1. Introduction
PyVendr (https://pyvendr.com) is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights regarding your data.
This policy applies to all visitors, registered users, and customers of the PyVendr website and services. By using our service, you acknowledge that you have read and understood this policy.
2. Data Controller
PyVendr is the data controller for the personal data collected through our service. For data protection inquiries, contact us at hello@pyvendr.com.
3. Data We Collect
We collect only the minimum data necessary to provide our service:
Information You Provide
- Account data: Email address, name (optional), password (stored as a bcrypt hash — we never store your plain-text password)
- Payment data: Purchase history, payment amounts, Stripe payment IDs (your card details are handled exclusively by Stripe and never touch our servers)
- Support data: Support tickets, messages, and any information you voluntarily provide when contacting us
- 2FA data: TOTP secret encrypted with AES-256-GCM (if you enable two-factor authentication)
Information Collected Automatically
- Session data: Session token hash, IP address, user agent string (for security and session management)
- License activation data: Machine fingerprint hash, IP address at activation time (for license enforcement)
- Aggregated analytics: Page views and visits via Plausible Analytics (privacy-friendly, no personal data, no cookies)
4. Lawful Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following lawful bases:
- Contract performance: Processing necessary to fulfill your purchase, deliver Products, manage your account, and provide customer support (Article 6(1)(b))
- Legitimate interest: Processing for fraud prevention, security monitoring, service improvement, and license enforcement (Article 6(1)(f))
- Legal obligation: Processing required to comply with tax, accounting, and legal requirements (Article 6(1)(c))
- Consent: Where required (e.g., optional marketing communications), we will obtain your explicit consent and you may withdraw it at any time (Article 6(1)(a))
5. How We Use Your Data
- Process purchases, generate license keys, and deliver download access
- Authenticate your account and manage sessions securely
- Send transactional emails: order confirmations, download links, password resets, email verification
- Enforce license terms (activation limits, expiration)
- Prevent fraud, abuse, and unauthorized access
- Respond to support tickets and inquiries
- Comply with legal obligations (tax records, law enforcement requests)
- Improve our service based on aggregated, anonymized usage patterns
6. Data We Do NOT Collect
- We do not use advertising cookies, tracking pixels, or third-party ad networks
- We do not sell, rent, trade, or share your personal data with third parties for their marketing purposes
- We do not store your payment card details (handled entirely by Stripe)
- We do not track your browsing behavior across other websites
- We do not collect biometric data, health data, or sensitive personal information
- We do not engage in automated decision-making or profiling that produces legal effects
7. Cookies & Tracking
PyVendr uses minimal, essential cookies only:
| Cookie | Purpose | Duration |
|---|---|---|
| Session JWT | Authentication | 7 days |
| Theme preference | UI customization | Persistent (localStorage) |
| Cookie consent | Records your consent choice | Persistent (localStorage) |
We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies, does not track individuals, and is fully GDPR/CCPA/PECR compliant. No personal data is collected by our analytics.
See our Cookie Policy for full details.
8. Third-Party Services
We share data with the following third-party processors, only to the extent necessary to provide our service:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details (card data handled by Stripe only) |
| Plausible | Privacy-friendly analytics | No personal data (aggregated page views only) |
| SMTP Provider | Transactional email delivery | Email address, email content |
We do not use any other third-party analytics, advertising, or social media tracking services.
9. Data Security
We implement robust technical and organizational measures to protect your data:
- Passwords hashed with bcrypt (12 rounds)
- TOTP secrets encrypted with AES-256-GCM with versioned key rotation
- Sessions use JWT with SHA-256 hashed server-side token storage
- All traffic encrypted via TLS 1.2+ (HSTS enabled)
- Database access enforced via least-privilege roles with connection limits
- All API inputs validated with Zod schemas
- Sensitive data (emails, tokens, keys) automatically redacted from all application logs
- Dual-layer rate limiting (Nginx + application level)
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
While we take every reasonable precaution, no system is 100% secure. In the unlikely event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by GDPR.
10. Data Retention
- Account data: Retained for as long as your account exists. Deleted within 30 days of account deletion request.
- Order and license records: Retained for 7 years to comply with tax and accounting regulations
- Session records: Automatically deleted after 7 days of inactivity
- Support tickets: Retained for 2 years after resolution, then anonymized or deleted
- Aggregated analytics: Retained indefinitely (contains no personal data)
11. International Data Transfers
PyVendr is operated from Australia. If you are accessing our service from outside Australia, your data may be transferred to and processed in Australia. By using our service, you consent to the transfer of your data to Australia.
Where we transfer data to third-party processors (e.g., Stripe) located in other jurisdictions, we ensure appropriate safeguards are in place as required by applicable data protection laws.
12. Your Rights (GDPR & General)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data
- Right to restriction: Request that we limit processing of your data
- Right to data portability: Request your data in a structured, machine-readable format (you can export your data from your account page)
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
- Right to lodge a complaint: File a complaint with your local data protection authority
To exercise any of these rights, contact us at hello@pyvendr.com. We will respond to legitimate requests within 30 days.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:
- Right to know: What personal information we collect, use, disclose, and sell
- Right to delete: Request deletion of your personal information
- Right to opt-out of sale: We do not sell your personal information to third parties
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
- Right to correct: Request correction of inaccurate personal information
- Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA
To make a CCPA/CPRA request, email hello@pyvendr.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days.
14. Children's Privacy
PyVendr is not directed to children under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at hello@pyvendr.com and we will delete the data promptly.
15. Changes to This Policy
We may update this Privacy Policy as our practices evolve or as required by law. Material changes will be communicated via email to the address associated with your account, or by a prominent notice on the website, at least 14 days before the changes take effect. Continued use after the effective date constitutes acceptance of the revised policy.