Data Protection

GDPR Compliance

Last updated: March 1, 2026

Venderaa is GDPR Compliant

We take data privacy seriously. Whether you are a vendor, customer, or visitor, we are committed to handling your personal data in accordance with the General Data Protection Regulation (GDPR) and related data protection laws.

The General Data Protection Regulation (GDPR) is a European data protection law that grants individuals significant rights over their personal data. Although Venderaa is based in Bangladesh, we are committed to upholding the principles of GDPR for all our users worldwide because we believe data privacy is a fundamental right.

Your Rights Under GDPR

Right to Access

You have the right to request a copy of all personal data we hold about you. We will provide this within 30 days of your request.

Right to Rectification

You can request correction of inaccurate or incomplete personal data. Most data can be updated directly in your account settings.

Right to Erasure

You can request deletion of your personal data ("right to be forgotten"). We will delete your data within 90 days, except where we have a legal obligation to retain it.

Right to Portability

You can request an export of your personal data in a machine-readable format (JSON or CSV) to transfer to another provider.

Right to Object

You can object to processing of your personal data for direct marketing at any time. You can also object to profiling and other processing based on legitimate interests.

Right to Restrict Processing

You can request that we limit how we process your data in certain circumstances, such as while you contest its accuracy or object to its use.

Our Data Protection Commitments

We collect only the minimum data necessary to provide the Service (data minimisation).

Data is processed only on lawful bases: consent, contract performance, or legitimate interest.

All personal data is encrypted in transit using TLS 1.2 or higher.

Passwords are hashed using industry-standard bcrypt hashing (never stored in plain text).

We do not sell or rent personal data to third parties.

Data processors (sub-processors) are bound by strict data processing agreements.

We will notify affected users and relevant authorities within 72 hours of a confirmed data breach.

Data retention periods are defined and enforced: account data is deleted within 90 days of closure.

Exercise Your Rights

To exercise any of your data rights — access, deletion, portability, or opt-out — submit a request to our Data Protection Officer. We will respond within 30 days.