Vendor Privacy Policy

Last updated: 24 February 2026

1. Who We Are

All Access World ("the Platform", "we", "us", "our") is an online marketplace specialising in assistive technology and accessibility products. We operate as the data controller for vendor personal and business data processed through the Platform.

This Vendor Privacy Policy describes how we collect, use, store, and protect the personal and business data of vendor applicants and approved vendor partners. References to "you" or "vendor" throughout this policy refer to any individual or organisation that has submitted a vendor application or holds an active vendor account on the Platform.

For enquiries regarding this policy, please contact us at hello@accessaro.com.

2. Scope of This Policy

This Vendor Privacy Policy applies to:

Individuals and organisations that submit a vendor application to the Platform
Approved vendors who actively sell products through the Platform
Former vendors whose personal or business data may be retained in accordance with our data retention obligations

For customer-facing data processing practices, please refer to our general Privacy Policy.

This Vendor Privacy Policy supplements the general Privacy Policy. In the event of any conflict between this policy and the general Privacy Policy with respect to vendor-specific data processing, this policy shall prevail.

3. Data We Collect

We collect the following categories of vendor data:

Registration data (collected at application):

First name and last name
Email address
Company or store name
Website URL (optional)

Profile data (collected post-approval):

Business type (individual, company, or non-profit organisation)
Business address, city, and country
Contact telephone number
Tax identification number (stored in encrypted form)
Payout method and associated payment details (stored in encrypted form)
Store logo and banner image URLs
Store description

Automatically collected data:

Transaction and order history, including sales volume, revenue, and order counts
Product performance metrics (views, conversion rates, ratings)
Authentication and session data (login timestamps, session identifiers, device fingerprints)
Browser and device information (user agent, screen resolution, operating system)
IP address and approximate geolocation

4. How We Use Your Data

We process vendor data for the following purposes:

Application assessment: To evaluate vendor applications and make approval decisions (legal basis: pre-contractual measures)
Payout processing: To calculate commissions and process monthly payout disbursements (legal basis: contractual performance)
Communications: To send transactional notifications regarding application status, orders, payouts, and platform updates (legal basis: contractual performance and legitimate interest)
Analytics provision: To compile and present sales, order, and product performance data within the Vendor Dashboard (legal basis: contractual performance)
Fraud prevention: To detect and prevent fraudulent, abusive, or unauthorised activity (legal basis: legitimate interest)
Platform improvement: To analyse aggregated vendor data to enhance Platform functionality and vendor experience (legal basis: legitimate interest)
Legal compliance: To maintain records required by applicable tax, financial reporting, and data protection regulations (legal basis: legal obligation)

The primary legal bases for processing vendor data under Article 6 of the GDPR are: performance of a contract (the Vendor Terms and Conditions), pre-contractual measures (application review), legitimate interest (fraud prevention, platform improvement), and legal obligation (regulatory compliance).

5. Payment and Payout Data

To facilitate monthly payout disbursements, the Platform stores the following payment data, depending on the vendor's selected payout method:

Bank transfer: Bank name, account number, sort code or IBAN, and account holder name
PayPal: Verified PayPal email address
Stripe: Connected Stripe account identifier

All payout details are encrypted at rest using field-level encryption prior to database storage (see Section 6 for technical details). Within the Vendor Dashboard, payout details are masked, displaying only the final four characters to the authorised vendor.

The Platform does not store full credit or debit card numbers at any point. All customer payment processing is handled by Stripe, which maintains PCI DSS Level 1 certification, the highest level of payment security compliance.

6. Field-Level Encryption

The Platform implements field-level encryption for designated sensitive vendor data fields. The following technical measures are applied:

Algorithm: AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), providing both confidentiality and authenticated integrity verification
Key derivation: PBKDF2 (Password-Based Key Derivation Function 2) with a minimum of 100,000 iterations, using a dedicated salt value
Initialisation vector: 12 bytes (96 bits), randomly generated per encryption operation as recommended for GCM mode
Storage format: Encrypted values are stored with the prefix enc:v1: followed by a Base64-encoded payload containing the initialisation vector, ciphertext, and GCM authentication tag

Encrypted fields include:

tax_id: The vendor's tax identification number
payout_details: A JSON object containing bank account, PayPal, or Stripe payout information

Decryption is performed only at the point of need, such as during payout processing or when an authorised administrator requires access for a verified operational purpose. Encryption keys are stored separately from the encrypted data and are managed through environment-level configuration.

7. Email Communications

The Platform sends the following categories of transactional email communications to vendors:

Application received: Confirmation of vendor application submission
Application decision: Notification of approval or rejection, including the reason for rejection where applicable
Order notifications: Alerts when customer orders are placed for vendor products
Payout notifications: Confirmation of monthly payout processing
Policy and terms updates: Notification of material changes to the Vendor Terms or this Privacy Policy

These communications are transactional in nature and are necessary for the performance of the contract between the vendor and the Platform. As such, they are not classified as marketing communications, and vendors may not opt out of receiving them while maintaining an active vendor account.

Email communications are sent in the vendor's preferred language as set in their profile. Supported languages are English, Arabic, Italian, and German. Arabic emails are rendered with right-to-left (RTL) text direction. All email templates conform to WCAG accessibility standards.

8. Vendor Dashboard Analytics

The Vendor Dashboard provides vendors with access to analytical data derived from their activity on the Platform, including:

Total product count, order count, and cumulative revenue
Average customer rating across all products
Payout history, including past disbursements and pending balances
Commission calculations and earnings breakdowns
Product-level performance metrics

Analytics data is derived from transactional records generated through the vendor's use of the Platform. Individual vendor analytics are not disclosed to other vendors, third parties, or the general public. Aggregated and anonymised data may be used internally for Platform improvement purposes.

9. Cookies and Tracking

The Platform uses cookies and similar technologies to facilitate Vendor Dashboard functionality. The following cookie categories apply to vendor sessions:

Essential cookies (strictly necessary, no consent required):

Authentication session cookies for maintaining logged-in state
CSRF (Cross-Site Request Forgery) protection tokens
Session heartbeat cookies for idle timeout monitoring and session hardening

Analytics cookies (consent-based, opt-in):

Google Analytics 4 with IP anonymisation enabled for aggregated usage insights

All cookies are configured with the SameSite=Strict attribute for enhanced cross-site request protection. For a comprehensive overview of cookie types, retention periods, and management options, please refer to the Cookies section of the general Privacy Policy.

10. Third-Party Services

The Platform engages the following third-party service providers who may process vendor data in the course of providing their services:

Stripe (payment processing): Processes customer transactions and facilitates vendor payout disbursements. Stripe maintains PCI DSS Level 1 certification and processes data in accordance with their Privacy Policy
Supabase (database and authentication): Provides database hosting, user authentication, and data storage services. Data is stored in accordance with their Privacy Policy
Vercel (hosting and deployment): Provides web hosting, content delivery, and edge computing services. Data is processed in accordance with their Privacy Policy
Google Analytics 4 (analytics): Provides aggregated website usage statistics with IP anonymisation enabled. Analytics cookies are consent-based and may be declined. Data is processed in accordance with Google's Privacy Policy

The Platform does not sell, rent, or trade vendor personal data to any third party. Data is shared with the above providers only to the extent necessary for the provision of their respective services, and all providers are bound by appropriate data processing agreements.

11. Data Retention

Vendor data is retained for the following periods:

Active vendor profile data: Retained for the duration of the vendor's active account. Upon account closure, profile data is deleted or anonymised within 90 calendar days
Transaction and order records: Retained for a minimum of 7 years following the transaction date, in compliance with applicable tax and financial reporting regulations
Payout records: Retained for a minimum of 7 years following the disbursement date, in compliance with financial record-keeping requirements
Encrypted sensitive fields: Upon account closure, encryption keys associated with the vendor's tax identification number and payout details are revoked, rendering the encrypted data cryptographically unrecoverable
Security audit logs: Retained for 2 years for security monitoring and compliance audit purposes

For rejected vendor applications, application data is retained for 12 months from the date of rejection to facilitate potential reapplication. After this period, the data is permanently deleted.

Data retention periods may be extended where required by a legal obligation, regulatory investigation, or pending dispute resolution.

13. Data Security

The Platform implements the following security measures to protect vendor data:

Encryption at rest: Sensitive fields (tax_id, payout_details) are encrypted using AES-256-GCM with PBKDF2 key derivation (see Section 6)
Encryption in transit: All data transmission between the client and server is encrypted using TLS (HTTPS). Content Security Policy Level 3 with strict-dynamic and nonce-based script execution is enforced
Session hardening: Vendor sessions are subject to a 15-minute idle timeout, an 8-hour absolute timeout, and a maximum of 2 concurrent sessions. Session heartbeat monitoring runs at 5-minute intervals
CSRF protection: HMAC-based CSRF tokens with timing-safe comparison, using the Web Crypto API on the Vercel Edge Runtime
Dual approval: Permanent vendor account deletion is subject to a four-eyes principle, requiring authorisation from two independent Platform administrators
Security audit logging: All significant account actions are logged with device fingerprints and session identifiers for forensic traceability
Security alerts: Automated alerts are triggered for events such as MFA failures, role changes, vendor deletions, and session anomalies

While no system can guarantee absolute security, the Platform applies defence-in-depth measures that meet or exceed industry standards for the protection of vendor data.

14. International Transfers

Certain third-party service providers engaged by the Platform are based outside the European Economic Area (EEA). As a result, vendor data may be transferred to and processed in jurisdictions outside the EEA.

Where such transfers occur, the Platform ensures an adequate level of data protection through one or more of the following mechanisms:

Transfer to countries recognised by the European Commission as providing an adequate level of data protection (adequacy decisions)
Execution of EU Standard Contractual Clauses (SCCs) as approved by the European Commission
Engagement with service providers that maintain recognised security certifications (SOC 2, ISO 27001, PCI DSS)

All international data transfers are conducted in compliance with Chapter V of the GDPR. Vendors may request information about the specific safeguards applied to their data by contacting hello@accessaro.com.

15. Changes to This Policy

The Platform reserves the right to amend this Vendor Privacy Policy at any time. Material changes will be communicated as follows:

Affected vendors will receive an email notification at least 30 calendar days prior to the effective date of any material changes
The "Last updated" date at the top of this page will be revised accordingly

Vendors are encouraged to review this policy periodically to remain informed of any updates to our data processing practices.

16. Contact

For any questions, concerns, or requests relating to this Vendor Privacy Policy or the processing of your personal data, please contact us using the following channels:

Email: hello@accessaro.com
Contact form: Contact Us

We endeavour to respond to all privacy-related vendor enquiries within 2 business days. For GDPR data subject requests, we will acknowledge receipt within 72 hours and provide a substantive response within 30 calendar days.

Vendor Privacy Policy

Last updated: 24 February 2026

1. Who We Are

For enquiries regarding this policy, please contact us at hello@accessaro.com.

2. Scope of This Policy

This Vendor Privacy Policy applies to:

Individuals and organisations that submit a vendor application to the Platform
Approved vendors who actively sell products through the Platform
Former vendors whose personal or business data may be retained in accordance with our data retention obligations

For customer-facing data processing practices, please refer to our general Privacy Policy.

3. Data We Collect

We collect the following categories of vendor data:

Registration data (collected at application):

First name and last name
Email address
Company or store name
Website URL (optional)

Profile data (collected post-approval):

Business type (individual, company, or non-profit organisation)
Business address, city, and country
Contact telephone number
Tax identification number (stored in encrypted form)
Payout method and associated payment details (stored in encrypted form)
Store logo and banner image URLs
Store description

Automatically collected data:

Transaction and order history, including sales volume, revenue, and order counts
Product performance metrics (views, conversion rates, ratings)
Authentication and session data (login timestamps, session identifiers, device fingerprints)
Browser and device information (user agent, screen resolution, operating system)
IP address and approximate geolocation

4. How We Use Your Data

We process vendor data for the following purposes:

Application assessment: To evaluate vendor applications and make approval decisions (legal basis: pre-contractual measures)
Payout processing: To calculate commissions and process monthly payout disbursements (legal basis: contractual performance)
Communications: To send transactional notifications regarding application status, orders, payouts, and platform updates (legal basis: contractual performance and legitimate interest)
Analytics provision: To compile and present sales, order, and product performance data within the Vendor Dashboard (legal basis: contractual performance)
Fraud prevention: To detect and prevent fraudulent, abusive, or unauthorised activity (legal basis: legitimate interest)
Platform improvement: To analyse aggregated vendor data to enhance Platform functionality and vendor experience (legal basis: legitimate interest)
Legal compliance: To maintain records required by applicable tax, financial reporting, and data protection regulations (legal basis: legal obligation)

5. Payment and Payout Data

To facilitate monthly payout disbursements, the Platform stores the following payment data, depending on the vendor's selected payout method:

Bank transfer: Bank name, account number, sort code or IBAN, and account holder name
PayPal: Verified PayPal email address
Stripe: Connected Stripe account identifier

6. Field-Level Encryption

The Platform implements field-level encryption for designated sensitive vendor data fields. The following technical measures are applied:

Algorithm: AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), providing both confidentiality and authenticated integrity verification
Key derivation: PBKDF2 (Password-Based Key Derivation Function 2) with a minimum of 100,000 iterations, using a dedicated salt value
Initialisation vector: 12 bytes (96 bits), randomly generated per encryption operation as recommended for GCM mode
Storage format: Encrypted values are stored with the prefix enc:v1: followed by a Base64-encoded payload containing the initialisation vector, ciphertext, and GCM authentication tag

Encrypted fields include:

tax_id: The vendor's tax identification number
payout_details: A JSON object containing bank account, PayPal, or Stripe payout information

7. Email Communications

The Platform sends the following categories of transactional email communications to vendors:

Application received: Confirmation of vendor application submission
Application decision: Notification of approval or rejection, including the reason for rejection where applicable
Order notifications: Alerts when customer orders are placed for vendor products
Payout notifications: Confirmation of monthly payout processing
Policy and terms updates: Notification of material changes to the Vendor Terms or this Privacy Policy

8. Vendor Dashboard Analytics

The Vendor Dashboard provides vendors with access to analytical data derived from their activity on the Platform, including:

Total product count, order count, and cumulative revenue
Average customer rating across all products
Payout history, including past disbursements and pending balances
Commission calculations and earnings breakdowns
Product-level performance metrics

9. Cookies and Tracking

The Platform uses cookies and similar technologies to facilitate Vendor Dashboard functionality. The following cookie categories apply to vendor sessions:

Essential cookies (strictly necessary, no consent required):

Authentication session cookies for maintaining logged-in state
CSRF (Cross-Site Request Forgery) protection tokens
Session heartbeat cookies for idle timeout monitoring and session hardening

Analytics cookies (consent-based, opt-in):

Google Analytics 4 with IP anonymisation enabled for aggregated usage insights

10. Third-Party Services

The Platform engages the following third-party service providers who may process vendor data in the course of providing their services:

Stripe (payment processing): Processes customer transactions and facilitates vendor payout disbursements. Stripe maintains PCI DSS Level 1 certification and processes data in accordance with their Privacy Policy
Supabase (database and authentication): Provides database hosting, user authentication, and data storage services. Data is stored in accordance with their Privacy Policy
Vercel (hosting and deployment): Provides web hosting, content delivery, and edge computing services. Data is processed in accordance with their Privacy Policy
Google Analytics 4 (analytics): Provides aggregated website usage statistics with IP anonymisation enabled. Analytics cookies are consent-based and may be declined. Data is processed in accordance with Google's Privacy Policy

11. Data Retention

Vendor data is retained for the following periods:

Active vendor profile data: Retained for the duration of the vendor's active account. Upon account closure, profile data is deleted or anonymised within 90 calendar days
Transaction and order records: Retained for a minimum of 7 years following the transaction date, in compliance with applicable tax and financial reporting regulations
Payout records: Retained for a minimum of 7 years following the disbursement date, in compliance with financial record-keeping requirements
Encrypted sensitive fields: Upon account closure, encryption keys associated with the vendor's tax identification number and payout details are revoked, rendering the encrypted data cryptographically unrecoverable
Security audit logs: Retained for 2 years for security monitoring and compliance audit purposes

For rejected vendor applications, application data is retained for 12 months from the date of rejection to facilitate potential reapplication. After this period, the data is permanently deleted.

Data retention periods may be extended where required by a legal obligation, regulatory investigation, or pending dispute resolution.

13. Data Security

The Platform implements the following security measures to protect vendor data:

Encryption at rest: Sensitive fields (tax_id, payout_details) are encrypted using AES-256-GCM with PBKDF2 key derivation (see Section 6)
Encryption in transit: All data transmission between the client and server is encrypted using TLS (HTTPS). Content Security Policy Level 3 with strict-dynamic and nonce-based script execution is enforced
Session hardening: Vendor sessions are subject to a 15-minute idle timeout, an 8-hour absolute timeout, and a maximum of 2 concurrent sessions. Session heartbeat monitoring runs at 5-minute intervals
CSRF protection: HMAC-based CSRF tokens with timing-safe comparison, using the Web Crypto API on the Vercel Edge Runtime
Dual approval: Permanent vendor account deletion is subject to a four-eyes principle, requiring authorisation from two independent Platform administrators
Security audit logging: All significant account actions are logged with device fingerprints and session identifiers for forensic traceability
Security alerts: Automated alerts are triggered for events such as MFA failures, role changes, vendor deletions, and session anomalies

While no system can guarantee absolute security, the Platform applies defence-in-depth measures that meet or exceed industry standards for the protection of vendor data.

14. International Transfers

Where such transfers occur, the Platform ensures an adequate level of data protection through one or more of the following mechanisms:

Transfer to countries recognised by the European Commission as providing an adequate level of data protection (adequacy decisions)
Execution of EU Standard Contractual Clauses (SCCs) as approved by the European Commission
Engagement with service providers that maintain recognised security certifications (SOC 2, ISO 27001, PCI DSS)

15. Changes to This Policy

The Platform reserves the right to amend this Vendor Privacy Policy at any time. Material changes will be communicated as follows:

Affected vendors will receive an email notification at least 30 calendar days prior to the effective date of any material changes
The "Last updated" date at the top of this page will be revised accordingly

Vendors are encouraged to review this policy periodically to remain informed of any updates to our data processing practices.

16. Contact

For any questions, concerns, or requests relating to this Vendor Privacy Policy or the processing of your personal data, please contact us using the following channels:

Email: hello@accessaro.com
Contact form: Contact Us

Vendor Privacy Policy

1. Who We Are

2. Scope of This Policy

3. Data We Collect

4. How We Use Your Data

5. Payment and Payout Data

6. Field-Level Encryption

7. Email Communications

8. Vendor Dashboard Analytics

9. Cookies and Tracking

10. Third-Party Services

11. Data Retention

12. Your Rights Under GDPR

13. Data Security

14. International Transfers

15. Changes to This Policy

16. Contact

Vendor Privacy Policy

1. Who We Are

2. Scope of This Policy

3. Data We Collect

4. How We Use Your Data

5. Payment and Payout Data

6. Field-Level Encryption

7. Email Communications

8. Vendor Dashboard Analytics

9. Cookies and Tracking

10. Third-Party Services

11. Data Retention

12. Your Rights Under GDPR

13. Data Security

14. International Transfers

15. Changes to This Policy

16. Contact