Supplo is built with European data protection law in mind. Here's how we handle your data and your customers' data responsibly.
The General Data Protection Regulation (GDPR) is the world's most comprehensive data privacy framework. Supplo is committed to full compliance with the GDPR (EU) 2016/679 and the UK GDPR. We believe that data protection is not a checkbox exercise — it is a core part of building a trustworthy product.
This page outlines how Supplo fulfils its obligations under the GDPR, what that means for you as a customer, and the tools we provide to help you meet your own GDPR obligations to your end-users.
Under GDPR, it's important to understand the distinction between a data controller and a data processor, as both Supplo and our customers have specific roles.
Supplo acts as the data controller for the personal data of our customers (i.e., the businesses that sign up for Supplo accounts). This includes your name, email address, billing information, and platform usage data. We determine the purposes and means of processing this data in accordance with our Privacy Policy.
Supplo acts as a data processor when handling the personal data of your end-users — the visitors who interact with the Supplo widget on your website. You, the Supplo customer, are the data controller for your end-users' data. We process it only on your instructions, under the terms of our Data Processing Agreement (DPA).
Under Article 6 of the GDPR, every processing activity must have a lawful basis. Supplo relies on the following lawful bases:
If you are located in the EEA, UK, or Switzerland, the GDPR grants you the following rights. You can exercise any of these by contacting us at support@supplo.io.
You have the right to obtain a copy of the personal data we hold about you, along with information about how and why we process it.
You have the right to have inaccurate or incomplete personal data corrected without undue delay.
You have the right to request deletion of your personal data where it is no longer necessary for the purposes it was collected, or where you withdraw consent.
You have the right to ask us to restrict the processing of your data in certain circumstances, such as while accuracy is being contested.
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller.
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.
We will respond to all data subject rights requests within 30 days. We may request verification of your identity before processing a request.
Supplo retains personal data only for as long as necessary to fulfil the purposes for which it was collected. Our default retention schedules are:
Upon account deletion, all associated personal data is permanently removed within 30 days, except where we are required by law to retain it.
Supplo's primary infrastructure is hosted in Europe (Hetzner data centres in Germany). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission. A summary of our sub-processors and their locations is available in our Data Processing Agreement.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Supplo will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required by GDPR Article 33). Where the breach is likely to result in a high risk to individuals, we will also notify the affected data subjects directly (Article 34).
If you are a Supplo customer and a breach affects data we process on your behalf (as processor), we will notify you promptly so you can fulfil your own notification obligations.
A Data Processing Agreement is required under GDPR Article 28 whenever a controller engages a processor. Supplo provides a standard DPA to all customers that covers the required terms including subject matter, duration, nature and purpose of processing, categories of data, and obligations and rights of the controller.
You can review our standard DPA at supplo.io/dpa. To request a countersigned DPA for your records, email support@supplo.io with the subject "DPA Request" and we will turn it around within 2 business days.
For any GDPR-related questions, data subject rights requests, or to discuss a DPA, please contact us directly. While Supplo is not currently required to appoint a formal Data Protection Officer under Article 37, we take privacy oversight seriously and have a designated privacy contact:
You also have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.
We can get a countersigned Data Processing Agreement to you within 2 business days.