Privacy Policy

Last updated: 8 June 2026

VendingPing (operated by SpanMerge, "we", "us", "our") is committed to protecting the privacy and personal data of our users, their customers, and visitors to our website. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights under applicable data protection laws — including the Nigeria Data Protection Regulation (NDPR) and the EU General Data Protection Regulation (GDPR).

1. Data We Collect

1.1 Account Information

When you sign up for VendingPing, we collect:

• Full name, email address, phone number
• Business name, business category, and business address
• Login credentials (passwords are hashed and never stored in plain text)
• Billing and payment information (processed securely via Paystack)

1.2 Product Catalog Data

We store product information you provide — including product names, descriptions, prices, images, sizes, variants, and availability status — to power your AI sales agent.

1.3 Conversation Data

When your AI sales agent interacts with your customers on WhatsApp, Instagram, Telegram, or Messenger, we collect and store:

• Message content (text, images, voice notes, documents)
• Sender and recipient identifiers (phone numbers, social media handles)
• Timestamps and delivery status
• AI-generated responses and conversation summaries

1.4 Order and Transaction Data

• Order details (products, quantities, prices, delivery addresses)
• Payment status and transaction references
• Customer contact information associated with orders

1.5 Usage and Analytics Data

• Pages visited on vendingping.com (via Plausible Analytics — no cookies, no personal data)
• Dashboard usage patterns (features used, frequency)
• Device type, browser, and approximate location (country level)

2. How We Use Your Data

We process your data for the following purposes:

• Service delivery: Powering your AI sales agent to respond to customer messages accurately using your product catalog and business context.
• Order management: Tracking orders, processing payments, and managing delivery logistics.
• AI analysis: Analysing conversation patterns to improve AI response quality, train vertical-specific models, and generate business insights on your dashboard.
• Customer relationship management: Storing customer contacts, conversation history, and engagement scores (RFM scoring) to power re-engagement features like broadcasts and follow-ups.
• Account management: Authentication, billing, subscription management, and customer support.
• Product improvement: Aggregated, anonymised analytics to improve VendingPing's features and performance.
• Legal compliance: Fulfilling our obligations under applicable laws and regulations.

3. Legal Basis for Processing

We process personal data on the following legal bases:

• Contract performance: Processing necessary to deliver the VendingPing service you subscribed to.
• Consent: Where you have given explicit consent (e.g. marketing communications).
• Legitimate interests: Improving our service, preventing fraud, and ensuring security.
• Legal obligation: Compliance with NDPR, GDPR, and other applicable laws.

4. Third-Party Data Processors

We share data with the following trusted third-party processors, each bound by data processing agreements:

• Supabase — Authentication, database hosting, and file storage. Data stored on secure cloud infrastructure.
• Paystack — Payment processing for subscription billing. Paystack is PCI-DSS compliant and does not share your payment details with us.
• Meta (WhatsApp Business API & Instagram API) — Message delivery and receipt on WhatsApp and Instagram. Subject to Meta's Data Policy.
• Telegram Bot API — Message delivery on Telegram. Subject to Telegram's Privacy Policy.
• Zoho — Transactional email delivery (account notifications, password resets, receipts).
• Plausible Analytics — Privacy-focused website analytics. No cookies, no personal data collected, fully GDPR compliant.

5. Data Retention

• Conversation data is retained for 12 months from the date of the last message in a conversation. After 12 months, conversations are anonymised (customer identifiers removed) and retained in aggregate form for analytics purposes only.
• Account data is retained for the duration of your active subscription plus 30 days after account closure.
• Order data is retained for 24 months for business reporting, then anonymised.
• Payment records are retained for 7 years in compliance with Nigerian tax and financial regulations.

6. Data Security

We implement industry-standard security measures including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Row-level security on all database tables
• Regular security audits and vulnerability assessments
• Access controls with role-based permissions
• Secure API key management

7. Your Rights

Under the NDPR and GDPR, you have the following rights:

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure: Request deletion of your account and all associated data. Vendors can delete their account and all data directly from the dashboard, or by emailing us.
• Right to data portability: Request your data in a structured, machine-readable format.
• Right to restrict processing: Request limitation of processing in certain circumstances.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw consent for marketing communications at any time.

To exercise any of these rights, email us at privacy@vendingping.com. We will respond within 30 days.

8. NDPR Compliance (Nigerian Users)

As a data controller operating in Nigeria, VendingPing complies with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023. Specifically:

• We have appointed a Data Protection Officer (DPO) responsible for overseeing compliance.
• We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
• We maintain records of all data processing activities as required by the NDPR.
• We provide clear notice and obtain appropriate consent before processing personal data.
• We implement adequate security measures to protect personal data as required under Part 2.1 of the NDPR.
• Nigerian users may lodge complaints with the Nigeria Data Protection Commission (NDPC).

9. International Data Transfers

Your data may be transferred to and processed in countries outside Nigeria (including the United States and European Union) where our third-party processors operate. We ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

10. Cookies

VendingPing's marketing website (vendingping.com) does not use cookies. We use Plausible Analytics, a privacy-focused analytics tool that requires no cookies and collects no personal data. Our web application (app.vendingping.com) uses essential cookies for authentication sessions only — no tracking cookies.

11. Children's Privacy

VendingPing is a business tool and is not directed at children under 18. We do not knowingly collect personal data from anyone under 18 years of age. If we discover that a child has provided us with personal data, we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website at least 14 days before the changes take effect.

13. Contact Us

For privacy-related inquiries, requests, or complaints:

• Email: privacy@vendingping.com
• General enquiries: hello@vendingping.com
• Data Protection Officer: privacy@vendingping.com

If you are unsatisfied with our response, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) or the relevant supervisory authority in your jurisdiction.