Terms of Service & Privacy Policy
Effective Date: May 24, 2026 · Last updated: May 25, 2026
Please read these Terms of Service and Privacy Policy carefully before using VendorLeak. By creating an account or using the Service, you agree to be bound by these terms. If you do not agree, do not use the Service.
1. Introduction & Acceptance of Terms
These Terms of Service (“Terms”) govern your access to and use of VendorLeak (“Service”), operated by VendorLeak (“we,” “us,” or “our”). By accessing or using the Service you confirm that you are at least 18 years old, have read and understood these Terms, and agree to be bound by them.
If you are accessing the Service on behalf of an organization, you represent and warrant that you have full legal authority to bind that organization to these Terms, and that the organization agrees to these Terms.
We may revise these Terms from time to time. Continued use of the Service after any revision constitutes acceptance of the updated Terms.
2. Description of Service
VendorLeak is a vendor risk assessment Software-as-a-Service (SaaS) platform. It allows organizations to evaluate third-party vendors by scanning publicly available information, privacy policies, and terms of service documents. The Service surfaces risk signals, policy violations, and compliance concerns to help security, privacy, and procurement teams make informed decisions.
Informational use only. Risk assessments produced by the Service are AI-generated analytical opinions based on publicly available information at the time of the scan. They do not constitute legal advice, regulatory opinions, audit findings, or certifications of any kind. You should not rely solely on VendorLeak output when making procurement, legal, or compliance decisions.
AI limitations. The Service uses large language models to analyze vendor policy documents. AI outputs can be incomplete, out of date, or incorrect. We make no warranty as to the accuracy, completeness, or fitness of any risk score, verdict, or recommendation produced by the Service.
3. Account Registration & Security
To use the Service you must register for an account by providing a valid email address and a secure password, or by authenticating via a supported third-party OAuth provider (e.g., Google). You are responsible for maintaining the confidentiality of your credentials and for all activity that occurs under your account.
You must notify us immediately at team@vendorleak.com if you suspect unauthorized access to your account. We reserve the right to suspend or terminate accounts that we reasonably believe have been compromised or used in violation of these Terms.
You may not share your account credentials with any person who is not a member of your authorized workspace. Each individual user must have their own account.
4. Subscription, Billing & Cancellation
Free trial. New accounts may access the Service on a 14-day free trial. A valid payment method is required at sign-up to initiate the trial. You will not be charged until the trial period ends. You may cancel at any time during the trial period at no cost.
Paid subscription. After the trial period, continued access requires a paid subscription at the rate displayed on our pricing page at the time of sign-up. Fees are billed in advance on a monthly basis and are non-refundable except as required by applicable law or as expressly stated herein.
Automatic renewal. Your subscription will automatically renew at the end of each billing period unless you cancel before the renewal date. By providing a payment method, you authorize us to charge that method for all amounts due.
Cancellation. You may cancel your subscription at any time from your account settings or by contacting team@vendorleak.com. Cancellation takes effect at the end of the current billing period. We do not provide pro-rated refunds for unused time unless required by applicable law.
Past due accounts. If a payment fails, we will attempt to retry the charge. If payment remains outstanding, we may suspend or terminate your access to the Service without further notice.
Price changes. We reserve the right to change subscription fees. We will provide at least 30 days’ advance notice of any price increase via email or in-app notification. Continued use of the Service after the price change takes effect constitutes acceptance of the new fees.
Payment processing. Payments are processed by Stripe, Inc., our payment subprocessor. We do not store your full payment card details on our servers. Use of Stripe is subject to the Stripe Terms of Service.
5. Workspaces & Team Members
Each subscription covers one workspace for up to four (4) team members. You may invite team members to your workspace via a secure invite link. The workspace owner is responsible for all activity that occurs within the workspace, including activity by invited members.
Adding a team member who does not have their own subscription does not transfer or share your subscription with that member. Each individual user is responsible for maintaining their own account credentials.
We reserve the right to modify the per-workspace member limit. We will provide advance notice of any reduction in the member limit to affected workspace owners.
6. Acceptable Use & Prohibited Conduct
You agree to use the Service only for lawful purposes and in accordance with these Terms. You must not:
- Use the Service to scan or monitor your own organization’s policies (the Service is intended for third-party vendor assessment).
- Attempt to circumvent any rate limits, access controls, authentication mechanisms, or subscription gates.
- Use automated scripts, bots, or crawlers to access the Service outside of any officially supported API.
- Reverse engineer, decompile, or disassemble any part of the Service.
- Resell, sublicense, or otherwise make the Service available to third parties without our prior written consent.
- Submit false or misleading information when registering or using the Service.
- Upload or transmit malicious code, viruses, or any content designed to disrupt or damage the Service.
- Use the Service in any manner that violates applicable law, including privacy laws, export control laws, or sanctions regulations.
- Attempt to access another user’s account or data, or to probe, scan, or test the vulnerability of our systems.
We reserve the right to suspend or terminate accounts that violate this section, with or without prior notice, at our sole discretion.
7. Intellectual Property & License
Our property. The Service, including its software, design, algorithms, and all content we produce, is owned by VendorLeak and protected by applicable intellectual property laws. Nothing in these Terms transfers ownership of the Service or its underlying technology to you.
License to use. Subject to your compliance with these Terms and payment of applicable fees, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service solely for your internal business purposes.
Your data. You retain ownership of any data, vendor lists, or content you submit to the Service (“Your Data”). You grant us a limited license to process Your Data solely to the extent necessary to provide the Service to you. We do not claim any ownership over Your Data.
Scan output. Risk reports, verdicts, scores, and recommendations generated by the Service based on Your Data are provided to you for your internal use. You may share these outputs internally or with vendors you are evaluating. You may not represent AI-generated output as a legal opinion, audit, or certification.
Feedback. If you submit feedback, suggestions, or ideas about the Service, you grant us a perpetual, irrevocable, royalty-free license to use that feedback for any purpose, without compensation or attribution to you.
8. Data We Collect
We collect the following categories of information:
- Account information. Your name, email address, hashed password, and account creation date.
- Vendor data. Vendor names, URLs, and domain names you submit for scanning or monitoring.
- Scan results. Risk scores, verdicts, policy violation summaries, and scan timestamps generated by the Service.
- Usage data. Log data such as pages visited, features used, API call timestamps, and browser/device type — used to improve the Service and detect abuse.
- Billing information. Subscription status and transaction history. Full payment card details are processed and stored by Stripe, not by us.
- Gmail integration (optional). If you choose to connect your Google account via OAuth to use our Gmail scanning feature, we request read-only access to email metadata (sender domains only). We do not read, store, or transmit the body or content of any email message. The Gmail OAuth token is used only during the active scan and is not persisted on our servers.
- Cookies and similar technologies. We use essential cookies for authentication session management. We do not use advertising or behavioral tracking cookies.
9. How We Use Your Data
We use the information we collect solely to provide and improve the VendorLeak Service:
- To create and manage your account and organization workspace.
- To perform vendor risk scans, generate reports, and power active monitoring alerts.
- To send transactional emails (account verification, password reset, billing receipts, material service notices).
- To enforce these Terms and protect the security and integrity of the Service.
- To comply with applicable legal obligations.
We do not use your data for advertising, behavioral profiling, or to train AI models on your proprietary data. Policy text submitted for scanning is passed to our AI infrastructure provider solely to generate the analysis for your immediate request and is not retained for model training purposes.
10. Data Sharing
We do not sell, rent, or share your data with any third party for commercial purposes.
Your vendor lists, scan results, and account information are never disclosed to other organizations, data brokers, marketers, or any external party.
The only exceptions to this principle are the infrastructure subprocessors described in Section 11 below, which process data on our behalf under strict contractual obligations solely to operate the Service.
We may disclose information if required by valid legal process (e.g., a court order, subpoena, or government request), or to protect the rights, safety, or property of VendorLeak, our users, or others. Where legally permitted, we will notify you before complying with any such request.
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity, which will be bound by these Terms or equivalent protections.
11. Subprocessors
We use the following infrastructure subprocessors to operate the Service. Each is bound by data processing agreements that require equivalent data protection standards.
| Subprocessor | Purpose | Data processed |
|---|---|---|
| Supabase | Database and authentication infrastructure | Account info, vendor data, scan results, usage logs |
| Stripe | Payment processing and subscription management | Email address, billing details, subscription records |
| Vercel | Application hosting and content delivery | Request logs, IP addresses (transient) |
| OpenAI | AI inference for vendor policy analysis | Vendor policy text submitted for scanning (not retained for model training) |
We will update this list if we add or change subprocessors and will notify affected users at least 14 days in advance where required.
12. Data Retention & Deletion
We retain your data for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
Account deletion. You may request deletion of your account at any time via your account settings or by contacting team@vendorleak.com.
Post-cancellation. Following subscription cancellation or account deletion, all of your data — including account information, vendor lists, and scan history — will be permanently deleted from our active systems within 60 days. Encrypted database backups may retain your data for up to an additional 30 days before being purged on the backup rotation schedule.
Legal retention exceptions. We may retain certain data for longer periods where required by law (e.g., billing records for tax compliance) or where necessary to resolve pending disputes or enforce our agreements.
We may retain anonymized, aggregated statistical data (e.g., total scan counts) that cannot reasonably be used to identify you.
13. Security
We implement commercially reasonable technical and organizational measures to protect your data, including:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest via our database infrastructure provider (Supabase/PostgreSQL).
- Row-level security policies that enforce strict data isolation between organizations.
- Authentication best practices including hashed passwords and short-lived session tokens.
- Rate limiting and abuse detection on all API endpoints.
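As an illustration of what the row-level security measure above means in practice, the following is an added example, not VendorLeak’s actual schema or policies. The table, column, role and setting names are assumed for the illustration; it runs on plain PostgreSQL, which is what Supabase provides underneath (Supabase deployments typically key such policies on `auth.uid()` and a membership table rather than on a session setting). The policy keeps one organization’s vendor rows invisible and unwritable to any other organization, and the check at the end shows the isolation being enforced:

```sql
-- Added illustration of tenant isolation with PostgreSQL row-level security.
-- Not VendorLeak's schema or policy; table, column, role and setting names
-- are assumed for this example.

CREATE TABLE vendors (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    name    text NOT NULL,
    domain  text NOT NULL
);

-- The application must connect as a role that is NOT the table owner:
-- the owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set, and
-- superusers / roles with BYPASSRLS bypass it unconditionally.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON vendors TO app_user;
GRANT USAGE, SELECT ON SEQUENCE vendors_id_seq TO app_user;

ALTER TABLE vendors ENABLE ROW LEVEL SECURITY;
ALTER TABLE vendors FORCE ROW LEVEL SECURITY;   -- apply to the owner as well

-- The organization id comes from a transaction-local setting that the
-- application derives from the authenticated session, never from a header
-- or parameter the client controls. current_setting(..., true) returns NULL
-- instead of raising when the setting is absent, so a request that forgot to
-- bind an org sees zero rows rather than every row.
CREATE POLICY vendors_org_isolation ON vendors
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);

-- Constructed sample data for two organizations.
INSERT INTO vendors (org_id, name, domain) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Acme Payroll', 'acme.example'),
    ('22222222-2222-2222-2222-222222222222', 'Globex CRM',   'globex.example');

-- Check the isolation as the application role, bound to the first org.
SET ROLE app_user;
BEGIN;
SELECT set_config('app.org_id', '11111111-1111-1111-1111-111111111111', true);

-- Read side: the USING clause filters rows belonging to other orgs.
SELECT name FROM vendors;

-- Write side: the WITH CHECK clause rejects a row tagged with another org,
-- so a compromised or buggy client cannot plant data in a different tenant.
INSERT INTO vendors (org_id, name, domain)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Planted', 'planted.example');
ROLLBACK;
RESET ROLE;
```

Run against a fresh database as a superuser (needed for SET ROLE into a role you are not a member of): the SELECT lists only the Acme row, and the cross-tenant INSERT fails with a row-level security policy violation, which is what “strict data isolation between organizations” has to mean at the database layer. Two caveats a practitioner should verify in any such deployment: that the application never connects as the table owner or a BYPASSRLS role, and that every table holding tenant data has both a USING and a WITH CHECK clause, since a policy with only USING filters reads but still permits cross-tenant writes.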
No method of transmission over the Internet is 100% secure. We cannot guarantee the absolute security of your data. If you discover a security vulnerability, please report it responsibly to team@vendorleak.com before public disclosure.
14. Your Privacy Rights
You have the following rights with respect to your personal data:
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to correct inaccurate or incomplete data.
- Deletion. Request erasure of your personal data (subject to legal retention obligations set out in Section 12).
- Portability. Where technically feasible, request an export of your data in a machine-readable format.
- Objection / Restriction. Object to or request restriction of certain processing activities where permitted by applicable law.
GDPR (EEA/UK users). If you are located in the European Economic Area or the United Kingdom, your personal data is processed on the legal basis of contract performance (to deliver the Service), legitimate interest (security, fraud prevention, service improvement), and legal obligation. You have the right to lodge a complaint with your local supervisory authority.
CCPA (California residents). California residents have the right to know what personal information we collect, to request deletion, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising these rights.
To exercise any of these rights, email us at team@vendorleak.com. We will respond within 30 days (or within any shorter period required by applicable law).
15. Disclaimer of Warranties
THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, WE EXPRESSLY DISCLAIM ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE.
We do not warrant that: (a) the Service will be uninterrupted, error-free, or secure; (b) any defects will be corrected; (c) the results obtained from using the Service will be accurate, complete, or reliable; or (d) the Service will meet your specific requirements or expectations.
Risk assessments, verdicts, and recommendations generated by the Service are analytical outputs of AI models and are not legal opinions, audit results, or compliance certifications. We are not responsible for decisions you make based on Service output.
16. Limitation of Liability
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL VENDORLEAK, ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR SUBPROCESSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE SERVICES, ARISING OUT OF OR RELATING TO YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT SHALL OUR TOTAL CUMULATIVE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE EXCEED THE GREATER OF (A) THE TOTAL FEES PAID BY YOU TO US IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY, OR (B) ONE HUNDRED U.S. DOLLARS ($100).
Some jurisdictions do not allow the exclusion or limitation of certain damages, so the above limitations may not apply to you in full.
17. Indemnification
You agree to defend, indemnify, and hold harmless VendorLeak and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) your use of the Service in violation of these Terms; (b) Your Data or content you submit to the Service; (c) your violation of any applicable law or third-party right; or (d) any misuse of Service outputs, including presenting AI-generated assessments as legal opinions or certified audit findings.
18. Governing Law & Dispute Resolution
These Terms are governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles.
Informal resolution. Before initiating any formal proceeding, you agree to contact us at team@vendorleak.com and give us 30 days to attempt to resolve the dispute informally.
Binding arbitration. If a dispute cannot be resolved informally, it shall be resolved by binding individual arbitration administered by the American Arbitration Association (“AAA”) under its Consumer Arbitration Rules, except where prohibited by law. Arbitration will be conducted in English. You waive any right to participate in a class action lawsuit or class-wide arbitration.
Exceptions. Either party may seek emergency injunctive relief from a court of competent jurisdiction in Delaware to prevent irreparable harm pending arbitration. Small claims court actions remain available where eligible.
If you are located in the EU or UK, nothing in this section limits your right to bring a claim before the courts of your country of habitual residence.
19. Termination
By you. You may terminate your account at any time by cancelling your subscription and requesting account deletion via your account settings or by contacting us.
By us. We may suspend or terminate your access to the Service immediately, with or without notice, if: (a) you breach these Terms; (b) we reasonably suspect fraud, abuse, or security risks associated with your account; (c) you fail to pay fees when due; or (d) we are required to do so by law.
Effect of termination. Upon termination, your license to use the Service ceases immediately. Sections 7 (IP), 15 (Disclaimer), 16 (Limitation of Liability), 17 (Indemnification), 18 (Governing Law), and any other provisions that by their nature should survive, shall survive termination of these Terms.
20. Changes to These Terms
We may update these Terms from time to time. When we make material changes we will notify you by email to the address on file and/or by displaying a prominent notice in the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Terms.
If you disagree with the changes, you may cancel your account before the effective date and receive a pro-rated refund of any prepaid fees covering the period after the effective date, if applicable.
21. General Provisions
Entire agreement. These Terms, together with our Privacy Policy and any other policies incorporated by reference, constitute the entire agreement between you and VendorLeak with respect to the Service and supersede all prior agreements.
Severability. If any provision of these Terms is found to be unenforceable, that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will remain in full force and effect.
No waiver. Our failure to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision.
Assignment. You may not assign these Terms or any rights hereunder without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets without your consent.
Force majeure. We will not be liable for any failure or delay in performance resulting from causes beyond our reasonable control, including natural disasters, acts of government, telecommunications failures, or third-party service outages.
22. Contact
If you have any questions, concerns, or requests regarding these Terms or your data, please contact us at team@vendorleak.com.
© 2026 VendorLeak. All rights reserved.