VendorTrace Privacy Policy
Last updated: February 2026
1. Who we are
VendorTrace is operated by LINA Solutions AB, a company registered in Sweden. We act as the data controller for personal data processed through this service.
Privacy enquiries: privacy@vendortrace.io. Security disclosures: security@vendortrace.io. General: info@vendortrace.io
2. What we collect
Account data
When you create an account, we collect:
- Your name and email address (for authentication via AWS Cognito)
- Organisation profile: company name, size, industry, primary use case, home country, and timezone (collected at onboarding, used to personalise reports)
Scan and activity data
- Domain names you submit for scanning
- Scan results generated by the service
- Your IP address, recorded in an activity audit log on domain tracking, vendor tracking, and scan actions (retained for 365 days)
User-provided compliance data
When you manually add vendor compliance information (DPA URLs, certification names, sub-processor URLs), we store that data linked to your account. It is used to improve future AI-assisted research for your organisation and, in aggregate, to improve the service.
Optional integrations
The following data is only collected if you choose to connect an integration. Connecting an integration counts as your consent to that specific processing. You can disconnect at any time from the integrations settings page.
Google Workspace
If you connect Google Workspace, we request read-only access to your Admin SDK audit reports. We use this to discover which third-party applications have been authorised via OAuth in your Workspace, so those apps appear in your vendor register.
Scopes requested:
admin.reports.audit.readonly: reads OAuth token grant activityuserinfo.email: identifies your Workspace domain
We store:
- An OAuth access and refresh token
- A service account JSON key, if you provide one for server-to-server access
- The list of discovered apps: app name, OAuth client ID, scopes granted, and user count
We do not read email, calendar, Drive, user profiles, or any data beyond the OAuth token activity report. Google LLC (US) processes API calls made with your credentials. Standard contractual clauses apply to this transfer.
Disconnecting the integration deletes the stored tokens, service account key, and app records immediately.
Billing data
We do not store payment card details. Payments are handled by Stripe. We store a Stripe customer ID and subscription ID to manage plan access.
Authentication tokens
After login, your session is managed using a combination of server-side storage and browser memory. The refresh token is stored in an httpOnly, same-site cookie set by the VendorTrace server. It is not accessible to JavaScript. Short-lived access tokens are held in memory only and are discarded when you close the tab or browser.
3. How we use your data
- To authenticate you and manage your account
- To run scans and return results
- To enforce plan limits and process billing
- To send transactional email required to operate the service: password resets, email verification, scan completion alerts you have opted into (legal basis: contract performance, Article 6(1)(b)).
- To send product update emails about new features or changes to the service: we rely on legitimate interests (Article 6(1)(f)) and on the soft opt-in provision under applicable national ePrivacy rules, given our existing customer relationship and that communications concern similar services. You can opt out of product updates at any time by contacting info@vendortrace.io.
- To improve vendor research accuracy using AI-assisted enrichment
- To detect abuse and enforce acceptable-use policies (via audit logs)
We do not sell your data or use it for advertising.
Lawful basis for processing
For each processing activity, we rely on the following legal basis under GDPR Article 6:
- Account creation, authentication, running scans, returning results, enforcing plan limits: Article 6(1)(b): processing is necessary to perform the contract with you.
- Billing, subscription management: Article 6(1)(b): contract performance.
- Transactional email (password resets, scan alerts you have opted into): Article 6(1)(b): contract performance.
- IP address audit logs, abuse detection, security monitoring: Article 6(1)(f): legitimate interests of LINA Solutions AB in maintaining the security and integrity of the service. You have the right to object to processing based on legitimate interests; see section 8.
- Bug reports submitted through the app: Article 6(1)(f): legitimate interests in diagnosing and fixing service defects.
- AI-assisted vendor research using domain names you submit: Article 6(1)(b): contract performance.
4. Questionnaire respondents
If you receive a vendor security questionnaire link from one of our customers, you are a questionnaire respondent. The organisation that sent you the link is the data controller for your response. VendorTrace processes your answers and attestation details as a data processor acting on that organisation's instructions.
We collect: your name, email address (for attestation and to send you a copy of your answers), and your questionnaire responses.
We store your responses in our EU-hosted database (AWS DynamoDB, eu-north-1) for as long as the sending organisation retains the questionnaire instance. Your in-progress answers are saved to your browser's local storage until you submit.
To exercise your rights over your questionnaire response, contact the organisation that sent you the questionnaire. They are the controller and responsible for responding to your request. For questions about VendorTrace's role as processor, contact info@vendortrace.io.
5. What we scan
VendorTrace analyses publicly available information about domains you submit: DNS records, TLS certificates, HTTP headers, and publicly accessible web resources. We do not access private systems, authenticate to any service, or perform intrusive testing.
Vendor domain names are sent to our AI research pipeline (AWS Bedrock, eu-west-1) and to Tavily (a third-party web search API) for compliance evidence gathering. See section 7 for details.
6. Data retention
Scan result retention depends on your plan tier:
- Free: no scan history retained
- Pro: 90 days
- Team: 1 year
- Enterprise: configurable
Activity audit logs are retained for 365 days regardless of plan.
Bug reports submitted through the app are retained for 90 days. Feature requests are retained indefinitely and are not linked to your identity after submission.
Account data is retained until you delete your account. On deletion, your Cognito identity and account settings are removed immediately. Plan data is tombstoned (subscription history kept for legal and billing purposes). Audit logs are kept for the remainder of their 365-day TTL. Scan results are kept for the remainder of their tier-based TTL.
Domain names used in scans may be retained in our vendor classification database in anonymised form (detached from your account) to improve vendor pattern matching for all users. These anonymised patterns are not personal data as defined by GDPR Article 4(1) because they are not linked to or linkable to any identified or identifiable natural person.
7. Sub-processors
We use the following third-party processors to operate the service. A dedicated page lists full details including data categories transferred, transfer safeguards, and last review date: vendortrace.io/subprocessors.
| Processor | Purpose | Location |
|---|---|---|
| AWS Cognito | User authentication | EU (eu-north-1, Stockholm) |
| AWS DynamoDB | Primary data store | EU (eu-north-1, Stockholm) |
| AWS Bedrock | AI-assisted vendor research | EU (eu-west-1, Ireland) |
| AWS Amplify / CloudFront | UI hosting and content delivery | EU (eu-north-1); CloudFront global CDN for static assets |
| Stripe | Payment processing | US (standard contractual clauses apply) |
| Tavily | Web search for vendor compliance evidence | US (vendor domain names sent; standard contractual clauses apply) |
| Resend | Transactional email delivery | US (email address sent; standard contractual clauses apply) |
| AWS SES | Internal notification email (bug reports) | EU (eu-north-1, Stockholm) |
| Cloudflare | Bot detection and CAPTCHA on public-facing forms | US (global network; EU processing available under Cloudflare's DPA; standard contractual clauses apply) |
| Google LLC | Workspace OAuth audit reports (only when Google Workspace integration is connected) | US (standard contractual clauses apply) |
8. Your rights
Under GDPR, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your data. You can delete your account directly from the account settings page. On deletion, your Cognito identity and account settings are removed immediately.
- Restriction: ask us to restrict processing while a dispute is resolved.
- Portability: receive your account and scan data in a structured, machine-readable format (JSON or CSV). Request an export at info@vendortrace.io. We fulfil export requests within 30 days.
- Object: object to processing based on our legitimate interests (Article 6(1)(f)). We will stop unless we can demonstrate compelling legitimate grounds that override your interests. You always have the right to object to processing for direct marketing purposes.
- Automated decision-making: we do not make decisions that produce legal or similarly significant effects on you solely by automated means.
To exercise any right, contact us at info@vendortrace.io. We will respond within 30 days.
You also have the right to lodge a complaint with the Swedish Data Protection Authority: IMY (Integritetsskyddsmyndigheten), Box 8114, 104 20 Stockholm, Sweden. imy.se.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice.