Privacy Policy

Last updated: March 3, 2026

Villanueva Ventures LLC (“Vexlink,” “we,” “us”) operates vexlink.io. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Platform.

1. Information We Collect

1.1 Information You Provide

  • Account information: Name, email address, password (hashed, never stored in plain text).
  • Seller information: Display name, bio, avatar, payout preferences.
  • Purchase information: Email address used for purchases, download history.
  • Communications: Messages sent through dispute forms, refund requests, or support emails.

1.2 Information Collected Automatically

  • Usage data: Pages visited, listings viewed, search queries, clicks.
  • Device data: Browser type, operating system, screen resolution.
  • IP address: Used for security (rate limiting, fraud detection, brute-force protection).
  • Cookies: Session cookies for authentication, preference cookies for theme settings.

1.3 Information from Third Parties

  • Google OAuth: If you sign in with Google, we receive your name, email, and profile picture. We do not access your Google Drive, contacts, or other data.
  • Stripe: Payment processing is handled by Stripe. We receive transaction confirmations but never see or store your credit card number, CVV, or full card details.

2. How We Use Your Information

  • Provide, maintain, and improve the Platform.
  • Process transactions and send purchase confirmations.
  • Send email notifications (purchase receipts, bounty updates). You can opt out.
  • Detect and prevent fraud, abuse, and security threats.
  • Enforce our Terms of Service.
  • Respond to support requests and disputes.
  • Generate anonymized, aggregated analytics to improve the Platform.

We do NOT:

  • Sell your personal information to third parties.
  • Use your data for targeted advertising.
  • Share your email with sellers (buyer emails are masked in reviews and seller dashboards).
  • Train AI models on your data.

3. How We Share Your Information

We share information only in these limited circumstances:

  • Stripe: Payment processing (name, email, transaction amount).
  • Resend: Email delivery (recipient email and email content only).
  • Vercel: Hosting provider (standard web server logs).
  • Supabase: Database hosting (all data stored encrypted at rest).
  • Legal requirements: If required by law, subpoena, or court order.
  • Safety: To protect the rights, property, or safety of Vexlink, our users, or the public.

4. Data Security

  • Passwords are hashed using bcrypt (never stored in plain text).
  • All data transmitted over HTTPS/TLS encryption.
  • Database encrypted at rest (AES-256).
  • Authentication tokens expire after 7 days.
  • Sessions end after 10 minutes of inactivity or browser close.
  • Brute-force protection: 5 failed login attempts = 15-minute lockout.
  • Rate limiting on all API endpoints.
  • Content Security Policy headers to prevent XSS attacks.
  • File uploads scanned for malware, executables, secret keys, and prompt injection.
  • Admin endpoints protected by secret key authentication.
  • Seller file paths never exposed in public API responses.

5. Cookies

We use minimal cookies:

CookiePurposeDuration
vx_pending_*Google OAuth token handoff2 minutes
vx-themeDark/light mode preferencePersistent

Authentication tokens are stored in localStorage (not cookies), which means they are not sent with every HTTP request and are not accessible by third-party scripts from other domains.

6. Your Rights

6.1 All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update inaccurate information via your dashboard.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Request your data in a machine-readable format.

6.2 California Residents (CCPA)

  • Right to know what personal information is collected.
  • Right to delete personal information.
  • Right to opt out of the “sale” of personal information. We do not sell personal information.
  • Right to non-discrimination for exercising your rights.

6.3 EU/EEA Residents (GDPR)

  • All rights above, plus the right to restrict processing and object to processing.
  • Legal basis for processing: contract performance (providing the service), legitimate interests (security, fraud prevention), and consent (optional emails).
  • Data is stored in the United States. By using Vexlink, you consent to this transfer.

To exercise any of these rights, email privacy@vexlink.io. We will respond within 30 days.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Purchase records: Retained for 7 years for tax and legal compliance.
  • Server logs: Retained for 90 days.
  • Dispute records: Retained for 2 years.

8. Children’s Privacy

Vexlink is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it promptly.

9. Third-Party Links

The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies.

10. Changes to This Policy

We may update this Privacy Policy at any time. Material changes will be posted with an updated date. Continued use constitutes acceptance.

11. Contact

For privacy-related inquiries: