Legal

Privacy Policy

Last updated: April 21, 2026

This Privacy Policy explains how Daros Systems, Inc., a Delaware corporation (“Daros,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal data in connection with the Provendor procurement intelligence platform, the website provendor.io, and related applications, APIs, and services (collectively, the “Service”). By accessing or using the Service, you acknowledge the practices described here.

1. Scope and controller

This Policy applies to personal data processed by Daros when you visit our marketing website, sign up for a Provendor account, invite colleagues or vendors, or interact with our sales or support teams. Where Daros determines the purposes and means of processing, Daros acts as the data controller.

When a Provendor customer uses the Service to process personal data about its own users, invited vendors, or other contacts (“Customer Content”), the customer acts as the controller and Daros acts as the processor. Processing of Customer Content is governed by the customer's agreement with Daros (including our Data Processing Addendum). If you are an end user or invited vendor with questions about Customer Content, contact the relevant customer.

2. Information we collect

Account and profile data. Name, work email, password hash, company, role, phone number, time zone, and profile image you provide when signing up, inviting teammates, or updating account settings.

Customer Content. Information you upload to the Service, including RFQ specifications, bills of quantities, drawings, vendor records, quotations, comparison matrices, clarification threads, notes, file attachments, and any personal data contained therein (for example, names and contact details of vendor representatives).

Communications. Emails, demo requests, chat messages, support tickets, and survey responses you send to us.

Billing data. If you purchase a paid plan, limited billing details are collected and processed by our payment processor (Stripe). We do not store full card numbers.

Usage, log, and device data. IP address, browser and device identifiers, operating system, pages viewed, referring URLs, product events (e.g., RFQ created, quotation uploaded), session timestamps, error reports, and approximate location derived from IP.

Cookies and similar technologies. Strictly necessary cookies to sign you in and remember preferences; with your consent, analytics and marketing cookies. See our Cookie Policy.

3. Lawful bases (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on the following lawful bases to process personal data:

4. How we use information

AI and model training. We use AI features to assist procurement tasks (for example, extracting data from vendor quotations). We do not use Customer Content to train third-party foundation models. We may use aggregated or de-identified data to improve our own features.

No sale of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.

5. Cookies and similar technologies

We use strictly necessary cookies to operate the Service (session authentication, theme preference, consent state). With your consent we also use analytics cookies (e.g., Google Analytics 4, Microsoft Clarity) and marketing cookies (e.g., LinkedIn Insight, Meta Pixel, Google Ads). Details, durations, and opt-out instructions are in our Cookie Policy. You can change your preferences at any time via the cookie banner.

6. How we share information

Sub-processors. We share personal data with vetted sub-processors that power the Service (cloud hosting, email delivery, analytics, error monitoring, AI inference, payments). Each is bound by written data-processing terms, confidentiality obligations, and appropriate safeguards. The current list is at provendor.io/sub-processors.

Invited vendors. When a customer issues an RFQ, the vendor recipients receive only the RFQ content, attachments, and contact details that the customer chooses to share. Vendors do not see other vendors' submissions or pricing.

Business partners. Resellers, referral partners, and co-marketing partners where you have engaged with them, subject to appropriate safeguards.

Legal and safety. When we believe in good faith that disclosure is required by law or legal process, or is necessary to protect the rights, property, or safety of Daros, our users, or others.

Corporate transactions. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case this Policy will continue to apply unless the acquirer adopts a different policy you are notified about.

7. International data transfers

Daros is based in the United States and the Service is delivered globally. Personal data may be transferred to, stored, and processed in countries other than your own, including the United States. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on lawful mechanisms such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), the Swiss FDPIC SCCs, or a recognized adequacy decision, supplemented by appropriate technical and organizational measures. A copy of the transfer mechanism is available on request to privacy@provendor.io.

8. Data retention

We retain account and Customer Content for the duration of the subscription. Upon termination, Customer Content is deleted or returned in accordance with the customer's agreement and our DPA — typically within 30 days, subject to legal holds. Log and security data are retained for up to 13 months. Billing and tax records are retained for up to 7 years as required by law. Marketing data is retained until you unsubscribe or request deletion.

9. Security

We implement appropriate technical and organizational measures designed to protect personal data, including: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, principle of least privilege for staff, logging and alerting, vulnerability scanning, scoped vendor-portal tokens, secure software development practices, employee confidentiality and training, and incident-response procedures. No method of transmission or storage is perfectly secure. Report suspected issues to security@provendor.io.

10. Your privacy rights

Depending on where you live, you may have rights to:

To exercise rights, email privacy@provendor.io. We will verify your identity before responding. If your data is processed on behalf of a Provendor customer, we will refer your request to that customer and support their response.

11. California privacy notice

If you are a California resident, the CCPA/CPRA grants you the rights to know, delete, correct, and request a copy of your personal information, to opt out of sale/sharing (we do not sell or share for cross-context behavioral advertising), and to limit the use of sensitive personal information (we do not use sensitive personal information for purposes requiring a limit). We do not discriminate against you for exercising these rights. To submit a request, email privacy@provendor.io. You may use an authorized agent; we will require written authorization and identity verification.

12. Children

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.

13. Third-party links and services

The Service may link to third-party websites or integrate with third-party services. Their privacy practices are governed by their own policies. We recommend reviewing those policies before interacting with them.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated in-product, by email to account owners, or by posting a prominent notice on the website. The “Last updated” date at the top reflects the most recent version.

15. Contact us

Daros Systems, Inc.
Privacy inquiries: privacy@provendor.io
Security reports: security@provendor.io
Legal notices: legal@provendor.io
Data processing inquiries: dpa@provendor.io

EEA/UK representative: contact privacy@provendor.io for representative details where required under Art. 27 GDPR.
