Privacy Policy.
What we collect, why we collect it, who we share it with, and the choices you have — in plain language.
1. Who we are
VendorDrop ("VendorDrop," "we," "us") is a service operated by Rural Capital, LLC, PO Box 368, Robert Lee, TX 76945 — support@vendordrop.io. VendorDrop helps organizations collect Certificates of Insurance (COIs) from their third-party vendors.
This policy explains what we collect, why, who we share it with, and your choices.
2. The two kinds of people in VendorDrop
We treat two groups differently because they interact with us differently:
- Organizers — registered account holders who use VendorDrop to request and review documents.
- Vendors — third parties whom an Organizer invites to upload a COI. Vendors do not create accounts; they upload through a one-time link. We process a Vendor's information on behalf of the Organizer who invited them (the Organizer is the controller of that data; we are the processor).
3. What we collect
From Organizers (account data):
- Email address and password (passwords are handled by our authentication provider; we never store them in plain text).
- Organization name(s) you create, and your membership/role in them.
- Records of your acceptance of our Terms of Service (timestamp and version).
- Content you enter: campaign names, target dates, reminder settings, vendor names and emails you add, and review/rejection notes you write.
From or about Vendors (processed for the Organizer):
- The Vendor's email address (provided by the Organizer, not collected from the Vendor).
- The Certificate of Insurance document (PDF) the Vendor uploads, and metadata about it (upload time, review status, expiration date the Organizer enters).
- We deliberately do not collect W-9s, Social Security numbers, or other financial-identity documents, and the product is built to refuse them.
Automatically:
- Standard server logs (IP address, timestamps, request data) for security and reliability.
- If we enable product-usage analytics, they will be aggregate and cookieless (for example, pages viewed and features used). We do not use analytics to track you across other websites.
- Strictly necessary cookies for authentication and session management.
4. What we do not do
- We do not sell your personal information.
- We do not use Vendor documents or emails for any purpose other than providing the service to the Organizer who collected them.
- We do not show a Vendor any other Vendor's information, or their own upload history ("blind drop").
- We do not perform automated content analysis (OCR/AI) of uploaded documents.
5. How we use information
- To provide the service: store and display documents to authorized Organizers, generate secure time-limited links, and send transactional email.
- To send transactional email via our email provider: vendor invitations, reminder emails for missing or expiring documents, and rejection notices. These are operational, not marketing.
- To secure the service, prevent abuse, debug, and meet legal obligations.
6. Email
Transactional email is sent from a vendordrop.io address via Resend. Because these messages are necessary to operate the service (a Vendor cannot complete the task without them), they are not marketing email. If you believe you are receiving VendorDrop email in error, contact us at support@vendordrop.io and we will stop the messages, or ask the Organizer who invited you to remove you from their vendor list.
7. Sub-processors (who we share data with)
We use trusted vendors to run the service. They process data only to provide their service to us:
- Supabase — database, authentication, and file storage (hosts account data and uploaded documents), United States.
- Resend — transactional email delivery.
- Fly.io — application hosting.
We maintain data-processing agreements (DPAs) with these sub-processors. If we add sub-processors (for example, analytics or error tracking), we will update this list. We may also disclose information if required by law or to protect rights and safety.
8. Where documents live and how they're protected
Uploaded documents are stored in a private storage bucket. They are never served from a public URL; access is granted only through short-lived signed links (expiring in about 60 seconds) generated for an authorized Organizer. Data is encrypted in transit (TLS) and at rest by our storage provider.
9. Retention
- Uploaded documents and their review history are retained as a compliance/audit record and are not deleted when a document is rejected. We retain them for the life of the account plus 90 days.
- Account data is retained while the account is active and for 90 days afterward.
- You or an Organizer may request earlier deletion of specific data — see Section 11.
10. Your rights
Depending on where you live (for example, GDPR for the EU/UK, CCPA/CPRA for California), you may have rights to access, correct, delete, or port your personal information, and to object to certain processing. To exercise these rights, email support@vendordrop.io; we respond within 30 days. Vendors should direct requests to the Organizer who invited them, or contact us and we will route the request.
11. Contact / requests
support@vendordrop.io — Rural Capital, LLC, PO Box 368, Robert Lee, TX 76945. We respond within 30 days.
12. Children
VendorDrop is a business tool not directed to children and is not intended for anyone under 16.
13. International transfers
VendorDrop is operated from the United States, and information is processed and stored in the United States. If you use the service from outside the United States, you understand that your information will be transferred to and processed in the United States.
14. Changes
We may update this policy. We will post the new version with an updated effective date and notify account holders by email of material changes.
See also our Terms of Service.