No you need to handle this in resolution, posting here will only attract comments from others who cannot assist directly with your claim. Any vendor not using PGP is a red flag as there is not legitimate reason for a vendor not to be using it, you should only send identifiable information encrypted. If your drop address is not linked to you or someone linked to you though sending the address would carry no real risk. I'd be more interested in why the vendor isn't using PGP "at the moment" though.