Legal · Data Protection

Data Protection Policy

Our framework for the collection, processing, storage, transfer, disclosure, retention, protection, and deletion of Personal Data across the jurisdictions where Vendora Genie operates.

Effective DD / MM / YYYY
Last updated DD / MM / YYYY

This Data Protection Policy (“Policy”) describes how Fynext Labs Pty Ltd (ABN 25 696 584 175), incorporated under the laws of Australia, providing its service via its product / platform called “Vendora Genie”, a B2B eCommerce platform (“Company”, “Platform”, “we”, “our”, or “us”) collects, uses, processes, stores, discloses, transfers, and protects personal information.

The Platform enables merchants, vendors, wholesalers, retailers, distributors, and business users to create, manage, operate, and scale digital commerce operations in a manner similar to enterprise eCommerce enablement platforms.

This Policy applies to all employees, contractors, consultants, vendors, affiliates, and representatives of the Company; all Platform users, merchants, customers, and business partners; all Personal Data processed through the Platform; and all systems, devices, infrastructure, applications, databases, and networks owned or operated by the Company.

02 Objectives of this Policy

  1. ensure lawful and transparent processing of Personal Data;
  2. protect confidentiality, integrity, and availability of data;
  3. establish governance and accountability mechanisms;
  4. comply with global privacy and cybersecurity laws;
  5. mitigate risks of unauthorized access, misuse, disclosure, or breach;
  6. safeguard rights of data subjects / data principals; and
  7. maintain trust and security within the Platform ecosystem.

03 Applicable Laws and Regulatory Frameworks

3.1 Australia

3.2 European Union / European Economic Area

3.3 United States

3.4 India

3.5 Canada

3.6 New Zealand

3.7 Other Jurisdictions

The Company shall additionally comply with local consumer protection laws, cybersecurity regulations, cross-border transfer requirements, and privacy obligations applicable in jurisdictions where the Platform operates or users are located.

04 Definitions

4.1 “Personal Data”

Any information relating to an identified or identifiable natural person.

4.2 “Sensitive Personal Information”

Includes information relating to financial information; government identifiers; biometric data; precise geolocation; authentication credentials; health data; or any category classified as sensitive under applicable laws.

4.3 “Processing”

Any operation performed on data including collection, recording, storage, use, transfer, disclosure, analysis, deletion, or destruction.

4.4 “Data Subject” / “Data Principal”

The individual to whom Personal Data relates.

4.5 “Controller” / “Data Fiduciary”

The entity determining purposes and means of processing.

4.6 “Processor”

An entity processing data on behalf of another entity.

05 Data Collection

5.1 Merchant and Business Information

5.2 User Information

5.3 Transactional Information

5.4 Technical Information

5.5 Support and Communication Data

06 Lawful Basis for Processing

Where required under applicable laws, the Company shall process Personal Data only on lawful grounds, including: consent; contractual necessity; compliance with legal obligations; legitimate business interests; fraud prevention and security; regulatory compliance; performance of services requested by users.

Under GDPR Article 6 and related provisions, processing shall be supported by a valid lawful basis. Under the DPDP Act, processing shall occur in accordance with valid consent or legitimate uses recognized under law.

07 Purposes of Processing

08 Consent Management

Where consent is required: consent shall be free, informed, specific, unambiguous, and revocable; users shall be able to withdraw consent at any time; withdrawal mechanisms shall be easily accessible; records of consent shall be maintained.

For EU users, consent standards shall comply with GDPR Articles 4, 6, 7, and 8. For Indian users, consent practices shall comply with the DPDP Act, 2023.

09 Children’s Data

The Platform is intended for business users and not for individuals below the legally permitted age under applicable laws. The Company does not knowingly collect Personal Data from minors without legally valid authorization where required.

Where children’s data laws apply — including GDPR Article 8, COPPA (United States), and DPDP Act child-related obligations — the Company shall implement additional safeguards and parental consent mechanisms where necessary.

10 Data Subject Rights

Subject to applicable laws, individuals may have the right to: access Personal Data; correct inaccurate data; request deletion; object to processing; restrict processing; withdraw consent; request portability; opt out of targeted advertising; opt out of profiling or automated decision-making; lodge complaints with supervisory authorities.

These rights may arise under: GDPR Articles 12–23; CCPA / CPRA consumer rights provisions; PIPEDA access rights; Privacy Act 2020 (NZ); DPDP Act grievance redressal mechanisms.

11 Data Security Measures

11.1 Technical Safeguards

11.2 Organizational Safeguards

11.3 Compliance Standards

Where applicable, the Company may align security practices with ISO/IEC 27001, SOC 2 principles, NIST Cybersecurity Framework, and PCI-DSS requirements for payment handling.

12 Data Retention

Personal Data shall be retained only for as long as necessary for stated purposes; contractual requirements; legal obligations; dispute resolution; enforcement of agreements. Upon expiry of retention periods, data shall be securely deleted, anonymized, or destroyed.

13 Cross-Border Data Transfers

Due to the global nature of the Platform, Personal Data may be transferred across jurisdictions. The Company shall ensure that cross-border transfers are conducted lawfully and may rely upon: Standard Contractual Clauses (SCCs); adequacy decisions; contractual safeguards; consent mechanisms; recognized transfer frameworks. For EU users, international transfers shall comply with GDPR Chapter V.

14 Third-Party Processors and Subprocessors

The Company may engage third-party vendors for hosting, cloud infrastructure, analytics, payment processing, communication services, cybersecurity, and customer support.

Such third parties shall be subject to: confidentiality obligations; data processing agreements; security obligations; compliance reviews. The Company shall take commercially reasonable steps to ensure subprocessors maintain adequate security standards.

15 Cookies and Tracking Technologies

The Platform may use cookies, web beacons, pixels, analytics technologies, and session identifiers. Users may manage cookie preferences through browser settings or Platform controls where applicable. For EU users, cookie practices shall comply with GDPR, the ePrivacy Directive, and applicable consent requirements. See our Cookie Policy for details.

16 Automated Decision-Making and Profiling

Where automated processing or profiling is used: users shall be informed where legally required; safeguards shall be implemented; human review mechanisms may be provided where applicable by law.

17 Data Breach Response

The Company shall maintain a documented incident response framework. In the event of a data breach, the Company may investigate the incident, mitigate risks, notify affected individuals, notify regulators, preserve evidence, and implement remediation measures.

Notifications shall be made in accordance with applicable laws, including: GDPR Articles 33 and 34; Australia’s NDB Scheme; U.S. state breach notification laws; PIPEDA breach reporting requirements; DPDP Act obligations where applicable.

18 Employee Responsibilities

All employees and contractors must: comply with this Policy; maintain confidentiality; use Company systems responsibly; report security incidents immediately; complete privacy and cybersecurity training.

Violation of this Policy may result in disciplinary action, termination, legal proceedings, or regulatory reporting.

19 Vendor and Partner Compliance

Third-party service providers and business partners handling Company data must: comply with applicable privacy laws; implement reasonable security practices; execute data processing agreements; cooperate during audits and investigations.

20 Governance and Accountability

The Company shall maintain internal governance mechanisms including: privacy oversight; risk assessments; compliance reviews; policy audits; security monitoring; vendor management procedures. Where required by law, the Company may appoint a Data Protection Officer (DPO), grievance officers, privacy representatives, or EU representatives.

21 User Rights Request Process

The Company shall establish procedures for identity verification; request acknowledgment; statutory response timelines; complaint handling; escalation mechanisms. Requests shall be handled within timelines prescribed under applicable laws.

22 Marketing Communications

Marketing communications shall comply with: Spam Act 2003 (Australia); CAN-SPAM Act (United States); GDPR direct marketing requirements; CASL (Canada); local anti-spam laws. Users shall be provided opt-out mechanisms where required.

23 Platform Security Responsibilities of Users

Users of the Platform are responsible for: maintaining credential confidentiality; implementing strong passwords; restricting unauthorized access; complying with applicable laws; maintaining security of connected systems.

24 Policy Updates

The Company reserves the right to amend or update this Policy from time to time. Updated versions may be published through the Platform or Company communication channels. Continued use of the Platform following updates constitutes acknowledgment of revised terms where permitted by law.

25 Contact and Grievance Redressal

Fynext Labs Pty Ltd

ABN25 696 584 175

Where legally required, jurisdiction-specific grievance officers or representatives may be appointed.

26 Governing Law

This Policy shall be interpreted in accordance with the laws of Australia and mandatory privacy and data protection laws applicable in jurisdictions where users are located. Nothing in this Policy limits statutory rights available under applicable consumer or privacy laws.

27 Acknowledgement

By accessing or using the Platform, users acknowledge that they have read, understood, and agreed to this Data Protection Policy and the Company’s data handling practices.