VendWave

VendWave Privacy Policy

Last updated: April 2026

1. Introduction

Welcome to VendWave. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how VendWave ("we", "us", or "our") collects, uses, stores, and protects information about you when you use our platform at vendwave.app and our WhatsApp assistant service.

By signing up for VendWave, you agree to the collection and use of information in accordance with this policy.

We operate in compliance with the Nigerian Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023. If you are located in the European Economic Area, we also comply with the General Data Protection Regulation (GDPR).

2. Who We Are

VendWave is a business management platform that helps small vendors and business owners log sales, create invoices, track inventory, and manage their business through WhatsApp and a web portal.

For questions about this policy, contact us at: privacy@vendwave.app

3. Information We Collect

3.1 Information You Provide Directly

Account information:

  • Full name
  • Business name and display name
  • Email address
  • Password (stored as a secure hash — we never store your plain text password)
  • WhatsApp phone number
  • Currency preference
  • Business logo (if uploaded)

Business data you enter:

  • Customer names, phone numbers, and email addresses
  • Transaction records — sales amounts, products, payment status
  • Invoice and receipt details
  • Inventory records — product names, quantities, prices
  • Team member names and WhatsApp numbers

Communications:

  • WhatsApp messages you send to the VendWave assistant
  • Messages you send through the portal chat interface
  • Support communications you send to us

3.2 Information Collected Automatically

Usage data:

  • Pages visited and features used within the portal
  • Time and date of actions
  • Device type and browser information
  • IP address
  • Session duration

WhatsApp interaction data:

  • Message timestamps
  • Message delivery status
  • Whether you have activated your WhatsApp connection

3.3 Information From Third Parties

Paystack:

When you make a payment we receive transaction confirmation from Paystack including payment reference, amount, and status. We do not store your card details — these are handled entirely by Paystack.

Twilio:

We use Twilio to send and receive WhatsApp messages. Twilio processes your WhatsApp number and message content to facilitate the service.

Cloudinary:

We use Cloudinary to store your business logo and generated invoice and receipt images.

4. How We Use Your Information

We use the information we collect to:

  • Provide the service — process your sales, generate invoices and receipts, track inventory, and deliver analytics
  • Power the WhatsApp assistant — parse your messages using AI to understand your intent and take the right action
  • Send you communications — morning reminders, weekly business reviews, trial expiry notices, payment confirmations, and system notifications via WhatsApp
  • Process payments — manage your subscription through Paystack
  • Improve the product — understand how vendors use VendWave to make it better
  • Provide support — respond to your questions and resolve issues
  • Comply with legal obligations — meet our obligations under Nigerian and applicable international law

We do not sell your personal information to third parties. We do not use your business data for advertising purposes.

5. AI Processing of Your Messages

When you send a message to the VendWave WhatsApp assistant or use the portal chat, your message is processed by Anthropic's Claude AI to identify your intent and extract relevant information such as customer names, amounts, and product names.

Your messages are sent to Anthropic's API for processing. Anthropic's privacy policy governs how they handle this data. We do not use your messages to train AI models.

We store the intent and extracted entities in our database to execute your requested action. The raw message text is not stored permanently — only the structured data extracted from it.

6. Your Customers' Data

When you use VendWave you may enter information about your own customers — their names, phone numbers, and transaction history. You are the data controller for your customers' information. We process this data on your behalf as a data processor.

You are responsible for:

  • Ensuring you have the right to store your customers' information
  • Informing your customers that their information is processed through VendWave
  • Handling any requests your customers make regarding their personal data

7. Team Members

If you add team members to your VendWave account, we collect their name and WhatsApp number. We send them an activation message via WhatsApp. Their transaction activity is recorded and visible to the business owner.

Team members should be informed that their activity on VendWave is visible to the business owner.

8. How We Share Your Information

We share your information only in the following circumstances:

Service providers:

  • Twilio — WhatsApp message delivery
  • Anthropic — AI message processing
  • Paystack — payment processing
  • Cloudinary — file storage
  • Vercel — frontend hosting
  • Railway/Render — backend hosting

All service providers are contractually required to handle your data securely and only for the purposes we specify.

Legal requirements:

We may disclose your information if required by Nigerian law, court order, or government authority.

Business transfers:

If VendWave is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before this happens.

We do not share your information with any other third parties.

9. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account data — retained while your account exists and for 12 months after deletion
  • Transaction records — retained for 7 years to comply with Nigerian financial record-keeping requirements
  • WhatsApp message content — not stored permanently beyond the current session
  • Conversation context — deleted after 10 minutes of inactivity
  • Deleted account data — soft deleted immediately on request, permanently deleted 30 days after the deletion request

When you request account deletion your data is immediately made inaccessible and permanently deleted 30 days later. You can cancel the deletion within that 30-day window.

10. Data Security

We take the security of your data seriously. We implement the following measures:

  • All data transmitted between your device and our servers is encrypted using HTTPS/TLS
  • Passwords are hashed using bcrypt — we cannot see your password
  • JWT tokens expire after 15 minutes and require refresh
  • Database access is restricted to authorised systems only
  • Regular security reviews of our infrastructure

No method of electronic storage or transmission is 100% secure. While we use commercially reasonable means to protect your data we cannot guarantee absolute security.

11. Your Rights Under NDPR and GDPR

You have the following rights regarding your personal data:

Right to access — You can request a copy of all personal data we hold about you.

Right to rectification — You can correct inaccurate personal data through your account settings or by contacting us.

Right to erasure — You can request deletion of your account and all associated data. We process deletion requests within 30 days.

Right to data portability — You can export all your business data in CSV and PDF format from your dashboard at any time.

Right to restrict processing — You can request that we limit how we use your data in certain circumstances.

Right to object — You can object to certain types of processing including direct marketing.

Right to withdraw consent — Where processing is based on consent you can withdraw it at any time.

To exercise any of these rights contact us at privacy@vendwave.app. We will respond within 30 days.

12. Cookies

We use essential cookies to keep you logged in and maintain your session. We do not use advertising cookies or tracking cookies.

Cookies we use:

  • Session cookie — keeps you authenticated during your session
  • Refresh token cookie — httpOnly, allows you to stay logged in securely
  • Theme preference — stores your light or dark mode preference

You can disable cookies in your browser settings but this will prevent you from using the authenticated parts of VendWave.

13. Children's Privacy

VendWave is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor please contact us immediately at privacy@vendwave.app.

14. International Data Transfers

Your data is primarily stored on servers located in the European Union and United States through our hosting providers. When data is transferred internationally we ensure appropriate safeguards are in place including standard contractual clauses where required.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via:

  • A WhatsApp message to your registered number
  • An email to your registered address
  • A prominent notice in the portal

The date at the top of this page shows when the policy was last updated. Continued use of VendWave after changes are posted constitutes acceptance of the updated policy.

16. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: privacy@vendwave.app
Website: vendwave.app

For NDPR-related complaints you may also contact the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.