Legal

Privacy Policy

Effective July 3, 2026

Who we are

VendorBenchmark is a benchmarking platform for enterprise software buyers. This policy covers the VendorBenchmark web application at app.vendorbenchmark.com and the VendorBenchmark mobile app for iOS and Android. Questions: info@redresscompliance.com.

What we collect

  • Account information. Your name, work email, organization, and role, provided when your organization invites you.
  • Documents you upload. Contracts and proposals you submit for benchmarking, stored encrypted in private storage and visible only to your organization and our analyst team.
  • Usage and audit records. Actions taken in the product (views, downloads, uploads, edits) with time, IP address, and browser/device details. This audit trail is a security feature: it lets your organization see who accessed what.
  • Mobile device data. If you enable push notifications in the mobile app, we store a push token for your device and its platform (iOS/Android) so alerts can reach you. Biometric unlock (Face ID / fingerprint) happens entirely on your device, biometric data never leaves it and is never sent to us.
  • Support communications. Messages you send us, including bug reports and advisory requests.

How we use it

  • To provide the service: benchmarking your contracts, delivering reports, and sending the alerts you enable.
  • To answer questions you ask the built-in assistant, grounded in your organization's own data.
  • To secure the platform: authentication, tenant isolation, rate limiting, and audit logging.
  • To improve the product, using aggregated, de-identified usage patterns.
  • We do not sell your data, and we do not use your documents to benchmark other customers' deals in identifiable form.

AI processing

Some features use large language models (Anthropic Claude) to draft analyses, extract contract terms, and answer questions. Your content is sent to the model provider only to produce the response you requested and is not used to train their models under our agreement.

Sharing

Data is shared only with the subprocessors that run the service (hosting, database and file storage, email delivery, push notification relay, error monitoring) under data processing agreements, and where the law requires it. Your documents are never shared with other customers.

Security

Data is encrypted in transit (TLS) and at rest. Tenant isolation is enforced at the database layer with row-level security. Files live in private buckets and are only reachable through short-lived signed links. Access by our staff is role-gated, protected by multi-factor authentication, and audit-logged. On mobile, your session is stored encrypted using the device keychain.

Retention and deletion

Your organization controls its data: contracts and their files can be deleted from the product, which removes both the database records and the stored files. Account deletion requests and data export requests can be sent to info@redresscompliance.com and are honored within 30 days.

Push notifications and your choices

Push notifications are strictly opt-in and controlled per alert type in the app's settings. Turning them off, signing out, or removing a device deletes that device's push token. Email alerts have the same per-type controls.

Changes

We'll post any material changes to this policy here and note the effective date below. Continued use of the service after a change means the updated policy applies.