Privacy Policy
This Privacy Policy explains what information SupplierMafia (the "platform", "we", "us") collects when you use our service, how we use it, who we share it with, and the controls you have. It applies to anyone who creates an account at suppliermafia.com.
0. Who we are
The data controller for the personal information described in this policy is SupplierMafia, operating from the United Kingdom. For all privacy-related questions, contact privacy@suppliermafia.com. We have not appointed a formal Data Protection Officer because we are not required to under UK GDPR — our processing is not core to a regulated activity that triggers the appointment requirement. The privacy inbox above is monitored by the founding team.
EU and EEA users. If you are located in the European Union or wider EEA and would like to contact us about your rights under EU GDPR, please use privacy@suppliermafia.com in the first instance. For the separate Digital Services Act single-point-of-contact and legal-representative details required for non-EU platforms, see Section 17 of our Terms of Service.
1. Information we collect
Account information
When you create an account we collect your name, email address, and (if you sign in with Google) the basic profile information that Google sends us. If you complete your buyer or supplier profile we also store the optional fields you fill in (location, timezone, business hours, bio, profile photo).
Conversation content
SupplierMafia is a chat platform, so the messages you send and receive are stored on the platform. This includes message text, files you attach, invoices, and metadata about the conversation (who is in it, when messages were sent, who has read them). We retain this content for as long as your account is active so that you and your supplier can keep a working record of the relationship.
Usage and technical data
We collect basic technical information when you use the platform: your IP address, browser and device type, the pages you load, and timestamps. This is used to keep the service running, diagnose problems, and detect abuse.
What we do not collect
We do not run third-party advertising trackers. We do not sell your data to anyone. We do not collect payment-card data ourselves; if a payment processor is added in the future, that processor will handle card data under their own terms.
2. How we use your information
- To operate the platform: deliver your messages, render your invoice list, show you the suppliers in our network.
- To keep the platform safe: detect abuse, off-platform contact attempts, and policy violations.
- To communicate with you about the service: account notifications, security alerts, important changes.
- To improve the platform: understand which features are useful, where things break, what to build next.
3. Legal basis for processing (UK / EU users)
Under UK GDPR and (where applicable) EU GDPR, we rely on the following lawful bases:
- Contract performance (Art. 6(1)(b)): processing your account, messages, and invoices is necessary to deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): keeping the platform secure, detecting abuse, preventing fraud, and improving the service. We balance these against your rights and only rely on this basis where the impact on you is limited.
- Legal obligation (Art. 6(1)(c)): retaining certain records for tax, accounting, or law-enforcement disclosure where required.
- Consent (Art. 6(1)(a)): for optional features like marketing emails, where consent is what triggers the processing. You can withdraw consent at any time from Settings.
4. Who can see your data
Other users on the platform
Anyone you share a conversation with can see your name, profile photo, and the messages you send in that conversation. Suppliers you have not opened a conversation with cannot see your private profile information.
SupplierMafia staff
Our admin team can read conversations when investigating reports, abuse, or platform-safety issues. Every such access is logged in our internal audit log. We do not browse conversations for any other reason.
Service providers (sub-processors)
We use a small number of trusted service providers to operate the platform. Each acts as our data processor under a written data-processing agreement (UK GDPR Article 28) and is contractually bound to handle your data only for the purposes we direct.
| Sub-processor | Purpose | Location of processing | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage, realtime messaging | AWS regions (primary EU-west; some metadata in US-east) | Adequacy (UK-EU) for EU-hosted data; UK IDTA for any US transfers |
| Vercel Inc. | Static-site hosting, edge functions, serverless routes | Global edge network (closest to user) | UK IDTA for US transfers |
| Resend (Drape Inc.) | Transactional and announcement email delivery | United States | UK IDTA |
| Cloudflare Inc. | DNS, DDoS protection (where in front of our domains) | Global edge network | UK IDTA for US transfers |
| Google LLC | "Sign in with Google" OAuth identity verification; Google Analytics 4 (only when you accept the analytics cookie banner) | United States | UK IDTA; OAuth only fires on the Google sign-in path, Analytics only after explicit consent |
| hCaptcha (Intuition Machines Inc.) | Anti-bot challenge at signup (only when enabled) | United States | UK IDTA |
We will notify users at least 14 days in advance of adding a material new sub-processor that has access to user content. To object to a planned change, email privacy@suppliermafia.com before the effective date; we will respond before adding the processor.
Legal requirements
We may disclose information when required by law (court order, valid subpoena, regulatory request), or when necessary to protect the rights, property, or safety of SupplierMafia, our users, or the public. We push back on overbroad requests and notify the affected user where legally permitted to do so.
5. International transfers
SupplierMafia is operated from the United Kingdom. Our service providers may store and process data in other regions — primarily the European Economic Area and the United States. Where data leaves the UK or EEA, we rely on adequacy decisions where available, or on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where adequacy is not in force. Your data is not stored in or processed from sanctioned regions.
6. Retention
We keep personal information for as long as is necessary to provide the service and to meet legal obligations:
- Active accounts: kept while the account is in use.
- Deleted accounts — what happens to your data: when you delete your account, your personal identifying information is removed within minutes — your name, profile photo, email, location, timezone, and onboarding details are erased from our database. Your account is signed out and login credentials are scrambled so they can never be used again. Conversation content and invoices you exchanged with suppliers stay attached to an anonymised placeholder ("Deleted user") so the other parties to those conversations retain their own commercial records. This is consistent with UK GDPR Article 17(3)(b) and (e), which allow retention of content where the other party has a legitimate need for it (tax, accounting, dispute defence). If you would prefer a deeper erasure that also removes content visible to the other parties you transacted with, email privacy@suppliermafia.com and we'll review on a case-by-case basis. Each request gets weighed against the supplier's legitimate interest in their own commercial record.
- Conversation history: kept for as long as either party's account remains active, since both sides need access to the record.
- Invoices and payment records: kept for up to 7 years after the relevant tax year to comply with UK accounting and tax-record obligations. This applies regardless of whether either party has since deleted their account.
- Security and audit logs: kept for up to 2 years to investigate abuse and meet incident-response obligations.
- Marketing-email opt-outs and similar consent records: kept indefinitely so we don't accidentally re-contact someone who opted out.
7. Your rights
Under UK GDPR (and equivalent rights under EU GDPR for users in the EEA), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data. Most fields can be edited directly from Settings; email us for anything you can't change yourself.
- Erasure — close your account from Settings. Your identifying information is anonymised within minutes; content you exchanged with other parties stays attached to an anonymised placeholder per the retention rules above. For a deeper erasure that includes content visible to the other parties you transacted with, email privacy@suppliermafia.com. We will respond within 30 days, subject to the retention exceptions above and the other party's overriding legitimate interest in their commercial record.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable JSON file. Use the "Export data" button in Settings, or request via email.
- Object — to processing based on legitimate interests, including profiling for fraud detection. We will weigh your objection against our legitimate interests case by case.
- Withdraw consent — where we rely on consent (e.g. announcement emails), turn it off in Settings.
- Complain — you can lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority in the EEA. We would appreciate the chance to address concerns first.
8. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know what personal information we collect, why, and who we share it with — this policy is our disclosure.
- Right to delete the personal information we hold about you, subject to legal retention exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioural advertising. There is no "Do Not Sell or Share" link required because there is nothing to opt out of.
- Right to non-discrimination — exercising any of these rights will not affect the price or quality of the service we offer you.
- Sensitive personal information: we do not collect or use SPI for any purpose beyond providing the service.
To exercise any California right, email privacy@suppliermafia.com. We will verify your identity before responding (typically by confirming you control the email tied to the account).
9. Cookies and similar technologies
We use a small number of cookies and similar technologies to keep you signed in, remember your preferences, and detect abuse. We also use Google Analytics 4 with Consent Mode v2 to understand aggregate platform usage, but only after you have explicitly accepted the analytics cookie banner. We do not use third-party advertising cookies and we do not run Google Ads. See the Cookies Policy for the full list and your controls. You can change your analytics choice at any time from the cookie banner (re-open via "Cookie preferences" in the footer).
10. Automated decision-making
We do not make decisions about you that have legal or similarly significant effects based solely on automated processing. Suspicious-activity detection may surface accounts to admins for review, but the final decision to suspend, warn, or close an account is always made by a human.
11. Security
We use industry-standard security practices including encrypted connections (HTTPS / TLS 1.2+), encrypted data at rest, role-based access controls, scoped API keys, and Row Level Security on every database table. Authentication is handled by Supabase Auth with bcrypt password hashing and (optionally) two-factor codes. No platform can guarantee perfect security.
Personal-data breach response. If a security incident results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data, we follow the timelines in UK GDPR Articles 33 and 34:
- Within 72 hours of becoming aware of a notifiable breach, we notify the UK Information Commissioner's Office (and any other supervisory authority with jurisdiction). Where we cannot complete the assessment in 72 hours, we send an interim notification and follow up with further information as it becomes available, as Article 33(4) allows.
- Without undue delay, where the breach is likely to result in a high risk to your rights and freedoms, we contact you directly (Article 34). The notification will tell you, in plain language, what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.
- We maintain an internal log of every personal-data breach (including those that did not meet the notification threshold) for at least two years and make it available to the supervisory authority on request.
For incidents that affect platform availability or service quality without affecting personal data, see our public incident-response and post-mortem practice in our Terms. For US state-law breach notifications (where applicable), we follow the timelines required by the relevant state's data-breach notification statute.
12. Children
SupplierMafia is a B2B platform intended for use by adult business operators. The service is not directed at, and may not be used by, anyone under 18. We do not knowingly collect personal information from anyone under 18, and the platform does not market to or design any feature for under-18 users. If you believe an under-18 user has registered, email privacy@suppliermafia.com and we will close the account and erase the personal data we hold, subject only to the retention exceptions in Section 6.
13. Changes to this policy
If we change this policy materially we will notify you in-app or by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version. We keep prior versions on request.
14. Contact
Questions about this policy or your data? Email privacy@suppliermafia.com and we will get back to you within five business days.