This Data Protection Policy (“Policy”) describes how Fynext Labs Pty Ltd (ABN 25 696 584 175), incorporated under the laws of Australia, providing its service via its product / platform called “Vendora Genie”, a B2B eCommerce platform (“Company”, “Platform”, “we”, “our”, or “us”) collects, uses, processes, stores, discloses, transfers, and protects personal information.
The Platform enables merchants, vendors, wholesalers, retailers, distributors, and business users to create, manage, operate, and scale digital commerce operations in a manner similar to enterprise eCommerce enablement platforms.
This Policy applies to all employees, contractors, consultants, vendors, affiliates, and representatives of the Company; all Platform users, merchants, customers, and business partners; all Personal Data processed through the Platform; and all systems, devices, infrastructure, applications, databases, and networks owned or operated by the Company.
02 Objectives of this Policy
- ensure lawful and transparent processing of Personal Data;
- protect confidentiality, integrity, and availability of data;
- establish governance and accountability mechanisms;
- comply with global privacy and cybersecurity laws;
- mitigate risks of unauthorized access, misuse, disclosure, or breach;
- safeguard rights of data subjects / data principals; and
- maintain trust and security within the Platform ecosystem.
03 Applicable Laws and Regulatory Frameworks
3.1 Australia
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs)
- Notifiable Data Breaches Scheme (NDB Scheme)
- Spam Act 2003
- Telecommunications Act 1997 (where applicable)
3.2 European Union / European Economic Area
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
- ePrivacy Directive
- Applicable member-state privacy laws
3.3 United States
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Utah Consumer Privacy Act (UCPA)
- Connecticut Data Privacy Act (CTDPA)
- Federal Trade Commission Act
- State-level breach notification laws
3.4 India
- Digital Personal Data Protection Act, 2023 (DPDP Act)
- Information Technology Act, 2000
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
3.5 Canada
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Applicable provincial privacy laws
3.6 New Zealand
- Privacy Act 2020
- Information Privacy Principles (IPPs)
3.7 Other Jurisdictions
The Company shall additionally comply with local consumer protection laws, cybersecurity regulations, cross-border transfer requirements, and privacy obligations applicable in jurisdictions where the Platform operates or users are located.
04 Definitions
4.1 “Personal Data”
Any information relating to an identified or identifiable natural person.
4.2 “Sensitive Personal Information”
Includes information relating to financial information; government identifiers; biometric data; precise geolocation; authentication credentials; health data; or any category classified as sensitive under applicable laws.
4.3 “Processing”
Any operation performed on data including collection, recording, storage, use, transfer, disclosure, analysis, deletion, or destruction.
4.4 “Data Subject” / “Data Principal”
The individual to whom Personal Data relates.
4.5 “Controller” / “Data Fiduciary”
The entity determining purposes and means of processing.
4.6 “Processor”
An entity processing data on behalf of another entity.
05 Data Collection
5.1 Merchant and Business Information
- company names
- business registrations
- tax identification details
- payment details
- billing information
- business addresses
5.2 User Information
- names
- contact details
- email addresses
- mobile numbers
- login credentials
- authentication information
5.3 Transactional Information
- orders
- invoices
- payment records
- shipping details
- customer interactions
5.4 Technical Information
- IP addresses
- browser information
- operating systems
- device identifiers
- cookies and tracking technologies
- analytics information
5.5 Support and Communication Data
- customer support records
- chat communications
- ticketing information
- feedback submissions
06 Lawful Basis for Processing
Where required under applicable laws, the Company shall process Personal Data only on lawful grounds, including: consent; contractual necessity; compliance with legal obligations; legitimate business interests; fraud prevention and security; regulatory compliance; performance of services requested by users.
Under GDPR Article 6 and related provisions, processing shall be supported by a valid lawful basis. Under the DPDP Act, processing shall occur in accordance with valid consent or legitimate uses recognized under law.
07 Purposes of Processing
- operation of the Platform
- merchant onboarding
- order processing
- account administration
- payment facilitation
- fraud monitoring
- customer support
- analytics and performance optimization
- compliance and audit purposes
- marketing communications (subject to applicable consent requirements)
- security and cybersecurity monitoring
- dispute resolution
- legal enforcement
08 Consent Management
Where consent is required: consent shall be free, informed, specific, unambiguous, and revocable; users shall be able to withdraw consent at any time; withdrawal mechanisms shall be easily accessible; records of consent shall be maintained.
For EU users, consent standards shall comply with GDPR Articles 4, 6, 7, and 8. For Indian users, consent practices shall comply with the DPDP Act, 2023.
09 Children’s Data
The Platform is intended for business users and not for individuals below the legally permitted age under applicable laws. The Company does not knowingly collect Personal Data from minors without legally valid authorization where required.
Where children’s data laws apply — including GDPR Article 8, COPPA (United States), and DPDP Act child-related obligations — the Company shall implement additional safeguards and parental consent mechanisms where necessary.
10 Data Subject Rights
Subject to applicable laws, individuals may have the right to: access Personal Data; correct inaccurate data; request deletion; object to processing; restrict processing; withdraw consent; request portability; opt out of targeted advertising; opt out of profiling or automated decision-making; lodge complaints with supervisory authorities.
These rights may arise under: GDPR Articles 12–23; CCPA / CPRA consumer rights provisions; PIPEDA access rights; Privacy Act 2020 (NZ); DPDP Act grievance redressal mechanisms.
11 Data Security Measures
11.1 Technical Safeguards
- encryption in transit and at rest
- firewalls
- intrusion detection systems
- multi-factor authentication
- access controls
- audit logging
- vulnerability assessments
- endpoint protection
- regular security patching
11.2 Organizational Safeguards
- employee confidentiality obligations
- role-based access management
- cybersecurity training
- vendor due diligence
- incident response procedures
11.3 Compliance Standards
Where applicable, the Company may align security practices with ISO/IEC 27001, SOC 2 principles, NIST Cybersecurity Framework, and PCI-DSS requirements for payment handling.
12 Data Retention
Personal Data shall be retained only for as long as necessary for stated purposes; contractual requirements; legal obligations; dispute resolution; enforcement of agreements. Upon expiry of retention periods, data shall be securely deleted, anonymized, or destroyed.
13 Cross-Border Data Transfers
Due to the global nature of the Platform, Personal Data may be transferred across jurisdictions. The Company shall ensure that cross-border transfers are conducted lawfully and may rely upon: Standard Contractual Clauses (SCCs); adequacy decisions; contractual safeguards; consent mechanisms; recognized transfer frameworks. For EU users, international transfers shall comply with GDPR Chapter V.
14 Third-Party Processors and Subprocessors
The Company may engage third-party vendors for hosting, cloud infrastructure, analytics, payment processing, communication services, cybersecurity, and customer support.
Such third parties shall be subject to: confidentiality obligations; data processing agreements; security obligations; compliance reviews. The Company shall take commercially reasonable steps to ensure subprocessors maintain adequate security standards.
15 Cookies and Tracking Technologies
The Platform may use cookies, web beacons, pixels, analytics technologies, and session identifiers. Users may manage cookie preferences through browser settings or Platform controls where applicable. For EU users, cookie practices shall comply with GDPR, the ePrivacy Directive, and applicable consent requirements. See our Cookie Policy for details.
16 Automated Decision-Making and Profiling
Where automated processing or profiling is used: users shall be informed where legally required; safeguards shall be implemented; human review mechanisms may be provided where applicable by law.
17 Data Breach Response
The Company shall maintain a documented incident response framework. In the event of a data breach, the Company may investigate the incident, mitigate risks, notify affected individuals, notify regulators, preserve evidence, and implement remediation measures.
Notifications shall be made in accordance with applicable laws, including: GDPR Articles 33 and 34; Australia’s NDB Scheme; U.S. state breach notification laws; PIPEDA breach reporting requirements; DPDP Act obligations where applicable.
18 Employee Responsibilities
All employees and contractors must: comply with this Policy; maintain confidentiality; use Company systems responsibly; report security incidents immediately; complete privacy and cybersecurity training.
Violation of this Policy may result in disciplinary action, termination, legal proceedings, or regulatory reporting.
19 Vendor and Partner Compliance
Third-party service providers and business partners handling Company data must: comply with applicable privacy laws; implement reasonable security practices; execute data processing agreements; cooperate during audits and investigations.
20 Governance and Accountability
The Company shall maintain internal governance mechanisms including: privacy oversight; risk assessments; compliance reviews; policy audits; security monitoring; vendor management procedures. Where required by law, the Company may appoint a Data Protection Officer (DPO), grievance officers, privacy representatives, or EU representatives.
21 User Rights Request Process
The Company shall establish procedures for identity verification; request acknowledgment; statutory response timelines; complaint handling; escalation mechanisms. Requests shall be handled within timelines prescribed under applicable laws.
22 Marketing Communications
Marketing communications shall comply with: Spam Act 2003 (Australia); CAN-SPAM Act (United States); GDPR direct marketing requirements; CASL (Canada); local anti-spam laws. Users shall be provided opt-out mechanisms where required.
23 Platform Security Responsibilities of Users
Users of the Platform are responsible for: maintaining credential confidentiality; implementing strong passwords; restricting unauthorized access; complying with applicable laws; maintaining security of connected systems.
24 Policy Updates
The Company reserves the right to amend or update this Policy from time to time. Updated versions may be published through the Platform or Company communication channels. Continued use of the Platform following updates constitutes acknowledgment of revised terms where permitted by law.
25 Contact and Grievance Redressal
Where legally required, jurisdiction-specific grievance officers or representatives may be appointed.
26 Governing Law
This Policy shall be interpreted in accordance with the laws of Australia and mandatory privacy and data protection laws applicable in jurisdictions where users are located. Nothing in this Policy limits statutory rights available under applicable consumer or privacy laws.
27 Acknowledgement
By accessing or using the Platform, users acknowledge that they have read, understood, and agreed to this Data Protection Policy and the Company’s data handling practices.