Privacy Policy

Last updated: 28 May 2026

This Privacy Policy describes how [LEGAL ENTITY NAME] (“Supplira”, “we”, “us”) handles personal data when you use the Supplira website and software service. It is intended to support transparency for customers, suppliers, and procurement reviews. It does not guarantee that your use of Supplira satisfies GDPR or other legal obligations.

Information we collect

Depending on how you use Supplira, we may process:

  • Account data — name, email address, organization details, role, and authentication-related information.
  • Assessment and supplier data — supplier profiles, questionnaire content, responses, findings, risk scores, and related workflow metadata within your account.
  • Supplier questionnaire responses — information submitted by your organization or by suppliers when completing assessments you send.
  • Usage and operational logs — technical events needed to operate, secure, and troubleshoot the Service (for example request metadata, errors, and performance signals).
  • Security and audit data — account-scoped audit records for security-sensitive actions, as described on our Security page.

How we use data

We use personal data to:

  • Provide and operate the Supplira service
  • Authenticate users and enforce access controls
  • Send transactional communications (for example invitations and reminders)
  • Maintain security, prevent abuse, and investigate incidents
  • Support customers and improve the Service
  • Meet legal obligations where applicable

We do not sell personal data.

Cookies and session handling

Supplira uses cookies and similar technologies needed for authentication and session management. Session cookies are HTTP-only where appropriate for web login flows. You can control browser cookie settings, but disabling required cookies may prevent you from using the Service.

Authentication and security data

We process credentials and security settings such as password hashes (bcrypt), optional multi-factor authentication (TOTP), and login rate-limiting signals. See our Security page for a summary of implemented controls.

Legal roles: controller and processor

For account and website data relating to your organization’s use of Supplira, we typically act as a data controller. For supplier assessment data and related content that you instruct us to process on your behalf through the platform, we typically act as a data processor. A Data Processing Agreement is available on request — see our DPA page.

Subprocessors and infrastructure

We use third-party service providers to run Supplira. Our primary application database is hosted in Sweden (AWS eu-north-1 via our database provider). Some supporting services (for example application hosting, email delivery, or abuse protection) may process data in other regions. A current list is published on our Subprocessors page.

Retention

We retain personal data for as long as needed to provide the Service, support your account, meet legal requirements, and resolve disputes. Retention periods may depend on your plan, account status, and our then-current data retention practices. When you stop using the Service, we will handle data according to applicable agreements and retention policies in effect at that time.

Data subject rights

Where applicable law provides rights (such as access, rectification, erasure, restriction, portability, or objection), you may contact us to exercise those rights. If we process data on your behalf as a processor, we will assist you in responding to requests from data subjects as described in our DPA where required.

Security measures

We implement technical and organizational measures appropriate to the Service, including PostgreSQL Row-Level Security (RLS) for tenant isolation, server-side authorization, audit logging, MFA support, and rate limiting. No system is perfectly secure. Details are summarized on our Security page.

International transfers

Because some subprocessors may operate globally, personal data may be processed outside the European Economic Area. Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms as applicable to each provider and relationship.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a revised “Last updated” date. Material changes may be communicated through the Service or by email where appropriate.

Contact

Privacy questions: [email protected]
General inquiries: [email protected]
Security issues: [email protected]
