This Privacy Policy (“Policy”) describes how Fynext Labs Pty Ltd (ABN 25 696 584 175), incorporated under the laws of Australia, providing its service via its product/platform called “Vendora Genie”, a B2B eCommerce platform (“Company”, “Platform”, “we”, “our”, “us”) collects, uses, processes, stores, discloses, transfers, and protects personal information of users who access or use our website, applications, merchant tools, e-commerce infrastructure services, payment integrations, logistics integrations, APIs, and related services (collectively, the “Services”).
Our platform enables businesses, merchants, sellers, creators, and brands (“Merchants”) to create digital storefronts, manage online sales, process payments, interact with customers, and use various business tools. We may also process information relating to customers who purchase goods/services from merchants through stores hosted on our platform (“Customers”).
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.
01 Applicability
This Policy applies to:
- Website visitors
- Merchant account holders
- Merchant employees / authorized users
- Customers purchasing from merchant stores
- Vendors / service providers
- Marketing subscribers
- Applicants / job candidates
- API developers / integration partners
This Policy applies where we act as:
(a) Data Controller / Business / Data Fiduciary
Where we determine how personal data is processed.
(b) Data Processor / Service Provider
Where merchants control customer data and we process such information on their behalf.
Merchants remain independently responsible for maintaining their own privacy policies for customer-facing storefronts.
02 Applicable Privacy Laws
Depending on your location, your personal information may be protected under applicable privacy laws including:
Australia
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs) under Section 14
- Notifiable Data Breaches Scheme
United States
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- California Online Privacy Protection Act (CalOPPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Other applicable state privacy laws
New Zealand
- Privacy Act 2020
- Information Privacy Principles (IPPs)
- Mandatory privacy breach notification obligations
India
- Digital Personal Data Protection Act, 2023 (DPDPA)
- Information Technology Act, 2000
- SPDI Rules, 2011 (where applicable)
Where multiple laws apply, we will comply with the stricter applicable legal standard.
03 Information We Collect
A. Identity Information
- Name
- Username
- Business name and ABN
- Government-issued ID (where verification required)
B. Contact Information
- Email address
- Phone number
- Billing / shipping address
C. Business Information
- Tax registration details
- Business licenses
- GST / VAT details
- Bank account details
D. Transaction Information
- Orders
- Refunds
- Payment history
- Subscription payments
- Merchant sales data
E. Customer Data (Processed on behalf of Merchants)
- Customer names
- Contact details
- Purchase history
- Delivery information
F. Technical Information
- IP address
- Browser type
- Device identifiers
- Operating system
- Cookies
- Log files
G. Marketing Information
- Preferences
- Newsletter subscriptions
- Campaign interactions
H. Support Communications
- Chat records
- Emails
- Call recordings
04 How We Collect Information
We collect data:
- Directly from you
- Through merchant registrations
- Through customer checkouts
- Through integrations / apps / plugins
- Through cookies and analytics tools
- Through payment gateways
- Through logistics / shipping partners
- Through third-party identity verification providers
05 Purpose of Processing
We use personal information to:
- Create merchant accounts
- Enable store creation
- Process orders
- Facilitate payments
- Provide logistics integrations
- Verify merchants
- Prevent fraud
- Improve platform functionality
- Offer customer support
- Send service notifications
- Provide marketing communications
- Comply with legal obligations
- Resolve disputes
- Enforce platform terms
06 Legal Basis for Processing
We process personal information only where we have a valid legal basis under applicable privacy laws. Depending on your jurisdiction, such legal bases may include:
- Your consent to collect and process personal information;
- Performance of a contract or taking steps prior to entering into a contract with you;
- Compliance with legal or regulatory obligations;
- Protection against fraud, security threats, abuse, or unlawful activity;
- Our legitimate business interests, provided such interests do not override your legal rights where applicable;
- Other lawful grounds permitted under applicable law.
Australia
For users located in Australia, we process personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We collect, use, and disclose personal information only where reasonably necessary for our business functions and activities, with consent where required for sensitive information or direct marketing communications.
United States
For users located in the United States, we process personal information in accordance with applicable federal and state privacy laws, including but not limited to the CCPA (as amended by the CPRA), the VCDPA, the CPA, and other applicable state laws. Processing may occur for business purposes, commercial purposes, contractual necessity, fraud prevention, legal compliance, and other legally permitted purposes.
New Zealand
For users located in New Zealand, we process personal information in accordance with the Privacy Act 2020 and the Information Privacy Principles (IPPs). We collect and use personal information only for lawful purposes connected with our business activities and where such collection is necessary for those purposes.
India
For users located in India, we process personal data in accordance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable rules thereunder. Processing may be based on:
- Consent provided by the Data Principal;
- Certain legitimate uses permitted under the DPDPA;
- Compliance with legal obligations;
- Employment-related purposes (where applicable);
- Prevention and detection of fraud or misuse of the Platform.
Where laws of multiple jurisdictions apply simultaneously, we shall comply with the stricter applicable legal standard.
07 Payment Information
In connection with subscriptions, merchant fees, customer purchases, refunds, payouts, and other transactions conducted through the Platform, we may collect, process, facilitate, or transmit payment-related information through authorized third-party payment processors, payment gateways, banking partners, and financial institutions.
Such payment-related information may include, without limitation: billing name; billing address; payment card details; bank account details; UPI / payment wallet information; transaction identifiers; payment history; tax-related payment information.
We generally do not store complete debit card, credit card, CVV, or other sensitive payment authentication data on our servers unless expressly stated and permitted under applicable law and industry standards. Where payment card information is processed, such processing may be undertaken by third-party payment processors that maintain their own security standards, including compliance with applicable Payment Card Industry Data Security Standards (PCI-DSS) requirements.
Our third-party payment service providers may independently collect, process, retain, and share financial information in accordance with their respective privacy policies, terms of service, and regulatory obligations. Users are encouraged to review such third-party policies before completing transactions.
We may receive limited transaction-related information from payment processors for purposes including: payment verification; fraud prevention; chargeback management; refund processing; subscription billing; merchant settlement and payouts; regulatory compliance; financial reporting and auditing.
We shall not be responsible for any unauthorized access, data breach, service interruption, or misuse of financial information caused solely by third-party payment processors, banks, card networks, or payment gateway providers, except to the extent such liability arises due to our gross negligence, wilful misconduct, or violation of applicable law.
08 Merchant Customer Data
Our Platform enables independent merchants, sellers, brands, and businesses (“Merchants”) to create and operate online storefronts, process customer transactions, manage orders, and interact with their end customers (“Customers”). In connection with such services, we may process personal information relating to Customers on behalf of Merchants.
Customer information processed through merchant storefronts may include, without limitation: name; email address; phone number; billing and shipping address; order details; payment-related transaction information; purchase history; delivery preferences; customer support communications; and other information voluntarily provided during checkout or account creation.
In such circumstances, the relevant Merchant generally acts as the primary data controller / business / data fiduciary (as applicable under relevant law) with respect to customer personal information collected through its storefront, and determines the purposes and means of processing such information.
Our role is generally limited to acting as a data processor / service provider on behalf of the Merchant, solely for the purpose of: hosting merchant storefronts; facilitating transactions; processing orders; enabling payment integrations; managing shipping / logistics integrations; providing analytics tools; fraud prevention; customer support functionalities; and platform administration and security.
We process such Customer information only in accordance with our agreements with Merchants, applicable law, and documented instructions provided by Merchants, except where required for compliance with legal obligations, fraud prevention, platform security, or enforcement of our legal rights.
Merchants are solely responsible for: maintaining their own customer-facing privacy policies; obtaining required consents; providing legally required notices; responding to customer privacy requests; ensuring lawful processing of customer information; and complying with applicable consumer protection and privacy laws in relevant jurisdictions.
Customers who make purchases from merchant stores hosted on our Platform should review the applicable Merchant’s privacy policy. We are not responsible for a Merchant’s independent privacy practices, data handling activities, or legal compliance obligations where such activities occur outside the scope of our Services.
09 Cookies and Tracking Technologies
We use cookies, pixels, SDKs, web beacons, tags, scripts, and similar tracking technologies to operate, secure, analyze, and improve our Platform, merchant storefronts, applications, and related services.
These technologies may collect information such as IP address, browser type and settings, device identifiers, operating system, website usage activity, browsing behavior, referral URLs, session information, purchase behavior, advertising interactions, and location data (where permitted).
Categories of cookies
- Essential Cookies — required for the operation of our website, user authentication, account login, checkout functionality, fraud prevention, payment processing, and security purposes. These cookies cannot typically be disabled without affecting platform functionality.
- Functional Cookies — used to remember user preferences, language settings, shopping cart activity, login credentials, and personalization features.
- Analytics Cookies — used to measure website traffic, user interactions, merchant store performance, platform usage trends, and service improvements.
- Advertising and Marketing Cookies — used to deliver personalized advertisements, measure campaign effectiveness, retarget users, and track advertising interactions across websites and platforms where legally permitted.
- Session Cookies — temporary cookies that expire once a user closes their browser.
- Third-Party Cookies — certain third-party service providers, advertisers, payment partners, integrations, and analytics vendors may place cookies or similar technologies on our Platform, subject to their own privacy practices and policies.
Where required under applicable laws — including the Privacy Act 1988 (Australia), applicable U.S. state privacy laws (including CCPA/CPRA where applicable), the Privacy Act 2020 (New Zealand), and the Digital Personal Data Protection Act, 2023 (India) — we obtain user consent prior to placing non-essential cookies or similar tracking technologies on user devices.
Users may manage, block, or delete cookies through browser settings, device settings, cookie consent banners / preference centers, or third-party opt-out tools where available. Please note that disabling certain cookies may affect website functionality, merchant storefront operations, checkout experiences, and other platform features.
For additional information regarding the specific cookies we use, their duration, purposes, and management options, please review our separate Cookie Policy, which forms part of this Privacy Policy.
10 Disclosure of Information
We may disclose data to: payment processors; shipping providers; cloud hosting providers; analytics providers; fraud prevention vendors; legal advisors; government authorities; business partners; affiliates / subsidiaries.
We do not sell personal information unless explicitly disclosed and legally permitted. For California residents, users may exercise “Do Not Sell or Share My Personal Information” rights where applicable.
11 International Data Transfers
Your data may be processed in multiple countries. By using our Services, you acknowledge cross-border data transfers. We implement safeguards including contractual protections, security controls, access restrictions, and vendor due diligence.
12 Data Retention
We retain personal information only for as long as is reasonably necessary to fulfil the purposes for which it was collected, including providing and maintaining the Services, managing merchant accounts, processing transactions, facilitating customer orders, providing customer support, enforcing contractual obligations, preventing fraud, maintaining platform security, resolving disputes, conducting audits, and complying with applicable legal, regulatory, accounting, taxation, and reporting obligations under the laws of Australia, the United States, New Zealand, India, and other applicable jurisdictions.
The retention period may vary depending on the nature of the information, contractual requirements, applicable statutory limitation periods, regulatory obligations, ongoing investigations, litigation holds, or legitimate business needs. Upon expiry of the applicable retention period, we may securely delete, destroy, de-identify, anonymize, or aggregate such information in accordance with applicable law; provided, however, that we may retain certain information for longer periods where required or permitted by law, for evidentiary purposes, fraud prevention, enforcement of legal rights, or compliance with regulatory directives.
13 Data Security
We implement commercially reasonable technical, administrative, organizational, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, loss, misuse, destruction, or accidental compromise. Such safeguards may include encryption of sensitive data during transmission and, where applicable, at rest; role-based access controls; multi-factor authentication; firewalls; intrusion detection and monitoring; secure hosting infrastructure; vulnerability assessments; backup protocols; restricted employee access on a need-to-know basis; confidentiality obligations imposed on employees, contractors, and service providers; and periodic review of our security practices.
No method of transmission over the internet, electronic storage system, or security framework is entirely secure or immune from risks, and therefore we cannot guarantee absolute security of personal information.
14 User Rights
Depending on jurisdiction, users may have rights to:
- Access personal information
- Correct inaccurate data
- Delete personal information
- Withdraw consent
- Restrict processing
- Data portability
- Opt out of targeted advertising
- Lodge complaints with regulators
15 California Privacy Rights
California residents may request: categories of personal information collected; sources of data; business purpose of processing; deletion of personal information; correction of personal information; opt-out rights under CCPA / CPRA.
Requests may be submitted at: assistance@vendoragenie.com.
16 Australian Privacy Rights
Australian users may access personal data, correct inaccuracies, and file complaints with the Office of the Australian Information Commissioner. We comply with the Australian Privacy Principles.
17 New Zealand Privacy Rights
New Zealand residents may request access, request correction, and file complaints with the Office of the Privacy Commissioner. We comply with the Privacy Act 2020.
18 India Privacy Rights
Under India’s Digital Personal Data Protection Act, 2023, users may: access information; correct data; erase data; withdraw consent; nominate representatives; and file grievances. Users may contact the Data Protection Board of India where applicable.
19 Children’s Privacy
Our Platform and Services are not directed toward, and are not intended to knowingly collect personal information from, children or minors below the age threshold permitted under applicable law without obtaining legally required consent from a parent or legal guardian. Where we become aware that personal information of a child has been collected without appropriate authorization, we reserve the right to delete such information and restrict access to the relevant services. For users in the United States we comply with COPPA where applicable; for users in Australia, with the Privacy Act 1988 (Cth); for users in New Zealand, with the Privacy Act 2020; and for users in India, with the Digital Personal Data Protection Act, 2023, including obtaining verifiable parental consent where required.
20 Third-Party Links
Our platform may contain links to third-party websites, applications, and services. We are not responsible for their privacy practices.
21 Business Transfers
In the event of a merger, acquisition, consolidation, corporate restructuring, reorganization, financing transaction, sale of assets, sale of business operations, insolvency proceeding, bankruptcy, change in control, or any similar corporate transaction involving all or part of our business, personal information and other data held by us may be disclosed, transferred, assigned, or otherwise shared with potential or actual purchasers, investors, lenders, successor entities, professional advisors, or affiliated entities. Any such transfer shall be subject to appropriate confidentiality obligations and applicable data protection laws, and the receiving entity shall be required to process such personal information in a manner consistent with this Privacy Policy or as otherwise permitted or required under applicable law.
22 Data Breach Notification
In the event of any actual, suspected, or reasonably foreseeable unauthorized access, disclosure, alteration, loss, destruction, or compromise of personal information that constitutes a reportable data breach under applicable law, we shall take commercially reasonable steps to investigate, contain, mitigate, and remediate the incident in a timely manner.
Where required under applicable laws, we may notify affected individuals, regulatory authorities, law enforcement agencies, payment partners, merchants, or other relevant stakeholders. This includes compliance, where applicable, with Australia’s Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), New Zealand’s Privacy Act 2020, applicable U.S. federal and state data breach notification laws, and obligations under India’s Digital Personal Data Protection Act, 2023.
23 Your Responsibilities as a Merchant
Merchants using our platform must:
- Maintain lawful privacy notices
- Obtain customer consent where required
- Comply with applicable tax laws
- Comply with applicable consumer laws
- Avoid unlawful processing activities
24 Changes to this Privacy Policy
We may update this Policy from time to time. Updated versions will be posted on our website with revised effective dates.
25 Contact Information
26 Grievance Officer
Users may contact us regarding any privacy-related concerns, complaints, requests, or grievances using the contact details above. For users in Australia, complaints may be escalated to the Office of the Australian Information Commissioner (OAIC). For users in New Zealand, to the Office of the Privacy Commissioner. For users in the United States, under CCPA / CPRA and other applicable state laws. For users in India, complaints may be addressed to our designated Grievance Officer under the Digital Personal Data Protection Act, 2023.
27 Do Not Track Disclosure (US Users)
Certain web browsers may offer a “Do Not Track” (DNT) feature. Because there is currently no universally accepted standard for recognizing or responding to DNT signals, our Platform may not currently respond to such signals unless required under applicable law. Users located in jurisdictions that provide specific opt-out rights (including California) may exercise applicable privacy choices through our consent management tools, cookie settings, or by contacting us.
28 Consent
By accessing, using, registering for, or otherwise interacting with our Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, disclosure, storage, transfer, and processing of your personal information in accordance with this Privacy Policy, to the extent such consent is required under applicable law. Where applicable laws require express consent for specific processing activities, such consent shall be obtained separately. Users who do not agree with this Privacy Policy should discontinue use of the Services.