Your personal data will be processed only for as long as necessary to fulfil the specific purpose described in this notice, unless the purpose of the processing ceases to exist earlier or, depending on the circumstances, you successfully object to the processing or withdraw your consent.
In the case of the Sandbox: upon termination of the Agreement, we delete your Sandbox Instances and Test Data. We may retain lead and contact data (including related Usage Data) for up to 24 months from your last activity for our sales and record-keeping purposes, and thereafter for the period of limitation of potential claims, if applicable.
In the case of processing for purposes resulting from legal provisions, the data will be processed for the time specified in these provisions.
5. Profiling
Due to the tools used by Vendo, your personal data may be profiled, i.e. automatically evaluated in relation to certain factors concerning you. Vendo performs profiling in order to appropriately select communication materials and materials promoting the activities of Vendo. However, your personal data will not be processed in an automated manner that may affect your rights or have a similar effect on you. If the GDPR or the UK GDPR applies: profiling for this purpose is performed based on the legitimate interest of Vendo (article 6(1)(f) of the GDPR or the UK GDPR), consisting in selecting appropriate content and information and promotional materials based on your business profile.
6. The recipients of the data
We work with external service providers to provide certain services. These service providers may use or transfer your personal data. The recipients of the personal data may include, in particular: entities operating IT systems or providing IT tools, hosting and cloud infrastructure providers, companies providing marketing services, entities cooperating with us in handling legal matters, marketing agencies and advertising partners.
The recipients of data may also include our Affiliates (companies from the Vendo group), including where a license of the Software or related services would be concluded with our Affiliate.
In addition, we may disclose selected information to competent authorities (e.g. offices, courts, bailiffs and other institutions) or third parties who submit a request for such information based on an appropriate legal basis and in accordance with applicable law. Recipients of your personal data, including our Affiliates and service providers, may be located in countries other than your country of residence, including the United States.
7. Your rights under the CCPA
In the preceding 12 months, we have collected the following categories of personal information: identifiers (such as name, e-mail address, and IP address); professional or employment-related information (such as the company you represent); commercial information (such as your interest in our products and services); internet or other electronic network activity information (such as the Usage Data described in point 2); approximate geolocation data (derived from IP address); and inferences drawn from the above (such as lead qualification). We collect this information directly from you, automatically when you use our Website or the Sandbox, from the individual who invited you to a Sandbox Instance, from our Affiliates, and from publicly available sources and third-party business information providers. We use it for the purposes described in point 2, disclose it to the recipients described in point 6, and retain it for the periods described in point 4.
California residents have the following rights:
a) the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them in the preceding 12 months, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. Please note that much of the information you can make a request for is already contained in this privacy notice;
b) the right to correct inaccurate information;
c) the right to “opt out” of processing or allowing a business to sell their personal information to, or share it with, third parties;
d) the right to have a business, under certain circumstances, delete personal information;
e) the right to be free from discrimination related to your exercise of your privacy rights;
f) the right to use an authorized agent to submit a request.
If you live in California and would like to make such a request, please contact us using the details indicated in point 1.
8. Other U.S. state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states that have adopted comprehensive privacy laws have certain rights, such as access and data portability, correction, and deletion requests. You also have the right to opt out of the sale of personal data, opt out of processing of personal data for targeted advertising, and opt out of processing personal data for profiling. If you live in one of these states and would like to make such a request, please contact us using the details indicated in point 1.
Nevada residents have the right to submit a verified request directing us not to sell their personal information. However, we do not currently sell your personal information, as sale is defined in Section 603A of Nevada law. If you live in Nevada and would like to make such a request, please contact us using the details indicated in point 1.
9. Users outside the United States and international data transfers
We are a company established in the United States, and we provide our Website, the Sandbox, and our services from the United States. Our products and services are directed primarily at the United States market. If you access our Website, the Sandbox, or our services from outside the United States, your personal data will be stored and processed in the United States and in other countries where our Affiliates and service providers operate. The data protection laws of these countries may differ from, and may provide a lower level of protection than, the laws of your country of residence.
If the GDPR or the UK GDPR applies: we collect your personal data directly from you and process it in the United States, where we are established. Where personal data is shared within the Vendo group (including with our Affiliate in the European Union) or with our service providers, such sharing takes place in accordance with applicable data protection law. You may contact us using the details in point 1 to obtain more information.
10. Your rights under the GDPR and the UK GDPR
If you are located within the EEA or Great Britain, the following rights apply to you:
a) the right to withdraw consent to the extent that the basis for processing was consent (article 7(3) of the GDPR or the UK GDPR). You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent does not entail any negative consequences,
b) the right to access data (article 15 of the GDPR or the UK GDPR),
c) the right to request the rectification of your personal data (article 16 of the GDPR or the UK GDPR),
d) the right to request the deletion of your personal data (‘the right to be forgotten’) (article 17 of the GDPR or the UK GDPR),
e) the right to request the restriction of the processing of your personal data (article 18 of the GDPR or the UK GDPR),
f) the right to transfer your personal data (article 20 of the GDPR or the UK GDPR),
g) the right to object to the processing of data due to a special situation to the extent that the basis for the processing of personal data is the basis of a legitimate interest (article 21 of the GDPR or the UK GDPR).
You can exercise all the rights described above by writing to Vendo using the details indicated in point 1.
In addition, if you believe that Vendo is processing your data in an unlawful manner, you have the right to lodge a complaint with the competent supervisory authority.