Privacy Policy

Last updated: 25 May 2026

B2B SupplierHub (“we”, “us”, or “our”) operates the supplierhub.io platform. This policy explains what data we collect, why we collect it, and the choices you have. We keep it plain English — no legalese.

1. What we collect

We collect only what we need to run the platform:

  • Account data — your name, email address, and company name when you register. Authentication is handled by Clerk; we never store your password directly.
  • Behavioural data (with your consent) — the search queries you run, products and category pages you view, filters you apply, and reverse-sourcing lookups. Only collected after you accept cookies via the banner. Stored in Google BigQuery as discrete events with a 24-month retention window. Used to surface demand-gap insights (e.g. searches that returned no results) and to improve catalog relevance.
  • Supplier data — if you are a supplier, the catalog feed, pricing, stock levels, and company details you submit or authorise us to ingest.
  • Operational logs — every API request handled by our backend is recorded (URL, status code, timing, redacted body) in an internal audit log used for debugging, security monitoring, and abuse detection. Bodies are capped at 16 KB and credential fields (tokens, passwords, API keys) are redacted before storage. Operational logs are processed on a legitimate-interest basis for service operation and are retained for 12 months.
  • Technical data — IP address, browser type, and session identifiers, collected automatically to secure the platform and diagnose errors.

We do not collect payment card details. Billing, where applicable, is handled by a PCI-compliant third-party processor.

2. How we use your data

  • To provide and operate the platform — search, supplier profiles, product listings.
  • To verify supplier credentials and maintain data accuracy.
  • To send transactional emails (account confirmation, password reset, feed sync alerts).
  • To analyse aggregate usage patterns and improve the product. Where you have accepted cookies, this includes attributing your pre-signup browsing to your account once you register (so we can show you relevant suggestions). The link is made via a single internal mapping table (anonymous identifier → user account); no third party receives it.
  • To identify supplier-acquisition opportunities by analysing aggregated searches that return no results — a buyer's specific query is never shared with a supplier.
  • To comply with legal obligations and protect against fraud or abuse.

We do not sell your data. We do not use your data to serve third-party advertising. We do not run automated decision-making that produces legal or similarly significant effects on you.

3. Cookies & tracking

We use a small, named set of first-party cookies. All are set byapp.b2bsupplierhub.com— no third-party trackers, no advertising pixels, no cross-site tracking, no fingerprinting.

Strictly-necessary cookies — always on. You cannot disable these without breaking sign-in.

  • Clerk session cookies (__session,__client_uat, etc.) — keep you signed in. Set by our authentication provider Clerk. Cleared on sign-out.
  • shub_consent — records your choice (granted / denied) from the cookie banner. Persists 12 months, then the banner re-appears.

Analytics cookies — only set if you click Accept on the banner.

  • shub_anon — a random UUID that lets us correlate your activity across pages and visits to spot demand patterns. Persists 2 years (or until you click Decline / clear it). Read by our own backend only; never shared with a third party. When you sign up or log in, this id is mapped to your account in an internal table so we can attribute your earlier browsing to your profile — that mapping is deletable on request (see Section 6).

Your controls

  • Decline on the banner — no shub_anon is ever set; no behavioural event is recorded; any existing analytics cookie is cleared.
  • Accept — analytics on. You can revoke at any time by clearing cookies in your browser, which re-shows the banner on next visit.
  • Signed-in users can also email us to delete their identifier mapping or all captured events (see Section 6).

Operational request logs are written server-side without using any client-side identifier. They cover ~12 months of access records (URL, status, timing, redacted body) for security and debugging on a legitimate-interest basis under GDPR Article 6(1)(f). These do not depend on your cookie choice.

4. Data sharing

We share data only in these limited circumstances:

  • Service providers — authentication (Clerk), hosting, and email delivery. These providers process data on our behalf under strict data processing agreements.
  • Suppliers you contact — when you initiate contact via the platform, your name and email are shared with that supplier so they can respond to you.
  • Legal requirements — we will disclose data if required by law or to protect the rights, property, or safety of our users or the public.

5. Data retention

We retain account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required to keep it for legal compliance (e.g. financial records).

Behavioural events (searches, product views) are retained for 24 monthsand then automatically deleted. Aggregated daily summaries (e.g. "20 buyers searched for X on this day") that no longer identify any individual visitor are kept indefinitely for trend analysis.

Operational request logs are retained for 12 months. The internal mapping between an anonymous identifier and a user account is deleted when the account is deleted.

6. Your rights (GDPR & UK GDPR)

If you are based in the EEA or UK, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — ask us to limit processing in certain circumstances.

To exercise any of these rights, email us at privacy@supplierhub.io. We will respond within 30 days. A request to delete behavioural data will remove your identifier mapping immediately and purge associated events at the next monthly partition pass; aggregated counts cannot identify you and are not affected.

7. Security

All data is transmitted over HTTPS. Database access is restricted to authenticated internal services. We conduct periodic security reviews and address vulnerabilities promptly. No system is 100% secure — please use a strong, unique password and enable two-factor authentication where available.

8. Changes to this policy

We may update this policy as the platform evolves. We will notify registered users by email for material changes and update the “Last updated” date above. Continued use after notification constitutes acceptance.

9. Contact

Questions about this policy? privacy@supplierhub.io