Privacy Policy

VendTrack (“we”, “us”, or “our”) operates the VendTrack platform (vendtrack.io), a software-as-a-service dashboard for vending machine operators in Australia and New Zealand. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services.

We are committed to complying with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the New Zealand Privacy Act 2020. By using VendTrack, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Personal Information

• Name and email address when you create an account
• Authentication credentials managed through our identity provider (Supabase Auth)
• Profile information such as your role and account preferences
• Billing and payment information if you subscribe to a paid plan

Business Data

• Vending machine details (names, types, configurations)
• Site and location information where your machines are deployed
• Stock levels, product catalogues, and inventory records
• Revenue and transaction data, including sales amounts, timestamps, and payment methods

Uploaded Content

• Receipt images and documents you upload for AI-powered receipt parsing
• Any other files you choose to upload to the platform

Integration Data

• API keys and credentials for third-party payment terminal providers (Circumtec, Nayax, Cantaloupe) that you connect to VendTrack
• Transaction data synced from connected payment terminals

Automatically Collected Information

• Usage analytics collected through Vercel Analytics (page views, performance metrics)
• Browser type, device information, and IP address
• Referral source and pages visited within the platform

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the VendTrack platform
• Authenticate your identity and manage your account
• Display your vending machine performance dashboards, revenue analytics, and ROI metrics
• Sync transaction data from your connected payment terminal providers
• Process uploaded receipt images using AI to extract and categorise expense data
• Generate restocking recommendations and business insights
• Send service-related communications (account notifications, security alerts, platform updates)
• Monitor and improve platform performance, reliability, and security
• Comply with legal obligations under applicable privacy legislation

3. Data Storage and Security

We take the security of your data seriously and implement industry-standard measures to protect it:

• Database: All data is stored in a PostgreSQL database managed by Supabase with Row Level Security (RLS) policies. RLS ensures that each user can only access their own data at the database level.
• Encryption at rest: Third-party API keys and credentials you store in VendTrack are encrypted using AES-256-GCM before being written to the database.
• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
• Authentication: User sessions are managed via secure JSON Web Tokens (JWT) issued by Supabase Auth. Sessions are refreshed on every request.
• Access controls: Role-based access controls limit what different users can see and do within the platform.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

4. Third-Party Services

VendTrack relies on the following third-party service providers to operate. Each provider has its own privacy policy governing how they handle data:

• Supabase — Authentication, database hosting, and real-time data infrastructure. Data is stored in Supabase-managed PostgreSQL instances.
• Vercel — Application hosting and deployment. Vercel Analytics collects anonymised usage and performance data.
• Anthropic (Claude API) — AI-powered receipt parsing. When you upload a receipt, the image is sent to Anthropic’s API for processing. Anthropic’s data retention and usage policies apply to that interaction.
• Payment terminal providers (Circumtec, Nayax, Cantaloupe) — When you connect a payment terminal integration, VendTrack communicates with the provider’s API to sync transaction data. We store encrypted credentials to maintain these connections.

We do not sell, rent, or trade your personal information to any third party.

5. Cookies and Analytics

VendTrack uses a minimal set of cookies and similar technologies:

• Essential cookies: Required for authentication and session management. These cannot be disabled as the platform will not function without them.
• Analytics: We use Vercel Analytics to collect anonymised, aggregated data about how the platform is used (such as page views and performance metrics). Vercel Analytics is privacy-focused and does not use third-party tracking cookies.

We do not use advertising cookies or third-party tracking pixels.

6. Data Retention

We retain your data for as long as your account remains active or as needed to provide you with our services. Specifically:

• Account data: Retained until you delete your account or request deletion.
• Transaction and business data: Retained for the duration of your account. Historical data is important for ROI analysis and reporting.
• Uploaded receipts: Receipt images sent to the AI parsing service are processed in real time and are not stored by VendTrack beyond the parsing session. Extracted data is stored as structured records in your account.
• Integration credentials: Encrypted API keys are deleted when you disconnect an integration or delete your account.

After account deletion, we may retain anonymised, aggregated data that can no longer be linked to you for analytical purposes. We may also retain certain data where required by law.

7. Your Rights

Under the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020, you have the following rights in relation to your personal information:

• Access: You may request access to the personal information we hold about you. Much of this data is directly accessible through your VendTrack dashboard.
• Correction: You may request that we correct any inaccurate, incomplete, or out-of-date personal information.
• Deletion: You may request deletion of your account and associated personal information. We will comply unless we are required by law to retain certain records.
• Complaint: If you believe we have breached your privacy, you may lodge a complaint with us. If you are unsatisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) or the New Zealand Office of the Privacy Commissioner.

To exercise any of these rights, please contact us at privacy@vendtrack.io. We will respond to your request within 30 days.

8. Cross-Border Data Transfers

Your data may be processed and stored in locations outside Australia and New Zealand, as our infrastructure providers (Supabase, Vercel, and Anthropic) operate servers in multiple regions, including the United States. Where your data is transferred overseas, we take reasonable steps to ensure that the receiving parties comply with obligations substantially similar to the Australian Privacy Principles and the New Zealand Information Privacy Principles. By using VendTrack, you consent to these transfers.

9. Children’s Privacy

VendTrack is a business-to-business platform designed for vending machine operators and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@vendtrack.io.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page and updating the “Last updated” date above. For significant changes, we may also notify you via email or through a notice within the platform. We encourage you to review this policy periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: