Privacy Policy
Last updated: April 9, 2026
1. Introduction
This Privacy Policy describes how Yaw Labs LLC ("Company," "we," "us") collects, uses, and protects your information when you use Vend at vend.sh ("Service"). We are committed to protecting your privacy and handling your data transparently.
2. Information We Collect
2.1 Creator Accounts
When you sign up as a Creator, we collect:
- GitHub profile information (name, email, avatar, GitHub user ID)
- Payout information (email address for payment disbursement)
- Project information (names, descriptions, tier configurations)
2.2 Buyer Transactions
When a Buyer makes a purchase, we collect:
- Email address
- Name (if provided)
- Payment information (processed by Stripe — we never store card numbers)
- Transaction details (amount, product, tier)
2.3 Usage Data
We automatically collect:
- License key validation requests (key ID, timestamp)
- Tool invocation records (tool name, count, timestamp — reported via the SDK)
- Key activation data (instance name, instance identifier)
2.4 Technical Data
We use minimal cookies required for authentication (session cookies). We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
3. How We Use Your Information
- To authenticate your account and maintain your session
- To process payments and issue license keys
- To calculate and remit sales tax (as Merchant of Record)
- To send payout disbursements to Creators
- To provide usage analytics to Creators about their products
- To detect and prevent fraud
- To send transactional emails (purchase confirmations, key delivery, payout notifications)
- To comply with legal obligations (tax reporting, law enforcement requests)
We do not sell your personal information. We do not use your data for advertising. We do not share your data with third parties except as described in this policy.
4. Third-Party Services
We share data with the following service providers:
- Stripe: Payment processing. Stripe receives payment information directly and is PCI-DSS Level 1 certified. See Stripe's Privacy Policy.
- GitHub: Authentication. We receive your public profile information via GitHub OAuth. See GitHub's Privacy Statement.
- Amazon Web Services: Infrastructure hosting. Data is stored in the AWS us-west-2 (Oregon) region with encryption at rest.
5. Data Retention
- Account data: Retained for the lifetime of your account plus 60 days after deletion.
- Transaction records: Retained for 7 years (tax compliance requirement).
- Usage records: Retained for 1 year, then aggregated and anonymized.
- License keys: Retained for the lifetime of the associated project or until explicitly deleted by the Creator.
6. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Database access restricted to application servers via private networking
- Cryptographically secure license key generation
- Session-based authentication with HTTP-only secure cookies
- No storage of payment card numbers (handled entirely by Stripe)
7. Your Rights
7.1 All Users
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your account and associated personal data
- Export your data in a machine-readable format
7.2 California Residents (CCPA)
Under the California Consumer Privacy Act, California residents have additional rights:
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
7.3 European Residents (GDPR)
If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation:
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to lodge a complaint with a supervisory authority
Our legal bases for processing are: contract performance (for account and transaction data), legitimate interest (for fraud prevention and service improvement), and legal obligation (for tax compliance).
8. Children's Privacy
Vend is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For privacy-related questions or to exercise your data rights, contact us at privacy@vend.sh or write to:
Yaw Labs LLC
Attn: Vend Privacy
California, United States