This Privacy Policy applies to all users of Vendschat, including visitors to our marketing website, registered account holders, and workspace administrators. By using our services you acknowledge this policy. If you do not agree, please discontinue use of our services.
Introduction
Vendschat is an omnichannel business messaging platform and a product brand of Vendocker LLC, its parent holding company. Vendschat unifies WhatsApp, Instagram, Facebook Messenger, and email into a single intelligent inbox, providing AI-powered automation, CRM integrations, broadcast messaging, and workflow connectivity with third-party automation tools.
We respect your privacy and process personal data only to the extent necessary to deliver our services, comply with legal obligations, and pursue our legitimate business interests. This policy describes:
- What personal data we collect and from whom
- The purposes for which we process that data
- The legal basis for each processing activity
- With whom we share data and under what safeguards
- How long we retain data
- Your rights and how to exercise them
- How you can request deletion of your data (see Section 10)
We may update this policy periodically. Material changes will be communicated via email or a prominent notice on our platform. Continued use after the effective date constitutes acceptance of the updated policy.
Data Controller
The data controller responsible for your personal data is:
Product Brand: Vendschat
Website: https://vendschat.com
Privacy inquiries: privacy@vendschat.com
Vendschat is a product brand of Vendocker LLC, which is its parent holding company — analogous to the relationship between a product and the corporate group that owns it. Vendocker LLC is the legal entity that holds all rights, obligations, and contractual relationships related to Vendschat, and is the data controller for all personal data processed in connection with the Vendschat service.
Vendocker LLC is a registered developer on the Meta Platform. Its integration with Meta's services is subject to Meta's Platform Terms, Business Tools Terms, and applicable data protection obligations imposed by Meta on developers accessing Meta Platform APIs, including the WhatsApp Business Platform and Messenger Platform.
For processing activities related to messages exchanged on Meta's platforms (WhatsApp, Instagram, Messenger), Vendschat acts as a data processor on behalf of the business customer (workspace owner), who is the data controller of end-customer conversations. Business customers who use our platform must have their own lawful basis for processing end-customer messages and must maintain their own privacy disclosures toward their customers.
Meta Platform Data (including data received through Meta Platform APIs, OAuth tokens, WhatsApp Business Platform data, and related identifiers) is received and controlled by Vendocker LLC in its capacity as the registered Meta Platform developer and provider of the Vendschat service. For Meta developer compliance and API access, Vendocker LLC — not your business or end-customers — is the entity responsible for Platform Data that Meta shares with us. This is separate from the processor role described above for end-customer message content processed on your instructions.
Data We Collect
We collect personal data from multiple sources depending on how you interact with our services.
3.1 Account & Registration Data
When you create an account, we collect:
| Data | Purpose |
|---|---|
| Full name | Account identification and personalization |
| Work email address | Account creation, authentication, and communications |
| Password (hashed) | Authentication security |
| Company / organization name | Workspace setup and billing |
| Role within the organization | Access control and permissions |
3.2 Authentication Data
We support the following authentication methods:
- Email & Password: Credentials are hashed; we never store plain-text passwords.
- Google OAuth: We receive your name and email address from Google; we do not receive your Google password. You can manage permissions at myaccount.google.com/permissions.
- Team Invite Tokens: Invitation links contain a one-time token tied to the invitee's email address and workspace role.
3.3 Messaging & Conversation Data
As a messaging platform, we process content that flows through our system:
| Data | Purpose |
|---|---|
| Message content (text, media, documents) | Delivering messages between businesses and their customers |
| Message metadata (timestamps, delivery status, read receipts) | Conversation management and analytics |
| Thread assignments, labels, and notes | Team collaboration and workflow management |
| AI-generated reply suggestions and summaries | Productivity features (not used for model training without consent) |
| Broadcast campaign content and audience lists | Sending approved bulk messages |
3.4 Contact (End-Customer) Data
Business customers using Vendschat may store information about their own customers (end-customers) in our platform. This may include:
- Name and phone number
- Email address
- Country and language preferences
- Custom notes and CRM-synced fields
For this data, the business customer (workspace owner) is the data controller. Vendschat acts as a data processor and processes this data only on the documented instructions of the business customer.
3.5 Channel Connection Data
When connecting messaging channels (e.g., WhatsApp via Meta Embedded Signup), we collect:
- OAuth authorization codes issued by Meta
- WhatsApp Business Account (WABA) ID and Phone Number ID
- Meta Business Manager ID
- Granted API permissions and scopes
3.6 Technical & Usage Data
We automatically collect technical data when you use our services:
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, and approximate geolocation |
| Browser type and version | Compatibility and debugging |
| Operating system | Technical support |
| Session duration and page interactions | Service improvement and analytics |
| Authentication tokens (httpOnly cookies: vc_at, vc_rt) | Session management |
| API request logs | Security monitoring and debugging |
3.7 Payment & Billing Data
Payments are processed by Stripe. We do not store full payment card numbers on our servers. We receive from Stripe:
- Billing contact name and email
- Billing address
- Plan and subscription information
- Transaction confirmation references
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and management | Name, email, company, password | Contract performance |
| Authentication and session security | Email, tokens, IP address | Contract performance / Legitimate interest |
| Providing the messaging platform | Message content, metadata, contacts | Contract performance |
| AI reply suggestions and summaries | Conversation context | Contract performance / Consent |
| Sending broadcasts and template messages | Contact lists, message content | Contract performance |
| CRM and integration workflows | Contact and conversation data | Contract performance / Consent |
| Billing and subscription management | Name, email, plan data | Contract performance |
| Security, fraud prevention, abuse detection | IP, logs, session data | Legitimate interest / Legal obligation |
| Product analytics and improvement | Anonymized usage data | Legitimate interest |
| Customer support | Account and conversation data | Contract performance / Legitimate interest |
| Legal compliance and regulatory obligations | As required by law | Legal obligation |
| Marketing communications (opt-in only) | Email address | Consent |
Legal Bases for Processing
Where the General Data Protection Regulation (GDPR) or UK GDPR applies, we process personal data on the following legal bases under Article 6 GDPR:
Performance of a Contract
Processing necessary to provide you with the Vendschat service, including account creation, messaging, and feature access.
Consent
Marketing emails, optional analytics cookies, and certain third-party integrations. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal Obligation
Processing required to comply with applicable laws, including tax, accounting, anti-money laundering, or law enforcement requests.
Legitimate Interests
Security monitoring, fraud prevention, product analytics, CRM management, and service improvement, where our interests are not overridden by your rights and freedoms.
For users in Brazil, processing is also governed by the Lei Geral de Proteção de Dados (LGPD). Your rights under the LGPD are described in Section 11.
Integration-Specific Data Disclosures
Vendschat enables connectivity with third-party automation and CRM platforms. This section describes the specific personal data involved in each integration and the purpose for which it is shared.
Important: All integrations are opt-in. Data is only transmitted to a third-party integration when you (the workspace administrator) explicitly configure and activate that integration within your Vendschat workspace settings.
Make.com (formerly Integromat)
Celonis SE (Make.com), Chemnitzer Str. 115, 09126 Chemnitz, Germany
- Inbound message content and metadata (sender, timestamp, channel)
- Contact identifiers (phone number, name) as defined in scenario triggers
- Conversation status and label updates
- Webhook event payloads configured by the workspace admin
- Triggering automated workflows on new messages or contact events
- Syncing conversation data to external systems (CRMs, databases, spreadsheets)
- Building multi-step automation scenarios involving Vendschat data
Consent — you activate this integration explicitly
Data may be processed in the EU. Make.com complies with GDPR as a data processor.
Zapier
- Message content and metadata from configured trigger events
- Contact name, phone number, email, and custom fields
- Workspace-level event data as configured in Zap triggers
- Outbound action payloads sent back to Vendschat
- Connecting Vendschat with thousands of third-party apps
- Automating actions based on messaging events
- Syncing data with CRMs, ticketing systems, and business tools
Consent — you create and activate Zaps in your workspace settings
Data may be transferred to the USA. Zapier Inc. participates in the EU–US Data Privacy Framework. We have executed a Data Processing Agreement with Zapier under Article 28 GDPR.
n8n
n8n GmbH, Softwarepark Hagenberg, Hauptstraße 99, 4232 Hagenberg im Mühlkreis, Austria (cloud) or self-hosted
- Webhook payloads containing message events, contact data, and conversation metadata
- API-authenticated data requests from your n8n workflows
- Any data fields exposed via the Vendschat REST API that your workflows access
- Enabling complex, multi-step workflow automation via n8n nodes
- Triggering business logic on incoming messages or conversation events
- Integrating Vendschat data with databases, internal tools, and other APIs
Consent — activated via n8n instance configuration in your workspace
For Vendschat-managed n8n instances (Advanced plan), the instance is hosted in the region you select during onboarding. Self-hosted n8n: data processing is under your control. Cloud n8n: governed by n8n GmbH's privacy policy and DPA.
HubSpot
- Contact name, phone number, and email address
- Conversation summaries and status updates
- Custom contact properties synced between Vendschat and HubSpot CRM
- Deal or ticket association data as configured
- Bidirectional CRM synchronization of contacts and conversations
- Updating HubSpot contact records from Vendschat conversation outcomes
- Enriching Vendschat contact profiles with HubSpot CRM data
Consent — you connect your HubSpot account via OAuth in workspace settings
HubSpot Inc. participates in the EU–US Data Privacy Framework. Processing in the USA is covered by EU Standard Contractual Clauses.
Meta & WhatsApp Data Processing
Vendschat integrates with Meta Platform APIs, including the WhatsApp Business Platform, Messenger Platform, and Instagram Messaging API. Our use of Meta APIs is subject to Meta's Platform Terms, Business Tools Terms, and Supplemental Terms for specific products.
7.1 WhatsApp Business Platform
When a business customer connects their WhatsApp Business Account (WABA) to Vendschat, we process:
- Inbound and outbound WhatsApp message content and media
- Message delivery and read status webhooks from Meta
- Contact phone numbers and display names
- Message templates submitted to and approved by Meta
- WABA, Phone Number ID, and Business Manager IDs
We use this data solely to provide the messaging service to the business customer. We do not use WhatsApp message content for advertising, third-party data monetization, or training AI models without explicit consent.
WhatsApp message content is subject to WhatsApp's own end-to-end encryption for messages between users; as a registered Meta developer using the WhatsApp Business API, we receive decrypted content via the API in order to display messages in the business inbox.
7.2 Instagram & Facebook Messenger
For Instagram DMs and Facebook Messenger connected via Meta Graph API, we process:
- Incoming and outgoing message content from connected Page/Instagram accounts
- Sender profile identifiers (scoped to the connected Page)
- Message metadata (timestamps, read status, reaction data)
7.3 Meta Embedded Signup
When a workspace admin connects a WhatsApp Business Account using Meta Embedded Signup, we receive a one-time OAuth authorization code and, upon exchange, access tokens scoped to the granted permissions. We store the access token securely to make API calls on behalf of the connected account.
7.4 Meta Platform Data Use Restrictions
We comply with Meta's Platform Data Use Restrictions. Specifically:
- We do not sell Meta Platform Data to any third party, nor use it to target advertising.
- We do not use Meta Platform Data to build user profiles for non-Vendschat services.
- We do not transfer Meta Platform Data to data brokers, ad networks, or data aggregators.
- We retain Meta Platform Data only as long as necessary to provide the service or as required by law.
- We provide mechanisms for users and business customers to request deletion of their Meta-sourced data (see Section 10).
7.5 Meta Privacy Policy Reference
Meta's privacy practices for its platforms are governed by Meta's own Privacy Policy, available at facebook.com/about/privacy.
Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of active account + 90 days after deletion request | Contract / Legal obligation |
| Message content and conversation history | Duration of active subscription + 30 days after cancellation | Contract performance |
| Contact (end-customer) records | Duration of active subscription + 30 days, or until deletion requested | Contract performance |
| Authentication logs and session data | 90 days | Security / Legitimate interest |
| API access logs | 90 days | Security / Legitimate interest |
| Payment transaction records | 7 years | Legal obligation (tax/accounting) |
| Support tickets and communications | 3 years after resolution | Legitimate interest / Legal claims |
| Analytics data (anonymized) | Up to 26 months | Legitimate interest |
| Backup copies | 30 days rolling | Business continuity |
After the applicable retention period expires, data is securely deleted or irreversibly anonymized. You may request earlier deletion as described in Section 10.
Data Deletion
Required under Meta Platform Terms & GDPR Article 17
You have the right to request the deletion of your personal data. We honor all deletion requests, whether submitted voluntarily, as a legal right under applicable law, or as required by Meta's Platform Terms.
How to Request Data Deletion
You may submit a data deletion request through any of the following methods:
Email Request
Send an email to privacy@vendschat.com with subject line "Data Deletion Request". Include the email address associated with your account and specify whether you want to delete your account, specific data types, or all data.
In-App Account Deletion
Log in to app.vendschat.com, navigate to Settings → Account → Delete Account. This initiates immediate deletion of your account and associated data.
Workspace Data Deletion (Admins)
Workspace administrators can delete individual contacts, conversations, or entire workspaces from the Settings panel. Deletion is immediate for active data; backup copies are purged within 30 days.
Meta Callback URL
In compliance with Meta Platform Terms, we provide a data deletion callback. When a user revokes our app's permissions via Facebook Settings, Meta sends a deletion request to our registered callback endpoint. We process this automatically and will email you a confirmation code to verify the deletion at: privacy@vendschat.com.
What Gets Deleted
Upon a complete account deletion request, we will delete:
- ✓ Your account profile (name, email, password hash)
- ✓ All workspaces you own and their associated data
- ✓ Conversation history and message content
- ✓ Contact records stored in your workspace
- ✓ Integration tokens and third-party connections
- ✓ Meta Platform data (WhatsApp, Instagram, Messenger) obtained via API
- ✓ Broadcast campaigns and contact lists
- ✓ API keys and webhook configurations
What We Must Retain
Certain data may be retained after a deletion request when required by law:
- → Payment transaction records (up to 7 years for tax/legal compliance)
- → Minimal records needed to comply with a legal hold or active litigation
- → Anonymized/aggregated analytics that cannot identify you
Response Timeline
We will acknowledge your deletion request within 2 business days and complete the deletion within 30 days of receipt. We will send you a confirmation email once the deletion is complete. Backup copies are purged on a rolling 30-day cycle.
Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you and information about how it is processed. (GDPR Art. 15)
Right to Rectification
Request correction of inaccurate or incomplete personal data. (GDPR Art. 16)
Right to Erasure
Request deletion of your personal data ('right to be forgotten'). See Section 10 for how to exercise this right. (GDPR Art. 17)
Right to Restriction
Request that we restrict processing of your data in certain circumstances. (GDPR Art. 18)
Right to Data Portability
Receive your personal data in a structured, machine-readable format. (GDPR Art. 20)
Right to Object
Object to processing based on legitimate interests, including profiling. (GDPR Art. 21)
Right to Withdraw Consent
Withdraw consent for consent-based processing at any time without affecting prior processing. (GDPR Art. 7)
Right to Lodge a Complaint
File a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France). (GDPR Art. 77)
California (CCPA/CPRA) Rights
California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information. To exercise CCPA rights, contact us at privacy@vendschat.com.
Brazil (LGPD) Rights
Brazilian users have rights under the Lei Geral de Proteção de Dados, including rights to confirmation, access, correction, anonymization, portability, deletion, information about sharing, and the right to revoke consent. To exercise LGPD rights, contact us using the details in Section 17.
To exercise any of the above rights, email us at privacy@vendschat.com using the email address associated with your account. We will respond within 30 days (or within the timeframe required by applicable law).
International Data Transfers
Vendschat is a global service operated by Vendocker LLC (United States). Primary application hosting — including Meta Platform Data stored by the Vendschat service — is on servers provided by Hetzner Online GmbH in Germany (EU/EEA). Your data may also be processed in other countries when you use integrations or processors located outside the EU/EEA. We ensure that any international transfer of personal data is subject to appropriate safeguards:
- EU/EEA hosting: Core platform data, including databases and backups for app.vendschat.com, is hosted in Germany on Hetzner infrastructure within the EU/EEA.
- EU–US Data Privacy Framework: Where our US-based processors participate in the DPF, data transfers to the USA are based on the European Commission's adequacy decision (Article 45 GDPR).
- Standard Contractual Clauses (SCCs): Where DPF certification is absent, we rely on EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the UK Addendum to the EU SCCs.
- Adequacy Decisions: Transfers to countries with an EU adequacy decision are permissible without additional safeguards where applicable.
You may request a copy of the applicable transfer mechanisms by contacting us at privacy@vendschat.com.
Data Security
We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Authentication credentials are hashed using industry-standard algorithms (passwords are never stored in plain text)
- Authentication tokens are stored in httpOnly, Secure cookies inaccessible to client-side scripts
- Access to production databases is restricted to authorized personnel via role-based access controls
- We conduct regular security reviews and vulnerability assessments
- Third-party service providers are vetted for security compliance and bound by DPAs
- Real-time infrastructure runs on Ably's secure WebSocket platform with TLS encryption
- Production workloads run on Hetzner servers in Germany, deployed via self-hosted Coolify under Vendocker LLC's control
- Error monitoring via Sentry is configured to minimize personal data and exclude message content and Meta Platform Data where technically feasible
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay and report to the relevant supervisory authority within 72 hours as required by GDPR Article 33.
Children's Privacy
Vendschat is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If you believe a child has provided personal data to us, please contact us immediately at privacy@vendschat.com and we will take immediate steps to delete such information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Send a notification to registered account holders via email
- Display a prominent notice within the Vendschat application
We encourage you to review this page periodically. Your continued use of Vendschat after the effective date of an updated policy constitutes your acceptance of the changes.
Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our Privacy team:
Vendocker LLC (operating as Vendschat)
Email: privacy@vendschat.com
Website: https://vendschat.com
For GDPR-related requests, you also have the right to contact the supervisory authority in your EU member state or the UK Information Commissioner's Office (ICO) if you believe your data has been processed unlawfully.
We aim to respond to all privacy inquiries within 5 business days and to resolve all requests within 30 days (or within the applicable legal timeframe).