This Privacy Policy explains how Supplio ("Supplio", "we", "our", "us") collects, uses, shares and protects personal data when you visit supplio.co.uk, when you or your colleagues use the Supplio platform at app.supplio.co.uk, when a supplier uses the Supplio supplier portal at a customer's invitation, or when you otherwise interact with us. It is written to comply with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
1. Who we are and how to contact us
Supplio is operated by Supplio as a UK sole trader. Our correspondence address is United Kingdom. We are in the process of completing our registration with the UK Information Commissioner's Office (ICO); the registration number will be added here once issued.
Supplio is the controller of personal data described in section 3 (the data we collect for our own purposes). Where you are a Supplio business customer uploading personal data into the platform about your employees, suppliers or others, you are the controller and Supplio is the processor. That processing is governed by our Data Processing Addendum.
For any privacy-related question or to exercise your rights, email privacy@supplio.co.uk. While we scale, the founder acts as the single point of contact for privacy. Once we are required to do so, we will appoint a Data Protection Officer and publish their details here.
2. Scope
This Privacy Policy applies to personal data we process as a controller in connection with:
- visitors to supplio.co.uk (the marketing site);
- users of the Supplio platform (account administrators and authorised users acting on behalf of a Supplio business customer);
- third-party suppliers who use the supplier portal at the invitation of a Supplio customer;
- prospective customers, leads and contacts who interact with our sales and contact channels;
- recipients of our service-related and (where consented to) marketing communications.
Where you are a supplier-portal user, please note that the Supplio customer that invited you is the controller of most data about you in the platform. Supplio acts on the customer's behalf as processor for that data. Questions about why your data is being collected should be directed to the customer in the first instance.
3. Personal data we collect and process
We collect the categories of personal data below. We have aimed to be exhaustive rather than generic, so that you can see exactly what is processed.
3.1 Marketing-site and contact data
- Contact-form submissions: name, work email, company, plan interest, free-text message. Collected when you submit our contact form.
- Sales and partner enquiries: name, email, company, role and any further information you send us by email.
- Newsletter / marketing email (where applicable): email address and consent state.
- Technical and usage data: IP address, user-agent, referrer, pages viewed, approximate location (derived from IP at country/region level) and cookie identifiers. See our Cookies Policy.
3.2 Account data (platform users)
- Identity: first name, last name, email address, optional phone number, optional profile photo, organisation name and role within the customer's organisation.
- Authentication credentials: a hashed password (we never store passwords in clear text), two-factor preferences, login timestamps, lockout state and a refresh-token hash for keeping you signed in.
- Session and security data: IP address, user-agent, session cookies, security event records (failed login attempts, password resets, token refreshes).
- Account configuration: notification preferences, locale, timezone, UI settings.
3.3 Supplier-portal user data
- Identity: name, work email, role at the supplier organisation, optional phone number.
- Authentication and session data as for account users.
- Supplier organisation data: company name, registration number, VAT number, address, contact persons, certifications, insurance details, sustainability declarations and other information requested by the inviting customer.
3.4 Billing data
- Stripe customer reference: we store an identifier issued by Stripe linking our records to your Stripe customer object.
- Subscription state: plan, billing interval, renewal date, payment status.
- Invoice metadata: invoice number, amount, currency, description, dates.
- We do not store full payment card numbers. Card details are entered directly into Stripe's payment forms and are handled by Stripe as a PCI-DSS Level 1 service provider.
3.5 Customer Data uploaded to the platform
Customers upload supplier records, documents, communications, scoring inputs and other data into the platform. Where this includes personal data, the customer is the controller and we are the processor. See the DPA for details.
3.6 Application telemetry
- Audit logs: who did what, when, from which IP address, captured for security, integrity and compliance purposes (e.g. document uploads, configuration changes, score recalculations).
- Operational logs: request and error logs, performance metrics, rate-limit events. We strive to keep personal data out of error logs and review log content periodically.
4. Where we get personal data from
- directly from you when you fill in a form, create an account, contact us or use the platform;
- from your employer / the organisation that invites you to the platform (for account users) or from the inviting customer (for supplier-portal users);
- automatically through your use of the website and platform (cookies, server logs, analytics);
- from third-party services we use (e.g. Stripe sends us subscription event data; address-lookup providers return structured address suggestions; the "Have I Been Pwned" service confirms whether a password hash prefix appears in known breaches);
- from publicly available sources (e.g. Companies House) for due-diligence purposes where relevant.
5. Why we process personal data and on what lawful basis
We rely on the following lawful bases under Article 6 of the UK GDPR. The table below maps each processing activity to its lawful basis. Special-category data is not knowingly processed; if you submit such data through the platform (for example, in a supplier health-and-safety statement), additional conditions under Article 9 may apply and the customer must ensure it has the necessary basis.
| Activity | Lawful basis |
|---|---|
| Creating and operating your platform account, providing support, billing | Performance of a contract (Art. 6(1)(b)) |
| Replying to contact-form and sales enquiries | Legitimate interests (Art. 6(1)(f)) — handling the enquiry you made |
| Security monitoring, fraud prevention, audit logging | Legitimate interests — protecting the Service and our customers; legal obligation where applicable |
| Privacy-friendly aggregate analytics | Consent (Art. 6(1)(a)) — opted in via the cookie banner |
| Marketing emails to existing customers about similar products | Legitimate interests + PECR Regulation 22(3) soft opt-in, with opt-out in every message |
| Marketing emails to prospects who are not existing customers | Consent |
| Complying with tax, accounting and other legal obligations | Legal obligation (Art. 6(1)(c)) |
| Defending or asserting legal claims | Legitimate interests / legal obligation |
Where we rely on legitimate interests, we balance our interests against your rights and freedoms. You can ask us for a copy of any relevant legitimate-interests assessment by emailing privacy@supplio.co.uk.
6. Automated decision-making and profiling
The Supplio platform includes a supplier-scoring feature which assigns numeric scores and a risk-level indicator to suppliers based on signals configured by the inviting customer (such as document completeness, certification validity, response rates and sustainability declarations). The scoring is rule-based and deterministic; we do not use artificial intelligence or machine learning to produce supplier scores.
Where a supplier is an identified individual (for example, a sole-trader supplier), supplier scoring may amount to profiling. Supplio designs the feature to support, not replace, human decision-making, and our Terms require customers to ensure that any decision producing legal or similarly significant effects on a supplier is subject to meaningful human review. If you are a supplier and want an explanation of a score assigned to you or to contest a decision based on it, please contact the customer that invited you in the first instance, and copy privacy@supplio.co.uk if you cannot reach a resolution.
7. Who we share personal data with
We do not sell personal data. We share personal data only with the categories of recipient below.
- Sub-processors that help us run the Service (e.g. cloud hosting, payment processing, transactional email, file storage, address lookup, breached-password checking, content delivery and security). The current sub-processor list, including the country in which each operates and the safeguards in place, is published at /legal/sub-processors.
- Your organisation (for account users) or the inviting customer (for supplier-portal users): the data you submit into the platform is visible to your organisation's administrators or to the inviting customer, as appropriate.
- Professional advisers: accountants, auditors, lawyers and insurers, under duties of confidentiality.
- Authorities, regulators, courts and law enforcement when required by law, court order or in response to a valid request, and where appropriate after challenging or narrowing the request.
- A successor entity in connection with a merger, acquisition or sale of all or substantially all of our assets, subject to customary confidentiality protections and notice to affected customers.
8. International transfers
We aim to keep personal data within the United Kingdom and the European Economic Area. Some of our sub-processors (notably Stripe and certain content-delivery / security providers) are based in or transfer data to the United States or other third countries. When personal data is transferred outside the UK to a country that has not been the subject of UK adequacy regulations, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the IDTA) or equivalent appropriate safeguards under Article 46 of the UK GDPR, supplemented where necessary by additional technical and organisational measures. Details of each transfer are in the sub-processor list.
9. How long we keep personal data
| Data | Retention |
|---|---|
| Contact-form submissions, sales enquiries | Up to 24 months from last interaction, then deleted, unless a customer relationship begins |
| Account data (platform users) | Duration of the customer's subscription, plus up to 90 days after termination for export and reconciliation |
| Billing and invoice records | 6 years from the end of the relevant tax year (HMRC record-keeping requirement) |
| Authentication credentials and session tokens | Access tokens: up to 24 hours. Refresh tokens: up to 7 days. Blacklisted tokens: until expiry. |
| Marketing email subscribers | Until you withdraw consent, then deleted from active sending lists; we keep a minimal suppression record to honour the opt-out |
| Application audit logs (security and compliance forensics) | 13 months by default; longer where reasonably required to investigate or evidence a specific incident, then deleted or anonymised |
| Backups | Up to 35 days, after which they are overwritten in normal rotation |
Where we keep data longer to comply with a legal obligation or to defend legal claims, we restrict access to it to those who need it for that purpose.
10. Your rights
Subject to the conditions in the UK GDPR, you have the right to:
- Be informed about how we use your personal data (this Privacy Policy);
- Access a copy of the personal data we hold about you;
- Rectify inaccurate or incomplete personal data;
- Erase personal data we no longer need or that we hold without a lawful basis;
- Restrict processing in certain circumstances;
- Object to processing based on legitimate interests, including direct marketing (which you can always object to);
- Data portability: receive a copy of the personal data you provided to us, in a structured, commonly used, machine-readable format, where we process it on the basis of consent or contract and by automated means;
- Withdraw consent at any time where processing is based on consent (withdrawal does not affect the lawfulness of processing before withdrawal);
- Not be subject to a decision based solely on automated processing which produces legal or similarly significant effects (see section 6).
To exercise any of these rights, email privacy@supplio.co.uk from the email address associated with the data you are asking about (or include other verification we can use). We will respond within one month, extendable by up to two further months for complex requests. There is no fee for a reasonable request.
If you are unhappy with how we have handled your personal data, please tell us first so we can try to resolve it. You always have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint, by phone on 0303 123 1113, or by post to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including: TLS 1.2+ encryption in transit; AES-256 (or equivalent) encryption at rest in our cloud-provider storage layer; bcrypt password hashing; checks against the Have I Been Pwned breached-password database; refresh-token rotation with re-use detection; rate limiting and lockouts on authentication endpoints; immutable application audit logs; role-based access controls; segregated tenant databases for customer data; and ongoing dependency-vulnerability monitoring. See our Security Statement for more detail.
No system is perfectly secure. If you become aware of a vulnerability or suspected compromise, contact security@supplio.co.uk.
12. Children
Supplio is a business-to-business service and is not intended for, or directed to, children. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected such data, please contact us and we will delete it.
13. Cookies
We use a small number of cookies and similar technologies on the marketing site and platform. See the Cookies Policy for the full list, what they do, and how to manage your preferences.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when it was last revised. For material changes affecting how we use your personal data, we will provide more prominent notice (such as an email or in-product notification) at least 30 days before the change takes effect.
15. Contact
Privacy questions, requests or complaints? Email privacy@supplio.co.uk.